Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Welcome, Guest. Please Login.
Nov 19th, 2017, 4:28am
News: Welcome to Pete Finnigan's Oracle security forum
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Security In General
   Security
(Moderator: Pete Finnigan)
   Start your security project with awareness
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Start your security project with awareness  (Read 1705 times)
Marcel-Jan
PeteFinnigan.com Junior Member
**






   
View Profile | WWW |

Gender: male
Posts: 83
Start your security project with awareness
« on: Jan 11th, 2010, 11:11am »
Quote | Modify

I have done some longer term security projects now (I mean: beyond auditing) and I want to share one experience with you.
 
Often security (hardening) projects have been started because the organisation saw the necessity of being more secure. Sometimes it is driven by management and sometimes it is driven by IT personel.
 
It is my experience that a lot of people don't know why security projects are done. Very few people actually know what is going on in the world concerning hacking, breaches and security. They only see that they lose permissions because of your actions as a security specialist.
 
That is a problem because when hardening the infrastructure you need the cooperation of many people: management, system administrators, DBAs, application administrators and developers. In one project I discovered that you can only make very slow progress if not everybody is on the same page in this. Vulnerabilities you solved one week are sometimes back the next week. It's like that snail that works it's way up a wall: climbing 2 inches and falling 1 inch.
 
So how to solve this? Authority? Charisma? Mandate from management? Well probably, but it is better if everyone is working to achieve the same result.
 
So at one time I decided to do something I should have done at first in the project: give a presentation on security awareness. It took only 45 minutes with 15 minutes for questions.  
 
Nowadays I start my awareness presentation with a little shock effect. I show some stills from the "Health Records for Sale" documentary and tell them about how health records can be bought in India for 4,50 euros per record and how every detail is in them: disorders, medications and the patients financial situation.
 
Then I show some statistics from the Verizon Business Breach report from 2008 (http://www.verizonbusiness.com/resources/security/databreachreport.pdf) and ask the audience to guess some of them. Interaction is pretty important by the way, because you want your audience to think with you. Let them guess how long it usually takes for a breach to be discovered (months!). In the end I show how these problems can occur. I show them something about the data flow (I like that idea, Pete. Hope you don't mind me using it Smiley).
 
I haven't had much time to see the results, but I think that the attitude towards security has changed at this site since my presentation. The last time I audited a database there. I considered the database security 9 out of 10.
 
In october Transfer Solutions, my employer, asked me to write a page about database security for an event called the Oracle Database Cruise (in Dutch) http://www.oracledatabasecruise.nl. So I decided to start with security awareness here also. You can download a security awareness presentation (in Dutch) http://www.oracledatabasecruise.nl/dl/Beveiligingsbewust.ppt and there is even a movie where I demonstrate the presentation http://www.oracledatabasecruise.nl/week6/video2/.
 
It is all in Dutch now, but I'm planning to make an English version also, so everyone can download the presentation and spread the word.
IP Logged
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board