Security Inside Out #USGRockEagle13

Eddie Carter and Orrin Char, Oracle

    • Identity management and security and access management.
    • Eddie wore a UGA shirt. Guy in front of me made fun of him, obviously not wanting to sell to Georgia Tech. Turns out he’s from Kennesaw. The GT-UGA rivalry knows no bounds. Love it!
    • Handout: a database firewall is more about auditing and ACLs than an enterprise firewall, which controls access to many hosts.
    • 67% of breached records came from servers. 76% of breaches used weak or stolen credentials. Most were discovered by an external party. 97% were preventable with basic controls. Source: 2013 Data Breach Investigations Report.
    • Pre-1997: security issues were mistakes. 1998-2007: privilege abuse, curiosity, leakage. 2008-2009: malicious, social engineering, sophisticated attacks, business data theft, loss of reputation.
    • Can be fined. Buy services for people affected by the breach.
    • DBAs are the targets. Phishing to get credentials.
    • Change is where gaps are opened. Being more available means more highly privileged users. Consultants and vendors claim they need DBA-level access.
    • 80% of IT security programs do not address DB security. They address the perimeter, e.g. with firewalls. More and more attacks exploit legitimate access: applications and user credentials.
    • Supports SQL Server and MySQL.
    • Preventative
      • encryption : If data is stolen in encrypted form, then do you not have to report the breach? The application should not even know the data is encrypted. Network encryption is now free to us; it autonegotiates with the destination, needs no application changes, and has little overhead. Integrated with Oracle technologies. Key management has 2 layers: the master key lives in a hardware module or in a wallet (the wallet can be tied to hardware and accessed at restart); data is encrypted with a table or column key, and table and column keys are encrypted with the master key.
      • redaction : Uses ACLs to determine who can see what. It replaces text such as credit card numbers and SSNs, so a user sees the full value, a partial value, or a fixed value depending on their access.
      • data masking for nonproduction use : A copy of production data ends up in test, and test is less secure. Masking means the data is no longer valuable. Finds sensitive columns through templates and converts the data so it is meaningless: shuffle salaries; randomize ID numbers, even partially; randomize all but the first two characters of a last name. Can be two-way, so data is changed before being sent to a partner for processing and reverted when it comes back.
      • privileged user controls : Compartmentalization of commands. Prevents consultants from querying certain tables. Creates protective zones around schema objects.
    • Detective
      • activity monitoring :
      • database firewall : Sits on the network. Parses SQL to determine the intent. Whitelist, blacklist, and exception list. If a statement matches none, it alerts security and is potentially added to a list. Has a learning mode and a blocking mode. Can return an empty result set to a hacker so they think there are no records.
      • auditing and reporting : Analyzes audit-event data. Central audit repository, so the hacker is unaware of it. Default and custom reports.
      • conditional auditing framework : if-this-then-that
    • Administrative
      • privilege analysis : Privilege capture mode. Reports on which privileges and roles are actually used. Revoke the unnecessary ones.
      • sensitive data discovery : Scans Oracle for sensitive fields using data definitions.
      • configuration management : Discovers and classifies databases. Scans for secure configuration.
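The data masking bullet above describes one-way masking for test copies (shuffle salaries, randomize ID digits beyond a prefix, keep the first two letters of a last name) and two-way masking for data sent to a partner. The following is an added example, not Oracle's product or code from the talk, that implements both on a small constructed table; the row layout, seed and the `TokenVault` mapping design are assumptions for illustration.

```python
import random
import string

# Constructed sample "production" rows (not real people or data).
PRODUCTION_ROWS = [
    {"id": "123456789", "last_name": "Carter", "salary": 52000},
    {"id": "987654321", "last_name": "Char", "salary": 61000},
    {"id": "555443322", "last_name": "Freelove", "salary": 48000},
    {"id": "111222333", "last_name": "Bulldog", "salary": 75000},
]


def shuffle_column(rows, column, rng):
    """Shuffle one column's values across rows: the set of values (totals,
    averages) stays realistic for testing, but no value is linked to its owner."""
    values = [r[column] for r in rows]
    rng.shuffle(values)
    return [dict(r, **{column: v}) for r, v in zip(rows, values)]


def randomize_digits(value, keep_prefix, rng):
    """Keep the first `keep_prefix` characters of an ID and randomize the rest,
    so a partial structure survives but the real number does not."""
    head, tail = value[:keep_prefix], value[keep_prefix:]
    return head + "".join(rng.choice(string.digits) for _ in tail)


def mask_last_name(name, rng, keep=2):
    """Keep the first `keep` characters and randomize the remainder, same length."""
    head, tail = name[:keep], name[keep:]
    return head + "".join(rng.choice(string.ascii_lowercase) for _ in tail)


def mask_for_test(rows, seed=2013):
    """One-way masking for a nonproduction copy. Returns new rows; input untouched."""
    rng = random.Random(seed)  # seeded only so the example is repeatable
    masked = shuffle_column(rows, "salary", rng)
    for r in masked:
        r["id"] = randomize_digits(r["id"], keep_prefix=3, rng=rng)
        r["last_name"] = mask_last_name(r["last_name"], rng, keep=2)
    return masked


class TokenVault:
    """Two-way masking: each real value gets a random surrogate of the same shape.
    The mapping lives only inside the vault (assumed to stay on our side), so the
    partner sees surrogates and returned results can be mapped back."""

    def __init__(self, rng):
        self.rng = rng
        self.forward = {}  # real value -> surrogate
        self.reverse = {}  # surrogate -> real value

    def mask(self, value):
        if value not in self.forward:
            while True:
                surrogate = "".join(self.rng.choice(string.digits) for _ in value)
                # surrogate must be unique and must not equal the real value
                if surrogate not in self.reverse and surrogate != value:
                    break
            self.forward[value] = surrogate
            self.reverse[surrogate] = value
        return self.forward[value]

    def unmask(self, surrogate):
        return self.reverse[surrogate]


if __name__ == "__main__":
    for row in mask_for_test(PRODUCTION_ROWS):
        print(row)
    vault = TokenVault(random.Random(1))
    token = vault.mask("123456789")
    print(token, "->", vault.unmask(token))
```

The shuffle keeps the salary distribution intact for load or report testing while breaking the link between a salary and a name, which is exactly why the masked copy stops being valuable to someone who steals the test database.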

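The database firewall bullet in the notes above describes parsing SQL for intent, matching against whitelist and blacklist, a learning mode versus a blocking mode, alerting on unknown statements, and returning an empty result to an unwanted query. This added example (mine, not Oracle's product, which the notes say is a network appliance) models those decisions in Python: a statement is reduced to its shape by replacing literals, and the shape is matched against the lists. The `SqlFirewall` class, the `normalize` rules and the sample statements are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SqlFirewall:
    allow: set = field(default_factory=set)   # whitelist of learned/approved shapes
    block: set = field(default_factory=set)   # blacklist of forbidden shapes
    mode: str = "learning"                    # "learning" or "blocking"
    alerts: list = field(default_factory=list)  # unknown shapes seen while blocking


def normalize(sql):
    """Reduce a statement to its shape: drop comments, replace string and numeric
    literals with '?', collapse whitespace, lowercase. So 'WHERE id = 7' and
    'WHERE id = 8' become the same shape, but an extra predicate does not."""
    sql = re.sub(r"--[^\n]*", " ", sql)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)      # string literals
    sql = re.sub(r"\b\d+(?:\.\d+)?\b", "?", sql)    # numeric literals
    return re.sub(r"\s+", " ", sql).strip().lower()


def classify(fw, sql):
    """Decide what to do with one statement. Returns (verdict, shape).
    Blacklist wins over whitelist; unknown shapes are learned in learning mode
    and alerted on (and blocked) in blocking mode."""
    shape = normalize(sql)
    if shape in fw.block:
        return "block", shape
    if shape in fw.allow:
        return "allow", shape
    if fw.mode == "learning":
        # Learning mode should only ever see known-good application traffic;
        # everything it sees becomes part of the whitelist.
        fw.allow.add(shape)
        return "learned", shape
    fw.alerts.append(shape)
    return "block", shape


def execute(fw, sql, run):
    """Front the database: allowed statements run via `run`; blocked statements
    get an empty result set, so the caller cannot tell whether rows exist."""
    verdict, _ = classify(fw, sql)
    if verdict in ("allow", "learned"):
        return run(sql)
    return []


if __name__ == "__main__":
    fw = SqlFirewall()
    # Constructed: the schema object a consultant must not query.
    fw.block.add(normalize("SELECT ssn FROM students"))
    print(classify(fw, "SELECT name FROM students WHERE id = 42"))
    fw.mode = "blocking"
    print(classify(fw, "select name from students where id = 7"))
    print(classify(fw, "SELECT ssn FROM students"))
    print(execute(fw, "SELECT * FROM students", lambda s: [("row",)]))
    print(fw.alerts)
```

Keying the lists on statement shape rather than raw text is what makes the "parse to determine intent" idea work: the application's normal queries collapse to a small, stable whitelist, and anything that does not fit it stands out for the security team to review.
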
Conservatory A Perspective

Conservatory A perspective

Originally uploaded by Ezra F

Today is a Baha’i holy day, so I took the day off from work. Rather than sleep in and throw off my sleep schedule, I ventured over to the State Botanical Garden of Georgia during the morning wonder light. The garden routinely pays off in great flower photos.

The Conservatory here looks like the outside of an A or upside down V. Clouds on reflective surfaces rock.

I'm No Daisy... But This Is Patriotic Mocker

Relative Truth

Found an interesting comment on an article about the state of Georgia observing Confederate Memorial Day….

The truth of history means very little to those who are dead set against learning anything from it. No matter what the history books used in our public school system say, most will never believe anything other than their own opinion about the Civil War. History revisionist are the celebs of the day. As long as people like Rev. Wright, and David Duke exist, history’s truth will be filtered through lies and distortions. Few observe Confederate Memorial Day: UGA to display original constitution; state offices closed

Truth may very well be completely relative. Back during the US Presidential election, I ran across an interesting article in the Washington Post discussing research John Bullock did about the effects of misinformation and ideological bias. I used to think it had to do with a handful of people stuck in their green, second amendment, pro-life, pro-choice, capitalist, regulation views. My favorite pastime in college was assuming positions contrary to others even when I agreed with them.

I doubt the effect solely affects conservatives as was proposed in the article. More likely everyone has some blind spots in determining truth from myth or fiction, kind of like optical illusions. (Yes, even myself.) We have to choose which information to believe any time we interact with information. Many of the rules in philosophy and science are built around combating the biases we have.

Rather than force ideas on others, I think we should be teaching children from an early age to recognize when others, and most especially they themselves, are operating under a bias. It’s the only way to find detachment.

Flickr Search

Flickr has millions of photos. (Maybe billions.) Many of these photos are tagged. One can look at all the photos with a tag. Every tag has a built in RSS feed. However, to view a combination of tags, one needs to search for the two tags.

Something I would like to see is an RSS feed for Flickr searches. Otherwise I have to choose between duplication, seeing the same picture more than once, or missing photos because users are… inconsistent with their tags.

This is easier than me moving some place else.
🙂

Resolutions For 2009

  1. Read 10,000 pages of science, economics, health, history, or policy books. For 2008, it was read 25 books. This year, I thought to change it to page-based as the previous one shied me away from larger books. Two 350-page books vs one 700-page book shouldn’t be a concern. See Reading for last and this years’ progress.
  2. Be more social. A lot of will power is required to force myself to attend social events. Over the years it has only gotten worse. Before it reaches the point of requiring professional help, I probably ought to change my habits.

Useful resolutions to me are things I realistically can and will accomplish applying moderate effort. Making too hard of a challenge will result in giving up too quickly. Making too easy of a challenge will result in doing something I would do anyway. Last year was the first time in a really long time I even bothered other than using 43things to make some goals I rarely have met more by accident than any real intent.

Some resolutions I would pick I already do to the extent I realistically would….

  • Take the stairs and walk more. I already do these, and that is as far down the exercise-more resolution as I realistically will go.
  • Eat better. I already mostly avoid red meat and eat lots of green vegetables.
  • Spend more time with family.

There are resolutions I would never actually keep without support from family and friends I don’t really have to keep me honest and stick to the narrow path….

  • Less fat, less sugar, no soda, no sweet tea.
  • Exercise more.
  • Finances.
  • Organization.
  • Less time spent in front of the TV or computer.
  • More blogging.
  • I already do not smoke or drink alcohol.
  • Get a Master’s Degree.

Hmmmmmm… Resolutions are bad for your health?

I haven’t checked my blog in a long while.


Follow-up on resolution #1. Apparently I did not follow up on the 2nd?

Details Matter

During the UGA vs. Arizona State game, a number of us who post pictures of Athens, GA on Flickr met to hang out and shoot. With just seven of us there, we were able to stay as one group and get shots of stuff and each other. I enjoyed meeting new people with similar interests.

The photographers who showed:

Still need to go through what I took. I certainly wasn’t prepared. First, I forgot the release plate for my tripod so it was useless. Next, I forgot the CF card for the Rebel. So I ended up using the Elph the whole night. I think I got some good ones anyway. I’d have been happier to take a crack at them with the Rebel.

Insect-ival

Got some pictures down at the botanical garden today. Reviewed a few and posted them over at Freelove Photography (tagged Insect-ival). I’ll get everything on Flickr eventually.

Insect-ival was cute. I’m not sure what I was expecting, but 400+ screaming kids wasn’t it. The best part was the butterfly release, where the few stragglers that could not escape ended up with the kids who got to play with them.

Saw a familiar face I had only seen from afar, wielding two SLRs and a utility photographer’s belt. I have yet to sink that far down the photography rabbit hole. Only got his first name, but I think this is his blog: fotodave. Amazing stuff!

We Need a 4th Vista DBA / Technical Support

Work for OIIT!

Become our 4th DBA / technical support person for our team.

  • Located in Athens, GA (college town, UGA football)
  • $, benefits, generous leave, rare snow
  • we love open source
PDF of GeorgiaVIEW DBA position

Check out the PDF (right) for more information.

Sorry for the convoluted route to the application…

  • Click this link to go to our HR site.
  • Click the “View Job Postings / Apply for Job” link.
  • Check the “Information Instructional Tech” box.
  • Enter “learning” for the keyword and click search.
  • “Systems Support Specialist 3” is our DBA position. We also have a Business Systems Analyst position, which is less technical.

We’d love to have you.

Public Performance and Universities

Since restaurants get sued for not paying royalties for public performances of copyrighted music, it seems likely that playing a song at an athletic event is a public performance. I wonder how much UGA Athletics, or just UGA, pays ASCAP for the ability to do this? Certainly, it’s not academic use.
🙂

Youuuuuuu – Red & Black Sports

In a craze that has swept much of the nation, the “Soulja Boy” dance has caught on in a big way with Georgia football. During home games against Ole Miss and Auburn when the Bulldogs were down, the song has cranked through the speakers and pumped up the players on the sideline, to the delight of the fans.

On an unrelated note: if the RIAA gets its way through a US House bill, then universities will have to pay millions in monthly subscription fees whether or not individual students are downloading music. Plus, they have to prove they are stopping students from downloading illegally. The repercussion of not doing these things would be the loss of federal financial aid.

tag: ASCAP