oracle underground kestner
TRANSCRIPT
Database Security & Compliance Inside Out
Peter Kestner, Technology Director – Database Security, Oracle Core Technology EMEA
26th February 2009
Hack3rs / Insiders: a view from the underground
Information Security Has Changed
1996
• Hobby Hackers
• Web Site Defacement
• Viruses
• Infrequent Attacks
2009
• Rentable professional Hackers
• Criminals
• Denial of Service
• Identity Theft
• Constant Threat
Mythos Hacker / sneakers
Underground naming conventions (figure): Whitehats, Greyhats, Blackhats (criminality increasing); Script Kiddies; Scene
Underground organisation
• Programmer
• Logistician
• Vendor (“Marketender”)
• Spam, Espionage (increasing)
• Sabotage (increasing)
Organized Computer Crime
• Flexible business models
• Group organisations (fast exchange)
Hacking Steps
Preparation Phase
• Targeting
• Information collection
• Social engineering
• Social networking
• Underground scene consolidation
Planning Phase
• Detailed planning
• Risk analysis
• Staffing
• Alternative plans
• Methods
• Techniques
• Choose precautions
Hack
• Attack
• Backdoor installation
• Track cleaning
(figure: legal vs. illegal; observation / take down)
Official statistics Secret Service Germany
Dramatic increase of computer crime over the last 12 years (professionalism)
Highest proportion of damage by insiders (sabotage, spying, information selling)
Typical hacker is male and over 21; BUT starts at 14!!!
Profiling Hackers (chart: Criminal Energy vs. Know How)
Groups plotted: Classic Criminal, Prof. Hackers / Industry Spy, Secret Service, Script Kiddies, Interested computer users, Classic Hacker, Insider; discovered hacks by police and secret service
Computer Crime Development (chart: Quality vs. Time 1980, 1990, 2000, 2009)
Curves: Hacking Tools, Know How, Enlightenment success, Computer Criminality
Short Facts
87% of all databases are compromised via the operating system
80% of the damage is caused by insiders
Only 1% of all professional hacks are recognized
10% of all “standard hacks” are made public
Highscore List
63 sec Windows NT4.0 WKST, SP4
40 sec Windows XP SP2
55 sec Windows Vista
70 sec Windows 2003 Server
140 sec Linux Kernel 2.6
190 sec Sun Solaris 5.9 with rootkit
...
List also includes AIX, HPUX, OS2, OSX, IRIX, …
Source: Black Hat Convention 2008
Shopping List 2007/2008
$50,000 Windows Vista Exploit ($4,000 for WMF Exploit in Dec 2005)
$7 per ebay-Account
$20,000 medium size BOT network
$30,000 unknown security holes in well known applications
$25-60 per 1000 BOT clients / week
Source: heise security, DEFCON 2008, BlackHat 2008
Crisis Shopping List 2009
$100,000 Destruction of competitor image
$250,000 Full internal competitor database
$25 Per credit card account (+sec code + valid date)
$20,000 Medium size BOT network (buy or rent)
$2,000 Stolen VPN connection
$5,000 Contact to “turned around” insider
Source: heise security, DEFCON 2008, BlackHat 2008
Hacking methods / techniques
Active Hack
Passive Hack
Internal Hack
External Hack
Technical Hack
Nontechnical Hack
Over 80% of all hacks are done from internal
At the moment one of the most dangerous and effective methods in the scene
Hack3rs / Insiders
Insider Examples
European headlines 2008:
- Lost top secret document about Al Qaida (public train)
- Stolen data of thousands of prisoners and prison guards
- Personal information of 70 million people unencrypted on DVDs lost
- Bank employee gambled with 5.4 billion US$
- 88% of admins would steal sensitive corporate information
- Industry espionage by insiders increased dramatically
- Biggest criminal network (RBN) still operating
- Thousands of stolen hardware equipment @ US Army
- US Army lost 50,000 personal data records of former soldiers
- China's “Red Dragon” organization cracked German gov network
- Liechtenstein affair – Insider vs. Secret Service
- ...
Insider Threat
- huge internal know-how
- powerful privileges
- track cleaning
- “clearance” problem
- foreign contact persons / turnovers
Easier exchange of sensitive data
(hacker's ebay, RBN, parallel internet, dead postboxes...)
Large percentage of threats go undetected
Outsourcing and off-shoring trend now becomes a governmental problem (judgement decision)
Official Statistics: Data Breach Report Verizon 2008 (charts)
- Industry relation
- Relation internal / external
- 3 years development
- Location of attacking IPs
Conclusion - Best Practice
Conclusion
Security IS NOT a product; it is an ongoing living process
(cycle: Assessment -> Protection -> Detection -> Response)
Security IS an intelligent combination of more areas -> “Big picture”
Focus on your data, not on the technology
Security is a race; if you stop running, you'll lose
Problem
• External Attackers
• Internal Threats
• Image Damage
• Internal Security Regulations
• …
Oracle Solution
• Separation of duties
• Insider threat protection
• Strong access authentication
• Strong encryption (DB/OS/Net)
• Fine grained real time external auditing
• Data consolidation control
• High availability + Security combination
Oracle Security Product
• Advanced Security Options (ASO)
• Network encryption
• Transparent data encryption
• Strong authentication
• Database Vault
• Audit Vault
• Secure Backup
• Virtual Private Database (VPD)
• Oracle Label Security (OLS)
• Data Masking
• Total Recall
Oracle Differentiator / no competition
Oracle Security Solutions
Auditing Database Activity for Security and Compliance with Oracle Audit Vault
Pierre Leon, Database Technology Group, Oracle Database Security
© 2008 Oracle Corporation 30
Oracle Is A Strong Performer In Enterprise Database Auditing; Tops Native DBMS Auditing
Oracle is the technology leader when it comes to databases, and Oracle gives database security and auditing the same level of commitment and focus as other database features. Besides Oracle’s native auditing, Oracle recently released the Audit Vault product, which offers more advanced auditing features including the ability to centralize auditing for large environments that deal with many databases.
The Forrester Wave™: Enterprise Database Auditing And Real-Time Protection, Q4 2007
Risks to Your Data Rising
• Digital data explosion: 1800 exabytes by 2011 (IDC)
• Databases now the most valuable assets
• Face more threats than ever
  • need for greater access to data
  • insider theft and fraud
  • external “insiders”
  • hackers attacking from inside the firewall
• More than 87% of data breaches could have been prevented, more than half the result of business partners or insiders (Verizon Business Risk Team)
Compliance and Privacy Bar Rising
• Hundreds of data protection regulations worldwide and increasing
• 90% of companies behind in compliance according to IT Policy Compliance Group
• Data breach disclosure laws have increased visibility and cost
  • Up to $35M/breach to remediate
• Databases are the first place IT auditors look
  • Least privilege
  • Separation of duties
  • Demonstrable controls
Security Always on the Oracle Roadmap
(timeline: Oracle 7, Oracle 8i, Oracle Database 9i, Oracle Database 10g, Oracle Database 11g)
Features shown along the roadmap:
• Data Masking
• TDE Tablespace Encryption
• Oracle Audit Vault
• Oracle Database Vault
• Transparent Data Encryption (TDE)
• Real-Time Column Masking
• Secure Configuration Scanning
• Client Identity Propagation
• Fine Grained Auditing
• Oracle Label Security
• Proxy Authentication
• Enterprise User Security
• Virtual Private Database (VPD)
• Database Encryption API
• Strong Authentication
• Native Network Encryption
• Database Auditing (Government Customer)
Database Security & Compliance
Protecting Access to Application Data
Data Classification
Database Monitoring
De-Identifying Information
Data Encryption
Directly From Our Customers…
• “The quarterly reports we need to prove SOX and HIPAA compliance take too much time to generate.”
• “Our IT auditors told us we need more internal controls -especially privileged user monitoring - for compliance.”
• “Our current homegrown solutions cannot scale and it is difficult to keep up with evolving requirements from auditors.”
• “We want to self-assess on a continuous basis to ensure we are in compliance before our PCI auditors show up.”
• “We have Oracle database auditing turned on but we don’t have tools for analysing the data.”
Oracle Audit Vault
Agents collect enterprise audit data into a scalable, secure Audit Data Warehouse
(figure: source databases including DB2 and Sybase; Monitor, Policies, Reports, Security)
• Collect and consolidate audit data
• Simplify compliance reporting
• Alert on security threats
• Lower IT costs with audit policies
Audit Data Consolidated and Categorised
• Who: DB user, OS user, Client Identifier
• What: operation, object, transaction time
• Where: database identifier, machine name, terminal identifier, IP address
• More info: before/after values, SQL text, …
• Built-in reports are categorised based on activity
Oracle Audit Vault Collectors
• Oracle Database Audit Data
  • Sources: Oracle Database 9iR2, 10g, 11g
  • Audit Data Supported:
    • Audit table, OS files, syslog, XML
    • Transaction log
    • Oracle Database Vault audit data
  • Automated Audit Trail clean-up after collection
• Microsoft SQL Server Audit Data
  • Sources: Microsoft SQL Server 2000 & 2005
  • Audit Data Supported:
    • Server side trace
    • Windows event audit
    • C2
• Also: IBM DB2 UDB and Sybase
Oracle Audit Vault Warehouse
• Scalable
  • Built-in partitioning
  • Oracle RAC certified
• Flexible
  • Open warehouse schema
  • Oracle Business Intelligence Publisher
  • Oracle Application Express
  • Custom or 3rd party tools
• Secure
  • Data encrypted in transit from source to Audit Vault
  • Audit data automatically deleted from source after collection
  • Separation of Duty – Administrator v. Auditor
  • Database Vault protects the audit data
Oracle Audit Vault Reporting
• Built-in customisable compliance reports
  • Privileged user activity, role grants
  • DDL activity
• User defined reports
  • What did privileged users do on the financial database?
  • What did user ‘A’ do across multiple databases?
Oracle Audit Vault Customised Reports
• Filter audit data
• Highlight audit records using condition values
• Create charts and graphs
• Save and share custom reports
Unified Reports Across All Databases
• Audit data normalised for consolidated reporting
Oracle Audit Vault Alerts
• Efficient scanning
  • Inbound audit data scanning
• Alerts can be defined for
  • Direct views of sensitive data
  • New user creation
  • Role grants
  • “DBA” grants
  • Failed logins
  • Table drops
  • Other enterprise-defined security policies
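The Who / What / Where normalisation described on the “Audit Data Consolidated and Categorised” slide and the alert conditions listed above, worked through as an added Python example. This is not Oracle Audit Vault code and is not from the presentation: the two input formats (a key=value trail and JSON-style rows), the database names FINDB and ORDERSDB, the sensitive-object list, the failed-logon threshold and every record are constructed assumptions for the example. It shows how records from two different sources end up in one normalised stream, and how a single pass over that stream raises the alert types the slide names.

```python
"""Added example, not part of the original slides: normalise constructed audit
records from two source formats into one Who / What / Where shape, then scan the
normalised stream with alert rules. Both input formats and every record below
are constructed and do not claim to match any product's real audit trail."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import shlex

@dataclass(frozen=True)
class AuditEvent:
    source: str    # Where: database identifier
    ts: str        # What: transaction time
    db_user: str   # Who: database user
    os_user: str   # Who: OS user
    host: str      # Where: machine name
    ip: str        # Where: IP address
    action: str    # What: operation, normalised to an upper-case verb
    obj: str       # What: object (schema.table, role name or user name)
    success: bool
    sql: str = ""  # More info: SQL text when the source records it

# Constructed key=value trail (hypothetical format standing in for the input of
# an Oracle-side collector). ret=0 is success, anything else a failure.
ORACLE_TRAIL = """\
ts=2009-02-26T09:12:01 db_user=SCOTT os_user=scott host=ws-17 ip=10.1.2.3 action=SELECT obj=HR.SALARIES ret=0
ts=2009-02-26T09:12:05 db_user=ALICE os_user=alice host=ws-18 ip=10.1.2.4 action=LOGON obj= ret=1017
ts=2009-02-26T09:12:06 db_user=ALICE os_user=alice host=ws-18 ip=10.1.2.4 action=LOGON obj= ret=1017
ts=2009-02-26T09:12:07 db_user=ALICE os_user=alice host=ws-18 ip=10.1.2.4 action=LOGON obj= ret=1017
ts=2009-02-26T09:12:09 db_user=SYS os_user=oracle host=db-01 ip=10.1.0.5 action=GRANT obj=DBA ret=0 sql="GRANT DBA TO BOB"
ts=2009-02-26T09:13:00 db_user=SYS os_user=oracle host=db-01 ip=10.1.0.5 action="CREATE USER" obj=BOB2 ret=0
"""

# Constructed rows (hypothetical format standing in for the input of a SQL Server-side collector).
SQLSERVER_ROWS = [
    {"time": "2009-02-26T09:20:00", "login": "sa", "nt_user": "CORP\\dbadmin", "host": "sql-01",
     "ip": "10.2.0.9", "event": "drop table", "object": "dbo.Orders", "success": 1, "text": "DROP TABLE dbo.Orders"},
    {"time": "2009-02-26T09:20:30", "login": "app", "nt_user": "", "host": "app-03",
     "ip": "10.2.1.4", "event": "select", "object": "dbo.Products", "success": 1, "text": ""},
    {"time": "2009-02-26T09:21:00", "login": "carol", "nt_user": "CORP\\carol", "host": "ws-40",
     "ip": "10.2.1.9", "event": "logon", "object": "", "success": 0, "text": ""},
    {"time": "2009-02-26T09:22:00", "login": "sa", "nt_user": "CORP\\dbadmin", "host": "sql-01",
     "ip": "10.2.0.9", "event": "grant", "object": "db_owner", "success": 1, "text": "EXEC sp_addrolemember 'db_owner', 'carol'"},
]

def parse_oracle_trail(source, text):
    """One constructed key=value line per event; shlex keeps quoted values intact."""
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in shlex.split(line))
        yield AuditEvent(source, kv["ts"], kv["db_user"], kv["os_user"], kv["host"],
                         kv["ip"], kv["action"].upper(), kv.get("obj", ""),
                         kv.get("ret") == "0", kv.get("sql", ""))

def parse_sqlserver_rows(source, rows):
    for r in rows:
        yield AuditEvent(source, r["time"], r["login"], r["nt_user"], r["host"], r["ip"],
                         r["event"].upper(), r["object"], r["success"] == 1, r["text"])

def load_events():
    """Consolidate both constructed sources into one normalised stream."""
    return [*parse_oracle_trail("FINDB", ORACLE_TRAIL),
            *parse_sqlserver_rows("ORDERSDB", SQLSERVER_ROWS)]

SENSITIVE_OBJECTS = {"HR.SALARIES", "FIN.CARDS"}  # constructed data classification
FAILED_LOGON_THRESHOLD = 3  # alert on the third failed logon per (database, user)

def detect_alerts(events):
    """Inbound scan: one pass over the stream; state is kept only for failed logons."""
    alerts, failed = [], defaultdict(int)
    for e in events:
        if e.action == "SELECT" and e.success and e.obj.upper() in SENSITIVE_OBJECTS:
            alerts.append(("SENSITIVE_DATA_VIEW", e))
        elif e.action == "CREATE USER" and e.success:
            alerts.append(("NEW_USER", e))
        elif e.action == "GRANT" and e.success:
            alerts.append(("DBA_GRANT" if e.obj.upper() == "DBA" else "ROLE_GRANT", e))
        elif e.action == "DROP TABLE" and e.success:
            alerts.append(("TABLE_DROP", e))
        elif e.action == "LOGON" and not e.success:
            failed[(e.source, e.db_user)] += 1
            if failed[(e.source, e.db_user)] == FAILED_LOGON_THRESHOLD:
                alerts.append(("FAILED_LOGONS", e))
    return alerts

def alert_counts(events):
    """Per-rule totals, e.g. for a summary report."""
    return dict(Counter(name for name, _ in detect_alerts(events)))
```

Running `detect_alerts(load_events())` on the constructed data yields six alerts: the salary SELECT, the third failed logon by ALICE, the DBA grant, the new user, the table drop and the db_owner role grant; the single failed logon by carol stays below the threshold. The point of the normalisation step is that the rules are written once against the common record shape, whatever the source database's own trail looks like.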
Oracle Audit Vault Policy Management
• Policy Definition
  • Named, centrally managed collection of audit settings
  • SOX, HIPAA, PCI
  • Settings can be extracted from any database with auditing configured
• Policy Provisioning
  • Policy audit settings can be applied to databases from the central Audit Vault console
• Policy maintenance
  • Compare and contrast approved policy with current settings
  • Detect and correct policy exceptions
(figure: SOX Audit Settings, Privileged User Audit Settings and Privacy Audit Settings provisioned from Oracle Audit Vault to the Financial Database, Customer Database and HR Database)
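The policy definition, provisioning and maintenance steps above, worked through as an added Python example. This is not Oracle Audit Vault code and is not from the presentation: the policy names, the database-to-policy assignments, the current settings of each database and the way settings are represented (statement audit option plus BY ACCESS / BY SESSION mode, as rows from DBA_STMT_AUDIT_OPTS would be) are constructed assumptions. The remediation step emits traditional Oracle AUDIT statements for the options found missing or weakened; treating one option as one AUDIT statement is a simplification made for the example.

```python
"""Added example, not part of the original slides: central audit-policy
definition, provisioning and exception detection. Policy names, database names
and all current settings are constructed; option names follow Oracle's
traditional AUDIT statement options (assumption: one option per statement)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditSetting:
    option: str  # statement audit option, e.g. "CREATE USER"
    mode: str    # "BY ACCESS" (one record per statement) or "BY SESSION"

def setting(option, mode="BY ACCESS"):
    return AuditSetting(option.upper(), mode.upper())

# Policy definition: named, centrally managed collections of audit settings (constructed).
POLICIES = {
    "SOX": {setting("CREATE USER"), setting("ALTER USER"), setting("ROLE"),
            setting("GRANT ANY PRIVILEGE"), setting("ALTER DATABASE")},
    "PRIVILEGED_USER": {setting("ALTER SYSTEM"), setting("DROP ANY TABLE"),
                        setting("SELECT ANY TABLE")},
    "PRIVACY": {setting("SELECT TABLE"), setting("UPDATE TABLE"), setting("DELETE TABLE")},
}

# Which policies each source database must satisfy (constructed).
ASSIGNMENTS = {
    "FINANCIAL": ["SOX", "PRIVILEGED_USER"],
    "CUSTOMER": ["PRIVACY"],
    "HR": ["PRIVACY", "PRIVILEGED_USER"],
}

# Settings currently configured on each database (constructed; shaped like
# AUDIT_OPTION / mode pairs read from DBA_STMT_AUDIT_OPTS).
CURRENT_SETTINGS = {
    "FINANCIAL": {setting("CREATE USER"), setting("ALTER USER"), setting("ROLE", "BY SESSION"),
                  setting("GRANT ANY PRIVILEGE"), setting("ALTER SYSTEM"),
                  setting("DROP ANY TABLE"), setting("SELECT ANY TABLE"), setting("CREATE SESSION")},
    "CUSTOMER": {setting("SELECT TABLE"), setting("UPDATE TABLE")},
    "HR": {setting("SELECT TABLE"), setting("UPDATE TABLE"), setting("DELETE TABLE"),
           setting("ALTER SYSTEM"), setting("DROP ANY TABLE"), setting("SELECT ANY TABLE")},
}

def required_settings(db):
    """Policy provisioning: union of every assigned policy, as option -> mode."""
    required = {}
    for policy in ASSIGNMENTS[db]:
        for s in POLICIES[policy]:
            # BY ACCESS is the stricter mode and wins if two policies disagree.
            if required.get(s.option) != "BY ACCESS":
                required[s.option] = s.mode
    return required

def policy_exceptions(db):
    """Policy maintenance: compare approved policy with current settings."""
    required = required_settings(db)
    current = {s.option: s.mode for s in CURRENT_SETTINGS[db]}
    missing = sorted(o for o in required if o not in current)
    weakened = sorted(o for o, m in required.items() if o in current and current[o] != m)
    return {"missing": missing, "weakened": weakened}

def remediation(db):
    """AUDIT statements that would bring the database back into policy."""
    required = required_settings(db)
    exc = policy_exceptions(db)
    return [f"AUDIT {o} {required[o]};" for o in exc["missing"] + exc["weakened"]]

def compliance_report():
    """True for every database whose current settings match its assigned policies."""
    return {db: not any(policy_exceptions(db).values()) for db in ASSIGNMENTS}

if __name__ == "__main__":
    for db in ASSIGNMENTS:
        print(db, policy_exceptions(db), remediation(db))
```

On the constructed data the financial database is missing ALTER DATABASE auditing and has ROLE auditing weakened to BY SESSION, the customer database is missing DELETE TABLE auditing, and the HR database is compliant; the extra CREATE SESSION setting on the financial database is not in its policies and is left alone rather than reported, which is the kind of choice a real policy comparison has to make explicitly.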
What Do You Need To Audit? Database Audit Requirements
Regulations (columns): SOX, PCI DSS, HIPAA, Basel II, FISMA, GLBA
Accounts, Roles & Permissions: Do you have visibility of GRANT and REVOKE activities?
● ● ● ● ● ●
Failed Logins: Do you have visibility of failed logins and other exception activities?
● ● ● ● ● ●
Privileged User Activity: Do you have visibility of users' activities?
● ● ● ● ● ●
Access to Sensitive Data: Do you have visibility into what information is being queried (SELECTs)?
● ● ● ● ●
Schema Changes: Are you aware of CREATE, DROP and ALTER commands that are occurring on identified tables / columns?
● ● ● ● ● ●
Data Changes: Do you have visibility into INSERT, UPDATE, MERGE, DELETE commands?
● ●
Oracle Audit Vault
Demonstration
Audit Vault Demo Summary
• Audit sensitive tables on source databases
• Use alerts to detect policy violations in near-real-time
• View alert reports and optionally set up email to be sent to the security team when an alert is triggered
• View specific SQL statements executed by users
• View the before/after values of sensitive data changes
• Create customised reports to highlight sensitive table access
Oracle Database Security Solutions
(figure: Database Vault, Data Masking, Advanced Security, Label Security, Secure Backup, Audit Vault, Configuration Management, Total Recall)