The Myth of Hacking Oracle

Michał Jerzy Kostrzewa
Central and South-Eastern Europe Database Director
Michal.Kostrzewa@Oracle.com
More data than ever…

[Chart: data growth doubles yearly, reaching 1,800 exabytes (2006 vs. 2011)]
Source: IDC, 2008
More breaches than ever…

Data Breach: once exposed, the data is out there – the bell can't be un-rung

[Chart: publicly reported data breaches; total personally identifying information records exposed (millions): 630 % increase]
Source: DataLossDB, 2009
More Regulations Than Ever…

[Slide cloud of regulations and standards: Sarbanes-Oxley, GLBA, PCI, Basel II, Breach Disclosure, FISMA, HIPAA, PIPEDA, EU Data Directives, UK/PRO, AUS/PRO, ISO 17799, SAS 70, COBIT, Euro SOX, K SOX, J SOX]

90 % of companies are behind in compliance
Source: IT Policy Compliance Group, 2009.
Market Overview: IT Security In 2009



There has been a clear and significant shift from what was
the widely recognized state of security just a few years ago.
Protecting the organization's information assets is the top
issue facing security programs: data security (90%) is most
often cited as an important or very important issue for IT
security organizations, followed by application security (86%).
The Myth of Hacking Oracle

Agenda:
  WHERE
  WHO
  HOW
  PROTECTION
Where do the attacks come from?

[Chart: origin of breaches; label visible on the slide: Insiders]
Source: Verizon Data Breach Report 2009
Official Statistics: Industry Relation

[Chart: breaches in relation to industry]
Source: Verizon Data Breach Report 2009
Who is attacking us?

  Hack3rs   20 %
  Insiders  80 %
Information Security Has Changed

  1996:
  • Hobby hackers
  • Web site defacement
  • Viruses
  • Infrequent attacks

  2009:
  • Rentable professional hackers
  • Criminals
  • Denial of service
  • Identity theft
  • Constant threat
Underground naming conventions

[Diagram of the scene, ordered by increasing criminality: Whitehats, Greyhats, Blackhats; Script Kiddies shown below them]
Underground organisation

Organized Computer Crime: spam, espionage, sabotage
  • Flexible business models
  • Group organisations (fast exchange)
  • Roles: supplier (Marketender), logistician, programmer
Hacking Steps

Preparation Phase
  • Targeting
  • Information collection
  • Social engineering
  • Social networking
  • Underground scene consolidation

Planning Phase
  • Detailed planning
  • Risk analysis
  • Staffing
  • Alternative plans
  • Methods
  • Techniques
  • Choose precautions

HACK
  • Attack
  • Backdoor installation
  • Track cleaning

  legal (observation)  ->  illegal (take down)
Official statistics
  Secret Service Germany (BND)

  • Dramatic increase of computer crime over the last 12 years (professionalism)
  • Biggest damage by insiders (sabotage, spying, information selling)
  • The typical hacker is male and over 21, BUT starts at 14 !!!

Source: BND Sicherheitsreport 2008
Profiling Hack3rs

[Chart: criminal energy (vertical axis) against know-how (horizontal axis). Low criminal energy, rising know-how: interested computer users, script kiddies, classic hacker. High criminal energy: classic criminal, insider, professional hackers / industry spy / secret service. A separate region marks hacks discovered by police and secret service.]
Short Facts

  87 %  of all databases are compromised via the operating system
  80 %  of the damage is caused by insiders
   1 %  of all professional hacks is all that is ever recognized
  10 %  of all "standard hacks" are made public
Highscore List
Source: Black Hat Convention 2008

   40 sec   Windows XP SP2
   55 sec   Windows Vista
   63 sec   Windows NT 4.0 Workstation, SP4
   70 sec   Windows 2003 Server
  140 sec   Linux Kernel 2.6
  190 sec   Sun Solaris 5.9 with rootkit
  ...
  The list also includes AIX, HP-UX, OS/2, OS X, IRIX, …
Shopping List 2007/2008
Source: heise security, DEFCON 2008, BlackHat 2008

  50.000 $   Windows Vista exploit (4000 $ for a WMF exploit in Dec 2005)
       7 $   per eBay account
  20.000 $   medium-size BOT network
  30.000 $   unknown security holes in well-known applications
   25-60 $   per 1000 BOT clients / week

Crisis Shopping List 2009
Source: heise security, DEFCON 2009, BlackHat 2009

 100.000 $   destruction of a competitor's image
 250.000 $   full internal competitor database
      25 $   per credit card account (+ security code + valid date)
  20.000 $   medium-size BOT network (buy or rent)
    2000 $   stolen VPN connection
    5000 $   contact to a "turned around" insider
Insider examples !!!

European headlines 2008/2009:
- top secret document about Al-Qaeda lost (on a public train)
- data of thousands of prisoners and prison guards stolen
- personal information of 70 million people lost unencrypted on DVDs
- bank employee gambled with 5.4 billion US$
- 88 % of admins would steal sensitive corporate information
- industrial espionage by insiders increased dramatically
- biggest criminal network (RBN) still operating
- thousands of pieces of hardware stolen from the US Army
- US Army lost the personal data of 50.000 former soldiers
- China's "Red Dragon" organization cracked a German government network
- Liechtenstein affair – insider vs. secret service
- ...
Insider Threat

  Outsourcing and off-shoring trend

  A large percentage of threats go undetected
    - huge internal know-how
    - powerful privileges
    - track cleaning
    - "clearance" problem
    - foreign contact persons / staff turnover

  Easier exchange of sensitive data
  (hacker's eBay, RBN, parallel internet, dead drops...)
How we get attacked

  Active hack     /  Passive hack
  Internal hack   /  External hack      (over 80 % of all hacks are done from internal)
  Technical hack  /  Nontechnical hack  (nontechnical: at the moment one of the most dangerous and effective methods in the scene)
How we get attacked -- REALITY

  > 90 %:
  - Standard configuration
  - Misconfiguration
  - Misunderstanding of security
  - Human errors
  - Process/workflow errors
  - "old" versions / no patches
  - Known/published holes/bugs/workarounds
  - Downloadable cracking software (script kiddies)

  - Real hacks/cracks
Protection

  > 90 % of our security problems could be solved !!!
Think …

  Security is a "race": if you stop running you'll lose
  Security IS NOT a product; it's an ongoing, living process
  Train your employees
  Security IS an intelligent combination of several areas -> "big picture"
  Focus on your data, not only on the technology
  Start with the basics
Think about Solutions…

Problem:
  • External attackers
  • Internal threats
  • Image damage
  • Internal security regulations
  • Regulatory compliance
  • ...

Oracle Solution:
  • Separation of duties
  • Insider threat protection
  • Strong access authentication
  • Strong encryption (DB/OS/Net)
  • Fine-grained real-time external auditing
  • Data consolidation control
  • High availability + security combination

Oracle Security Product:
  • Advanced Security Option (ASO)
  • Network encryption
  • Transparent data encryption
  • Strong authentication
  • Database Vault
  • Audit Vault
  • Secure Backup
  • Virtual Private Database (VPD)
  • Oracle Label Security (OLS)
  • Data Masking
  • Total Recall

Oracle differentiator / no competition
Oracle Security Solutions Summary

REPORTING & ALERTING

IDENTITY AND ACCESS MANAGEMENT
  Identity Administration: user provisioning, role management, self-service driven
  Directory Services: scalable LDAP storage, virtual directory, directory synchronization
  Access Management: risk-based authorization, entitlements management, single sign-on, federation, information rights management

DATABASE SECURITY
  Activity Monitoring: unauthorized activity detection, automated compliance reports, secure configuration audit
  Access Control and Authorization: privileged user controls, multi-factor authorization, classification control
  Encryption and Data Masking: transparent data encryption, de-identification for non-production, built-in key management

IT MANAGEMENT & INTEGRATION
Database Defense-in-Depth

  Monitoring
  • Configuration Management
  • Audit Vault
  • Total Recall

  Access Control
  • Database Vault
  • Label Security

  Encryption & Masking
  • Advanced Security
  • Secure Backup
  • Data Masking
Oracle Advanced Security
  Transparent Data Encryption

[Diagram: the application writes through the database; encrypted data flows on to disk, backups, exports and off-site facilities]

  • Complete encryption for data at rest
  • No application changes required
  • Efficient encryption of all application data
  • Built-in key lifecycle management
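As an added example (not code from the deck), the 11g-era SQL a DBA would run to put TDE in place behind an unchanged application; the wallet directory, schema, table, tablespace and data file names are assumed:

```sql
-- Added example (not from the deck): putting TDE in place on an Oracle 11g
-- database. Wallet directory, schema, table, tablespace and data file names are assumed.

-- 1. Wallet location, set in $ORACLE_HOME/network/admin/sqlnet.ora (shown as a
--    comment because it is not SQL). The wallet holds the master key; the data
--    files, backups and exports hold only ciphertext.
--      ENCRYPTION_WALLET_LOCATION =
--        (SOURCE = (METHOD = FILE)
--          (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/ORCL/wallet)))

-- 2. Create the master key (this also creates and opens the wallet).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";

-- After every instance restart the wallet must be opened again; until then the
-- encrypted columns and tablespaces are unreadable, which is the data-at-rest guarantee.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

-- 3a. Column-level TDE on an existing table. The SQL the application issues does
--     not change; encryption and decryption happen inside the database.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- 3b. Tablespace-level TDE: everything created in the tablespace is encrypted,
--     including indexes, so it covers all application data without per-column work.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE hr.payroll (
  emp_id NUMBER PRIMARY KEY,
  salary NUMBER(10,2)
) TABLESPACE secure_ts;

-- 4. Key lifecycle: re-issuing SET ENCRYPTION KEY generates a new master key and
--    re-wraps the table keys under it; REKEY rotates a table key and re-encrypts the column.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";
ALTER TABLE hr.employees REKEY USING 'AES256';

-- 5. Verify what is protected.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT ts.name, es.encryptionalg
  FROM v$encrypted_tablespaces es
  JOIN v$tablespace ts ON ts.ts# = es.ts#;
```

With the wallet closed, anyone who copies the data file or a backup through the operating system (the path the "Short Facts" slide names for 87 % of database compromises) obtains only ciphertext.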
Oracle Advanced Security
  Network Encryption & Strong Authentication

  • Standards-based encryption for data in transit
  • Strong authentication of users and servers (e.g. Kerberos, RADIUS)
  • No infrastructure changes required
  • Easy to implement
Oracle Data Masking
  Irreversible De-Identification

  Production                                  Non-Production
  LAST_NAME   SSN           SALARY            LAST_NAME     SSN           SALARY
  AGUILAR     203-33-3234   40,000            ANSKEKSL      111-23-1111   60,000
  BENSON      323-22-2943   60,000            BKJHHEIEDK    222-34-1345   40,000

  • Remove sensitive data from non-production databases
  • Referential integrity preserved so applications continue to work
  • Sensitive data never leaves the database
  • Extensible template library and policies for automation
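The Data Masking pack automates this through templates; as an added example (not the deck's or the product's code), plain SQL that applies the same three transformations the slide shows to a non-production copy, keeping the SSN mapping consistent across tables and then destroying it. Schema NONPROD, tables EMPLOYEES (emp_id, ssn, last_name, salary) and PAYROLL (ssn) and the constraint FK_PAYROLL_EMP are assumed:

```sql
-- Added example (not the deck's or the product's code): masking a non-production
-- copy the way the slide shows. Schema NONPROD, tables EMPLOYEES (emp_id, ssn,
-- last_name, salary) and PAYROLL (ssn), and constraint FK_PAYROLL_EMP are assumed.

-- 1. Mapping table: every distinct real SSN gets a unique fake one, handed out in
--    random order so the fake value carries no information about the real one.
CREATE TABLE nonprod.ssn_map AS
SELECT real_ssn,
       SUBSTR(n, 1, 3) || '-' || SUBSTR(n, 4, 2) || '-' || SUBSTR(n, 6, 4) AS fake_ssn
  FROM (SELECT real_ssn,
               TO_CHAR(100000000 + ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE)) AS n
          FROM (SELECT DISTINCT ssn AS real_ssn FROM nonprod.employees));

-- 2. Referential integrity: parent and child rows are rewritten through the same
--    mapping, so joins keep working once the FK is re-enabled.
ALTER TABLE nonprod.payroll DISABLE CONSTRAINT fk_payroll_emp;

UPDATE nonprod.payroll p
   SET p.ssn = (SELECT m.fake_ssn FROM nonprod.ssn_map m WHERE m.real_ssn = p.ssn);

UPDATE nonprod.employees e
   SET e.ssn       = (SELECT m.fake_ssn FROM nonprod.ssn_map m WHERE m.real_ssn = e.ssn),
       e.last_name = DBMS_RANDOM.STRING('U', LENGTH(e.last_name));  -- random uppercase, same length

ALTER TABLE nonprod.payroll ENABLE CONSTRAINT fk_payroll_emp;

-- 3. Salaries: keep the real distribution but detach each value from its person
--    by shuffling the column across rows.
MERGE INTO nonprod.employees e
USING (SELECT a.emp_id, b.salary
         FROM (SELECT emp_id, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn
                 FROM nonprod.employees) a
         JOIN (SELECT salary, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn
                 FROM nonprod.employees) b
           ON a.rn = b.rn) s
   ON (e.emp_id = s.emp_id)
 WHEN MATCHED THEN UPDATE SET e.salary = s.salary;
COMMIT;

-- 4. Irreversibility: the mapping table is the only way back; PURGE keeps it out
--    of the recycle bin. Nothing left the database during the whole process.
DROP TABLE nonprod.ssn_map PURGE;

-- 5. Checks: no orphaned payroll rows, and no SSN outside the fake pattern.
SELECT COUNT(*) AS orphans
  FROM nonprod.payroll p
 WHERE NOT EXISTS (SELECT 1 FROM nonprod.employees e WHERE e.ssn = p.ssn);

SELECT COUNT(*) AS unmasked
  FROM nonprod.employees
 WHERE ssn IS NOT NULL AND ssn NOT LIKE '1__-__-____';
```

Both check queries should return 0 on a correctly masked copy.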
Oracle Database Vault
  Separation of Duties & Privileged User Controls

[Diagram: the application reaches the Procurement, HR and Finance schemas; a DBA issues
  select * from finance.customers
 against the protected Finance schema]

  • DBA separation of duties
  • Limit powers of privileged users
  • Securely consolidate application data
  • No application changes required
Oracle Database Vault
  Multi-Factor Access Control Policy Enforcement

[Diagram: the application reaches the Procurement, HR and Rebates schemas]

  • Protect application data and prevent application by-pass
  • Enforce who, where, when, and how using rules and factors
  • Out-of-the-box policies for Oracle applications, customizable
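The two Database Vault slides above (realm around the Finance schema; who/where/when rules and factors) as one added example, not code from the deck: a realm is built around the FINANCE schema and the application account is authorized only while a multi-factor rule set holds. The FINANCE schema, the FINANCE_APP account and the application server IP are assumed:

```sql
-- Added example (not from the deck): a Database Vault realm around the FINANCE
-- schema plus a multi-factor rule set, via the DBMS_MACADM API. The schema name,
-- the FINANCE_APP account and the application server IP are assumed.
-- Run as the Database Vault owner, not as SYS or a DBA: that is the separation of duties.

-- 1. Rules: "where" (client IP) and "when" (business hours).
--    DVF.F$CLIENT_IP is one of Database Vault's default factor functions.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Server',
    rule_expr => 'DVF.F$CLIENT_IP = ''10.0.5.20''');                     -- assumed IP

  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''18''');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Finance Access Conditions',
    description     => 'Who, where and when for the Finance realm',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,    -- every rule must hold
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,  -- record each denied attempt
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Finance data is only reachable from the application server during business hours',
    fail_code       => 20900,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Finance Access Conditions', rule_name => 'From App Server');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Finance Access Conditions', rule_name => 'Business Hours');
END;
/

-- 2. Realm: once the FINANCE objects are inside, system privileges such as
--    SELECT ANY TABLE no longer reach them; only realm authorizations do.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Protects the FINANCE schema from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',            -- every object ...
    object_type  => '%');           -- ... of every type in the schema

  -- Only the application account is authorized, and only while the rule set holds.
  -- The DBA is deliberately not listed.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FINANCE_APP',
    rule_set_name => 'Finance Access Conditions',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Result: from a DBA session, "select * from finance.customers" (the statement on
-- the slide) now fails with ORA-01031 insufficient privileges, and the attempt is
-- recorded in the Database Vault audit trail.
```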
Oracle Label Security
  Data Classification for Access Control

[Diagram: rows labelled Sensitive (transactions), Confidential (report data) and Public (reports); users carry the labels Confidential and Sensitive]

  • Classify users and data based on business drivers
  • Database-enforced row-level access control
  • User classification through Oracle Identity Management Suite
  • Classification labels can be factors in other policies
Oracle Audit Vault
  Automated Activity Monitoring & Audit Reporting

[Diagram: audit data from the HR, CRM and ERP databases is consolidated in Audit Vault, which provides alerts, built-in reports, custom reports and policies to the auditor]

  • Consolidate audit data into a secure repository
  • Detect and alert on suspicious activities
  • Out-of-the-box compliance reporting
  • Centralized audit policy management
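Audit Vault consolidates whatever trail the source databases produce, so the detection starts with the audit policy on the source. As an added example (not the deck's code), a fine-grained auditing policy that records reads of sensitive customer columns by anyone other than the application account, followed by the query an alert on that trail would be built on. The FINANCE.CUSTOMERS table, its columns, the FINANCE_APP account and the threshold are assumed:

```sql
-- Added example (not from the deck): fine-grained auditing on the source database.
-- Table, columns, account name and the alert threshold are assumed.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'FINANCE',
    object_name       => 'CUSTOMERS',
    policy_name       => 'CUST_SENSITIVE_READ',
    -- only sessions that are not the application account produce an audit record
    audit_condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''FINANCE_APP''',
    audit_column      => 'CREDIT_CARD,SSN',      -- touching either column counts
    handler_schema    => NULL,
    handler_module    => NULL,
    enable            => TRUE,
    statement_types   => 'SELECT,UPDATE,DELETE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,  -- keep SQL text and binds
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- Detection query: who touched sensitive customer columns outside the
-- application in the last 24 hours, and how often. Repeated hits from one
-- OS user or host are the kind of pattern an Audit Vault alert is raised on.
SELECT db_user, os_user, userhost, COUNT(*) AS hits,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_fga_audit_trail
 WHERE policy_name = 'CUST_SENSITIVE_READ'
   AND timestamp > SYSDATE - 1
 GROUP BY db_user, os_user, userhost
HAVING COUNT(*) > 5                              -- assumed threshold
 ORDER BY hits DESC;

-- The captured statement itself, for the analyst following up on a hit.
SELECT timestamp, db_user, userhost, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'CUST_SENSITIVE_READ'
 ORDER BY timestamp DESC;
```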
Oracle Total Recall
  Secure Change Management

  select salary from emp AS OF TIMESTAMP
  '02-MAY-09 12.00 AM' where emp.title = 'admin'

  • Transparently track data changes
  • Efficient, tamper-resistant storage of archives
  • Real-time access to historical data
  • Simplified forensics and error correction
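As an added example (not from the deck), the Flashback Data Archive commands behind Total Recall, carried through to the forensic and error-correction queries the bullets promise; tablespace FDA_TS, table HR.EMP (emp_id, title, salary) and the timestamps are assumed:

```sql
-- Added example (not the deck's own code): Total Recall is the Flashback Data
-- Archive feature. Tablespace FDA_TS, table HR.EMP (emp_id, title, salary) and the
-- timestamps are assumed; creating the archive needs FLASHBACK ARCHIVE ADMINISTER.

-- 1. Create a retention-managed archive and attach the table to it. History rows
--    are written by the database itself and the history tables reject direct DML,
--    so even the table owner cannot quietly rewrite the past.
CREATE FLASHBACK ARCHIVE fda_hr TABLESPACE fda_ts RETENTION 7 YEAR;
ALTER TABLE hr.emp FLASHBACK ARCHIVE fda_hr;

-- 2. Forensics: every version of the admin salaries over a window, tagged with
--    the operation and the transaction id (XID) that produced it.
SELECT versions_starttime, versions_endtime, versions_operation,
       versions_xid, emp_id, salary
  FROM hr.emp
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('2009-05-01 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
         AND SYSTIMESTAMP
 WHERE title = 'admin'
 ORDER BY emp_id, versions_starttime NULLS FIRST;

-- 3. Attribute a suspicious version to a session: look its XID up in the
--    transaction history (requires supplemental logging on the database).
SELECT xid, logon_user, start_timestamp, commit_timestamp, operation, undo_sql
  FROM flashback_transaction_query
 WHERE xid = :suspicious_xid          -- bind the VERSIONS_XID value from step 2
   AND table_owner = 'HR' AND table_name = 'EMP';

-- 4. Error correction: compare the live table with its state at a point in time
--    and list the rows whose salary has changed since then.
SELECT cur.emp_id, old.salary AS salary_before, cur.salary AS salary_now
  FROM hr.emp cur
  JOIN hr.emp AS OF TIMESTAMP
         TO_TIMESTAMP('2009-05-02 00:00:00', 'YYYY-MM-DD HH24:MI:SS') old
    ON old.emp_id = cur.emp_id
 WHERE old.salary <> cur.salary;
```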
Thank You!

The evolving threat in the face of increased connectivityThe evolving threat in the face of increased connectivity
The evolving threat in the face of increased connectivityAPNIC
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaIBM Danmark
 
Refugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityRefugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityGianluca Varisco
 
Year of pawnage - Ian trump
Year of pawnage  - Ian trumpYear of pawnage  - Ian trump
Year of pawnage - Ian trumpMAXfocus
 
Netop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop
 
Disrupt Hackers With Robust User Authentication
Disrupt Hackers With Robust User AuthenticationDisrupt Hackers With Robust User Authentication
Disrupt Hackers With Robust User AuthenticationIntel IT Center
 
Seguridad en Capas: Smart & Actionable Data
Seguridad en Capas: Smart & Actionable DataSeguridad en Capas: Smart & Actionable Data
Seguridad en Capas: Smart & Actionable DataCristian Garcia G.
 
E security and payment 2013-1
E security  and payment 2013-1E security  and payment 2013-1
E security and payment 2013-1Abdelfatah hegazy
 
CrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising DeckCrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising DeckCrowdSec
 
Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Ulf Mattsson
 
Cyber security and attack analysis : how Cisco uses graph analytics
Cyber security and attack analysis : how Cisco uses graph analyticsCyber security and attack analysis : how Cisco uses graph analytics
Cyber security and attack analysis : how Cisco uses graph analyticsLinkurious
 

Ähnlich wie Oracle tech db-02-hacking-neum-15.04.2010 (20)

Thy myth of hacking Oracle
Thy myth of hacking OracleThy myth of hacking Oracle
Thy myth of hacking Oracle
 
Evolución de la Ciber Seguridad
Evolución de la Ciber SeguridadEvolución de la Ciber Seguridad
Evolución de la Ciber Seguridad
 
Keynote fx try harder 2 be yourself
Keynote fx   try harder 2 be yourselfKeynote fx   try harder 2 be yourself
Keynote fx try harder 2 be yourself
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
It’s time to boost VoIP network security
It’s time to boost VoIP network securityIt’s time to boost VoIP network security
It’s time to boost VoIP network security
 
APT in the Financial Sector
APT in the Financial SectorAPT in the Financial Sector
APT in the Financial Sector
 
Tokenization on the Node - Data Protection for Security and Compliance
Tokenization on the Node - Data Protection for Security and ComplianceTokenization on the Node - Data Protection for Security and Compliance
Tokenization on the Node - Data Protection for Security and Compliance
 
The evolving threat in the face of increased connectivity
The evolving threat in the face of increased connectivityThe evolving threat in the face of increased connectivity
The evolving threat in the face of increased connectivity
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio Panada
 
On Demand Cloud Services Coury
On Demand Cloud Services   CouryOn Demand Cloud Services   Coury
On Demand Cloud Services Coury
 
Refugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityRefugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on Security
 
Year of pawnage - Ian trump
Year of pawnage  - Ian trumpYear of pawnage  - Ian trump
Year of pawnage - Ian trump
 
Netop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop Remote Control Embedded Devices
Netop Remote Control Embedded Devices
 
Disrupt Hackers With Robust User Authentication
Disrupt Hackers With Robust User AuthenticationDisrupt Hackers With Robust User Authentication
Disrupt Hackers With Robust User Authentication
 
Seguridad en Capas: Smart & Actionable Data
Seguridad en Capas: Smart & Actionable DataSeguridad en Capas: Smart & Actionable Data
Seguridad en Capas: Smart & Actionable Data
 
E security and payment 2013-1
E security  and payment 2013-1E security  and payment 2013-1
E security and payment 2013-1
 
CrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising DeckCrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising Deck
 
Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0
 
Cyber security and attack analysis : how Cisco uses graph analytics
Cyber security and attack analysis : how Cisco uses graph analyticsCyber security and attack analysis : how Cisco uses graph analytics
Cyber security and attack analysis : how Cisco uses graph analytics
 

Mehr von Oracle BH

2 d3.javne nabavke_neum160410
2 d3.javne nabavke_neum1604102 d3.javne nabavke_neum160410
2 d3.javne nabavke_neum160410Oracle BH
 
2 d2.casemgmt
2 d2.casemgmt2 d2.casemgmt
2 d2.casemgmtOracle BH
 
2 d1.hcm neum_160410
2 d1.hcm neum_1604102 d1.hcm neum_160410
2 d1.hcm neum_160410Oracle BH
 
1 d3.cob neum150410
1 d3.cob neum1504101 d3.cob neum150410
1 d3.cob neum150410Oracle BH
 
1 d1.reforma it_u_javnoj_upravi
1 d1.reforma it_u_javnoj_upravi1 d1.reforma it_u_javnoj_upravi
1 d1.reforma it_u_javnoj_upraviOracle BH
 
Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Oracle BH
 
Sun welcome middleware_overview 0324101_bosnia
Sun welcome middleware_overview 0324101_bosniaSun welcome middleware_overview 0324101_bosnia
Sun welcome middleware_overview 0324101_bosniaOracle BH
 
Sun welcome middleware_overview 0324101_bosnia(2)
Sun welcome middleware_overview 0324101_bosnia(2)Sun welcome middleware_overview 0324101_bosnia(2)
Sun welcome middleware_overview 0324101_bosnia(2)Oracle BH
 
Exadata 11-2-overview-v2 11
Exadata 11-2-overview-v2 11Exadata 11-2-overview-v2 11
Exadata 11-2-overview-v2 11Oracle BH
 
Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010Oracle BH
 
Oracle tech fmw-03-cloud-computing-neum-15.04.2010
Oracle tech fmw-03-cloud-computing-neum-15.04.2010Oracle tech fmw-03-cloud-computing-neum-15.04.2010
Oracle tech fmw-03-cloud-computing-neum-15.04.2010Oracle BH
 
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010Oracle BH
 
Oracle tech db-05-sun-servers.and.storage-16.04.2010
Oracle tech db-05-sun-servers.and.storage-16.04.2010Oracle tech db-05-sun-servers.and.storage-16.04.2010
Oracle tech db-05-sun-servers.and.storage-16.04.2010Oracle BH
 
Oracle tech db-04-cost-effective-neum-16.04.2010
Oracle tech db-04-cost-effective-neum-16.04.2010Oracle tech db-04-cost-effective-neum-16.04.2010
Oracle tech db-04-cost-effective-neum-16.04.2010Oracle BH
 

Mehr von Oracle BH (14)

2 d3.javne nabavke_neum160410
2 d3.javne nabavke_neum1604102 d3.javne nabavke_neum160410
2 d3.javne nabavke_neum160410
 
2 d2.casemgmt
2 d2.casemgmt2 d2.casemgmt
2 d2.casemgmt
 
2 d1.hcm neum_160410
2 d1.hcm neum_1604102 d1.hcm neum_160410
2 d1.hcm neum_160410
 
1 d3.cob neum150410
1 d3.cob neum1504101 d3.cob neum150410
1 d3.cob neum150410
 
1 d1.reforma it_u_javnoj_upravi
1 d1.reforma it_u_javnoj_upravi1 d1.reforma it_u_javnoj_upravi
1 d1.reforma it_u_javnoj_upravi
 
Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2
 
Sun welcome middleware_overview 0324101_bosnia
Sun welcome middleware_overview 0324101_bosniaSun welcome middleware_overview 0324101_bosnia
Sun welcome middleware_overview 0324101_bosnia
 
Sun welcome middleware_overview 0324101_bosnia(2)
Sun welcome middleware_overview 0324101_bosnia(2)Sun welcome middleware_overview 0324101_bosnia(2)
Sun welcome middleware_overview 0324101_bosnia(2)
 
Exadata 11-2-overview-v2 11
Exadata 11-2-overview-v2 11Exadata 11-2-overview-v2 11
Exadata 11-2-overview-v2 11
 
Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010
 
Oracle tech fmw-03-cloud-computing-neum-15.04.2010
Oracle tech fmw-03-cloud-computing-neum-15.04.2010Oracle tech fmw-03-cloud-computing-neum-15.04.2010
Oracle tech fmw-03-cloud-computing-neum-15.04.2010
 
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010
 
Oracle tech db-05-sun-servers.and.storage-16.04.2010
Oracle tech db-05-sun-servers.and.storage-16.04.2010Oracle tech db-05-sun-servers.and.storage-16.04.2010
Oracle tech db-05-sun-servers.and.storage-16.04.2010
 
Oracle tech db-04-cost-effective-neum-16.04.2010
Oracle tech db-04-cost-effective-neum-16.04.2010Oracle tech db-04-cost-effective-neum-16.04.2010
Oracle tech db-04-cost-effective-neum-16.04.2010
 

Oracle tech db-02-hacking-neum-15.04.2010

  • 1. The myth of hacking Oracle. Michał Jerzy Kostrzewa, Central and Southern Eastern Europe Database Director, Michal.Kostrzewa@Oracle.com
  • 2. More data than ever… Growth doubles yearly: 1,800 exabytes (chart from 2006 to 2011). Source: IDC, 2008
  • 3. More breaches than ever… Data breach: once exposed, the data is out there; the bell can't be un-rung. Publicly reported data breaches: 630% increase in total personally identifying information records exposed (millions). Source: DataLossDB, 2009
  • 4. More regulations than ever… UK/PRO, PIPEDA, EU Data Directives, Sarbanes-Oxley, GLBA, PCI, Basel II, Breach Disclosure, FISMA, K SOX, Euro SOX, J SOX, HIPAA, ISO 17799, SAS 70, COBIT, AUS/PRO. 90% of companies are behind in compliance. Source: IT Policy Compliance Group, 2009.
  • 5. Market Overview: IT Security in 2009. There has been a clear and significant shift from what was the widely recognized state of security just a few years ago. Protecting the organization's information assets is the top issue facing security programs: data security (90%) is most often cited as an important or very important issue for IT security organizations, followed by application security (86%).
  • 6. The Myth of Hacking Oracle. Agenda: WHERE, WHO, HOW, PROTECTION
  • 7. WHERE: Where do the attacks come from? Insiders. Source: Verizon Data Breach Report 2009
  • 8. WHERE: Official statistics, by industry. Source: Verizon Data Breach Report 2009
  • 9. The Myth of Hacking Oracle. Agenda: WHO
  • 10. WHO: Who is attacking us? Hack3rs: 20 %. Insiders: 80 %.
  • 11. Information Security Has Changed
    - 1996: hobby hackers, web site defacement, viruses, infrequent attacks, denial of service
    - 2009: rentable professional hackers, criminals, identity theft, constant threat
  • 12. Underground naming conventions. The scene, in order of increasing criminality: Whitehats, Greyhats, Blackhats, Script Kiddies
  • 13. Underground organisation: organized computer crime. Flexible business models: spam, espionage, sabotage. Roles in the organisations (fast exchange): Marketender (trader), Group, Logistician, Programmer
  • 14. Hacking Steps
    - Preparation phase: targeting, information collection, social engineering, social networking, underground scene consolidation, methods, techniques (legal and illegal observation)
    - Planning phase: detailed planning, risk analysis, staffing, alternative plans, choice of precautions
    - Hack: attack, backdoor installation, track cleaning, take down
  • 15. Official statistics, Secret Service Germany: dramatic increase of computer crime over the last 12 years (professionalism). Biggest damage by insiders (sabotage, spying, information selling). The typical hacker is male and over 21, BUT starts at 14 !!! Source: BND Sicherheitsreport 2008
  • 16. Profiling Hack3rs (chart: criminal energy against hacker know-how). Placed on the chart: professional hackers, classic industry spy, criminal secret service, insider, script kiddies, interested classic computer users; hacks discovered by police and secret service
  • 17. Short Facts
    - 87 % of all databases are compromised over the operating system
    - 80 % of the damage is caused by insiders
    - Only 1 % of all professional hacks are recognized
    - 10 % of all "standard hacks" are made public
  • 18. Highscore List (seconds per system). Source: Black Hat Convention 2008
    - 40 sec: Windows XP SP2
    - 55 sec: Windows Vista
    - 63 sec: Windows NT 4.0 WKST, SP4
    - 70 sec: Windows 2003 Server
    - 140 sec: Linux Kernel 2.6
    - 190 sec: Sun Solaris 5.9 with rootkit
    - ... the list also includes AIX, HPUX, OS2, OSX, IRIX, …
  • 19. Shopping List 2007/2008. Source: heise security, DEFCON 2008, BlackHat 2008
    - 50,000 $: Windows Vista exploit (4,000 $ for WMF exploit in Dec 2005)
    - 7 $ per eBay account
    - 20,000 $: medium size BOT network
    - 30,000 $: unknown security holes in well known applications
    - 25-60 $ per 1000 BOT clients / week
  • 20. Crisis Shopping List 2009. Source: heise security, DEFCON 2009, BlackHat 2009
    - 100,000 $: destruction of competitor image
    - 250,000 $: full internal competitor database
    - 25 $ per credit card account (+ security code + valid date)
    - 20,000 $: medium size BOT network (buy or rent)
    - 2,000 $: stolen VPN connection
    - 5,000 $: contact to a "turned around" insider
  • 21. WHO: Hack3rs: 20 %. Insiders: 80 %.
  • 22. Insider examples !!! European headlines 2008/2009:
    - lost top secret document about Al Qaeda (public train)
    - stolen data of thousands of prisoners and prison guards
    - personal information of 70 million people lost unencrypted on DVDs
    - bank employee gambled with 5.4 billion US$
    - 88% of admins would steal sensitive corporate information
    - industry espionage by insiders increased dramatically
    - biggest criminal network (RBN) still operating
    - thousands of pieces of hardware equipment stolen at the US Army
    - US Army lost 50,000 personal data records of former soldiers
    - China's "Red Dragon" organization cracked a German government network
    - Liechtenstein affair: insider vs. secret service
  • 23. Insider Threat
    - Outsourcing and off-shoring trend
    - Large percentage of threats go undetected: huge internal know-how, powerful privileges, track cleaning, "clearance" problem, foreign contact persons / turnovers
    - Easier exchange of sensitive data (hacker's eBay, RBN, parallel internet, dead postboxes...)
  • 24. The Myth of Hacking Oracle. Agenda: HOW
  • 25. HOW: How we get attacked
    - Active hack / passive hack
    - Internal hack / external hack: over 80% of all hacks are done from internal
    - Technical hack / nontechnical hack: at the moment one of the most dangerous and effective methods in the scene
  • 26. HOW: How we get attacked, in reality (>90%)
    - Standard configuration
    - Misconfiguration
    - Misunderstanding of security
    - Human errors
    - Process/workflow errors
    - "Old" versions / no patches
    - Known/published holes/bugs/workarounds
    - Downloadable cracking software (script kiddies)
    - Real hacks/cracks
  • 27. The Myth of Hacking Oracle. Agenda: PROTECTION
  • 28. PROTECTION: > 90% of our security problems could be solved !!!
  • 29. Think …
    - Security is a "race": if you stop running you'll lose
    - Security IS NOT a product; it's an ongoing living process
    - Train your employees
    - Security IS an intelligent combination of several areas -> "big picture"
    - Focus on your data, not only on the technology
    - Start with the basics
  • 30. Think about Solutions… (Oracle differentiator / no competition)
    - Problem: external attackers; internal threats; image damage; internal security regulations; regulatory compliance
    - Oracle solution: separation of duties; insider threat protection; strong access authentication; strong encryption (DB/OS/Net); fine grained real time external auditing; data consolidation control; high availability + security combination
    - Oracle security product: Advanced Security Option (ASO) with network encryption, transparent data encryption and strong authentication; Database Vault; Audit Vault; Secure Backup; Virtual Private Database (VPD); Oracle Label Security (OLS); Data Masking; Total Recall
  • 31. Oracle Security Solutions Summary (reporting & alerting across the top, IT management & integration underneath)
    - Identity and Access Management: Identity Administration (user provisioning, role management, self-service driven); Directory Services (scalable LDAP storage, virtual directory, directory synchronization); Access Management (risk-based authorization, entitlements management, single sign-on, federation, information rights management)
    - Database Security: Activity Monitoring (unauthorized activity detection, automated compliance reports, secure configuration audit); Access Control and Authorization (privileged user controls, multi-factor authorization, classification control); Encryption and Data Masking (transparent data encryption, de-identification for non-production, built-in key management)
  • 32. Database Defense-in-Depth
    - Monitoring: Configuration Management, Audit Vault, Total Recall
    - Access Control: Database Vault, Label Security
    - Encryption & Masking: Advanced Security, Secure Backup, Data Masking
  • 33. Oracle Advanced Security: Transparent Data Encryption (covers disk, backups, exports and off-site facilities, transparent to the application)
    - Complete encryption for data at rest
    - No application changes required
    - Efficient encryption of all application data
    - Built-in key lifecycle management
  • 34. Oracle Advanced Security: Network Encryption & Strong Authentication
    - Standards-based encryption for data in transit
    - Strong authentication of users and servers (e.g. Kerberos, RADIUS)
    - No infrastructure changes required
    - Easy to implement
  • 35. Oracle Data Masking: Irreversible De-Identification
    - Production (LAST_NAME / SSN / SALARY): AGUILAR / 203-33-3234 / 40,000; BENSON / 323-22-2943 / 60,000
    - Non-Production (LAST_NAME / SSN / SALARY): ANSKEKSL / 111-23-1111 / 60,000; BKJHHEIEDK / 222-34-1345 / 40,000
    - Remove sensitive data from non-production databases
    - Referential integrity preserved so applications continue to work
    - Sensitive data never leaves the database
    - Extensible template library and policies for automation
  • 36. Oracle Database Vault: Separation of Duties & Privileged User Controls (diagram: Procurement, HR and Finance application schemas, with a DBA issuing select * from finance.customers against the Finance data)
    - DBA separation of duties
    - Limit powers of privileged users
    - Securely consolidate application data
    - No application changes required
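What the Database Vault slide describes, as an added example that is not part of the deck: a realm around the Finance schema so that a DBA's system privileges no longer reach finance.customers, with only the application account authorized. The realm name, the FINANCE schema, the FIN_APP account and the tablespace-free setup are assumptions; it must be run by the Database Vault owner on a database where Database Vault is installed and enabled.

```sql
-- Added example, not from the deck. Assumed names: realm "Finance Realm",
-- application schema FINANCE, application account FIN_APP.
-- Run as the Database Vault owner (DV_OWNER role).
BEGIN
  -- A realm is the boundary Database Vault enforces on top of the normal
  -- privilege system: SELECT ANY TABLE held by a DBA no longer reaches in.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Finance schema: block privileged users, allow the app',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit denied access

  -- Every object of the FINANCE schema, of every type, belongs to the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- Only the application account is authorized; as a participant it may use
  -- its existing object grants but may not administer the realm itself.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FIN_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Check 1: the realm exists, is enabled and covers the FINANCE objects.
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
  FROM dba_dv_realm r
  JOIN dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'Finance Realm';

-- Check 2: who is authorized inside the realm (expected: FIN_APP only).
SELECT realm_name, grantee, auth_options
  FROM dba_dv_realm_auth
 WHERE realm_name = 'Finance Realm';

-- The DBA on the slide now gets, for: select * from finance.customers
--   ORA-01031: insufficient privileges
-- and, because of G_REALM_AUDIT_FAIL, a realm violation is written to the
-- Database Vault audit trail, which is the detection side of the control.
```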
  • 37. Oracle Database Vault: Multi-Factor Access Control Policy Enforcement (Procurement, HR and Rebates application data)
    - Protect application data and prevent application by-pass
    - Enforce who, where, when, and how using rules and factors
    - Out-of-the-box policies for Oracle applications, customizable
  • 38. Oracle Label Security: Data Classification for Access Control (diagram: sensitive transactions, confidential report data and public reports, each carrying a Confidential, Sensitive or Public label)
    - Classify users and data based on business drivers
    - Database enforced row level access control
    - User classification through Oracle Identity Management Suite
    - Classification labels can be factors in other policies
  • 39. Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting (audit data from HR, CRM and ERP databases consolidated; alerts, built-in reports, custom reports and policies for the auditor)
    - Consolidate audit data into a secure repository
    - Detect and alert on suspicious activities
    - Out-of-the-box compliance reporting
    - Centralized audit policy management
  • 40. Oracle Total Recall: Secure Change Management. Example query: select salary from emp AS OF TIMESTAMP '02-MAY-09 12.00 AM' where emp.title = 'admin'
    - Transparently track data changes
    - Efficient, tamper-resistant storage of archives
    - Real-time access to historical data
    - Simplified forensics and error correction
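The Total Recall slide shows a single AS OF query; this added example (not part of the deck) shows the feature end to end as a practitioner would use it for the forensics and error correction the slide names: enable Flashback Data Archive on the table, query the point-in-time state, list every version of a row in a window, and restore a value from history. The archive name fda_hr, tablespace fda_ts, table HR.EMP with columns EMPNO, TITLE and SALARY, and the employee number 7369 are assumptions.

```sql
-- Added example, not from the deck. Assumed: archive FDA_HR in tablespace
-- FDA_TS; table HR.EMP(EMPNO, TITLE, SALARY); employee 7369.
-- CREATE FLASHBACK ARCHIVE needs the FLASHBACK ARCHIVE ADMINISTER privilege;
-- enabling it on a table needs the FLASHBACK ARCHIVE object privilege.

-- 1. A retention-managed archive. History rows live in internal tables that
--    ordinary DML cannot change, which is what the slide calls tamper-resistant.
CREATE FLASHBACK ARCHIVE fda_hr TABLESPACE fda_ts RETENTION 1 YEAR;

-- 2. Track the table; the application is not touched.
ALTER TABLE hr.emp FLASHBACK ARCHIVE fda_hr;

-- Check: the table is tracked and which archive holds its history.
SELECT owner_name, table_name, flashback_archive_name
  FROM dba_flashback_archive_tables
 WHERE owner_name = 'HR' AND table_name = 'EMP';

-- 3. Point-in-time state (the slide's query, with an explicit timestamp
--    conversion so it does not depend on the session NLS settings).
SELECT empno, salary
  FROM hr.emp AS OF TIMESTAMP
       TO_TIMESTAMP('02-MAY-09 12.00.00 AM', 'DD-MON-RR HH.MI.SS AM')
 WHERE title = 'admin';

-- 4. Forensics: every version of each admin row since that moment, with the
--    operation (I/U/D), the transaction id and the interval it was current.
SELECT empno, salary,
       versions_operation, versions_xid,
       versions_starttime, versions_endtime
  FROM hr.emp
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('02-MAY-09 12.00.00 AM', 'DD-MON-RR HH.MI.SS AM')
         AND SYSTIMESTAMP
 WHERE title = 'admin'
 ORDER BY empno, versions_starttime;
-- versions_xid can be looked up in FLASHBACK_TRANSACTION_QUERY to see the
-- whole transaction (requires supplemental logging to be enabled).

-- 5. Error correction: put one salary back to what it was at that time.
UPDATE hr.emp e
   SET salary = (SELECT h.salary
                   FROM hr.emp AS OF TIMESTAMP
                        TO_TIMESTAMP('02-MAY-09 12.00.00 AM',
                                     'DD-MON-RR HH.MI.SS AM') h
                  WHERE h.empno = e.empno)
 WHERE e.empno = 7369;
COMMIT;
```

The restore in step 5 is itself recorded in the archive, so the versions query afterwards shows both the bad change and the correction with their transaction ids.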
  • 41. Database Defense-in-Depth (closing summary, repeating slide 32)
    - Monitoring: Configuration Management, Audit Vault, Total Recall
    - Access Control: Database Vault, Label Security
    - Encryption & Masking: Advanced Security, Secure Backup, Data Masking