Oracle tech db-02-hacking-neum-15.04.2010



  1. The myth of hacking Oracle. Michał Jerzy Kostrzewa, Central and Southern Eastern Europe Database Director, Michal.Kostrzewa@Oracle.com
  2. More data than ever… Growth doubles yearly: the chart runs from 2006 to 2011 and reaches 1,800 exabytes. Source: IDC, 2008
  3. More breaches than ever… Data breach: once exposed, the data is out there; the bell can't be un-rung. Publicly reported data breaches: 630% increase in total personally identifying information records exposed (millions). Source: DataLossDB, 2009
  4. More regulations than ever… UK/PRO, PIPEDA, EU Data Directives, Sarbanes-Oxley, GLBA, PCI, Basel II, Breach Disclosure, FISMA, K-SOX, Euro-SOX, J-SOX, HIPAA, ISO 17799, SAS 70, COBIT, AUS/PRO. 90% of companies are behind in compliance. Source: IT Policy Compliance Group, 2009.
  5. Market overview: IT security in 2009. There has been a clear and significant shift from what was the widely recognized state of security just a few years ago. Protecting the organization's information assets is the top issue facing security programs: data security (90%) is most often cited as an important or very important issue for IT security organizations, followed by application security (86%).
  6. The Myth of Hacking Oracle: agenda WHERE, WHO, HOW, PROTECTION
  7. Where do the attacks come from? Insiders. Source: Verizon Data Breach Report 2009
  8. Official statistics: relation to industry. Source: Verizon Data Breach Report 2009
  9. The Myth of Hacking Oracle: section divider (WHERE, WHO, HOW, PROTECTION)
  10. Who is attacking us? Hack3rs: about 20%. Insiders: about 80%.
  11. Information security has changed
      1996: hobby hackers; web site defacement; viruses; infrequent attacks; denial of service
      2009: rentable professional hackers; criminals; identity theft; constant threat
  12. Underground naming conventions (the scene, with criminality increasing from left to right): Whitehats, Greyhats, Blackhats, Script Kiddies
  13. Underground organisation: organized computer crime with flexible business models (spam, espionage, sabotage); roles such as marketender, group, logistician and programmer; organisations with fast exchange
  14. Hacking steps (axis from legal observation to illegal take-down)
      Preparation phase: targeting; information collection; social engineering; social networking; underground scene; methods; techniques
      Planning phase: detailed planning; risk analysis; staffing; alternative plans; consolidation; choice of precautions
      Hack: attack; backdoor installation; track cleaning
  15. Official statistics, German secret service: dramatic increase of computer crime over the last 12 years (professionalism); biggest damage by insiders (sabotage, spying, information selling); the typical hacker is male and over 21, BUT starts at 14!!! Source: BND Sicherheitsreport 2008
  16. Profiling Hack3rs (chart: criminal energy against hacker know-how): classic computer users; interested users; script kiddies; insiders; criminals; classic industry spies; secret services; professional hackers. Hacks discovered by police and secret service are marked separately.
  17. Short facts
      • 87% of all databases are compromised through the operating system
      • 80% of the damage is caused by insiders
      • Only 1% of all professional hacks are recognized
      • 10% of all "standard hacks" are made public
  18. Highscore list. Source: Black Hat Convention 2008
      40 sec Windows XP SP2; 55 sec Windows Vista; 63 sec Windows NT 4.0 workstation SP4; 70 sec Windows 2003 Server; 140 sec Linux kernel 2.6; 190 sec Sun Solaris 5.9 with rootkit; … the list also includes AIX, HPUX, OS/2, OSX, IRIX, …
  19. Shopping list 2007/2008. Source: heise security, DEFCON 2008, BlackHat 2008
      • $50,000 Windows Vista exploit ($4,000 for the WMF exploit in Dec 2005)
      • $7 per eBay account
      • $20,000 medium-size bot network
      • $30,000 unknown security holes in well-known applications
      • $25-60 per 1,000 bot clients / week
  20. Crisis shopping list 2009. Source: heise security, DEFCON 2009, BlackHat 2009
      • $100,000 destruction of a competitor's image
      • $250,000 full internal competitor database
      • $25 per credit card account (with security code and valid date)
      • $20,000 medium-size bot network (buy or rent)
      • $2,000 stolen VPN connection
      • $5,000 contact to a "turned around" insider
  21. WHERE, WHO, HOW, PROTECTION. Hack3rs: about 20%. Insiders: about 80%.
  22. Insider examples!!! European headlines 2008/2009:
      - lost top-secret document about al-Qaida (public train)
      - stolen data of thousands of prisoners and prison guards
      - personal information of 70 million people lost unencrypted on DVDs
      - bank employee gambled with US$5.4 billion
      - 88% of admins would steal sensitive corporate information
      - industry espionage by insiders increased dramatically
      - biggest criminal network (RBN) still operating
      - thousands of pieces of hardware equipment stolen at the US Army
      - US Army lost the personal data of 50,000 former soldiers
      - China's "Red Dragon" organization cracked a German government network
      - Liechtenstein affair: insider vs. secret service
      - …
  23. Insider threat
      Outsourcing and off-shoring trend. A large percentage of threats go undetected:
      - huge internal know-how
      - powerful privileges
      - track cleaning
      - "clearance" problem
      - foreign contact persons / turnovers
      Easier exchange of sensitive data (hacker's eBay, RBN, parallel internet, dead postboxes…)
  24. The Myth of Hacking Oracle: section divider (WHERE, WHO, HOW, PROTECTION)
  25. How we get attacked (three pairs: active vs. passive hack; internal vs. external hack; technical vs. nontechnical hack). Over 80% of all hacks are done from internal. Callout next to the technical/nontechnical pair: at the moment one of the most dangerous and effective methods in the scene.
  26. How we get attacked, REALITY (>90%)
      - Standard configuration
      - Misconfiguration
      - Misunderstanding of security
      - Human errors
      - Process/workflow errors
      - "Old" versions / no patches
      - Known/published holes/bugs/workarounds
      - Downloadable cracking software (script kiddies)
      - Real hacks/cracks
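Added example, not part of the presentation: a set of Oracle 11g checks a DBA can run to find the standard-configuration, weak-profile, excess-privilege and missing-patch conditions this slide blames for most incidents. It assumes a session with SELECT on the DBA_* views; the excluded account names are illustrative.

```sql
-- Added example (not from the slides). Oracle 11g catalog views only; run as a DBA.

-- 1. Open accounts that still carry an Oracle default password (11g view).
SELECT u.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN'
 ORDER BY u.username;

-- 2. Password profiles that never lock out, never expire or skip complexity:
--    UNLIMITED / NULL here means the database does not constrain brute force
--    or stale credentials at all.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                         'PASSWORD_VERIFY_FUNCTION')
   AND limit IN ('UNLIMITED', 'NULL')
 ORDER BY profile, resource_name;

-- 3. Accounts holding the DBA role or "ANY" system privileges beyond SYS/SYSTEM
--    (the "powerful privileges" insiders abuse on slide 23).
SELECT grantee, granted_role AS privilege
  FROM dba_role_privs
 WHERE granted_role = 'DBA' AND grantee NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%' AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY 1, 2;

-- 4. Patch level: the registry history records applied CPUs/PSUs and upgrades,
--    so an empty or old list means "old versions / no patches".
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;

-- 5. Audit settings: AUDIT_TRAIL = NONE means nothing from this instance ever
--    reaches a central audit repository.
SELECT name, value FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'remote_os_authent');
```

Listener and sqlnet settings are not visible from SQL; review $ORACLE_HOME/network/admin/listener.ora and sqlnet.ora alongside these results.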
  27. The Myth of Hacking Oracle: section divider (WHERE, WHO, HOW, PROTECTION)
  28. Protection: more than 90% of our security problems could be solved!!!
  29. Think…
      • Security is a "race": if you stop running, you lose
      • Security IS NOT a product; it is an ongoing, living process
      • Train your employees
      • Security IS an intelligent combination of several areas -> "big picture"
      • Focus on your data, not only on the technology
      • Start with the basics
  30. Think about solutions…
      Problems: external attackers; internal threats; image damage; internal security regulations; regulatory compliance; data consolidation control; high availability combined with security
      Oracle solutions: separation of duties; insider threat protection; strong access authentication; strong encryption (DB/OS/network); fine-grained real-time external auditing
      Oracle security products: Advanced Security Option (ASO); network encryption; transparent data encryption; strong authentication; Database Vault; Audit Vault; Secure Backup; Virtual Private Database (VPD); Oracle Label Security (OLS); Data Masking; Total Recall
      Oracle differentiator: no competition
  31. Oracle security solutions summary (Reporting & Alerting on top, IT Management & Integration underneath)
      Identity and Access Management:
        Identity Administration: user provisioning; role management; self-service driven
        Directory Services: scalable LDAP storage; virtual directory; directory synchronization
        Access Management: risk-based authorization; entitlements management; single sign-on; federation; information rights management
      Database Security:
        Activity Monitoring: unauthorized activity detection; automated compliance reports; secure configuration audit
        Access Control and Authorization: privileged user controls; multi-factor authorization; classification control
        Encryption and Data Masking: transparent data encryption; de-identification for non-production; built-in key management
  32. Database defense-in-depth
      Monitoring: Configuration Management; Audit Vault; Total Recall
      Access Control: Database Vault; Label Security
      Encryption & Masking: Advanced Security; Secure Backup; Data Masking
  33. Oracle Advanced Security: Transparent Data Encryption (diagram: application data encrypted on disk, in backups, in exports and at off-site facilities)
      • Complete encryption for data at rest
      • No application changes required
      • Efficient encryption of all application data
      • Built-in key lifecycle management
  34. Oracle Advanced Security: network encryption & strong authentication
      • Standards-based encryption for data in transit
      • Strong authentication of users and servers (e.g. Kerberos, RADIUS)
      • No infrastructure changes required
      • Easy to implement
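Added example, not part of the presentation, covering both Advanced Security slides (33 and 34): the Oracle 11g statements that turn on transparent data encryption for a column and a tablespace, and the session check that confirms network encryption was actually negotiated. It assumes a DBA session; the wallet password, data file path, schema, table and column names are illustrative.

```sql
-- Added example (not from the slides). Oracle 11g Advanced Security Option.

-- (a) Data at rest. The master key lives in a wallet whose directory sqlnet.ora
--     names via ENCRYPTION_WALLET_LOCATION; the first statement creates it.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "w4llet-passw0rd";          -- once
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "w4llet-passw0rd";  -- after each restart

-- Column-level TDE: only the sensitive column is encrypted; application SQL is
-- unchanged. NO SALT is required if the column is indexed.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);

-- Tablespace-level TDE: every segment stored here is encrypted, so backups and
-- exports of it are ciphertext as well (the slide's disk / backup / export case).
CREATE TABLESPACE finance_enc
  DATAFILE '/u01/oradata/ORCL/finance_enc01.dbf' SIZE 500M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Verify what is encrypted and that the wallet is open (closed wallet = data
-- unreadable, not insecure, but applications fail).
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT wrl_type, status FROM v$encryption_wallet;

-- (b) Data in transit. Native network encryption is set in the server's
--     sqlnet.ora, for example:
--       SQLNET.ENCRYPTION_SERVER             = REQUIRED
--       SQLNET.ENCRYPTION_TYPES_SERVER       = (AES256)
--       SQLNET.CRYPTO_CHECKSUM_SERVER        = REQUIRED
--       SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER  = (SHA1)
--     REQUIRED rejects clients that cannot negotiate encryption; the default
--     ACCEPTED silently falls back to plaintext when the client has no setting.
-- From any session, list the services negotiated for this connection:
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
-- Expect rows naming an AES256 encryption service and a crypto-checksumming
-- service; if only authentication-service rows appear, traffic is in the clear.
```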
  35. Oracle Data Masking: irreversible de-identification
      Production                           Non-production
      LAST_NAME  SSN          SALARY       LAST_NAME   SSN          SALARY
      AGUILAR    203-33-3234  40,000       ANSKEKSL    111-23-1111  60,000
      BENSON     323-22-2943  60,000       BKJHHEIEDK  222-34-1345  40,000
      • Remove sensitive data from non-production databases
      • Referential integrity preserved so applications continue to work
      • Sensitive data never leaves the database
      • Extensible template library and policies for automation
  36. Oracle Database Vault: separation of duties & privileged user controls (diagram: Procurement, HR and Finance applications; the DBA issues select * from finance.customers against the protected Finance data)
      • DBA separation of duties
      • Limit powers of privileged users
      • Securely consolidate application data
      • No application changes required
  37. Oracle Database Vault: multi-factor access control policy enforcement (diagram: Procurement, HR and Rebates applications)
      • Protect application data and prevent application by-pass
      • Enforce who, where, when and how using rules and factors
      • Out-of-the-box policies for Oracle applications, customizable
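Added example, not part of the presentation, for slides 36 and 37: a Database Vault realm around the FINANCE schema, so that the DBA's select * from finance.customers on slide 36 fails even though the DBA role still holds SELECT ANY TABLE, plus a factor-based rule for the "where" condition on slide 37. It assumes Oracle 11g with Database Vault installed and a session holding the DV_OWNER role; the realm, schema, account and subnet values are illustrative.

```sql
-- Added example (not from the slides). Oracle 11g Database Vault, DBMS_MACADM API.
BEGIN
  -- 1. A realm is a protection zone: DBA / SELECT ANY TABLE do not reach inside.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Customer and ledger data owned by FINANCE',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- record every violation

  -- 2. Every object in the FINANCE schema, current and future, is covered.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- 3. Only the schema owner and the application account are authorised.
  --    OWNER may also grant/revoke on realm objects; PARTICIPANT may only use them.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Finance Realm',
    grantee      => 'FINANCE',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Finance Realm',
    grantee      => 'FIN_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 4. Multi-factor (slide 37): a rule on the CLIENT_IP factor. Attached to the
  --    FIN_APP authorisation through a rule set, it limits that account to the
  --    application servers' subnet, so a stolen password used from a desktop fails.
  DBMS_MACADM.CREATE_RULE('App server subnet', 'DVF.F$CLIENT_IP LIKE ''10.20.30.%''');
END;
/

-- Outcome for a DBA who is not a realm participant:
--   SQL> SELECT * FROM finance.customers;
--   ORA-01031: insufficient privileges
-- The DBA keeps backup, tuning and patching duties: the separation on slide 36.

-- Detection: realm violations are written to the Database Vault audit trail.
SELECT username, action_name, action_object_name, timestamp
  FROM dvsys.audit_trail$
 ORDER BY timestamp DESC;
```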
  38. Oracle Label Security: data classification for access control (diagram: sensitive transactions, confidential report data and public reports, labelled Confidential and Sensitive)
      • Classify users and data based on business drivers
      • Database-enforced row-level access control
      • User classification through Oracle Identity Management Suite
      • Classification labels can be factors in other policies
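Added example, not part of the presentation: an Oracle Label Security policy that enforces the slide's Public / Confidential / Sensitive classification on the rows of one table, with user clearances that decide what each query returns. It assumes Oracle 11g with OLS installed and a session as LBACSYS (the policy DBA); the policy, schema, table, user and label values are illustrative.

```sql
-- Added example (not from the slides). Oracle 11g Label Security, SA_* packages.
BEGIN
  -- 1. Policy: adds a hidden label column to every table it is applied to.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'REPORTS_POL',
    column_name     => 'REPORT_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- 2. Hierarchical levels, ordered by the numeric sensitivity.
  SA_COMPONENTS.CREATE_LEVEL('REPORTS_POL', 1000, 'P', 'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('REPORTS_POL', 2000, 'C', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('REPORTS_POL', 3000, 'S', 'SENSITIVE');

  -- 3. Data labels that rows may carry (tag number, label string).
  SA_LABEL_ADMIN.CREATE_LABEL('REPORTS_POL', 1000, 'P');
  SA_LABEL_ADMIN.CREATE_LABEL('REPORTS_POL', 2000, 'C');
  SA_LABEL_ADMIN.CREATE_LABEL('REPORTS_POL', 3000, 'S');

  -- 4. Apply to the table; LABEL_DEFAULT stamps inserts with the session's
  --    default row label when the application does not set one.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'REPORTS_POL',
    schema_name   => 'FIN',
    table_name    => 'REPORTS',
    table_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');

  -- 5. Clearances: this is what the slide's identity management feeds.
  SA_USER_ADMIN.SET_USER_LABELS('REPORTS_POL', 'ANALYST', max_read_label => 'C');
  SA_USER_ADMIN.SET_USER_LABELS('REPORTS_POL', 'CFO',     max_read_label => 'S');
END;
/

-- Label existing rows (run by a user holding the policy's FULL privilege);
-- CHAR_TO_LABEL converts the label string to its numeric tag.
UPDATE fin.reports SET report_label = CHAR_TO_LABEL('REPORTS_POL', 'S')
 WHERE report_type = 'M&A';
UPDATE fin.reports SET report_label = CHAR_TO_LABEL('REPORTS_POL', 'P')
 WHERE report_type = 'ANNUAL';
COMMIT;

-- Effect: identical application SQL, different result sets, and no WHERE
-- clause in the application for an attacker to strip out.
--   ANALYST> SELECT title FROM fin.reports;   -- PUBLIC and CONFIDENTIAL rows
--   CFO>     SELECT title FROM fin.reports;   -- all rows, including SENSITIVE
```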
  39. Oracle Audit Vault: automated activity monitoring & audit reporting (diagram: HR, CRM and ERP databases send audit data to the vault; policies, built-in reports, custom reports and alerts go to the auditor)
      • Consolidate audit data into a secure repository
      • Detect and alert on suspicious activities
      • Out-of-the-box compliance reporting
      • Centralized audit policy management
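Added example, not part of the presentation: the source-database side of what Audit Vault consolidates, i.e. standard and fine-grained audit policies on a sensitive table, followed by two queries of the kind an auditor's alert would be built on. It assumes Oracle 11g with AUDIT_TRAIL set to DB,EXTENDED; the schema, table, account names and thresholds are illustrative.

```sql
-- Added example (not from the slides). Oracle 11g auditing; run as a DBA.

-- Standard audit: one record per statement that reads or changes the table,
-- plus the privilege and account changes an insider needs to cover tracks.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;
AUDIT GRANT ANY PRIVILEGE, ALTER USER, CREATE USER, DROP USER BY ACCESS;

-- Fine-grained audit: only SELECTs that touch SALARY and return executive
-- rows, with the SQL text and bind values captured.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EXEC_SALARY_READ',
    audit_condition => 'SALARY > 200000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- Alert 1: reads of the sensitive column outside business hours by anything
-- other than the payroll application account.
SELECT db_user, os_user, userhost, timestamp, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'EXEC_SALARY_READ'
   AND db_user <> 'PAYROLL_APP'
   AND (TO_CHAR(timestamp, 'HH24') NOT BETWEEN '07' AND '19'
        OR TO_CHAR(timestamp, 'DY') IN ('SAT', 'SUN'))
 ORDER BY timestamp DESC;

-- Alert 2: one account pulling many executive salaries within an hour
-- (a bulk export pattern rather than a single lookup).
SELECT db_user, TRUNC(timestamp, 'HH') AS hour, COUNT(*) AS reads
  FROM dba_fga_audit_trail
 WHERE policy_name = 'EXEC_SALARY_READ'
 GROUP BY db_user, TRUNC(timestamp, 'HH')
HAVING COUNT(*) > 50
 ORDER BY reads DESC;
```

Because these records stay on the audited database, a privileged insider can delete them; shipping them to a separate Audit Vault repository is what makes the trail tamper-evident.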
  40. Oracle Total Recall: secure change management, e.g. select salary from emp AS OF TIMESTAMP '02-MAY-09 12.00 AM' where emp.title = 'admin'
      • Transparently track data changes
      • Efficient, tamper-resistant storage of archives
      • Real-time access to historical data
      • Simplified forensics and error correction
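Added example, not part of the presentation: the Flashback Data Archive setup behind the slide's AS OF TIMESTAMP query, then the version-history query used for forensics and the restore used for error correction. It assumes Oracle 11g, a session holding FLASHBACK ARCHIVE ADMINISTER, and that HR.EMP has an EMPNO key; the archive, tablespace, retention and row values are illustrative.

```sql
-- Added example (not from the slides). Oracle 11g Total Recall (Flashback Data Archive).

-- 1. Archive with a retention the database enforces: the schema owner cannot
--    purge history, and the FBDA background process maintains the archive.
CREATE FLASHBACK ARCHIVE fda_hr TABLESPACE fda_ts
  QUOTA 10G RETENTION 7 YEAR;

-- 2. Track the table. Every committed change is now kept for 7 years, and
--    UNDO_RETENTION no longer limits how far back a query can look.
ALTER TABLE hr.emp FLASHBACK ARCHIVE fda_hr;

-- 3. The slide's query, with an explicit conversion instead of relying on
--    the session NLS date format.
SELECT salary
  FROM hr.emp AS OF TIMESTAMP
       TO_TIMESTAMP('2009-05-02 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
 WHERE emp.title = 'admin';

-- 4. Forensics: every version of one row in a window, with the transaction id
--    that produced it, so a suspicious salary change can be tied to a commit
--    and, via the audit trail, to a session.
SELECT versions_starttime, versions_operation, versions_xid, salary
  FROM hr.emp VERSIONS BETWEEN TIMESTAMP
       TO_TIMESTAMP('2009-05-01 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
       AND MAXVALUE
 WHERE empno = 7369
 ORDER BY versions_starttime;

-- 5. Error correction: put back the archived value for one employee.
UPDATE hr.emp e
   SET salary = (SELECT h.salary
                   FROM hr.emp AS OF TIMESTAMP
                        TO_TIMESTAMP('2009-05-02 00:00:00', 'YYYY-MM-DD HH24:MI:SS') h
                  WHERE h.empno = e.empno)
 WHERE e.empno = 7369;
COMMIT;

-- 6. Confirm which tables are tracked and by which archive.
SELECT owner_name, table_name, flashback_archive_name
  FROM dba_flashback_archive_tables;
```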
  41. Database defense-in-depth (summary, same content as slide 32)
      Monitoring: Configuration Management; Audit Vault; Total Recall
      Access Control: Database Vault; Label Security
      Encryption & Masking: Advanced Security; Secure Backup; Data Masking
  42. Thank you!
