by Jeff Scheidel, Oracle
NOTE: hackers hang out in support forums/blogs looking for employee information, insider information, and software with known bugs. (Google Alerts)
Advanced Persistent Threat
- Smart People
- Dedicated People
- People With A Purpose
- Patient, have a purpose, will find a way in, and then sell the info to someone else.
Monitor service accounts!
- they hold more privileges
- they control applications
Do you appreciate the threat?
- Some people get it
  - understand the risks
    - how do you assess the risk?
    - how do you mitigate the risk?
- Some don't
  - concerned about security
  - concerned about compliance (not the same as security!)
- Can't protect what you don't know
- "I don't think we ever tried to be hacked"
Compliance standards
- NERC CIP is identity focused
- PCI, HIPAA, FERPA are data centric
Principles of Access
- Least Privilege
  - Do you have the privs you need?
  - Do you have MORE privs than you need?
  - Do you use the privs you have?
- Validation
  - What privs do you have?
  - Why do you have those privs?
Never let an auditor tell you something you don't already know.
- 69% of data breaches found by external sources -- Verizon Report
Common Sense Policies (What can you do?)
- Account sharing
- Configurations
- Least Privilege
- Awareness
- Third Party Security
- Data on Devices
  - data encryption on laptops
- Patches/Updates
Common Sense Defenses
- Risk Assessment
- Database
  - Privileged Users
    - trust your DBAs, not their accounts
- Apps and Web Services
  - strong authentication
    - multi-factor auth raises security by an order of magnitude
  - intelligent authorizing
Database Security Approaches
- Preventive
  - encryption (if you do NOTHING else)
    - encrypt sensitive fields
    - transparent data encryption
  - redaction
    - leave privilege at field level
  - masking
    - replace sensitive application data
    - make sure referential integrity is preserved
    - application templates available (?)
  - privileged user controls
    - limit database access to application data (for DBAs)
    - multi-factor SQL command rules
  - segregation of duties
    - Application DBA
    - Security DBA
    - Development DBA
- Detective
  - Activity Monitoring
    - identify SQL from non-applications
  - database firewall
  - auditing and reporting
- Administrative
  - privilege analysis
  - sensitive data discovery
  - configuration management
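Masking that keeps referential integrity, as an added illustration that is not from the talk or from any Oracle product: the same keyed digest is applied to every copy of the join key, so child rows still match their parent after sensitive values have been replaced. The table contents, the masking key and the helper names are constructed for this example.

```python
import hmac
import hashlib

# Constructed sample tables (fictitious data). ORDERS references CUSTOMERS
# through customer_id, which is the relationship masking must not break.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "ssn": "123-45-6789", "email": "alice@example.com"},
    {"customer_id": 1002, "name": "Bob Example", "ssn": "987-65-4321", "email": "bob@example.com"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": 19.99},
    {"order_id": 2, "customer_id": 1002, "amount": 5.00},
    {"order_id": 3, "customer_id": 1001, "amount": 42.50},
]

# Hypothetical masking key. Keyed (HMAC) rather than plain hashing, so that
# someone holding only the masked copy cannot rebuild the mapping by hashing guesses.
MASK_KEY = b"demo-masking-key-not-for-production"


def _digest(value, key=MASK_KEY):
    """Deterministic keyed digest: equal inputs always give equal outputs."""
    return int(hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest(), 16)


def mask_id(value):
    """Stable surrogate key that keeps the integer column type."""
    return 900_000 + _digest(value) % 100_000


def mask_ssn(value):
    """Synthetic 9-digit value in SSN layout, derived from the keyed digest."""
    n = _digest(value) % 1_000_000_000
    return f"{n // 1_000_000:03d}-{(n // 10_000) % 100:02d}-{n % 10_000:04d}"


def mask_email(value):
    """Synthetic address on a reserved domain, derived from the keyed digest."""
    return f"user{_digest(value) % 100_000:05d}@example.invalid"


def mask_tables(customers, orders):
    """Return masked copies; every occurrence of a customer_id masks identically."""
    masked_customers = [
        {
            "customer_id": mask_id(c["customer_id"]),
            "name": f"Customer {mask_id(c['customer_id'])}",
            "ssn": mask_ssn(c["ssn"]),
            "email": mask_email(c["email"]),
        }
        for c in customers
    ]
    masked_orders = [dict(o, customer_id=mask_id(o["customer_id"])) for o in orders]
    return masked_customers, masked_orders


def orphaned_orders(customers, orders):
    """Orders whose customer_id matches no customer row (must be empty after masking)."""
    ids = {c["customer_id"] for c in customers}
    return [o for o in orders if o["customer_id"] not in ids]


def orders_per_customer(customers, orders):
    """Join cardinality, used to confirm the masked copy joins like the original."""
    counts = {c["customer_id"]: 0 for c in customers}
    for o in orders:
        counts[o["customer_id"]] += 1
    return sorted(counts.values())


if __name__ == "__main__":
    mc, mo = mask_tables(CUSTOMERS, ORDERS)
    print("orphaned orders after masking:", orphaned_orders(mc, mo))
    print("orders per customer, original vs masked:",
          orders_per_customer(CUSTOMERS, ORDERS), orders_per_customer(mc, mo))
```

The check at the end is the one the "referential integrity" note calls for: the masked child table must have no orphans and must join with the same cardinality as the original, which only holds because the surrogate key is derived from the original key and not drawn at random.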
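An added example, not from the talk, covering the activity-monitoring and privilege-analysis items above together with the "Do you use the privs you have?" check under Principles of Access: a small analyzer over a constructed audit trail that flags service-account SQL arriving from outside the application tier, DBA reads of application data, and granted privileges never exercised in the audit window. The line format, account names, hosts, objects and privilege names are invented for the example and are not Oracle's audit format.

```python
from collections import defaultdict

# Constructed audit trail in a simple "timestamp key=value ..." line format.
# Not Oracle's audit format; accounts, hosts and privilege names are invented.
AUDIT_LINES = """\
2024-01-15T10:02:11Z user=APP_SVC host=app01 prog=JDBC action=SELECT obj=HR.EMPLOYEES priv=SELECT
2024-01-15T10:02:12Z user=APP_SVC host=app01 prog=JDBC action=UPDATE obj=HR.EMPLOYEES priv=UPDATE
2024-01-15T10:05:40Z user=APP_SVC host=laptop-7 prog=sqlplus action=SELECT obj=HR.EMPLOYEES priv=SELECT
2024-01-15T11:00:03Z user=DBA_JANE host=dba-ws1 prog=sqlplus action=ALTER obj=SYSTEM priv=ALTER_SYSTEM
2024-01-15T11:15:20Z user=DBA_JANE host=dba-ws1 prog=sqlplus action=SELECT obj=HR.SALARIES priv=SELECT_ANY_TABLE
2024-01-15T12:30:00Z user=REPORT_SVC host=bi01 prog=ODBC action=SELECT obj=HR.SALARIES priv=SELECT
"""

# Hypothetical baseline: where each service account is expected to connect from.
APP_PROFILES = {
    "APP_SVC": {"hosts": {"app01", "app02"}, "progs": {"JDBC"}},
    "REPORT_SVC": {"hosts": {"bi01"}, "progs": {"ODBC"}},
}

# Hypothetical entitlement export: privileges currently granted to each account.
GRANTED = {
    "APP_SVC": {"SELECT", "UPDATE", "DELETE"},
    "DBA_JANE": {"ALTER_SYSTEM", "SELECT_ANY_TABLE", "DROP_ANY_TABLE"},
    "REPORT_SVC": {"SELECT"},
}


def parse_audit(text):
    """Parse 'timestamp key=value ...' lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        rec = {"ts": ts}
        for kv in rest.split():
            k, v = kv.split("=", 1)
            rec[k] = v
        records.append(rec)
    return records


def sql_from_non_applications(records, profiles):
    """Service-account statements from a host or client program outside its baseline."""
    hits = []
    for r in records:
        p = profiles.get(r["user"])
        if p and (r["host"] not in p["hosts"] or r["prog"] not in p["progs"]):
            hits.append(r)
    return hits


def dba_access_to_app_data(records, dba_users, app_objects):
    """DBA accounts touching application tables they administer but should not read."""
    return [r for r in records if r["user"] in dba_users and r["obj"] in app_objects]


def unused_privileges(granted, records):
    """Granted privileges never exercised in the audit window: revocation candidates."""
    used = defaultdict(set)
    for r in records:
        used[r["user"]].add(r["priv"])
    return {user: privs - used[user] for user, privs in granted.items()}


if __name__ == "__main__":
    recs = parse_audit(AUDIT_LINES)
    for r in sql_from_non_applications(recs, APP_PROFILES):
        print("non-application SQL:", r["user"], r["host"], r["prog"], r["obj"])
    for r in dba_access_to_app_data(recs, {"DBA_JANE"}, {"HR.EMPLOYEES", "HR.SALARIES"}):
        print("DBA read of application data:", r["user"], r["obj"])
    for user, privs in unused_privileges(GRANTED, recs).items():
        print("unused privileges:", user, sorted(privs))
```

On the sample trail the first check catches the application account being driven from a laptop with an interactive client, which is the "trust your DBAs, not their accounts" and "monitor service accounts" point in detectable form; the last check turns the least-privilege questions into a list an entitlement review can act on. A real deployment would widen the window well beyond one day, since rarely used but legitimate privileges (year-end jobs, disaster recovery) look unused in a short sample.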
Document exception processes, so there are NO exceptions.