Secure your databases! It's where all the juicy information is, right? You know that, and hackers know that. Securing an Oracle database is a journey, and you need to take the first step. Come see how you can protect your Oracle Database from hackers.
Tony Decicco, Shareholder, and Leon Schwartz, Associate, both from GTC Law Group & Affiliates, presented "You've got your open source audit report, now what? Best practices for companies of all sizes." For more information, please visit our website at www.blackducksoftware.com
How to determine a proper scope selection based on ISO 27001? (PECB)
Meeting the "generic" requirements of ISO 27001 Clause 4 (Context of the Organization) in order to determine a proper documented scope statement that meets business requirements and adds value to products and/or services.
Main points covered:
• Interested Parties
• Interfaces & Dependencies
• Legal / Regulatory & Contractual Obligations (Risk of Non-Compliance)
• Documented Scope Statement (including locations within Scope)
Presenter:
Mr. David Anders has worked for more than 20 years in the risk management field, managing a broad spectrum of consulting services and product solutions. David has worked in the consulting field for 16 years and is the founder / CEO of SecuraStar, LLC, a niche ISO 27001 consulting firm in the United States, and founder / CEO of ISMS Manager Software, LLC.
Link of the recorded session published on YouTube: https://youtu.be/hSaAvKgAC2c
Vendor Management for PCI DSS, HIPAA, and FFIEC (ControlCase)
ControlCase covers the following:
• Requirements for PCI DSS, HIPAA, Business Associates, FFIEC and Banking Service Providers
• What is Vendor Management
• Why is Continual Compliance a challenge in Vendor Management
• How to mix technology and manual processes for effective Vendor Management
The 3 Phased Approach to Data Leakage Prevention (DLP) (Kirsty Donovan)
https://www.securityforum.org/research/data-leakage-prevention-briefing-paper/
This presentation, drawn from the ISF's latest Data Leakage Prevention briefing paper, provides a 3-phased approach to implementing an effective data leakage prevention programme that goes beyond installing DLP tools and technology.
By implementing a DLP programme, organisations can significantly reduce the risk of data leakage to protect their reputation, avoid litigation, meet regulatory obligations and protect IP.
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: David Knox, Vice President of National Security Solutions, Oracle
Description: With all the constant innovation in cyber, what is “cutting edge”? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear about advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
Visit - https://www.controlcase.com/certifications/
ControlCase discusses the following in the context of PCI DSS and PA DSS:
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
Performing One Audit Using Zero Trust Principles (ControlCase)
In this 45-minute webinar ControlCase, TAG Cyber & Evolve MGA cover the following:
- Introductions – ControlCase, Tag Cyber & Evolve MGA
- What has current cyber security research uncovered so far?
- What are Zero Trust Principles?
- How can Zero Trust Principles be implemented in remote working environments?
- Cyber insurance for modern day exposures
Managing Multiple Assessments Using Zero Trust Principles (ControlCase)
ControlCase discusses the following:
• What is “One Audit” for multiple assessments
• Current Research
• Zero Trust Principles for IT security
• Remote Assessment Methodology
PCI DSS v 3.0 and Oracle Security Mapping (Troy Kitch)
Recent retail data breaches serve as a sobering reminder that the retail industry continues to be a key target of cybercriminals in 2014. In fact, according to the recent Verizon Data Breach Investigations Report, nearly a quarter of all data breaches occurred in retail environments and restaurants. What can organizations do to lower their risk? Watch this slideshare to learn more.
ControlCase covers the following:
- What does SOC stand for?
- What is SOC 2 compliance?
- What is SOC 2 certification?
- What is a SOC 2 report?
- Who can perform a SOC 2 audit?
- How do managed service providers comply with SOC 2?
- How to lower the cost of a SOC 2 audit?
- ControlCase methodology for SOC 2 compliance
Database Auditing Essentials... or... Who did what to which data when and how?
The combination of increasing government regulation and the need for securing corporate data has driven up the need to track who is accessing data in our corporate databases. This presentation discusses these drivers as well as presenting the requirements for auditing data access in corporate databases.
The goal of this presentation is to review the regulations impacting the need to audit, and then to discuss in detail the kinds of things that may need to be audited, along with the several ways of accomplishing this.
7 Key GDPR Requirements & the Role of Data Governance (DATUM LLC)
GDPR is less than a year away. How is your organization making sure it will avoid penalties, fines and punishments? All organizations need to familiarize themselves with the new GDPR requirements and data subject rights as the first step to preventing fines and penalties. This presentation will look at the key requirements of GDPR and certain “best practices” approaches towards company-wide compliance. This presentation was given by Jonathan Adams, Research Director, at the MDM & Data Governance Summit on October 12, 2017 in New York City.
ControlCase covers the following:
• Introduction to PCI PIN Security and Key Management
• Scope and Applicability
• PCI PIN Security V3.0
• Certification Process
Making Data Classification Work for You - 18 Things to Consider When Choosing Data Classification Solutions.
For more information, please visit: http://www.secureislands.com/solutions-classification/
ControlCase covers the following:
• What is PCI DSS?
• What does PCI DSS stand for?
• What is the purpose of PCI DSS?
• Who does PCI DSS apply to?
• What are the 12 requirements of PCI DSS?
• What are the 6 Principles of PCI DSS?
• What are the potential liabilities for not complying with PCI DSS?
• How can we achieve compliance in a cost-effective manner?
ControlCase covers the following based on PCI SSC FAQs, blogs, and PCI SSC presentations from Community Meetings and other PCI SSC public events:
• Current status of PCI DSS (including information publicly available on PCI DSS ver. 4.0)
• PA DSS and upcoming Software Security Framework overview
• P2PE updates and new concepts
• PCI PIN, PCI 3DS and Card Production overview
• Chronological time-frame for various standards
ControlCase discusses the following:
• About the cloud
• About PCI DSS
• PCI DSS in the cloud
• How to keep sensitive data secure as you move to the cloud
• Q&A
Integrated Compliance – Collect Evidence Once, Certify to Many (ControlCase)
ControlCase discusses the following:
• About PCI DSS, ISO 27001, NERC, HIPAA, and FISMA
• Best Practices and Cloud Implications for Comprehensive Compliance within IT Standards/Regulations
• Challenges in the Comprehensive Compliance Space
Log Monitoring and File Integrity Monitoring (ControlCase)
ControlCase discusses the following:
• What is Log Management and FIM
• PCI DSS, EI3PA, ISO 27001 requirements
• Log Management and regulation requirements/mapping
• File Integrity Monitoring and regulation requirements/mapping
• Challenges
Most managers and developers describe Perl as a dangerous programming language that makes source code complicated and confusing. So "safe" languages, which are stricter and less flexible, are chosen for projects. Of course a child's tricycle is safer than a racing car, but there are tasks for which the latter is a far better fit.
Perl is fast and flexible. You just always have to be aware that Perl is dangerous.
This talk presents the strategies and methods collected over many years of using Perl and other "dangerous" languages, which have helped in various projects to develop software faster, avoid logic errors, find bugs, and handle untrusted customer data.
These are the slides from my re:publica talk. You can watch the talk here: http://youtu.be/jM6hP6ERPW8 or skip to the end of this presentation.
On the last weekend of 2013 Marcus was writing a list of things that had really annoyed him during the past 12 months. At the top of the list was Edward Snowden. Confused as to why this might be, he let his mind wander a little and found himself in a managed solutions office in Munich airport. He found himself in a meeting room with a beamer, notepads and a plate of biscuits.
It was 2008 and he’d been given a brief.
Four middle-aged gentlemen in suits enter the room, hands are shaken, the door is locked and coffee is served. The senior man in the room repeats the terms of the meeting and then Marcus is asked to begin.
“The Pledge, The Turn, The Prestige – The Snowden Pitch” is a fictional pitch presentation that approaches the NSA as if it were a client with unlimited budget, an image problem within the espionage community and explores Edward Snowden as the protagonist of the biggest worked shoot the world has ever seen.
The talk explores why the NSA would have done this, what they would have to gain and, more importantly, it considers that which we have not yet seen – The Prestige.
Presentation for PROSA listing some threats and how to reduce risk. Open source: you can reuse the slides for your own presentations: https://github.com/kramshoej/security-courses
Of Hobbits, Amish, Hackers and Technology (or, is technology for humans or vi... (Kaido Kikkas)
Musings on the role of technology, spiced up with lessons from some very different folks (based on Pekka Himanen, Howard Rheingold and J.R.R. Tolkien).
Sakai11 Migration Planning: When Paranoia Leads to Success (robin0red)
Information on migration planning methods used at the University of California, Santa Cruz as it moved from Blackboard to Sakai.
Migration Strategies and Resources and experiences offered by rSmart.
From a presentation I gave to the inaugural meeting of the Hacks & Hackers Ottawa chapter. It's a general survey on data journalism (née computer-assisted reporting).
Profile of the World's Top Hackers Webinar Slides 063009 (Lumension)
Data theft and breaches from cybercrime may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing damage. The current economic climate combined with new technologies such as Web 2.0 and Cloud Computing have undoubtedly created more opportunities for hackers, criminals, and industrial espionage firms who are targeting critical infrastructures and systems to steal sensitive information. This presentation from the Profile of the World's Top Hackers with Byron Acohido of USA Today, Mafiaboy, and Paul Henry provides critical insight into the inner workings of the cybercrime underground and outlines what businesses can do to protect their vital systems and information.
Healthy Paranoia: What Keeps Me Up at Night (Matt Wurst)
With a digital landscape that is constantly changing, social marketers must work with a sense of urgency. This presentation is a summary of what is changing and how to channel our fears to make a positive impact.
The Changing Role of a DBA in an Autonomous World (Maria Colgan)
The advent of the cloud and the introduction of Oracle Autonomous Database Cloud presents opportunities for every organization, but what's the future role for the DBA? This presentation explores how the role of the DBA will continue to evolve, and provides advice on key skills required to be a successful DBA in the world of the cloud.
Business applications like ERP, CRM, SRM, and others are one of the major topics of information security, as these applications store business-critical data and any vulnerability in them can cause significant monetary and reputational loss or even a stoppage of business.
There are several myths about Business Applications Security such as:
Myth 1: Business Applications are available only internally.
Myth 2: ERP security is a vendors' problem.
Myth 3: Business Application internals are very specific and unknown to hackers.
Myth 4: ERP security is all about Segregation Of Duties.
Our findings explode these myths.
Top 10 tips for effective SOC/NOC collaboration or integration (Sridhar Karnam)
Top 10 tips for effective SOC/NOC collaboration or integration. In 5 years the security operation center and IT operation center will integrate and bring more context to security events, and help to search, store, and analyze machine data for operational intelligence.
David Cass discusses the role of security and how best practices can be used to accelerate cloud adoption and success.
Learn more by visiting our Bluemix Hybrid page: http://ibm.co/1PKN23h
Speaker: David Cass (Vice President, Cloud and SaaS CISO)
Best Practices for implementing Database Security Comprehensive Database Secu... (Kal BO)
Best Practices for implementing Database Security: Comprehensive Database Security. Saikat Saha, Product Director, Database Security, Oracle. October 02, 2017.
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era (Luca Martelli)
Data, people and software security: how do they relate to the GDPR security principles? In this new attack landscape, network-centric security is no longer enough because threats come from inside and outside the network. Oracle Identity SOC is an identity-centric, context-aware intelligence and automation framework for security operations centers, backed by advanced user behavior analytics and machine learning to spot compelling events that require automated remediation.
Securing Your Digital Transformation: Cybersecurity and You (SAP Ariba)
The digital transformation journey supported by SAP enables our customers to increase business agility, pursue innovation, and demonstrate growth. Cybersecurity is essential to a successful digital transformation and continues to be even more critical as our integrated suite of SAP Ariba solutions drives technologies to promote connected commerce. Join us in this engrossing session as we outline critical steps to securing your organization’s digital transformation.
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass... (TrustArc)
Artificial Intelligence (AI) has emerged as a transformative force in various industries, from healthcare to finance and beyond. While AI offers incredible opportunities, it also raises ethical, legal, and social challenges that must be addressed. To navigate this complex landscape in the world of privacy, it is crucial to conduct comprehensive Privacy Impact Assessments (PIAs).
Conducting PIAs in this dynamic and evolving world of AI has brought new challenges to the privacy world. With AI increasingly being integrated into different areas of our lives, understanding the intersection between AI and PIAs is essential for any organization to ensure they are privacy forward.
Take advantage of this opportunity to gain a comprehensive understanding of AI impact assessments and their role in shaping the future of AI. In this insightful webinar, our experts will explore the power of Privacy Impact Assessments (PIAs) in ensuring responsible AI development and deployment.
In this webinar, some key topics that will be covered include:
- Introduction to AI PIAs
- PIAs demystified (why they are essential in the context of AI)
- Explore the evolving legal and regulatory landscape governing AI and privacy, including GDPR, CCPA, and other international standards
- Best practices for conducting effective PIAs in AI projects
- Future outlooks for AI and PIAs
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know (PECB)
Data is one of the most crucial assets within an organization, hence, it is highly important to prioritize its security.
How would ISO/IEC 27002:2022 and ISO/IEC 27001 help you in this regard?
The webinar covers:
• ISO/IEC 27001
• Latest changes in the ISO/IEC 27002:2022
• The relation between ISO/IEC 27001 and ISO/IEC 27002:2022
• How the latest changes in the ISO/IEC 27002:2022 impact your business?
Presenters:
Carl Carpenter
Carl is a former CISO of a $6B entity where he was responsible for protecting data of all types and regulatory environments such as FFIEC, HIPAA, and PCI as well as working with the FBI, IRS, and US Department of Labor around investigations relating to money laundering. He has performed assessments against Fortune 10 and 50 companies in the areas of GDPR, CCPA, ISO/IEC 27001 and currently performs CMMC assessments as well as CMMC pre-audit support to help ensure a successful CMMC audit. Prior to that, Carl retired from the US Military where he was involved in counter-terrorist, counter-narcotics, counter-intelligence operations and training foreign military members in these same concepts. Carl is also a PECB trainer in ISO/IEC 27001, ISO/IEC 27032, and CMMC Foundations and holds numerous other certifications.
In 2016, Carl joined Arrakis Consulting, where he started as an auditor, providing CISO-as-a-Service to small or medium sized companies that needed more experience without increased cost. In 2017, Carl added active penetration testing to his portfolio of skills and routinely performs penetration tests against companies of all sizes. Carl also trains people on a variety of skills such as penetration testing, network engineering, network administration, OSI model, subnetting, etc…
Carl holds a Bachelor's from Western Governors University in Network Security and Operations as well as numerous certifications from ITIL, Cisco, CompTIA, Microsoft, CMMC-AB, ISACA, OneTrust, RSA, PCI Council, Citrix, and Novell.
Andreas Christoforides
Mr. Christoforides is an active IT auditor and a trainer for various organizations on Information Security Management Systems. He is a member of the Cyprus Computer Society, a PECB certified trainer for ISO/IEC 27001, ISO 22301 and GDPR CDPO, and a former Deputy Head of IT Infrastructure at a leading Bulgarian bank.
In 2019, he joined BEWISE and delivered to clients a wide range of Cybersecurity projects in the areas of strategy, governance and risk management, data privacy and protection (GDPR), and business resilience and recovery. He conducts IT Risk Assessments and develops IT policies and procedures towards establishing an effective and secure IT Governance framework.
Mr. Christoforides holds a BEng degree from Birmingham City University and a variety of other qualifications from Microsoft and CISCO.
YouTube video: https://youtu.be/tWyuEiXVHnY
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr... (DataWorks Summit)
For firms in the financial industry, especially within regulated organizations such as credit card processors and banks, PCI DSS compliance has become a business and operational necessity. Although the blueprint of a PCI-compliant architecture varies from organization to organization, the mixture of modern Hadoop-based data lakes and legacy systems are a common theme.
In this talk, we will discuss recent updates to PCI DSS and how significant portions of PCI DSS compliance controls can be achieved using the open source Hadoop security stack and technologies for the Hadoop ecosystem. We will provide a broad overview of implementing key aspects of PCI DSS standards at WorldPay, such as encryption management, data protection with anonymization, separation of duties, and deployment considerations regarding securing the Hadoop clusters at the network layer, from a practitioner’s perspective. The talk will provide patterns and practices that map current Hadoop security capabilities to the security controls that a PCI-compliant environment requires.
Speaker
David Walker, Enterprise Data Platform Programme Director, Worldpay
Srikanth Venkat, Senior Director Product Management, Hortonworks
Data Works Berlin 2018 - Worldpay - PCI Compliance (David Walker)
A presentation from the Data Works conference in 2018 that looks at how Worldpay, a major payments provider, deployed a secure Hadoop cluster in order to meet business requirements and in the process became one of the few fully certified PCI-compliant clusters in the world.
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements (Olivier DASINI)
MySQL Enterprise Transparent Data Encryption (TDE) protects your critical data by enabling data-at-rest encryption in the database. It protects the privacy of your information, prevents data breaches and helps meet regulatory requirements including the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and numerous others.
MySQL Enterprise Audit provides an easy to use, policy-based auditing solution that helps organizations implement stronger security controls and satisfy regulatory compliance.
As more sensitive data is collected, stored and used online, database auditing becomes an essential component of any security strategy. To guard against the misuse of information, popular compliance regulations including HIPAA, Sarbanes-Oxley, and the PCI Data Security Standard require organizations to track access to information.
MySQL Enterprise Firewall guards against cyber security threats by providing real-time protection against database-specific attacks. Any application that has user-supplied input, such as login and personal information fields, is at risk. Database attacks don't just come from applications. Data breaches can come from many sources, including SQL virus attacks or employee misuse. Successful attacks can quickly steal millions of customer records containing personal information, credit card, financial, healthcare or other valuable data.
MySQL Enterprise Masking and De-identification provides an easy to use, built-in database solution to help organizations protect sensitive data from unauthorized uses by hiding and replacing real values with substitutes.
MySQL Enterprise Edition provides ready to use external authentication modules to easily integrate existing security infrastructures, including Linux Pluggable Authentication Modules (PAM) and Windows Active Directory.
RapidScale recognizes the need for compliance with the various laws and regulations across different industries. We have established our data encryption, protocols, and procedures to follow the top compliance standards and ensure that customer data remains secure and confidential.
Building Service Intelligence with Splunk IT Service Intelligence (ITSI) (Splunk)
Providing transformational impact and insight into key business services while maintaining operational oversight is often difficult in organizations. To effectively communicate business value and alignment, organizations must find new methods to bridge the gap between business and operations. This half-day hands-on workshop demonstrates how customers can quickly gain insight into high-value services while aligning business and IT Operations using Splunk’s IT Service Intelligence solution. By leveraging the machine data you are already collecting, the exercise provides a transformational method to model high-value services and rapidly build custom visualizations and dashboards. From executive leaders to administrators, these personalized service-centric views provide powerful analytics and machine learning to transform service intelligence across your organization.
Come experience how you can transform service intelligence in your organization.
Similar to How to Protect Your Oracle Database from Hackers (20)
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
3. Oracle E-Business Suite DBA Since 1989
(RDBMS 5, E-Business Suite MPL 6)
Supported many Portland Oracle Shops.
‣ Sequent Computers
‣ Nike
‣ OHSU
Interested in Oracle Security for a long time.
Works for Jibe Consulting.
Jibe Consulting
4. Credited in 3 CPU security notes:
‣ Oracle Critical Patch Update – October 2006
‣ Oracle Critical Patch Update Advisory – October 2008
‣ Oracle Critical Patch Update Advisory – July 2013
‣ A fourth security issue, for Oracle's Hyperion software product, is currently being worked by Oracle Development.
5.
Late last year, I detected a password disclosure issue with E-Business Suite R12, and reported it to Oracle. After I made sure that Oracle Support could replicate the issue, Oracle E-Business Suite Development worked the issue. The password disclosure issue has now been addressed in the July 2013 CPU security patch.
6.
The Carnegie Mellon CERT organization has issued a public advisory about this issue. You can see the advisory here:
http://www.kb.cert.org/vuls/id/826463
As noted in the Oracle Security Alert, the CVE number is: CVE-2013-3749
MOS note: Potential Logging of E-Business Suite Passwords (Doc ID 1579709.1)
8.
You are affected if you have applied any of the E-Business Suite CPU patches: July 2012, Oct 2012, Jan 2013, or Apr 2013. There are also two one-off patches identified that cause the same issue: 12832734 and 10009066. See the MOS note for the latest news about which patches introduce the problem.
If you are affected, please follow the mitigation steps in the note to ensure that your E-Business Suite system is secured.
9.
Note: Even if you have already applied CPU July 2013, you still need to read the note, because some of the mitigation steps will still apply.
I recommend doing the optional password change mitigation step (as well as the other mitigation steps).
10.
There are two major reasons why companies should be interested in Database Security: Data Breaches and Compliance.
Data Breaches: Information about your patients can be useful to identity thieves. There are a number of websites that track data breaches. Data breaches are common, averaging more than one data breach per day. The cost of recovering from a data breach is significant. For the Healthcare industry, one current report states that the average cost is $282 per breached record.
Compliance: There are many compliance requirements. External requirements include HIPAA, Sarbanes Oxley, PCI DSS, various data privacy laws, state data breach laws, industry regulations, etc. Internal requirements include security policies and standards set by the corporate Information Security group.
In order to achieve a return on your investment in Database Security, a company must have a strategy and follow a road map.
12.
Chart: Average Cost of a Data Breach (per record lost). Source: 2008 Annual Study: Cost of a Data Breach (Performed by Ponemon Institute, Sponsored by PGP Corporation)
13.
Chart: Average Cost of a Data Breach (per record lost). Source: 2009 Annual Study: Cost of a Data Breach (Performed by Ponemon Institute, Sponsored by PGP Corporation)
14.
External Compliance Requirements:
‣ HIPAA.
‣ Sarbanes Oxley.
‣ Payment Card Industry Data Security Standard.
‣ ARRA: American Recovery and Reinvestment Act of 2009. Data breach of unsecured PHI requires notification starting 9/15/09.
‣ Other Data Privacy and Data Breach Laws.
15.
Security standards: General rules:
‣ Ensure the confidentiality, integrity, and availability of all EPHI.
‣ Protect against anticipated threats or hazards to the security or integrity of EPHI.
‣ Protect against anticipated unauthorized uses or disclosures of EPHI.
Technical safeguards:
‣ Access control: Required: Unique user identification, Emergency access procedure. Addressable: Automatic logoff, Encryption and decryption.
‣ Audit controls: Required: for activity that uses EPHI.
‣ Integrity: Addressable: Mechanism to authenticate electronic protected health information.
‣ Person or entity authentication: Required: to authenticate users of EPHI.
‣ Transmission security: Addressable: Integrity controls, Encryption.
EPHI: Electronic protected health information. Individually identifiable health information is protected. For example: names, dates, addresses or locations, telephone #, fax #, email, SSN, Med Rec #, license plate, etc.
17. Established: 2004
Employees: 130+
Customers: 200+, Over 1000 Projects
Industry Focus: Retail, Manufacturing (process, industrial & high tech), Consumer Products, Oil & Gas, Engineering and Construction, Life Sciences, Healthcare, Software and Clean Technologies
Principal business areas:
Management Consulting
• Business & IT Alignment Strategy
• Business & Technology Strategy
• Lean Enterprise Process Analysis & Design
• Program / Project Management
Technology Consulting
• ERP Implementations
• Edge Products – PLM, CRM, EPM
• Information Management & Business Intelligence
• Managed Services & Hosting
18.
The Resources
‣ Oracle Gold Partner – Certified Since 2004
‣ Certified Microsoft Partner Since 2006
‣ IBM Business Partner
‣ Authorized reseller of Oracle Products and Education
‣ Dedicated Technology consultants local to the PNW & RMR
‣ 12+ years average industry experience; 8+ years average technology experience
‣ 100% of consultants certified in relevant software or industry accreditations
‣ Managed Services Organization: Onshore resources, Remote systems management, Hosting, Virtualization, Project Jumpstarts
The Experience
‣ Business Intelligence, Enterprise Performance Management, Data Warehousing
‣ Database installation & Upgrades, RAC / Grid, High Availability
‣ Security Assessments
‣ Managed Services: Security, DBMS, Hosting
‣ Virtualization of Database & Packaged Software (ERP, EPM, BI)
‣ SOA Enablement: ESB, Canonical Modeling
‣ Agile based project development methodology for iterative prototyping and rapid implementation techniques
The Tools
‣ Comprehensive Security Audits with Oracle best practices & 3rd party security tools
‣ Complete systems management & monitoring with Oracle Enterprise Manager
‣ Extensive Business Intelligence Solutions with Hyperion, OBIEE, Informatica, Discoverer & Oracle Data Integrator
‣ Experts in Oracle Virtualization, including VMWare, virtual clustering & Storage infrastructure
19.
Review: Set scope and review environment.
Inform: Inform client about security metrics.
Assess: Measure security using chosen metrics.
Rank: Rank issues based on risk.
Recommend: What needs to be done to improve database security?
20.
Jibe Consulting commends Oracle Corporation on providing an excellent checklist for establishing a security baseline for Oracle databases.
Jibe Consulting has enhanced this to provide metrics (for measuring compliance to this security baseline), and processes (for determining compliance).
Where appropriate, Jibe Consulting has also added commentary about security issues related to items in the security checklist.
21.
"The Oracle Database software installation has two modes - typical and custom. For production systems, the custom installation mode can be used to install the minimum set of features and options required. If in the future, you wish to install additional features or options, simply re-run the Oracle installer."
22.
When installing RDBMS, use "custom" to install the minimal set of features.
Do not install sample schemas.
23.
METRIC: Only the minimum Oracle software needed to do the job is installed.
METRIC: XDB listener is not activated if it is not needed.
METRIC: XPT listener is not activated if it is not needed.
METRIC: Sample schemas are not installed.
METRIC: If Sample schemas are installed, the accounts are locked.
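The following script is an added example, not part of the original deck, showing how the five metrics above can be measured from SQL*Plus as a DBA on a 10g/11g database. The list of sample-schema usernames and the decision to disable the XDB HTTP/FTP ports (rather than remove the dispatcher) are this example's assumptions; DBMS_XDB.SETHTTPPORT and SETFTPPORT are the 11g calls and moved to DBMS_XDB_CONFIG in 12c.

```sql
-- Added example (not from the original deck): measure the slide 23 metrics.
-- Run as a DBA. Sample-schema list and XDB handling are this example's choices.

-- 1. Installed options: every TRUE row the application does not need is
--    attack surface that should not have been installed.
SELECT parameter, value
  FROM v$option
 WHERE value = 'TRUE'
 ORDER BY parameter;

-- Installed components and their status (VALID / INVALID / REMOVED).
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 ORDER BY comp_id;

-- 2. XDB protocol server: non-zero ports mean HTTP/FTP endpoints are
--    registered with the listener; 0 means disabled.
SELECT DBMS_XDB.GETHTTPPORT() AS xdb_http_port,
       DBMS_XDB.GETFTPPORT()  AS xdb_ftp_port
  FROM dual;

-- The XDB-specific dispatcher is what registers those ports.
SELECT name, value FROM v$parameter WHERE name = 'dispatchers';
SELECT name, network, status FROM v$dispatcher;

-- Disable the XDB ports if XDB HTTP/FTP access is not needed
-- (assumed remediation; the listener re-registers on the next cycle).
BEGIN
  DBMS_XDB.SETHTTPPORT(0);
  DBMS_XDB.SETFTPPORT(0);
END;
/

-- 3. Sample schemas: are they present, and if so locked and expired?
--    (Assumed list: the sample schemas shipped with 10g/11g.)
SELECT username, account_status, created, profile
  FROM dba_users
 WHERE username IN ('SCOTT', 'HR', 'OE', 'SH', 'PM', 'IX', 'BI')
 ORDER BY username;

-- Generate the statements that lock and expire any sample account still open;
-- run the output, then re-run the query above to confirm.
SELECT 'ALTER USER ' || username || ' ACCOUNT LOCK PASSWORD EXPIRE;' AS fix_sql
  FROM dba_users
 WHERE username IN ('SCOTT', 'HR', 'OE', 'SH', 'PM', 'IX', 'BI')
   AND account_status = 'OPEN';
```

Locking the sample accounts is the fallback; dropping the schemas (DROP USER ... CASCADE) is the stronger fix when nothing depends on them.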
24.
‣ 416132.1: XML Database FAQ
‣ 362540.1: How to Setup XDB Protocol Server: FTP, HTTP, WebDAV
‣ Disable the XDB-specific dispatchers, and restart the listener.
‣ 742156.1: 9iR2: How to Determine if XDB is Being Used in the Database?
‣ 742113.1: 10g: How to Determine if XDB is Being Used in the Database?
‣ 733667.1: 11g: How to Determine if XDB is Being Used in the Database?
‣ 274508.1: Listener Issue: Removing XDB Handlers for HTTP and FTP Ports 8080 and 2100
25.
"The Oracle database installs with a number of default (preset) user accounts. Each account has a default (preset) database password. After successful installation of the database the database configuration assistant (DBCA) automatically locks and expires most default database user accounts. In addition, the password for accounts such as SYSTEM are changed to the value specified during database installation."
26.
METRIC: Most default accounts are locked and expired.
27.
The following SQL can be used to lock and expire database accounts:
sqlplus> connect mydba
sqlplus> alter user jsmith account lock password expire;
29.
The most foolproof way?
Develop and test a password change procedure for all places where passwords are used:
‣ VPN
‣ OS
‣ Database
‣ Middle-tier
‣ Applications (E-Business Suite, etc.)
Generate random, long, complex passwords.
Change ALL passwords.
30.
"Choosing secure passwords and implementing good password policies are by far the most important defense for protecting against password based security threats. Oracle recommends customers use passwords at least 10 values in length. In addition, the complexity of the password is critical. Passwords that are based on dictionary words are vulnerable to "Dictionary based attacks"."
31.
A complex password should contain:
‣ At least 10 values in length
‣ A mixture of letters and numbers
‣ Contain mixed case (Supported in Oracle Database 11g)
‣ Include symbols (Supported in Oracle Database 11g)
‣ Little or no relation to an actual word
32.
METRIC: Password must be at least 10 characters in length.
METRIC: Password must have both letters and numbers.
METRIC: Password must have symbols ("_$#" are allowed prior to 11g).
METRIC: Password must have little or no relation to an actual word.
33.
Prior to 11g: There are some Oracle password cracking programs that, given the password hash, can determine the password. If the password is short and simple, the cracking programs can obtain the password fairly quickly. If the password is long and complex, it takes much longer for the cracking programs to determine the password.
34.
Given this:
1) Choose long, complex passwords.
2) Change passwords reasonably often.
3) Protect the password hashes.
Password hashes are found in SYS tables and also in the password file in ?/dbs/orapw* files.
36.
"While you can use the same password for administrative accounts such as SYSTEM, SYSMAN and DBSNMP, Oracle recommends using different passwords for each. In any Oracle environment, be it production or test, assign strong and distinct passwords to these administrative accounts."
METRIC: Passwords on Administrative accounts are distinct.
METRIC: Passwords on Administrative accounts are strong.
37.
"The default account SCOTT no longer installs with the default password TIGER. The account is now locked and expired upon install. All other accounts installed with a default password that is the same as the user account. If any of these accounts is unlocked, assign a new stronger password. Starting with Oracle Database 11g security administrators can easily check for default passwords by using the new database view DBA_USERS_WITH_DEF_PWD."
38.
METRIC: All open accounts have non-default passwords.
HOW TO CHECK: Run default password scanners.
‣ Oracle's default password scanner:
‣ MOS note 361482.1: Frequently Asked Questions about Oracle Default Password Scanner.
‣ Patch 4926128: ORACLE DEFAULT PASSWORD SCANNER
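As an added example (not from the original deck), the 11g view quoted on slide 37 can drive the check and the lock-and-expire remediation from slide 27 in one pass. The exception list of accounts that must stay open, and the placeholder password, are this example's assumptions; run it as a DBA.

```sql
-- Added example (not from the original deck): default-password sweep on 11g.
-- DBA_USERS_WITH_DEF_PWD lists accounts whose hash matches a known default.

-- 1. Open (not locked) accounts still carrying a vendor default password.
SELECT u.username, u.account_status, u.profile, u.created
  FROM dba_users u
  JOIN dba_users_with_def_pwd d ON d.username = u.username
 WHERE u.account_status NOT LIKE '%LOCKED%'
 ORDER BY u.username;

-- 2. Generate the remediation: lock + expire every default-password account
--    that is not needed. The exclusion list is an assumption for this example;
--    everything on it must get a new strong password in step 3 instead.
SELECT 'ALTER USER ' || u.username || ' ACCOUNT LOCK PASSWORD EXPIRE;' AS fix_sql
  FROM dba_users u
  JOIN dba_users_with_def_pwd d ON d.username = u.username
 WHERE u.account_status NOT LIKE '%LOCKED%'
   AND u.username NOT IN ('SYS', 'SYSTEM', 'DBSNMP', 'SYSMAN');

-- 3. Accounts that must stay open get a new, random password. Double quotes
--    keep the case (11g case-sensitive passwords) and allow symbols.
--    The value below is a placeholder for illustration, not one to reuse.
ALTER USER dbsnmp IDENTIFIED BY "Vq7#pL2!xW9mTz4r";

-- 4. Residual check after running the generated statements and step 3:
--    this count should be zero.
SELECT COUNT(*) AS open_default_pw_accounts
  FROM dba_users u
  JOIN dba_users_with_def_pwd d ON d.username = u.username
 WHERE u.account_status = 'OPEN';
```

The view only knows Oracle's own list of default hashes, which is why slide 40 still recommends running a second scanner with a different list.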
40.
Default password scanners are not all alike. For example, if you compare the Oracle default password scanner (from patch 4926128) and Pete Finnigan's default password scanner, you will find many different username, hash_value combinations that are checked. So, it is good to run multiple default password scanners.
41.
A better solution would be to evaluate all accounts. If an account is not a person account, you should ensure that the password is not defaulted. One way to do this is to change the passwords to strong passwords. The Oracle Database Security Checklist has some guidelines for strong passwords.
42.
One possible method is to use long, randomly-generated passwords. (You can store them in a password safe – randomly generated passwords are difficult to memorize). If you want to use that method, some random password generators can be found here:
https://secure.pctools.com/guides/password/
http://keepass.info/
44.
"Oracle recommends customers enforce failed login, password expiration, password complexity and reuse policies using Oracle profiles and follow best practices defined by Oracle Applications. Oracle Database 11g provides an optional installation choice that will pre-configure a default profile to enforce password expiration and reuse. Oracle recommends that basic password management rules be applied to all user passwords and that all users be required to change their passwords periodically."
45.
METRIC: Accounts are locked out after a certain number of failed logins.
METRIC: Password expiration is implemented.
METRIC: Password reuse policies are implemented.
46.
HOW TO CHECK: Examine the password-related settings in the profiles.
select * from dba_profiles
where resource_name like '%PASSWORD%';
47.
Sample Profile settings:
ALTER PROFILE xyz LIMIT PASSWORD_REUSE_TIME 30 PASSWORD_REUSE_MAX 5;
The last 5 passwords cannot be reused, and a password cannot be reused until 30 days have passed since it was last used.
ALTER PROFILE xyz LIMIT PASSWORD_LIFE_TIME 83 PASSWORD_GRACE_TIME 7;
The password expires after 83 days. The user is then warned at each login during a 7-day grace period, after which (90 days in total) the password must be changed before the account can be used.
48.
ALTER PROFILE xyz LIMIT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME UNLIMITED;
After 3 failed login attempts, the account is locked. You have to manually unlock the account before it can be used again.
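The slides above set the limits one clause at a time; the following is an added example, not from the original deck, that puts the lockout, expiry and reuse limits into one profile and enforces the slide 32 complexity metrics (10+ characters, letters and digits, a symbol, no relation to the username) with a PASSWORD_VERIFY_FUNCTION. The function name, profile name and user jsmith are this example's choices. It must be run as SYS, because Oracle only accepts verify functions owned by SYS.

```sql
-- Added example (not from the original deck): one hardened profile plus a
-- password verify function implementing the slide 32 metrics. Run as SYS.

CREATE OR REPLACE FUNCTION jibe_verify_pwd (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2) RETURN BOOLEAN
IS
    n_alpha  PLS_INTEGER := 0;
    n_digit  PLS_INTEGER := 0;
    n_symbol PLS_INTEGER := 0;
    differ   PLS_INTEGER := 0;
    c        VARCHAR2(1 CHAR);
BEGIN
    -- Metric: at least 10 characters.
    IF LENGTH(password) < 10 THEN
        raise_application_error(-20001, 'Password must be at least 10 characters');
    END IF;
    -- Metric: no relation to the username (the classic default is password = username).
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the username');
    END IF;
    -- Metric: letters, digits and at least one symbol (11g allows any symbol).
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF c BETWEEN '0' AND '9' THEN
            n_digit := n_digit + 1;
        ELSIF UPPER(c) BETWEEN 'A' AND 'Z' THEN
            n_alpha := n_alpha + 1;
        ELSE
            n_symbol := n_symbol + 1;
        END IF;
    END LOOP;
    IF n_alpha = 0 OR n_digit = 0 OR n_symbol = 0 THEN
        raise_application_error(-20003, 'Password needs letters, digits and a symbol');
    END IF;
    -- Must differ from the previous password in at least 3 positions
    -- (old_password is NULL when a DBA sets the password, so skip then).
    IF old_password IS NOT NULL THEN
        differ := ABS(LENGTH(old_password) - LENGTH(password));
        FOR i IN 1 .. LEAST(LENGTH(old_password), LENGTH(password)) LOOP
            IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
                differ := differ + 1;
            END IF;
        END LOOP;
        IF differ < 3 THEN
            raise_application_error(-20004, 'Password must differ more from the old one');
        END IF;
    END IF;
    -- A dictionary-word check (slide 32, last metric) needs a word table;
    -- not included here.
    RETURN TRUE;
END;
/

-- Slides 47-48 limits plus the verify function, in one profile.
CREATE PROFILE secure_users LIMIT
    FAILED_LOGIN_ATTEMPTS    3
    PASSWORD_LOCK_TIME       UNLIMITED
    PASSWORD_LIFE_TIME       83
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_TIME      30
    PASSWORD_REUSE_MAX       5
    PASSWORD_VERIFY_FUNCTION jibe_verify_pwd;

ALTER USER jsmith PROFILE secure_users;

-- Check: a weak password is now rejected with ORA-28003 and the custom message.
-- ALTER USER jsmith IDENTIFIED BY jsmith1;           -- fails: too short, contains username
-- ALTER USER jsmith IDENTIFIED BY "Kq4#mB8!pZ2w";    -- accepted

-- Metric check: every open account should be on the hardened profile.
SELECT username, profile
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND profile <> 'SECURE_USERS'
 ORDER BY username;
```

Assign a separate profile to batch and application accounts: PASSWORD_LIFE_TIME on a service account that nobody rotates turns into an outage, which is why the deck moves to the Secure External Password Store next.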
49.
Number of accounts with passwords that have never been changed:
select count(*) from sys.user$
where user# in (select user_id from dba_users where account_status = 'OPEN')
and ((ptime is null) or (ptime is not null and ptime <= ctime));
50.
Oldest password change time:
select min(ptime) from sys.user$
where user# in (select user_id from dba_users where account_status = 'OPEN')
and ptime is not null
and ptime > ctime;
51.
Secure External Password Store
"The Secure External Password Store feature introduced with Oracle Database 10g Release 2 is designed to help secure batch jobs that authenticate to the database using username / password credentials. The secure external password store uses an Oracle Wallet to hold one or more user name/password combinations to run batch processes and other tasks that run without user interaction."
52.
METRIC: Secure Password Store is used to authenticate batch jobs.
53.
HOW TO CHECK:
How do batch jobs connect to the database? If they need database passwords supplied, then the password needs to be cached somewhere and supplied to the batch job so it can connect to the database.
In 10gR2, there is a feature called the Secure Password Store. This allows you to use an Oracle Wallet to store login credentials for one account per TNS alias. This means that plaintext passwords are not stored anywhere on the system.
54.
Resources:
‣ Oracle® Database Security Guide 10g Release 2 (10.2), Chapter 9 Secure External Password Store.
‣ MOS note 340559.1: Using The Secure External Password Store.
‣ MOS note 759226.1: How To Maintain Multiple Wallets For A Single Database Instance.
55.
Notes:
‣ The sqlnet.ora file location: $TNS_ADMIN/sqlnet.ora, $HOME/.sqlnet.ora
‣ Each Secure Password Store can contain only 1 username/password setting per TNS alias.
56.
"Special attention should be given to managing access to the SYSDBA and SYSOPER roles. As with any database role, careful consideration should be given when granting these roles. Oracle recommends customers refrain from connecting with the SYSDBA role except when absolutely required such as called for by an existing Oracle feature or patching. Moving forward Oracle will be eliminating all dependencies on direct connections using SYSDBA. Large and small organizations should create separate administrative accounts."
57.
METRIC: Database administrators use SYSDBA and SYSOPER login privileges only when necessary.
METRIC: Unsuccessful SYSDBA and SYSOPER connections are audited.
METRIC: Audit logs are monitored for unsuccessful SYSDBA and SYSOPER connections.
58.
HOW TO CHECK:
‣ Ask the DBAs if they only use SYSDBA and SYSOPER privileges when needed.
59.
Make sure auditing is enabled. The INIT.ORA parameter is AUDIT_TRAIL. Writing audit trail records to the OS is recommended by Oracle. The possible settings are:
alter system set audit_trail=os scope=spfile;
Write text file to ADUMP destination.
alter system set audit_trail=db scope=spfile;
Write to AUD$.
alter system set audit_trail='db','extended' scope=spfile;
Write to AUD$ with SQL statements. See 249438.1: 10G: New Value DB_EXTENDED for the AUDIT_TRAIL init.ora Parameter.
alter system set audit_trail='xml' scope=spfile;
Write XML file to ADUMP destination.
alter system set audit_trail='xml','extended' scope=spfile;
Write XML file to ADUMP destination, with SQL statements.
63.
"Oracle recommends that customers implement data dictionary protection to prevent users who have the "ANY" system privileges from using such privileges to modify or harm the Oracle data dictionary.
To enable data dictionary protection, set the O7_DICTIONARY_ACCESSIBILITY parameter to FALSE. This can be accomplished by using Oracle Enterprise Manager Database Control."
64.
METRIC: Data Dictionary Protection is enabled.
HOW TO CHECK:
Ensure that INIT.ORA parameter O7_DICTIONARY_ACCESSIBILITY = FALSE.
65.
"Oracle recommends you avoid granting powerful privileges to new database users, even privileged users. The Oracle DBA role should be granted with caution and only to those privileged users who need full DBA privileges. Special attention should be given when assigning privileges to application schemas. Access to the SYSDBA role should be granted with extreme care and only to those who are in the most trusted position. Auditing should be used to monitor all activities of users connecting with the SYSDBA role or other administrative roles such as the DBA role, CREATE ANY TABLE privilege and so forth. For optimal auditing performance set your audit destination to point to the operating system."
66.
METRIC: The DBA role is only granted to users who need full DBA privileges.
METRIC: The SYSDBA privilege is only granted to users who need SYSDBA privileges.
METRIC: The "… ANY …" privileges are only granted to users who need those privileges.
METRIC: All activities of users connecting with the SYSDBA role are audited.
METRIC: All activities of users who have the DBA role are audited.
METRIC: All usage of "… ANY …" privileges is audited.
67.
HOW TO CHECK:
To see which users have the DBA role:
http://www.petefinnigan.com/who_has_role.sql
68.
To see which users have the SYSDBA role:
select * from v$pwfile_users;
To see which users have "… ANY …" privileges:
select grantee, count(*) num_any_privs
from dba_sys_privs
where privilege like '% ANY %'
group by grantee;
69.
If you wish to delve deeper into specific privileges, you can use the script:
‣ http://www.petefinnigan.com/who_has_priv.sql
To check to see what is currently being audited:
select * from dba_stmt_audit_opts;
select * from dba_priv_audit_opts;
select * from dba_obj_audit_opts;
70.
To audit the SYSDBA activities, see MOS note 174340.1: Audit SYS user Operations. This additional SYS auditing can be enabled by setting the INIT.ORA parameter: AUDIT_SYS_OPERATIONS = TRUE.
To audit activities of users who have the DBA role, determine which users have the DBA role, then activate auditing for those users:
audit all privileges by <user> by access;
71.
To audit the use of "… ANY …" privileges:
Get a list of the "… ANY …" privileges:
select name from system_privilege_map
where name like '% ANY %';
Enable auditing for the use of each of those privileges. Here is a SQL statement that will generate the appropriate AUDIT statements:
select 'audit ' || name || ';' sql_stmt
from system_privilege_map
where name like '% ANY %';
72.
To disable auditing for certain "… ANY …" privileges:
select 'noaudit ' || name || ';' sql_stmt
from system_privilege_map
where name like '% ANY %';
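The checks on slides 66-72 can be run as one sweep; the script below is an added example, not from the original deck or from Pete Finnigan's scripts. It finds DBA holders through nested roles (which a flat DBA_ROLE_PRIVS query misses, and which is why the deck points at who_has_role.sql), lists SYSDBA and ANY privilege holders, turns on the auditing slides 70-71 call for, and then reads the trail back for the slide 57 and 66 monitoring metrics. It assumes AUDIT_TRAIL is DB or DB,EXTENDED (slide 59) so that DBA_AUDIT_TRAIL is populated, and the user jsmith and the 3-failure threshold are placeholders. SYSDBA/SYSOPER connection attempts, successful or not, are always written to the OS audit directory regardless of AUDIT_TRAIL, so for that metric read the adump files (or the Windows event log).

```sql
-- Added example (not from the original deck): privilege sweep and audit for
-- the slide 66 metrics. Run as a DBA; assumes AUDIT_TRAIL=DB or DB,EXTENDED.

-- 1. Who holds DBA, directly or through any chain of roles?
--    Walk DBA_ROLE_PRIVS from the DBA role outwards and keep only users.
SELECT DISTINCT grantee AS dba_user
  FROM dba_role_privs
 WHERE grantee IN (SELECT username FROM dba_users)
 START WITH granted_role = 'DBA'
 CONNECT BY PRIOR grantee = granted_role
 ORDER BY grantee;

-- 2. Who can connect AS SYSDBA / SYSOPER (password file entries)?
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- 3. Every ANY privilege, to users and to roles (roles then need step 1's walk).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '% ANY %'
 ORDER BY grantee, privilege;

-- 4. Turn on the auditing the deck asks for.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;  -- SYS/SYSDBA actions
AUDIT CREATE SESSION WHENEVER NOT SUCCESSFUL;                  -- failed logins
AUDIT SELECT ANY TABLE, CREATE ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE,
      EXECUTE ANY PROCEDURE, CREATE ANY PROCEDURE, ALTER ANY PROCEDURE,
      GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;           -- common ANY privs
AUDIT ALL PRIVILEGES BY jsmith BY ACCESS;                      -- one DBA-role user from step 1

-- 5. Read the trail back.
--    Failed logins per source host and account (ORA-01017 = bad password);
--    the threshold of 3 in a day is an assumed alerting level.
SELECT username, os_username, userhost,
       COUNT(*) AS failures, MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 1
 GROUP BY username, os_username, userhost
HAVING COUNT(*) >= 3
 ORDER BY failures DESC;

--    Every audited action that used an ANY privilege in the last day.
--    SQL_TEXT is filled only with the EXTENDED setting.
SELECT timestamp, username, userhost, action_name, owner, obj_name,
       priv_used, sql_text
  FROM dba_audit_trail
 WHERE priv_used LIKE '%ANY%'
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;
```

The SYSDBA metric on slide 57 is the one this script cannot fully close from SQL: with AUDIT_TRAIL=OS nothing lands in DBA_AUDIT_SESSION, and SYSDBA logins never do, so the adump directory has to be shipped to whatever reads the rest of your logs.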
73. 73
“The topic of PUBLIC privileges is part of Oracle's overall
secure-by-default initiative that started with Oracle
Database 9i. New in the Oracle Database 11g release are
granular authorizations for numerous PL/SQL network
utility packages granted to PUBLIC. If you have upgraded
from a previous release of Oracle Database, and your
applications depend on PL/SQL network utility packages
such as UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP and
UTL_INADDR, the following error may occur when you try
to run the application:
74.
METRIC: Execute permission for UTL_ networking
packages has been revoked from PUBLIC.
METRIC: UTL_FILE_DIR does not include any wildcards.
METRIC: UTL_FILE_DIR does not include sensitive or
protected directories.
METRIC: The UTL_FILE_DIR init.ora parameter is not
used.
METRIC: UTL_FILE access is controlled via DIRECTORY
objects.
75.
HOW TO CHECK:
select * from dba_tab_privs
where table_name in
('UTL_TCP','UTL_SMTP','UTL_INADDR','UTL_HTTP','UTL_MAIL'
)
and grantee = 'PUBLIC';
This should return no rows.
76.
show parameter utl_file_dir
The value of this INIT.ORA parameter should be blank.
select * from dba_directories;
This should return rows.
77.
When granting permissions on run-time facilities such as
the Oracle Java Virtual Machine (OJVM), grant permissions
to the explicit or actual document root file path. This code
can be changed to use the explicit file path.
79.
METRIC: Additional File I/O runtime privileges for Java
use specific directory paths.
80.
HOW TO CHECK:
select * from dba_java_policy
where type_name like '%File%';
81.
There are also Java permissions for network access. Here
is a SQL statement that shows the existing Java
permissions:
select * from dba_java_policy
where type_name like '%Socket%';
As an increased security measure, DBAs may wish to
restrict these Java permissions also.
82.
“Oracle recommends verifying that the database
initialization parameter REMOTE_OS_AUTHENT is
set to FALSE. Setting the value to FALSE creates a
more secure configuration by enforcing server-
based authentication of clients connecting to an
Oracle database. The default setting for this
parameter is FALSE and it should not be changed.”
84.
HOW TO CHECK:
show parameter remote_os_authent
85.
“Limit the number of users with operating system access
on the Oracle Database host. Oracle recommends
restricting the ability to modify the default file and
directory permissions for the Oracle Database home
(installation) directory or its contents. Even privileged
operating system users and the Oracle owner should not
modify these permissions, unless instructed otherwise by
Oracle.
86.
Restrict usage of symbolic links on the operating system.
When providing a path or file to the Oracle database,
neither the file nor any part of the path should be
modifiable by an un-trusted user. The file and all
components of the path should be owned by the DBA or
another trusted operating system account.”
87.
METRIC: Number of users with OS access to database
server is limited.
METRIC: Restrict OS-level access to files with sensitive
content.
METRIC: Files underneath $ORACLE_HOME can only be
modified by DBAs.
METRIC: Nodes above $ORACLE_HOME can only be
modified by administrators.
88.
METRIC: Components of file paths to database files are
only modifiable by a trusted user.
METRIC: Components of file paths to database files are
owned by a trusted user.
METRIC: Use of symbolic links is restricted.
89.
HOW TO CHECK:
Review /etc/passwd with the DBA, to ensure that the
number of users with OS level access is limited.
90.
Scripts to check ownership and permissions of
$ORACLE_HOME files:
find $ORACLE_HOME ! -user oracle -print | xargs ls -ld
find $ORACLE_HOME ! -group oinstall -print | xargs ls -ld
find $ORACLE_HOME -perm -2 ! -type l -print | xargs ls -ld
91.
Navigate up the file path, and do an "ls -ld" to determine if
the node is modifiable by untrusted personnel.
92.
Ensure that the database datafiles are not readable by
persons with non-DBA privileges.
select name from v$controlfile
union select member from v$logfile
union select name from v$datafile
union select name from v$tempfile;
Then, examine the ownership and permissions on the
individual files.
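The checks in slides 91 and 92, scripted as an added example that is not part of the deck: it walks up a file's path reporting components writable by group or others, and flags datafiles that are symlinks, owned by the wrong account, or readable by others. The sample tree, the "oradata_open" directory and the datafile names are constructed for the demo; on a real host pass the paths returned by the v$ query and the oracle account's uid.

```python
import os
import stat
import tempfile

def weak_path_components(path):
    """Walk from path up to '/', returning each component that group or others
    can write; a sticky world-writable directory such as /tmp is tolerated."""
    weak, cur = [], os.path.abspath(path)
    while True:
        mode = os.lstat(cur).st_mode
        sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
        if mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
            weak.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            return weak
        cur = parent

def datafile_findings(paths, expected_uid=None):
    """Report symlinks, unexpected owners and other-read access for the v$ query's files."""
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    findings = {}
    for p in paths:
        st, problems = os.lstat(p), []
        if stat.S_ISLNK(st.st_mode):
            problems.append("is a symbolic link")
        if st.st_uid != expected_uid:
            problems.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
        if st.st_mode & stat.S_IROTH:
            problems.append("readable by others (mode %o)" % stat.S_IMODE(st.st_mode))
        if problems:
            findings[p] = problems
    return findings

def build_sample_tree():
    """Constructed layout, not a real ORACLE_HOME: a private root holding a
    world-writable subdirectory, one 640 datafile and one 644 datafile."""
    root = tempfile.mkdtemp(prefix="ora_sample_")
    open_dir = os.path.join(root, "oradata_open")
    os.mkdir(open_dir)
    os.chmod(open_dir, 0o777)
    good, leaky = os.path.join(root, "system01.dbf"), os.path.join(open_dir, "users01.dbf")
    for f, mode in ((good, 0o640), (leaky, 0o644)):
        open(f, "w").close()
        os.chmod(f, mode)
    return root, open_dir, good, leaky

if __name__ == "__main__":
    root, open_dir, good, leaky = build_sample_tree()
    print(weak_path_components(leaky), datafile_findings([good, leaky]))
```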
93.
“The Oracle Listener should be properly configured
for optimal security. Oracle Database 10g Release 1
and higher uses local OS authentication as the
default authentication mode. This mode requires the
Oracle Net administrator to be a member of the local
DBA group.
94.
You should also consider using a firewall. Proper use
of a firewall will reduce exposure to security related
information including port openings and other
configuration information located behind the
firewall. Oracle Net supports a variety of firewalls.”
95.
METRIC: Listeners prior to 10g have access
controlled via a password.
METRIC: Listeners 10g or later do not have a
password.
METRIC: Firewalls are used to limit SQL*Net
connections from trusted clients only
96.
HOW TO CHECK:
Run:
‣ lsnrctl status
Look for:
‣ Security ON: Local OS Authentication
97.
“The default configuration for external procedures
no longer requires a network listener to work with
Oracle Database and EXTPROC agent. The EXTPROC
agent is spawned directly by Oracle Database and
eliminates the risks that extproc might be spawned
by Oracle Listener, unexpectedly. This default
configuration is recommended for maximum
security.
98.
Having your EXTPROC agent spawned by Oracle
Listener is necessary if you use:
‣ Multi-threaded Agent
‣ Oracle Database in MTS mode on Windows
‣ AGENT clause of the LIBRARY specification or AGENT IN
clause of the PROCEDURE specification such that you can
redirect external procedures to a different EXTPROC agent.
99.
METRIC: Listener configuration files do not have
EXTPROC configured.
METRIC: If EXTPROC functionality is required, it has
been configured securely.
METRIC: EXTPROC_DLLS=ONLY has been used instead
of EXTPROC_DLLS=ALL.
METRIC: A separate listener, running as an
unprivileged user, is used for EXTPROC.
METRIC: Audit who has the CREATE LIBRARY
privileges
100.
HOW TO CHECK:
Review the SQL*Net Listener configuration files:
‣ Are EXTPROC entries present?
‣ If so, is EXTPROC_DLLS=ONLY (used instead of
EXTPROC_DLLS=ALL)?
‣ Is EXTPROC functionality provided via a separate listener?
‣ Is the separate listener running as an unprivileged user?
101.
“When the ADMIN_RESTRICTIONS_LISTENER is set
to ON (Default), runtime changes to the listener
parameters are disabled. To make changes, the
LISTENER.ORA file must be modified and manually
reloaded.”
102.
METRIC: The SQL*Net Listener
ADMIN_RESTRICTIONS parameter is set to ON.
103.
HOW TO CHECK:
Review the listener.ora file. You should see:
‣ ADMIN_RESTRICTIONS_{listener name} = ON
If it is not set, you can edit the listener.ora file
manually.
104.
“Use the Oracle Net valid node checking security
feature to allow or deny access to Oracle server
processes from network clients with specified IP
addresses. To use this feature, set the following
protocol.ora (Oracle Net configuration file)
parameters:
‣ tcp.validnode_checking = YES
‣ tcp.excluded_nodes = {list of IP addresses}
‣ tcp.invited_nodes = {list of IP addresses}
105.
The first parameter turns on the feature, whereas
the latter parameters respectively deny or allow
specific client IP addresses from making connections
to the Oracle listener.”
106.
METRIC: SQL*Net valid node checking is used to
limit access to the SQL*Net listener.
107.
HOW TO CHECK:
Review the
$ORACLE_HOME/network/admin/sqlnet.ora file.
See if these parameters are set.
108.
Oracle recommends limiting client connections from
authorized clients only. This can be activated via the
Database Access Control parameters
(TCP.VALIDNODE_CHECKING,
TCP.EXCLUDED_NODES, and TCP.INVITED_NODES).
This configuration can be done using Oracle Net
Manager.
110.
“Both UNIX and Windows platforms provide a
variety of operating system services, most of which
are not necessary for most deployments. Such
services include FTP, TFTP, TELNET and so forth. Be
sure to close both the UDP and TCP ports for each
service that is being disabled. Disabling one type of
port and not the other does not make the operating
system more secure.”
112.
HOW TO CHECK:
Check which services are enabled on the server. For
Unix, look at /etc/inetd.conf. This will tell you if any
unencrypted services are enabled.
113.
“Consider encrypting network traffic between
clients, databases and application servers. Oracle
supports both SSL using X.509v3 certificates as well
as native network encryption without certificates.”
117.
TRACE_LEVEL_CLIENT = OFF
TRACE_LEVEL_SERVER = OFF
#### TRACE_LEVEL_CLIENT = SUPPORT
#### TRACE_LEVEL_SERVER = SUPPORT
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED
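An added example, not from the deck, that reviews the listener.ora and sqlnet.ora settings called out in slides 100, 103 and 107 together with the server-side encryption parameters above. The parser is a simplified one that reads only top-level NAME = value lines; the sample files, host name and listener name are constructed, and EXTPROC_DLLS=ANY in the sample is the permissive setting the slides refer to as ALL.

```python
import re

def top_level_params(text):
    """Simplified Oracle Net reader: keeps top-level NAME = value lines, skips nested '(' blocks."""
    pattern = r"^[ \t]*([A-Za-z][\w.]*)[ \t]*=[ \t]*(\S.*?)\s*$"
    return {m.group(1).upper(): m.group(2) for m in re.finditer(pattern, text, re.M)}

def listener_names(text):
    """A listener is a top-level key whose value opens an ADDRESS or DESCRIPTION list."""
    pattern = r"^[ \t]*([A-Za-z]\w*)\s*=\s*\(\s*(?:DESCRIPTION|ADDRESS)"
    return [n.upper() for n in re.findall(pattern, text, re.M)]

def review_listener(text):
    """Slide checks: ADMIN_RESTRICTIONS_<name> not ON, EXTPROC present, EXTPROC_DLLS not ONLY:<path>."""
    findings, params = [], top_level_params(text)
    for name in listener_names(text):
        if params.get("ADMIN_RESTRICTIONS_" + name, "").upper() != "ON":
            findings.append("ADMIN_RESTRICTIONS_%s is not ON" % name)
    if re.search(r"extproc", text, re.I):
        findings.append("EXTPROC is configured")
        m = re.search(r'EXTPROC_DLLS\s*=\s*([^\s")]+)', text, re.I)
        value = m.group(1) if m else "unset"
        if not value.upper().startswith("ONLY:"):
            findings.append("EXTPROC_DLLS is %s, not ONLY:<path>" % value)
    return findings

def review_sqlnet(text):
    """Server sqlnet.ora checks: encryption/checksum REQUIRED and valid node checking with a node list."""
    findings, p = [], top_level_params(text)
    for key in ("SQLNET.ENCRYPTION_SERVER", "SQLNET.CRYPTO_CHECKSUM_SERVER"):
        if p.get(key, "").upper() != "REQUIRED":
            findings.append("%s is %s, not REQUIRED" % (key, p.get(key, "unset")))
    if p.get("TCP.VALIDNODE_CHECKING", "").upper() != "YES":
        findings.append("TCP.VALIDNODE_CHECKING is not YES")
    elif not {"TCP.INVITED_NODES", "TCP.EXCLUDED_NODES"} & set(p):
        findings.append("valid node checking is on but no node lists are set")
    return findings

# Constructed samples (hypothetical host and listener) showing the weak settings.
SAMPLE_LISTENER_ORA = """\
LISTENER = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc)
  (PROGRAM = extproc) (ENVS = "EXTPROC_DLLS=ANY")))
ADMIN_RESTRICTIONS_LISTENER = OFF
"""
SAMPLE_SQLNET_ORA = """\
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
TCP.VALIDNODE_CHECKING = YES
"""
```

Running review_listener and review_sqlnet on the two samples returns one finding per weak setting; an empty list means the file meets the metrics checked here.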
118.
“Always apply relevant security patches for both the
operating system and Oracle. Periodically check the Oracle
Technology Network (OTN) security site for details on
security alerts released by Oracle. Also check the Oracle
Worldwide Support Services site, MOS, for details on
available and upcoming security related patches and
application specific secure configuration information.”
119.
METRIC: The latest CPU security patches are applied in
a timely fashion.
120.
HOW TO CHECK:
Use “opatch lsinventory” to get a list of patches that have
been applied, and look up those patches on MOS. Then,
you will know which patches have been applied.
121.
“If you believe that you have found a security
vulnerability in the Oracle Database, submit a
service request to Oracle Worldwide Support
Services using MOS, or email a complete description
of the problem including product version and
platform, together with any scripts and examples to
the following address:
‣ secalert_us@oracle.com”
122.
METRIC: If the DBAs find a security vulnerability,
they report it to Oracle.