• Home

  • Documents

  • Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy...
30
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. Paul Laurent, J.D., M.S., CISSP, CISA Director of Cybersecurity Strategy Public 1 “Cyber Certainty”

Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

  • Upload
    others

  • View
    3

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Paul Laurent, J.D., M.S., CISSP, CISA Director of Cybersecurity Strategy

Public 1

“Cyber Certainty”

Page 2: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

An Introduction:

Page 3: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Conversations with:

- Business leadership - Security - Audit - Legal - Law Enforcement - Opposing Counsel

(Ranked in descending order of “fun”)

Page 4: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Pregame Routine:

Page 5: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

APTs

5

Page 6: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Meet PLA Unit 61398…

6

- “Quality Intrusions – Since 2006”

- >1000 Servers

- >2000 Employees

- 3 “personas”

Page 7: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Modus Operandi

7

- Spearphish - Recon

- Persistent - Privileges - Auditing

- Package up and remove EVERYTHING

Page 8: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Even If: Lone Wolves & Insiders

• Immense fallout from leaks • 3x as likely to target Public

Sector’s “Crown Jewel” Data Sets

• Curiosity, Ideology, Fame, Challenge, Advantage

Page 9: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. 9

- USPS

- Large scale health care intrusions

- USIS

- OPM

Threat Vectors: The Expanding Possible*

Page 10: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Threat Vectors: Can’t Make These Up…

Page 11: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Threat Vectors: File Under??

Page 12: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Page 13: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Hacktivists Before “The Interview” & Incentives

Page 14: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

The Day I Stopped Doing Vector Analysis…

Page 15: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

What’s More Preposterous?

Page 16: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Page 17: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Page 18: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

What’s typically missing?

18

- Clear understanding of the business objectives & priorities (risk)

- Risk Optics - The most granular unit of risk?

- “RBAC” - Impact on:

- Policy - Process - Enterprise Architecture

Page 19: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Involving Business

Page 20: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

FCC v. Pacifica Foundation

Page 21: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

The Security/Privacy Ratio

Page 22: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Having a Plan…

Page 23: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Key Takeaway 1: Even with the best statistical

chance…

Page 24: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Key Takeaway 2: “Risk” has multiple meanings

Page 25: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Key Takeaway 3: Speak the Same Language (Use Wheels)

Page 26: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Sample Objectives • Connect data to business risk • Common taxonomy for data

– Relation to business impact, not overly complex – Seek for commonality in interoperability, participation in programs, & grant

applications

• Methodology – Common risk/data taxonomy Ranks risk to confidentiality, integrity, & availability into

3 categorizations – Controls based on risk/impact

Page 27: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

A little help: Database Security Methodology Overview

Page 28: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Recommendations 1 Protect Sensitive Data

2 Enhance Auditing and Alerting of Database Activity

3 Encrypt Data at Rest

4 Password Controls

5 Separation of Duties/Control Authorized Access

6 Update Patching

7 Revoke Privileges on Sensitive Packages From “PUBLIC”

8 Server Security – file privileges

9 SQL Injection Prevention

10 Minor configuration issues

Mapped to a strategy: e.g. Value/Effort Map

Oracle Confidential - Restricted

2 3

6 7

8 10

1

9

28

5 4

Page 29: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Granular specifics & configuration detail

Page 30: Exadata X5 Field Update - British Columbia · • Connect data to business risk • Common taxonomy for data –Relation to business impact, not overly complex –Seek for commonality

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Questions

| Oracle Confidential – Highly Restricted 30


oracle exadata stor server x3-2 cle exadata storage

oracle exadata stor server x3-2 cle exadata storage

Documents
Exadata ejecutivo

Exadata ejecutivo

Technology
COMMONALITY AND INDIVIDUALITY IN ACADEMIC WRITING …€¦ · commonality and individuality in academic writing: ... sociolinguistic studies, ... commonality and individuality in

COMMONALITY AND INDIVIDUALITY IN ACADEMIC WRITING …€¦ · commonality and individuality in academic writing: ... sociolinguistic studies, ... commonality and individuality in

Documents
Commonality in Religion

Commonality in Religion

Documents
TEOPS: “Groups, Commonality, Activity, Capabilities

TEOPS: “Groups, Commonality, Activity, Capabilities

Documents
Assgmnt 1 Commonality

Assgmnt 1 Commonality

Documents
Exadata-Weiss1--Oracle Exadata Database Machine · PDF fileTitle: Microsoft PowerPoint - Exadata-Weiss1--Oracle Exadata Database Machine Architecture.pptx Author: rweiss Created Date:

Exadata-Weiss1--Oracle Exadata Database Machine · PDF fileTitle: Microsoft PowerPoint - Exadata-Weiss1--Oracle Exadata Database Machine Architecture.pptx Author: rweiss Created Date:

Documents
Exadata troubleshooting

Exadata troubleshooting

Technology
exadata | best exadata training | oracle exadata - oracle trainings

exadata | best exadata training | oracle exadata - oracle trainings

Education
Oracle Exadata

Oracle Exadata

Documents
Commonality in the time-variation of stock–stock and ...bobconnolly.web.unc.edu/files/2017/09/Commonality-in-the-time... · Journal of Financial Markets 10 (2007) 192–218 Commonality

Commonality in the time-variation of stock–stock and ...bobconnolly.web.unc.edu/files/2017/09/Commonality-in-the-time... · Journal of Financial Markets 10 (2007) 192–218 Commonality

Documents
Exadata MAA Best Practices Series Session 10 ... - Oracle · Siebel on Exadata 3. PeopleSoft on Exadata 4. Exadata and OLTP Applications 5. Using Resource Manager on Exadata 6. Migrating

Exadata MAA Best Practices Series Session 10 ... - Oracle · Siebel on Exadata 3. PeopleSoft on Exadata 4. Exadata and OLTP Applications 5. Using Resource Manager on Exadata 6. Migrating

Documents
A Technical Overview of the Oracle Exadata Database ...hosteddocs.ittoolbox.com/dw_us_en_wp_exadatassdm.pdf · Oracle Exadata Database Machine and Exadata Storage Server . ... Exadata

A Technical Overview of the Oracle Exadata Database ...hosteddocs.ittoolbox.com/dw_us_en_wp_exadatassdm.pdf · Oracle Exadata Database Machine and Exadata Storage Server . ... Exadata

Documents
Ignite DC 7- Overly Educated, Overly Broke

Ignite DC 7- Overly Educated, Overly Broke

Documents
Shape Commonality Index

Shape Commonality Index

Documents
Exadata performance

Exadata performance

Documents
Exadata Snapshot Databases - DOAG Deutsche ORACLE … · Exadata Test Environments Cloning Exadata DBs either sacrificed Exadata features by running clones on another platform or

Exadata Snapshot Databases - DOAG Deutsche ORACLE … · Exadata Test Environments Cloning Exadata DBs either sacrificed Exadata features by running clones on another platform or

Documents
Commonality Unleashed Across Functions and Industries · Commonality Unleashed Across . Functions and Industries . ... perception that each industry is unique, ... Commonality Unleashed

Commonality Unleashed Across Functions and Industries · Commonality Unleashed Across . Functions and Industries . ... perception that each industry is unique, ... Commonality Unleashed

Documents
Exadata - DOAG

Exadata - DOAG

Documents
Praying beads, a pagan commonality

Praying beads, a pagan commonality

Spiritual
A System-of-Systems Approach to Component Commonality · For the purposes of component commonality, the systems classes are defined as follows: Class Systems Included Commonality

A System-of-Systems Approach to Component Commonality · For the purposes of component commonality, the systems classes are defined as follows: Class Systems Included Commonality

Documents
Commonality of Standards

Commonality of Standards

Education
Exadata Distinctives

Exadata Distinctives

Documents
Exadata training

Exadata training

Technology
Annah Overly Thesis

Annah Overly Thesis

Documents
ExtremeDataWarehousePerformance’ withOracle Exadata’’’Days... · ExtremeDataWarehousePerformance’ withOracle Exadata ... – Buton" Exadata,"itcan"be"controlled"effec3vely"

ExtremeDataWarehousePerformance’ withOracle Exadata’’’Days... · ExtremeDataWarehousePerformance’ withOracle Exadata ... – Buton" Exadata,"itcan"be"controlled"effec3vely"

Documents
Ault Exadata

Ault Exadata

Documents
Quest for Commonality

Quest for Commonality

Documents
Unsupervised Commonality Discovery in Images

Unsupervised Commonality Discovery in Images

Documents
Oracle Exadata X8 · 2019-06-11 · between the Oracle Exadata Database servers and the Oracle Exadata Storage servers. Oracle Exadata Smart Scan technology automatically offloads

Oracle Exadata X8 · 2019-06-11 · between the Oracle Exadata Database servers and the Oracle Exadata Storage servers. Oracle Exadata Smart Scan technology automatically offloads

Documents