Oracle Underground Kestner

  • April 2020
  • PDF


Database Security & Compliance Inside Out
Peter Kestner
Technology Director – Database Security
Oracle Core Technology EMEA
26th February 2009

Hack3rs / Insiders --- a view from the underground ---

Information Security Has Changed

1996
• Hobby Hackers
• Web Site Defacement
• Viruses
• Infrequent Attacks

2009
• Rentable professional Hackers
• Criminals
• Denial of Service
• Identity Theft
• Constant Threat

Mythos Hacker

sneakers

Underground naming conventions

Scene

Whitehats

Greyhats

Blackhats (increasing)

Script Kiddies

Criminality

Underground organisation

Organized Computer Crime

Spam

Espionage

Sabotage

(increasing)

(increasing)

Flexible business models

Marketender, Logistician, Programmer

Group Organisations (fast exchange)

Hacking Steps

Preparation Phase
• Targeting
• Information collection
• Social engineering
• Social networking
• Underground scene consolidation

Planning Phase
• Detailed planning
• Risk analysis
• Staffing
• Alternative plans
• Methods
• Techniques
• Choose precautions

HACK
• Attack
• Backdoor installation
• Track cleaning

legal

Illegal

observation

take down

Official statistics, Secret Service Germany
• Dramatic increase in computer crime over the last 12 years (professionalism)
• Highest proportion of damage by insiders (sabotage, spying, information selling)
• Typical hacker is male and over 21; BUT starts at 14 !!!

Profiling Hackers

[Chart. Axes: Criminal Energy against Know How. Groups shown: Prof. Hackers, Industry Spy, Secret Service, Classic Criminal, Insider, Script Kiddies, Interested computer users, Classic Hacker. Marked region: discovered hacks by police and secret service.]

Computer Crime Development

[Chart. Axes: Quality against Time (1980, 1990, 2000, 2009). Labels: Computer Criminality; Hacking Tools; Know How; Enlightenment success.]

Short Facts
• 87% of all databases are compromised over the operating system
• 80% of the damage is caused by insiders
• Only 1% of all professional hacks are recognized
• 10% of all “standard hacks” are made public

Highscore List
• 40 sec: Windows XP SP2
• 55 sec: Windows Vista
• 63 sec: Windows NT4.0 WKST, SP4
• 70 sec: Windows 2003 Server
• 140 sec: Linux Kernel 2.6.
• 190 sec: Sun Solaris 5.9 with rootkit
• ...

List also includes AIX, HPUX, OS2, OSX, IRIX, …

Source: Black Hat Convention 2008

Shopping List 2007/2008
• $50,000: Windows Vista exploit ($4,000 for WMF exploit in Dec 2005)
• $7: per eBay account
• $20,000: medium size BOT network
• $30,000: unknown security holes in well known applications
• $25-60: per 1000 BOT clients / week

Source: heise security, DEFCON 2008, BlackHat 2008

Crisis Shopping List 2009
• $100,000: Destruction of competitor image
• $250,000: Full internal competitor database
• $25: Per credit card account (+ sec code + valid date)
• $20,000: Medium size BOT network (buy or rent)
• $2,000: Stolen VPN connection
• $5,000: Contact to “turned around” insider

Source: heise security, DEFCON 2008, BlackHat 2008

Hacking methods / techniques

Over 80% of all hacks are carried out internally

Active Hack

Passive Hack

Internal Hack

External Hack

Technical Hack

Nontechnical Hack

At the moment, one of the most dangerous and effective methods in the scene

Hack3rs / Insiders

Insider Examples

European headlines 2008:
- Lost top secret document about Al Qaeda (public train)
- Stolen data of thousands of prisoners and prison guards
- Personal information of 70 Mio people lost on unencrypted DVDs
- Bank employee gambled with 5.4 Bio US$
- 88% of admins would steal sensitive corporate information
- Industry espionage by insiders increased dramatically
- Biggest criminal network (RBN) still operating
- Thousands of pieces of hardware equipment stolen @ US Army
- US Army lost 50,000 personal data records of former soldiers
- China's “Red Dragon” organization cracked German gov network
- Liechtenstein affair: Insider vs. Secret Service
- …

Insider Threat
• The outsourcing and off-shoring trend is now becoming a governmental problem (judgement decision)
• Large percentage of threats go undetected
  - huge internal know-how
  - powerful privileges
  - track cleaning
  - “clearance” problem
  - foreign contact persons / turnovers
• Easier exchange of sensitive data (hacker's eBay, RBN, parallel internet, dead postboxes...)

Official Statistics: Databreach Report, Verizon 2008

[Four charts:]
• Industry relation
• Relation internal / external
• 3 years development
• Location of attacking IPs

Conclusion - Best Practice

Conclusion
• Security is a race: if you stop running, you'll lose
• Security IS NOT a product; it is an ongoing living process: Assessment, Protection, Detection, Response
• Security IS an intelligent combination of more areas -> “Big picture”
• Focus on your data, not on the technology

Oracle Security Solutions

Problem
• External Attackers
• Internal Threats
• Image Damage
• Internal Security Regulations
• …

Oracle Solution
• Separation of duties
• Insider threat protection
• Strong access authentication
• Strong encryption (DB/OS/Net)
• Fine grained real time external auditing
• Data consolidation control
• High availability + Security combination

Oracle Security Product
• Advanced Security Options (ASO)
  • Network encryption
  • Transparent data encryption
  • Strong authentication
• Database Vault
• Audit Vault
• Secure Backup
• Virtual Private Database (VPD)
• Oracle Label Security (OLS)
• Data Masking
• Total Recall

Legend: Oracle Differentiator / no competition

Auditing Database Activity for Security and Compliance with Oracle Audit Vault
Pierre Leon
Database Technology Group
Oracle Database Security

The Forrester Wave™: Enterprise Database Auditing And Real-Time Protection, Q4 2007

Oracle Is A Strong Performer In Enterprise Database Auditing; Tops Native DBMS Auditing

Oracle is the technology leader when it comes to databases, and Oracle gives database security and auditing the same level of commitment and focus as other database features. Besides Oracle’s native auditing, Oracle recently released the Audit Vault product, which offers more advanced auditing features including the ability to centralize auditing for large environments that deal with many databases.

© 2008 Oracle Corporation


Risks to Your Data Rising
• Digital data explosion: 1800 exabytes by 2011 (IDC)
• Databases now the most valuable assets
• Face more threats than ever
  • need for greater access to data
  • insider theft and fraud
  • external “insiders”
  • hackers attacking from inside the firewall
• More than 87% of data breaches could have been prevented, more than half the result of business partners or insiders (Verizon Business Risk Team)

Compliance and Privacy Bar Rising
• Hundreds of data protection regulations worldwide and increasing
• 90% companies behind in compliance according to IT Policy Compliance Group
• Data breach disclosure laws have increased visibility and cost
  • Up to $35M/breach to remediate
• Databases are the first place IT auditors look
  • Least privilege
  • Separation of duties
  • Demonstrable controls

Security Always on the Oracle Roadmap

[Roadmap figure; labels in order of appearance:]
• Data Masking
• Oracle Database 11g
• TDE Tablespace Encryption
• Oracle Audit Vault
• Oracle Database Vault
• Transparent Data Encryption (TDE)
• Oracle Database 10g
• Real-Time Column Masking
• Secure Configuration Scanning
• Client Identity Propagation
• Fine Grained Auditing
• Oracle Database 9i
• Oracle Label Security
• Proxy Authentication
• Enterprise User Security
• Oracle 8i
• Virtual Private Database (VPD)
• Database Encryption API
• Strong Authentication
• Native Network Encryption
• Oracle 7
• Database Auditing
• Government Customer

Database Security & Compliance
• Protecting Access to Application Data
• Database Monitoring
• De-Identifying Information
• Data Encryption
• Data Classification

Directly From Our Customers…
• “The quarterly reports we need to prove SOX and HIPAA compliance take too much time to generate.”
• “Our IT auditors told us we need more internal controls especially privileged user monitoring - for compliance.”
• “Our current homegrown solutions cannot scale and it is difficult to keep up with evolving requirements from auditors”
• “We want to self-assess on a continuous basis to ensure we are in compliance before our PCI auditors show up.”
• “We have Oracle database auditing turned on but we don’t have tools for analysing the data.”

Oracle Audit Vault
• Collect and consolidate audit data
• Simplify compliance reporting
• Alert on security threats
• Lower IT costs with audit policies

[Diagram labels: Policies, Reports, Monitor, Security; DB2, Sybase]

Agents collect enterprise audit data into scalable secure Audit Data Warehouse

Audit Data Consolidated and Categorised
• Who: DB user, OS user, Client Identifier
• What: operation, object, transaction time
• Where: database identifier, machine name, terminal identifier, IP address
• More info: Before/after values, SQL text, …
• Built-in reports are categorised based on activity

Oracle Audit Vault Collectors
• Oracle Database Audit Data
  • Sources: Oracle Database 9iR2, 10g, 11g
  • Audit Data Supported:
    • Audit table, OS files, syslog, XML
    • Transaction log
    • Oracle Database Vault audit data
  • Automated Audit Trail clean-up after collection
• Microsoft SQL Server Audit Data
  • Sources: Microsoft SQL Server 2000 & 2005
  • Audit Data Supported:
    • Server side trace
    • Windows event audit
    • C2
• Also: IBM UDB2 and Sybase

Oracle Audit Vault Warehouse
• Scalable
  • Built-in partitioning
  • Oracle RAC certified
• Flexible
  • Open warehouse schema
  • Oracle Business Intelligence Publisher
  • Oracle Application Express
  • Custom or 3rd party tools
• Secure
  • Data encrypted in transit from source to Audit Vault
  • Audit data automatically deleted from source after collection
  • Separation of Duty – Administrator v. Auditor
  • Database Vault protects the audit data

Oracle Audit Vault Reporting
• Built-in customisable compliance reports
  • Privileged user activity, role grants
  • DDL activity
• User defined reports
  • What privileged users did on the financial database?
  • What user ‘A’ did across multiple databases?

Oracle Audit Vault Customised Reports
• Filter audit data
• Highlight audit records using condition values
• Create charts and graphs
• Save and share custom reports

Unified Reports Across All Databases
• Audit data normalised for consolidated reporting

Oracle Audit Vault Alerts
• Efficient scanning
  • Inbound audit data scanning
• Alerts can be defined for
  • Direct views of sensitive data
  • New user creation
  • Role grants
  • “DBA” grants
  • Failed logins
  • Table drops
  • Other enterprise-defined security policies

Oracle Audit Vault Policy Management
• Policy Definition
  • Named, centrally managed, collection of audit settings
  • SOX, HIPAA, PCI
  • Settings can be extracted from any database with auditing configured
• Policy Provisioning
  • Policy audit settings can be applied to databases from the central Audit Vault console
• Policy maintenance
  • Compare and contrast approved policy with current settings
  • Detect and correct policy exceptions

[Diagram labels: Oracle Audit Vault; Privileged User Audit Settings; SOX Audit Settings; Privacy Audit Settings; HR Database; Financial Database; Customer Database]

What Do You Need To Audit?

Database Audit Requirements (table columns: SOX, PCI DSS, HIPAA, Basel II, FISMA, GLBA)
• Accounts, Roles & Permissions: Do you have visibility of GRANT and REVOKE activities?
• Failed Logins: Do you have visibility of failed logins and other exception activities?
• Privileged User Activity: Do you have visibility of users' activities?
• Access to Sensitive Data: Do you have visibility into what information is being queried (SELECTs)?
• Schema Changes: Are you aware of CREATE, DROP and ALTER commands that are occurring on identified tables / columns?
• Data Changes: Do you have visibility into INSERT, UPDATE, MERGE, DELETE commands?
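An added example, not part of the original slides: one way to cover each audit requirement above with Oracle's native (traditional) auditing on a 10g/11g source database, which is the audit trail the Audit Vault collectors read. The table `hr.employees` is a placeholder for a sensitive table, and the parameter settings assume an spfile-managed instance.

```sql
-- Added example; hr.employees is a placeholder, not a name from the slides.

-- Write audit records, including SQL text, to the database audit table.
-- Static parameters: they take effect after the next instance restart.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- Privileged User Activity: log SYSDBA/SYSOPER operations to OS audit files,
-- which the DBA cannot rewrite from inside the database.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Accounts, Roles & Permissions
AUDIT SYSTEM GRANT BY ACCESS;      -- GRANT/REVOKE of system privileges and roles
AUDIT USER BY ACCESS;              -- CREATE/ALTER/DROP USER
AUDIT ROLE BY ACCESS;              -- CREATE/ALTER/DROP/SET ROLE
AUDIT GRANT ON hr.employees;       -- object privilege grants on the table

-- Failed Logins (failed connection attempts only)
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- Access to Sensitive Data
AUDIT SELECT ON hr.employees BY ACCESS;

-- Schema Changes
AUDIT TABLE BY ACCESS;             -- CREATE, DROP and TRUNCATE TABLE
AUDIT ALTER TABLE BY ACCESS;

-- Data Changes
AUDIT INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- Review: who, what, where for failed actions and for the sensitive table.
SELECT username, os_username, userhost, terminal,
       timestamp, action_name, owner, obj_name, returncode, sql_text
FROM   dba_audit_trail
WHERE  returncode <> 0
   OR  (owner = 'HR' AND obj_name = 'EMPLOYEES')
ORDER  BY timestamp;
```

A `returncode` of 0 means the audited action succeeded; a failed login caused by a wrong password is recorded with `returncode` 1017.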

DEMONSTRATION

Oracle Audit Vault

Audit Vault Demo Summary
• Audit sensitive tables on source databases
• Use alerts to detect policy violations in near-real-time
• View alert reports and optionally set up email to be sent to security team when an alert is triggered
• View specific SQL statements executed by users
• View the before/after values of sensitive data changes
• Create customised reports to highlight sensitive table access

Oracle Database Security Solutions
• Database Vault
• Advanced Security
• Audit Vault
• Secure Backup
• Configuration Management
• Total Recall
• Label Security
• Data Masking
