Pete Finnigan's Oracle Security Forum
Topic: Start your security project with awareness  (Read 2760 times)
Pete Finnigan
PeteFinnigan.com Administrator
« on: Jan 11th, 2010, 11:11am »

I have done some longer-term security projects now (I mean: beyond auditing) and I want to share one experience with you.
 
Often security (hardening) projects have been started because the organisation saw the necessity of being more secure. Sometimes it is driven by management and sometimes it is driven by IT personnel.
 
It is my experience that a lot of people don't know why security projects are done. Very few people actually know what is going on in the world concerning hacking, breaches and security. They only see that they lose permissions because of your actions as a security specialist.
 
That is a problem because when hardening the infrastructure you need the cooperation of many people: management, system administrators, DBAs, application administrators and developers. In one project I discovered that you can only make very slow progress if not everybody is on the same page in this. Vulnerabilities you solved one week are sometimes back the next week. It's like that snail that works its way up a wall: climbing 2 inches and falling 1 inch.
 
So how to solve this? Authority? Charisma? Mandate from management? Well probably, but it is better if everyone is working to achieve the same result.
 
So at one time I decided to do something I should have done at first in the project: give a presentation on security awareness. It took only 45 minutes with 15 minutes for questions.  
 
Nowadays I start my awareness presentation with a little shock effect. I show some stills from the "Health Records for Sale" documentary and tell them about how health records can be bought in India for 4.50 euros per record and how every detail is in them: disorders, medications and the patients' financial situation.
 
Then I show some statistics from the Verizon Business Breach report from 2008 (http://www.verizonbusiness.com/resources/security/databreachreport.pdf) and ask the audience to guess some of them. Interaction is pretty important by the way, because you want your audience to think with you. Let them guess how long it usually takes for a breach to be discovered (months!). In the end I show how these problems can occur. I show them something about the data flow (I like that idea, Pete. Hope you don't mind me using it.)
 
I haven't had much time to see the results, but I think that the attitude towards security has changed at this site since my presentation. The last time I audited a database there, I considered the database security 9 out of 10.
 
In October Transfer Solutions, my employer, asked me to write a page about database security for an event called the Oracle Database Cruise (in Dutch) http://www.oracledatabasecruise.nl. So I decided to start with security awareness here also. You can download a security awareness presentation (in Dutch) http://www.oracledatabasecruise.nl/dl/Beveiligingsbewust.ppt and there is even a movie where I demonstrate the presentation http://www.oracledatabasecruise.nl/week6/video2/.
 
It is all in Dutch now, but I'm planning to make an English version also, so everyone can download the presentation and spread the word.

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html