Oracle Security is easier if you design for it
View Profile | WWW | Email
Start your security project with awareness
« on: Jan 11th, 2010, 11:11am »
Quote | Modify
I have done some longer term security projects now (I mean: beyond auditing) and I want to share one experience with you.
Often security (hardening) projects have been started because the organisation saw the necessity of being more secure. Sometimes it is driven by management and sometimes it is driven by IT personel.
It is my experience that a lot of people don't know why security projects are done. Very few people actually know what is going on in the world concerning hacking, breaches and security. They only see that they lose permissions because of your actions as a security specialist.
That is a problem because when hardening the infrastructure you need the cooperation of many people: management, system administrators, DBAs, application administrators and developers. In one project I discovered that you can only make very slow progress if not everybody is on the same page in this. Vulnerabilities you solved one week are sometimes back the next week. It's like that snail that works it's way up a wall: climbing 2 inches and falling 1 inch.
So how to solve this? Authority? Charisma? Mandate from management? Well probably, but it is better if everyone is working to achieve the same result.
So at one time I decided to do something I should have done at first in the project: give a presentation on security awareness. It took only 45 minutes with 15 minutes for questions.
Nowadays I start my awareness presentation with a little shock effect. I show some stills from the "Health Records for Sale" documentary and tell them about how health records can be bought in India for 4,50 euros per record and how every detail is in them: disorders, medications and the patients financial situation.
Then I show some statistics from the Verizon Business Breach report from 2008 (http://www.verizonbusiness.com/resources/security/databreachreport.pdf) and ask the audience to guess some of them. Interaction is pretty important by the way, because you want your audience to think with you. Let them guess how long it usually takes for a breach to be discovered (months!). In the end I show how these problems can occur. I show them something about the data flow (I like that idea, Pete. Hope you don't mind me using it ).
I haven't had much time to see the results, but I think that the attitude towards security has changed at this site since my presentation. The last time I audited a database there. I considered the database security 9 out of 10.
In october Transfer Solutions, my employer, asked me to write a page about database security for an event called the Oracle Database Cruise (in Dutch) http://www.oracledatabasecruise.nl. So I decided to start with security awareness here also. You can download a security awareness presentation (in Dutch) http://www.oracledatabasecruise.nl/dl/Beveiligingsbewust.ppt and there is even a movie where I demonstrate the presentation http://www.oracledatabasecruise.nl/week6/video2/.
It is all in Dutch now, but I'm planning to make an English version also, so everyone can download the presentation and spread the word.