Security Inside Out #USGRockEagle13

Eddie Carter and Orrin Char, Oracle

    • Identity management and security and access management.
    • Eddie wore a UGA shirt. Guy in front of me made fun of him obviously not wanting to sell to Georgia Tech. Turns out he’s from Kennesaw. The GT-UGA rivalry knows no bounds. Love it!
    • Handout: a database firewall does more auditing and ACL enforcement than an enterprise firewall, which controls access to many hosts.
    • 67% records breached from servers. 76% breached through weak or stolen credentials. Discovered by an external party. 97% preventable with basic controls. Source: 2013 Data Breach Investigations Report.
    • Pre-1997: security issues were mistakes. 1998-2007: Privilege abuse. Curiosity. Leakage. 2008-2009: Malicious. Social engineering. Sophisticated attacks. Business data theft. Loss of reputation.
    • Can be fined. Buy services for people affected by the breach.
    • DBAs are the targets. Phishing to get credentials.
    • Change is where gaps are opened. Being more available means more highly privileged users. Consultants and vendors claim they need DBA level access.
    • 80% of IT security programs do not address db security. They address outside computers such as with firewalls. More and more attacks exploit legitimate access applications and user credentials.
    • Supports SQL Server and MySQL.
    • Preventative
      • encryption : If data is stolen in encrypted form, then the breach may not have to be reported? The application should not even know it is encrypted. Network encryption is now free to us. It autonegotiates with the destination. No application changes. Little overhead. Integrated with Oracle technologies. Key management has two layers. The master key lives in a hardware module or in a wallet. The wallet can be tied to hardware and accessed at restart. Data is encrypted with a table or column key. Table and column keys are encrypted with the master key.
      • redaction : Uses ACLs to determine who can see what. It replaces text such as credit card numbers and SSNs; redaction can be full, partial or fixed.
      • data masking for nonproduction use : A copy of production data in test, with test being less secure. Masking means the data is no longer valuable. Finds sensitive columns through templates and converts the data so it is meaningless. Shuffle salaries. ID numbers randomized, even partially. Randomize all but the first two characters of the last name. Can be two-way: values are changed before sending to a partner for processing, then reverted when the data is returned.
      • privileged user controls : Compartmentalization of commands. Prevent consultants from querying certain tables. Creates protective zones around schema objects.
    • Detective
      • activity monitoring :
      • database firewall : Sits on the network. Parses SQL to determine the intent. Whitelist, blacklist and exception list. If a statement matches none, it alerts security and is potentially added to a list. Has a learning mode and a blocking mode. Can return an empty result set to an attacker so they think there are no records.
      • auditing and reporting : Analyze audit-event data. Central audit repository so a hacker is unaware of it. Default and custom reports.
      • conditional auditing framework : if-this-then-that
    • Administrative
      • privilege analysis : Privilege capture mode. Reports which privileges and roles are actually used. Revoke the unnecessary ones.
      • sensitive data discovery : scan Oracle for sensitive fields. data definitions.
      • configuration management : discover and classify databases. scan for secure config.
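
The two-layer key management from the encryption bullet above, as an added illustration (my own code, not Oracle TDE): a master key held in a wallet, a per-table key stored only in wrapped form, and rows encrypted under the table key. One assumption is marked in the code: a keystream derived from HMAC-SHA256 stands in for AES because the Python standard library has no block cipher; the point is the key hierarchy, in particular that rotating the master key re-wraps the table key without rewriting any data.

```python
"""Two-layer key hierarchy: master key in a wallet (or HSM), per-table keys
wrapped by the master key, data encrypted with the table key.
Added illustration; not Oracle TDE code."""
import hashlib
import hmac
import secrets


# ASSUMPTION: a keystream built from HMAC-SHA256 stands in for AES, which the
# standard library lacks. The key-management structure is the point here; a
# real deployment uses a vetted AEAD cipher such as AES-GCM.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    body = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return _keystream_xor(key, nonce, body)


class Wallet:
    """Holds the master key. In production this is an HSM or a password-protected
    wallet file opened at instance restart; the key never leaves that boundary."""
    def __init__(self) -> None:
        self.master_key = secrets.token_bytes(32)


class EncryptedTable:
    """Rows are encrypted under the table's own key; that key is kept only in
    wrapped form, i.e. encrypted with the wallet's master key."""
    def __init__(self, wallet: Wallet, name: str) -> None:
        self.name = name
        self.rows = []
        self.wrapped_table_key = encrypt(wallet.master_key, secrets.token_bytes(32))

    def _table_key(self, wallet: Wallet) -> bytes:
        return decrypt(wallet.master_key, self.wrapped_table_key)  # unwrap

    def insert(self, wallet: Wallet, value: str) -> None:
        self.rows.append(encrypt(self._table_key(wallet), value.encode()))

    def select(self, wallet: Wallet) -> list:
        key = self._table_key(wallet)
        return [decrypt(key, row).decode() for row in self.rows]

    def rotate_master(self, old_wallet: Wallet, new_wallet: Wallet) -> None:
        """Master-key rotation only re-wraps the table key; stored rows are untouched."""
        table_key = self._table_key(old_wallet)
        self.wrapped_table_key = encrypt(new_wallet.master_key, table_key)


def demo() -> dict:
    wallet = Wallet()
    table = EncryptedTable(wallet, "customers")
    table.insert(wallet, "4111-1111-1111-1111")  # constructed test card number
    rows_before = list(table.rows)
    new_wallet = Wallet()
    table.rotate_master(wallet, new_wallet)
    try:
        table.select(wallet)  # the retired master key can no longer unwrap the table key
        old_key_rejected = False
    except ValueError:
        old_key_rejected = True
    return {
        "roundtrip": table.select(new_wallet),
        "rows_rewritten": table.rows != rows_before,
        "plaintext_visible": any(b"4111" in row for row in table.rows),
        "old_key_rejected": old_key_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The split matters operationally: the master key is the only secret that has to live in the wallet or HSM, and rotating it touches one small wrapped blob per table rather than every encrypted row.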
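
The redaction and data-masking bullets above, as one added example (my own code, not Oracle Data Redaction or Data Masking): query-time redaction whose output depends only on the caller's role, one-way masking of an HR extract for a test copy (salaries shuffled, ID digits randomized, last name kept only to its first two letters), and a reversible token map for the two-way partner case. The policy table and the sample rows are constructed for the demo.

```python
"""Role-driven redaction and masking for non-production copies.
Added illustration; not Oracle Data Redaction / Data Masking code."""
import random
import string

# Constructed policy: column -> {role: mode}. Modes follow the notes: "none"
# (see the real value), "partial", "full", or a "fixed" replacement string.
REDACTION_POLICY = {
    "ssn":         {"dba": "none", "auditor": "partial", "support": "full"},
    "card_number": {"dba": "none", "auditor": "partial", "support": "fixed"},
}


def _mask_chars(value: str, keep_last: int = 0) -> str:
    """Replace letters/digits with X, keep separators and the last `keep_last` chars."""
    cut = len(value) - keep_last
    return "".join("X" if c.isalnum() else c for c in value[:cut]) + value[cut:]


def redact(column: str, value: str, role: str) -> str:
    """The stored value is untouched; the result depends only on who is asking.
    Columns or roles without a policy entry fail closed to full redaction."""
    mode = REDACTION_POLICY.get(column, {}).get(role, "full")
    if mode == "none":
        return value
    if mode == "partial":
        return _mask_chars(value, keep_last=4)
    if mode == "full":
        return _mask_chars(value)
    if mode == "fixed":
        return "[REDACTED]"
    raise ValueError(f"unknown redaction mode {mode!r}")


# Constructed HR rows for the masking demo (not real people).
SAMPLE_ROWS = [
    {"id": "EMP-10231", "last_name": "Okonkwo",   "salary": 91000},
    {"id": "EMP-10232", "last_name": "Lindqvist", "salary": 72000},
    {"id": "EMP-10233", "last_name": "Ferreira",  "salary": 58000},
]


def mask_table(rows, seed=None):
    """One-way masking for a test copy: shuffle salaries across rows (distribution
    kept, link to the person broken), randomise the digits of the ID, and keep
    only the first two letters of the last name. Returns new rows; input untouched."""
    rng = random.Random(seed)  # seeded only so the demo is repeatable
    salaries = [r["salary"] for r in rows]
    rng.shuffle(salaries)
    masked = []
    for row, salary in zip(rows, salaries):
        masked.append({
            "id": "".join(rng.choice(string.digits) if c.isdigit() else c for c in row["id"]),
            "last_name": row["last_name"][:2]
                         + "".join(rng.choice(string.ascii_lowercase) for _ in row["last_name"][2:]),
            "salary": salary,
        })
    return masked


class ReversibleMasker:
    """Two-way masking: swap a value for a token before the data goes to a partner,
    keep the mapping in-house, and restore the original when results come back."""
    def __init__(self) -> None:
        self._to_token = {}
        self._to_value = {}

    def mask(self, value: str) -> str:
        if value not in self._to_token:
            token = f"TOK{len(self._to_token):06d}"  # carries no information about the value
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def unmask(self, token: str) -> str:
        return self._to_value[token]


if __name__ == "__main__":
    print(redact("ssn", "123-45-6789", "auditor"))
    print(mask_table(SAMPLE_ROWS, seed=7))
```

Note the asymmetry: one-way masking deliberately destroys the link to the person, so the test copy is worthless if leaked, whereas the reversible mapping is itself sensitive and must stay on the trusted side.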

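The database firewall and conditional auditing bullets above, as one added example (my own code, not Oracle Database Firewall or Audit Vault): each statement is reduced to its intent (verb, target object, filtered or not) with literal values normalised away, so the learning mode builds a whitelist from normal application traffic; in blocking mode, unknown SELECTs get an empty result set and other unknown statements are blocked, while if-this-then-that rules raise audit events independently of the allow/block decision. The sensitive-table list, the application account name and the traffic sample are constructed for the demo.

```python
"""SQL intent classification with whitelist/blacklist/exception lists, learning
and blocking modes, and conditional (if-this-then-that) audit rules.
Added illustration; not Oracle Database Firewall / Audit Vault code."""
import re
from collections import namedtuple

Signature = namedtuple("Signature", "verb obj has_where")
Decision = namedtuple("Decision", "action reason")

SENSITIVE = {"customers"}      # constructed: tables holding regulated data
APP_ACCOUNTS = {"app_svc"}     # constructed: accounts expected to issue SQL

_VERB_RE = re.compile(r"^(select|insert|update|delete|drop|alter|grant|truncate)\b")
_OBJ_RE = re.compile(r"\b(?:from|into|update|table|on|join)\s+([a-z_][a-z0-9_.]*)")


def signature(sql: str) -> Signature:
    """Keep only the statement's shape: literals are replaced by '?' so that
    'WHERE id = 1' and 'WHERE id = 2' share one signature, and a WHERE inside a
    string literal does not count as a filter."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql.strip().lower())  # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)                  # numeric literals
    s = re.sub(r"\s+", " ", s).rstrip(";")
    verb = _VERB_RE.match(s)
    obj = _OBJ_RE.search(s)
    return Signature(verb.group(1) if verb else "other",
                     obj.group(1) if obj else "",
                     " where " in s)


# if-this-then-that: (condition on user and signature, event label)
AUDIT_RULES = [
    (lambda u, s: s.verb in {"drop", "alter", "grant", "truncate"}, "ddl_or_grant"),
    (lambda u, s: s.verb == "select" and s.obj in SENSITIVE and not s.has_where, "bulk_read_sensitive"),
    (lambda u, s: u not in APP_ACCOUNTS and s.obj in SENSITIVE, "interactive_access_sensitive"),
]


class SqlFirewall:
    def __init__(self, mode: str = "learning") -> None:
        self.mode = mode
        self.allowlist, self.blocklist, self.exceptions = set(), set(), set()
        self.alerts, self.audit_events = [], []

    def evaluate(self, user: str, sql: str) -> Decision:
        sig = signature(sql)
        for cond, label in AUDIT_RULES:          # auditing runs regardless of the decision
            if cond(user, sig):
                self.audit_events.append((label, user, sig))
        if self.mode == "learning":
            self.allowlist.add(sig)              # build the whitelist from observed traffic
            return Decision("pass", "learned")
        if sig in self.blocklist:
            self.alerts.append(("blocked", user, sql))
            return Decision("block", "blacklist")
        if sig in self.allowlist or (user, sig) in self.exceptions:
            return Decision("pass", "whitelist")
        self.alerts.append(("unknown", user, sql))  # security decides whether to list it
        if sig.verb == "select":
            return Decision("empty_result", "unknown statement; caller sees no rows")
        return Decision("block", "unknown statement")


def demo() -> dict:
    fw = SqlFirewall(mode="learning")
    # constructed sample of normal application traffic seen during learning
    for sql in ["SELECT name FROM customers WHERE id = 17",
                "SELECT name FROM customers WHERE id = 42",
                "UPDATE orders SET status = 'shipped' WHERE id = 9"]:
        fw.evaluate("app_svc", sql)
    learned = len(fw.allowlist)  # 2: different literal values do not add signatures
    fw.mode = "blocking"
    fw.blocklist.add(signature("DROP TABLE customers"))
    return {
        "learned": learned,
        "known": fw.evaluate("app_svc", "SELECT name FROM customers WHERE id = 99").action,
        "bulk": fw.evaluate("consultant", "SELECT * FROM customers").action,
        "drop": fw.evaluate("consultant", "DROP TABLE customers").action,
        "audit": sorted({e[0] for e in fw.audit_events}),
        "alerts": len(fw.alerts),
    }


if __name__ == "__main__":
    print(demo())
```

Normalising literals is what makes the whitelist usable: a learning window of a few days covers the application's statement shapes without enumerating every parameter value, and anything outside those shapes is by definition worth an alert.
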
Few Care What Google Says About Them

Yeah, I keep writing about identity management. [1][2].

Few Internet users say they Google themselves regularly – about three-quarters of self-searchers say they have done so only once or twice. Study: Googling Oneself Is More Popular

People admit to having looked themselves up once or twice, but few people regularly monitor themselves. I guess it’s not like one’s credit report?

Of course, calling it a vanity search would keep people from looking themselves up online. Few want to be considered vain, right?

Social Marketing

Normally, I consider John Dvorak a crotchety old-timer who doesn’t get human-computer interaction due to his myopic self-centered view. (His use isn’t usually my use, so his gripes seem inapplicable.) Finally, he got one right… almost. In his most recent blog post… er… opinion article, he described people using social networks as “marketing” themselves. Actually, the phrasing is identity management. People use these online tools to appear better than who they really are. Well… Duh. I’ve always thought I should use technology, especially social networking tools, to control what others think about me.

Back in the old days, as a Webmaster, I discovered the friend of a friend of a friend had a LiveJournal (one of the first social network sites, predating even Friendster) blog where she posted a bit of her art work from her classes. I’m not a freelancer, so I gave her some of the freelance web design leads, which she turned into experience to help her get a real graphic design job. Rands might just be realizing that getting a job is a potential use of Twitter. Given that employers Google their job candidates, why not? I am sure there are many reasons why one should strive to maintain a positive image for those taking the initiative to check.

The technology is new, but the purpose is as old as natural selection. We all wish to succeed. Stone tools allowed my distant ancestors to accomplish monotonous tasks faster than others and attract more advantageous mates. Maybe social networks are the modern stone tools?