A Pragmatic Approach to a Secure Information Environment
David Knox
VP Technology
Oracle National Security Group
Pharming and Phishing
Ways to obtain phood

The Devil's Infosec Dictionary
CSO online (http://www.csoonline.com/read/080105/debrief.html)
Lessons Learned from Childhood
 Ready or not, here they come
– Need to know why you are doing what you are doing
– Assumptions, motivations, and approach to complexity
 Hidden in plain sight
– Strategies exist for defense and detection, tools exist; the need is for a practical balance
 Safety on base using the basics
– Policies, enforcements, governance
– Security thought of not as a simple user/role/resource check but as based on holistic context

Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
Cyber Security is a Complex Topic
& what this discussion is not about
 Forensics
 Network security
– FWs, IDS, IPS, Encryption, Mobile …
[Infographic: breach statistics. Captions on the slide: Breached using weak or stolen credentials; Discovered by an external party; Over 1.1B served: records breached from servers; Preventable with basic controls. Percentages shown (pairing with captions not recoverable from the extraction): 67%, 76%, 69%, 97%.]
Protection in Context
[Diagram: a user authenticates across the network to a database holding a sample employee table (names, numbers, Org 10/20/30 rows), shown both in clear and in obfuscated form, with a separate Admin path. Controls labelled around the flow: Authentication; Privacy & integrity of communications; Access control; Privacy & integrity of data; Monitoring & auditing.]
Ready or Not!
What’s Driving Security
for “normal” people
“A” is for Assets
“B” is for Brand
Compliance
NIST, FIPS 140-1 & 201, OFAC, PCAOB Audit, 21 CFR Part 11, CA SB 1386, GLB, WA SB 6043, Sarbanes-Oxley, ND SB 2251, FTC 16 CFR 314, IL SB 1479, HIPAA, PA SB 705, PIPEDA, EU Privacy, Patriot Act, Basel II, HSPD-12, FERPA, FISMA PL107-347, BSA
Targets Increasing as Attacks Evolve
DBAs, OS Admins, Developers, Multiple Copies of the Data, etc.
Anatomy of an Attack
“You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees….”
Uri Rivner
CTO, RSA (Security Division of EMC)
Mission Critical
Term used to help hackers
identify their targets
Basic Assumptions Provide the Foundation
Establish the mindset
 Kerckhoffs’s principle / Shannon’s maxim: the enemy knows the system
 The malicious persons/code have infiltrated your environment
 Insider attack has to be addressed
Checkpoint
 Assume compromise
 ABC’s
– Threats often incomparable
– Impact: resulting damage can be the same
 Looking for solutions which apply to all dimensions:
– Cyber
– IT Security
– Risk & Compliance
– Privacy
Hidden in Plain Sight: Defining the Approach
A Simplified Framework
Policy Driven Security

Define Policies
  Description:
  • Rules that govern what people can and cannot do
  Possible States:
  • Exist/Don’t Exist
  • Ambiguous
  • Ignored

Enforce Policies
  Description:
  • IT controls to ensure compliance to policies
  • Preventive measures put in place to proactively defend IT and information assets
  Possible States:
  • Exist/Don’t Exist
  • Enforced/Unenforced
  • Effective/Ineffective (Impractical)
  • Intentionally bypassed/Unintentionally bypassed

Manage & Monitor Policies
  Description:
  • Governance: ability to control and understand who has access to what
  • Provisioning/de-provisioning based on least privileges and separation of duties
  • Automation to ensure policy enforcements
  Possible States:
  • Exist/Don’t Exist
  • Complete/Incomplete
  • Practiced/Not practiced
Analysis of Possibilities

Event Category                            | Policy State   | Enforcement State (IT Controls) | Governance State
------------------------------------------+----------------+---------------------------------+-----------------
Disclosure of sensitive material          | • Exists       | • Exists                        | • Exists
                                          | • Unambiguous  | • Enforced                      | • Complete
                                          | • Ignored      | • Effective                     | • Practiced
                                          |                | • Unintentionally bypassed      |
Unauthorized access to sensitive material | • Exists       | • Exists                        | • Exists
                                          | • Unambiguous  | • Enforced                      | • Complete
                                          | • Ignored      | • Effective                     | • Practiced
                                          |                | • Unintentionally bypassed      |
Unauthorized access to databases          | • Exists       | • Exists                        | • Exists
                                          | • Unambiguous  | • Enforced                      | • Complete
                                          | • Ignored      | • Effective                     | • Practiced
                                          |                | • Unintentionally bypassed      |
Two Questions
1. Are the enforcements linked to the policies?
2. Do the system components function as a system?
Password Policy Example
 Cannot be similar to user’s name
 Cannot be easily guessable
 Must be at least 12 characters in length
 Contains upper and lower case characters
 Contains at least one special character
 Contains at least one number
 Rotated every 90 days
 Cannot be re-used for 5 years

My current password: “This1is2Hard!”
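The eight rules above written out as a checker, added here as an example (not from the slides); the user name, password history, "now" date and the small guessability deny-list are constructed assumptions.

```python
"""Added example (not from the slides): evaluate a candidate password against
the eight rules listed on the slide.  User name, password history and dates
are constructed sample data; the "easily guessable" rule is a small deny-list
stand-in for whatever list a real deployment would use (an assumption)."""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 12                              # "at least 12 characters"
ROTATION = timedelta(days=90)                # "rotated every 90 days"
REUSE_WINDOW = timedelta(days=5 * 365)       # "cannot be re-used for 5 years"
SPECIAL = re.compile(r"[^A-Za-z0-9]")
COMMON = {"password", "password1", "welcome1", "letmein", "qwerty123"}


@dataclass
class History:
    """Earlier passwords for the account, each with the date it was set."""
    entries: list = field(default_factory=list)   # [(password, date_set), ...]

    def used_within(self, candidate, window, today):
        return any(pw == candidate and today - when <= window
                   for pw, when in self.entries)


def similar_to_name(password, username):
    """Rule 1. The slide does not define "similar"; this reading rejects any
    name token of four or more letters appearing inside the password."""
    p = password.lower()
    return any(len(part) >= 4 and part in p
               for part in re.split(r"[\s._-]+", username.lower()))


def violations(password, username, history, today):
    """Rules 1-6 and 8: return the rules the candidate breaks ([] = compliant)."""
    out = []
    if similar_to_name(password, username):
        out.append("similar to user's name")
    if password.lower() in COMMON or len(set(password)) < 4:
        out.append("easily guessable")
    if len(password) < MIN_LENGTH:
        out.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        out.append("needs both upper and lower case")
    if not SPECIAL.search(password):
        out.append("needs a special character")
    if not any(c.isdigit() for c in password):
        out.append("needs a number")
    if history.used_within(password, REUSE_WINDOW, today):
        out.append("re-used within 5 years")
    return out


def rotation_due(last_set, today):
    """Rule 7: True once the current password is older than 90 days."""
    return today - last_set > ROTATION


if __name__ == "__main__":
    today = date(2013, 6, 1)                       # constructed "now"
    hist = History([("This1is2Hard!", date(2010, 1, 15))])
    for pw in ("This1is2Hard!", "knox2013!!!!", "Correct-Horse-9"):
        print(pw, "->", violations(pw, "David Knox", hist, today) or "OK")
    print("rotation due:", rotation_due(date(2013, 1, 1), today))
```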
Passwords
Authentication tool that, when properly implemented, drives growth at the help desk
Balancing the Business
Usability x Security x Performance
Practicing Good Cyber Security Hygiene
We already know how to do this!
 Defensible Systems
– Integrated security controls
– Full stack instrumentation
– Establish and attest a secure environment
 Resilient Systems
– No SPOF: fault tolerant, agile
– Graceful degradation
– Quickly recoverable
 Containment
– Isolation
– Virtualization
– Detection & response
Safety on Base: Using the Basics
Securing Today’s Enterprise Information
Focus on securing the operational environment transparently
[Diagram labels: Developers, Users, Administrators; Security; Enforcement; Data.]
1. User’s session establishes key factors for security decisions
2. Centralized decision point used for authorizations of tasks
3. Enforcement points can verify, validate and add context
4. Monitor for anomalous actions
5. Audit critical actions
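The five steps above as an added worked model in Python (written for this page, not Oracle code); it also shows one answer to the earlier "Are the enforcements linked to the policies?" question, since every audit entry names the policy that decided it. The session factors, policies, employee rows and anomaly threshold are all constructed assumptions.

```python
"""Added example (not from the slides): the five numbered steps modelled in
Python.  Session factors, policies, employee rows and the anomaly threshold
are constructed sample values, not anything Oracle ships."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Step 1: factors fixed at login that every later decision can use."""
    user: str
    org: int
    auth_strength: str   # "password" or "mfa"
    network: str         # "corp" or "internet"
    role: str            # "user" or "admin"


# Step 2: policies are data with ids, so an enforcement and its audit entry can
# point back to the policy that drove them.  Nothing a policy does not grant is
# allowed ("Deny All; Allow Legitimate").
POLICIES = [
    {"id": "P1", "task": "read", "grant": lambda s, r: r["org"] == s.org},
    {"id": "P2", "task": "read",
     "grant": lambda s, r: s.role == "admin" and s.auth_strength == "mfa"},
    {"id": "P3", "task": "export",
     "grant": lambda s, r: s.auth_strength == "mfa" and s.network == "corp"
     and r["org"] == s.org},
]


class DecisionPoint:
    """Step 2: the single place authorization decisions are made."""
    def decide(self, session, task, resource):
        """Return (allowed, policy_id); default deny when no policy grants."""
        for p in POLICIES:
            if p["task"] == task and p["grant"](session, resource):
                return True, p["id"]
        return False, None


class Monitor:
    """Step 4: flag a session once its denials reach a threshold (constructed rule)."""
    def __init__(self, max_denied=2):
        self.denied, self.max_denied = Counter(), max_denied

    def observe(self, session, allowed):
        if not allowed:
            self.denied[session.user] += 1
        return self.denied[session.user] >= self.max_denied


class Audit:
    """Step 5: append-only trail; every entry names the deciding policy."""
    def __init__(self):
        self.entries = []

    def record(self, session, task, row, allowed, policy, flagged):
        self.entries.append({"user": session.user, "task": task, "row": row,
                             "allowed": allowed, "policy": policy, "anomaly": flagged})


class EnforcementPoint:
    """Step 3: in front of the data.  Validates the request, adds the context only
    it can see (the row's org and sensitivity), asks the decision point, feeds the
    monitor, and audits exports, sensitive reads and every denial."""
    def __init__(self, pdp, monitor, audit):
        self.pdp, self.monitor, self.audit = pdp, monitor, audit

    def access(self, session, task, row):
        if task not in ("read", "export"):
            raise ValueError(f"unknown task {task!r}")
        resource = {"org": row["org"], "sensitive": row.get("sensitive", False)}
        allowed, policy = self.pdp.decide(session, task, resource)
        flagged = self.monitor.observe(session, allowed)
        if task == "export" or resource["sensitive"] or not allowed:
            self.audit.record(session, task, row["name"], allowed, policy, flagged)
        return {"name": row["name"], "org": row["org"]} if allowed else None


EMPLOYEES = [  # constructed rows, in the spirit of the slide's Org 10/20/30 table
    {"name": "KING", "org": 10},
    {"name": "SCOTT", "org": 20, "sensitive": True},
    {"name": "KNOX", "org": 30},
]


def run_scenario():
    """An Org 20 user on a password login from the internet, then an admin on
    MFA from the corporate network, both against the same rows."""
    audit = Audit()
    pep = EnforcementPoint(DecisionPoint(), Monitor(max_denied=2), audit)
    scott = Session("scott", 20, "password", "internet", "user")
    dba = Session("dba", 10, "mfa", "corp", "admin")
    seen = {"scott_read": [pep.access(scott, "read", r) for r in EMPLOYEES],
            "scott_export": pep.access(scott, "export", EMPLOYEES[1]),
            "dba_read": [pep.access(dba, "read", r) for r in EMPLOYEES]}
    return seen, audit.entries
```

Calling `run_scenario()` shows the Org 20 user seeing only his own row, being denied the export because his session lacks MFA, and being flagged by the monitor after the second denial, while the audit trail carries the policy id behind each recorded decision.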
Concluding Points
Deny All; Allow Legitimate
 Understand and secure human-data interactions
 Need to know why you’re doing what you are doing
– Approach & principles
– Keep it simple, intuitive
 New security is not based on users & roles but on signatures, context & services
 Security components should not be separated or disjoint from enforcement
– Policies, enforcements, governance all have to work together.
Final, Final Concluding Points
 Ready or Not
– The perfect is the enemy of the good
– Need good perception and agility
 Hiding in Plain Sight
– The enemy may not be obvious
– You should not be obvious
 Safe on Base
– Know your digital economy
– Apply proven, natural and intuitive practices
Recursive
See Recursive

International Conference on Cyber Security, Hide and Go Seek

  • 1. A Pragmatic Approach to a Secure Information Environment. David Knox, VP Technology, Oracle National Security Group
  • 2. Pharming and Phishing: ways to obtain phood. (The Devil's Infosec Dictionary, CSO online, http://www.csoonline.com/read/080105/debrief.html)
  • 3. Lessons Learned from Childhood
    – Ready or not, here they come
      – Need to know why you are doing what you are doing
      – Assumptions, motivations, and approach to complexity
    – Hidden in plain sight
      – Strategies exist for defense and detect, tools exist, need practical balance
    – Safety on base using the basics
      – Policies, enforcements, governance
      – Security thought of not as simple user, role, resource but based on holistic context
    Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
  • 4. Cyber Security is a Complex Topic, and what this discussion is not about
    – Forensics
    – Network security
      – FWs, IDS, IPS, Encryption, Mobile …
  • 5. Breach statistics (infographic; the 67% and 76% figures are explained in Editor's Note 4)
    – Over 1.1B Served: records compromised
    – 67%: records breached from servers
    – 76%: breached using weak or stolen credentials
    – 69%: discovered by an external party
    – 97%: preventable with basic controls
  • 6. Protection in Context (diagram: users and admins reach data belonging to Org 10, Org 20 and Org 30 across the network; the labelled controls are Authentication, Privacy & integrity of communications, Access control, Privacy & integrity of data, and Monitoring & auditing)
  • 7. Ready or Not!
  • 8. What’s Driving Security for “normal” people
  • 10. “A” is for Assets
  • 11. “B” is for Brand
  • 12. Compliance (word cloud): NIST FIPS 140-1 & 201, OFAC, PCAOB Audit, 21 CFR Part 11, CA SB 1386, GLB, WA SB 6043, Sarbanes-Oxley, ND SB 2251, FTC 16 CFR 314, IL SB 1479, HIPAA, PA SB 705, PIPEDA, EU Privacy, Patriot Act, Basel II, HSPD-12, FERPA, FISMA, PL107-347, BSA
  • 13. Targets Increasing as Attacks Evolve: DBAs, OS Admins, Developers, Multiple Copies of the Data, etc. Anatomy of an Attack: “You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees….” (Uri Rivner, CTO, RSA, Security Division of EMC)
  • 14. Mission Critical: term used to help hackers identify their targets
  • 15. Basic Assumptions Provide the Foundation: establish the mindset
    – Kerckhoffs’s Principle/Shannon’s maxim: the enemy knows the system
    – The malicious persons/code have infiltrated your environment
    – Insider attack has to be addressed
  • 16. Checkpoint
    – Assume compromise
    – ABC’s
      – Threats often incomparable
      – Impact: resulting damage can be the same
    – Looking for solutions which apply to all dimensions:
      – Cyber
      – IT Security
      – Risk & Compliance
      – Privacy
  • 17. Hidden in Plain Sight: Defining the Approach
  • 18. A Simplified Framework: Policy Driven Security
    – Define Policies
      – Description: rules that govern what people can and cannot do
      – Possible states: Exist/Don’t Exist; Ambiguous; Ignored
    – Enforce Policies
      – Description: IT controls to ensure compliance to policies; preventive measures put in place to proactively defend IT and information assets
      – Possible states: Exist/Don’t Exist; Enforced/Unenforced; Effective/Ineffective (Impractical); Intentionally bypassed/Unintentionally bypassed
    – Manage & Monitor Policies
      – Description: governance, the ability to control and understand who has access to what; provisioning/de-provisioning based on least privileges and separation of duties; automation to ensure policy enforcements
      – Possible states: Exist/Don’t Exist; Complete/Incomplete; Practiced/Not practiced
  • 19. Analysis of Possibilities (table with columns Event Category, Policy State, Enforcement State (IT Controls), Governance State; every row carries the same states)
    – Disclosure of sensitive material: Policy: Exists, Unambiguous, Ignored; Enforcement: Exists, Enforced, Effective, Unintentionally bypassed; Governance: Exists, Complete, Practiced
    – Unauthorized access to sensitive material: Policy: Exists, Unambiguous, Ignored; Enforcement: Exists, Enforced, Effective, Unintentionally bypassed; Governance: Exists, Complete, Practiced
    – Unauthorized access to databases: Policy: Exists, Unambiguous, Ignored; Enforcement: Exists, Enforced, Effective, Unintentionally bypassed; Governance: Exists, Complete, Practiced
  • 20. Analysis of Possibilities (repeat of the slide 19 table)
  • 21. Two Questions
    1. Are the enforcements linked to the policies?
    2. Do the system components function as a system?
  • 22. Password Policy Example
    – Cannot be similar to user’s name
    – Cannot be easily guessable
    – Must be at least 12 characters in length
    – Contains upper and lower case characters
    – Contains at least one special character
    – Contains at least one number
    – Rotated every 90 days
    – Cannot be re-used for 5 years
    (Callout: My current password: “This1is2Hard!”)
  • 23. Passwords: authentication tool that, when properly implemented, drives growth at the help desk
  • 24. Balancing the Business: Usability x Security x Performance
  • 25. Practicing Good Cyber Security Hygiene: we already know how to do this!
    – Defensible Systems
      – Integrated security controls
      – Full stack instrumentation
      – Establish and attest a secure environment
    – Resilient Systems
      – No SPOF: fault tolerant, agile
      – Graceful degradation
      – Quickly recoverable
    – Containment
      – Isolation
      – Virtualization
      – Detect & response
  • 26. Safety on Base: Using the Basics
  • 27. Securing Today’s Enterprise Information: focus on securing the operational environment transparently (diagram: Developers, Users and Administrators acting on Security, Data and Enforcement)
    1. User’s session establishes key factors for security decisions
    2. Centralized decision point used for authorizations of tasks
    3. Enforcement points can verify, validate and add context
    4. Monitor for anomalous actions
    5. Audit critical actions
  • 28. Concluding Points: Deny All; Allow Legitimate
    – Understand and secure human-data interactions
    – Need to know why you’re doing what you are doing
      – Approach & principles
      – Keep it simple, intuitive
    – New security is not based on users & roles but signatures, context & services
    – Security components should not be separated, disjoint from enforcement
      – Policies, enforcements, governance all have to work together.
  • 29. Final, Final Concluding Points
    – Ready or Not
      – The perfect is the enemy of the good
      – Need good perception and agility
    – Hiding in Plain Sight
      – The enemy may not be obvious
      – You should not be obvious
    – Safe on Base
      – Know your digital economy
      – Apply proven, natural and intuitive practices
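The rules on slide 22 can be checked mechanically. The following Python is an added example written for this page, not code from the presentation or from Oracle. It assumes a small constructed word list for the "easily guessable" rule, treats "similar to the user's name" as sharing any run of four or more characters with the user name, and keeps the five-year history as salted PBKDF2 verifiers rather than the old passwords themselves; all three are assumptions, not rules stated on the slide.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 12            # "at least 12 characters"
ROTATION_DAYS = 90         # "rotated every 90 days"
REUSE_WINDOW_DAYS = 5 * 365  # "cannot be re-used for 5 years"

# Constructed stand-in for the "easily guessable" word list an organisation
# would maintain (assumption; a real deployment uses a large dictionary).
COMMON_WORDS = ("password", "welcome", "qwerty", "letmein", "oracle")


def _verifier(password, salt):
    """Slow salted hash; the history stores these, never old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def history_entry(password, set_on):
    """Record a previous password as (ISO date it was set, salt, verifier)."""
    salt = os.urandom(16)
    return (set_on, salt, _verifier(password, salt))


def similar_to_name(password, username):
    """True if any 4+ character run of the user name appears in the password
    (the interpretation of 'similar' assumed here)."""
    p = password.lower()
    for part in re.split(r"[^a-z0-9]+", username.lower()):
        for i in range(len(part) - 3):
            if part[i:i + 4] in p:
                return True
    return False


def easily_guessable(password):
    """Strip digits and symbols first so 'Password2013!' is still caught."""
    letters = re.sub(r"[^a-z]", "", password.lower())
    return any(word in letters for word in COMMON_WORDS)


def check_policy(password, username, history, today):
    """Return the list of violated rules (an empty list means compliant).
    history: entries from history_entry(); today: ISO date string."""
    now = date.fromisoformat(today)
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("must be at least 12 characters")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        violations.append("must contain upper and lower case characters")
    if not re.search(r"[0-9]", password):
        violations.append("must contain at least one number")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("must contain at least one special character")
    if similar_to_name(password, username):
        violations.append("cannot be similar to user's name")
    if easily_guessable(password):
        violations.append("cannot be easily guessable")
    for set_on, salt, verifier in history:
        recent = now - date.fromisoformat(set_on) < timedelta(days=REUSE_WINDOW_DAYS)
        # Constant-time comparison of the candidate against each stored verifier.
        if recent and hmac.compare_digest(_verifier(password, salt), verifier):
            violations.append("cannot be re-used for 5 years")
            break
    return violations


def rotation_due(last_set_on, today):
    """True once the current password is 90 or more days old."""
    age = date.fromisoformat(today) - date.fromisoformat(last_set_on)
    return age >= timedelta(days=ROTATION_DAYS)
```

Returning the full list of violations, rather than failing on the first one, is what lets a help desk (slide 23) tell the user every rule they broke in one round trip; the history check is deliberately last because it is the only expensive rule.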
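Slide 27's five steps, worked through as an added Python example (not code from the presentation or from an Oracle product): a session object carries the factors decisions are made on (step 1), one decide() function is the central decision point (step 2), the enforcement point verifies the session's network origin and time of day and attaches them as context (step 3), flags cross-organisation and off-hours access (step 4), and records exports and every denial in an audit list (step 5). Organisations 10, 20 and 30 echo slide 6; the 10.0.0.0/8 internal range, the business hours, the role names and the sample users are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Assumed corporate address range and business hours (constructed values).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59


@dataclass(frozen=True)
class Session:
    """Step 1: the user's session carries the factors decisions are made on."""
    user: str
    roles: frozenset
    org: int            # the user's organisation (10, 20, 30 as on slide 6)
    client_ip: str
    auth_method: str    # "password" or "pki"
    at: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    context: dict


class Recorder:
    """Steps 4 and 5: anomaly alerts and the audit trail, kept apart."""
    def __init__(self):
        self.alerts = []
        self.audit = []


def add_context(session):
    """Step 3: the enforcement point checks where and when the session is
    coming from and attaches that as context for the decision."""
    ip = ipaddress.ip_address(session.client_ip)
    return {
        "network": "internal" if ip in INTERNAL_NET else "external",
        "off_hours": session.at.hour not in BUSINESS_HOURS,
    }


def decide(session, ctx, task, resource):
    """Step 2: the single central decision point. Rules combine roles with
    context (organisation, network, authentication strength), not roles alone."""
    same_org = resource["org"] == session.org
    if task == "read":
        if "admin" in session.roles or ("analyst" in session.roles and same_org):
            return Decision(True, "read permitted", ctx)
        return Decision(False, "read denied: role or organisation mismatch", ctx)
    if task == "export":
        if "admin" not in session.roles:
            return Decision(False, "export denied: admin role required", ctx)
        if ctx["network"] != "internal" or session.auth_method != "pki":
            return Decision(False, "export denied: needs internal network and PKI authentication", ctx)
        return Decision(True, "export permitted", ctx)
    return Decision(False, "denied: unknown task %r" % task, ctx)   # deny all by default


def enforce(session, task, resource, rec):
    """The enforcement point: gather context, ask the decision point, then
    monitor (step 4) and audit (step 5) before returning the decision."""
    ctx = add_context(session)
    d = decide(session, ctx, task, resource)
    if d.allowed and resource["org"] != session.org:
        rec.alerts.append(f"{session.user} accessed org {resource['org']} data from org {session.org}")
    if d.allowed and ctx["off_hours"]:
        rec.alerts.append(f"{session.user} performed {task} off hours at {session.at:%H:%M}")
    if task == "export" or not d.allowed:      # critical actions: exports and every denial
        rec.audit.append({"user": session.user, "task": task, "resource": resource["name"],
                          "allowed": d.allowed, "reason": d.reason, **ctx})
    return d


def demo():
    """Constructed sample sessions acting on the EMP table owned by org 10."""
    rec = Recorder()
    emp10 = {"name": "EMP", "org": 10}
    analyst = Session("scott", frozenset({"analyst"}), 10, "10.1.2.3", "password", datetime(2013, 6, 3, 10, 0))
    admin20 = Session("king", frozenset({"admin"}), 20, "10.9.8.7", "pki", datetime(2013, 6, 3, 3, 0))
    remote_admin = Session("carey", frozenset({"admin"}), 10, "203.0.113.5", "password", datetime(2013, 6, 3, 11, 0))
    results = [
        enforce(analyst, "read", emp10, rec).allowed,        # same org, business hours
        enforce(analyst, "export", emp10, rec).allowed,      # not an admin
        enforce(admin20, "export", emp10, rec).allowed,      # allowed, but cross-org and at 03:00
        enforce(remote_admin, "export", emp10, rec).allowed, # external network, password only
    ]
    return results, rec
```

The fall-through in decide() is the "Deny All; Allow Legitimate" stance of slide 28: a task the policy does not name is refused and lands in the audit trail, so a gap between policy and enforcement (slide 21's first question) shows up as a logged denial rather than a silent success.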

Editor's Notes

  1. Why do people rob banks? … Today, I’d like to talk to you about a practical way to think about creating a secure information environment. As you know, databases house organizations’ most critical assets. The data they contain can be the lifeblood of an organization. Back office and front office are both important, and ensuring that these systems are secure and available to serve the organization has been a primary focus of mine for almost 20 years; I have worked to architect and implement secure databases and data access systems. What I’d like to share is the aggregation of observations and lessons learned from conversations and interactions with peers, partners, and customers. I recognize the diversity in interest and experience that sits in front of me today, so I’ve chosen to share this information as though I were consulting to a CXO. I often do this either proactively or in some cases reactively. As such, I’ll define some terms here to ensure that everyone will be able to follow the discussion.
  2. To outline this discussion, I chose to use a flow to make it simple to follow and easy to remember. Lessons learned in childhood will serve well in this role, and I recall a favorite game that is very relevant to a cyber security discussion: Hide and Seek. There are many variations of the game. I am particularly fond of the one …. Essentially there were really three parts to this: Ready or not, the hunt, and getting to base.
  3. Before we get started, let me clarify a bit more what I want to focus on. I’ll do this in part by saying what I am not focusing on, as I recognize that many of you are focused on these areas. For the sake of brevity, I’ll refrain from the gory details of specific functional areas and the plethora of capabilities available today. Quite frankly, the complexity can be overwhelming, especially at first.
  4. Notes on data points. Over 1.1B Served: 1,138,801,792 is the total number of records compromised across all breaches in each year from 2004 to 2012. The 44 million posted for 2012 should be considered a lower bound of the true sum (because the full record loss was not known in 85% of those breaches). 67%: In addition to the variety and amount, we track the state in which data existed when compromised—stored, transmitted, or processed. This is only done for Verizon IR cases. Two-thirds of breaches involved data stored or “at rest” on assets like databases and file servers. Beyond ATMs, the next six asset varieties largely reflect standard targets in espionage campaigns. The standard event chain of phishing (other/unknown people, desktop, laptop), expanding control (directory), and exfiltration of data (database and file servers) is clear. 76%: Filtering out the large number of physical ATM skimming incidents shows exploitation of weak and stolen credentials as the top breach method.
  5. Here they come. One interesting part of security is the complexity in dimensions, tools, and focus. First lesson, from Ready or Not: you have to do something. It’s tempting to try to find perfect, but it can backfire since you are weighing between many choices of good. 8-9-10 Ready or NOT. It’s the “or NOT” part that keeps us up.
  6. It’s as simple as ABC. I do still think like a child.
  7. http://blogs.rsa.com/rivner/anatomy-of-an-attack We are making it harder on ourselves. Social media has some unintended consequences. Spear phishing and social engineering, two effective ways to compromise, are aided and abetted by, well, by we the people. Posting what we do and where, not just now but for our career, makes it easy to formulate a nefarious dialogue. As RSA recognized, it’s being able to find the right people in the right organizations.
  8. In cryptography, Kerckhoffs's principle (also called Kerckhoffs's desiderata, Kerckhoffs's assumption, axiom, or law) was stated by Auguste Kerckhoffs in the 19th century: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Kerckhoffs's principle was reformulated (or perhaps independently formulated) by Claude Shannon as "The enemy knows the system," i.e., "One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them." In that form, it is called Shannon's maxim. In contrast to "security through obscurity," it is widely embraced by cryptographers. This has profound implications, because many people today still rely on perimeter security, which does nothing for this. It is most prudent to take this approach.
  9. Let’s checkpoint. Insider attacks are not like DDoS. Impact == bad.
  10. Osama taught us that this is still true. It may be easy to hide when there are 100,000s of servers in an organization.
  11. In what is an obvious gross over-simplification, let’s think logically about what has to happen. We have to define the rules, enforce the rules, and manage the rules. This is a simple way to begin to approach the problem. Start with the most critical and most at risk.
  12. Thinking