Databases. Databases store the most sensitive information in companies/organizations
|
|
- Hope Benson
- 8 years ago
- Views:
Transcription
1 Database Security
2 Databases Databases store the most sensitive information in companies/organizations Larger organizations have often thousands of databases distributed through the entire organization Database software has a similar complexity to operating systems Database vendor ignored security for a long time Patching is complicated (side effects, time intensive)
3 Agenda Presentation is divided into 3 parts Top-5 Security Problems of Databases Controls to Patch Top 5 Security Problems Typical Database Attackers
4 Top 5 Database Problems (Weak) passwords No database inventory Segregation of duties Missing patches Insecure code inside the database
5 (Weak) Passwords 99% of all companies/organizations have weak passwords (password=user, password=companyname,...) Passwords are identical through all databases (know one system password and connect to all DBs) No database vendor has a default tool to check for weak passwords DBAs are not allowed/able to change weak passwords (to avoid side effects) It often takes years to change weak passwords (see next example)
6 The ivory tower architecture Security and Business Rules Simple architecture Clients accessing a database via application server No direct access to the database Security and business rules are enforced in the application server Password change on database and application server
7 The ivory tower solution in the real world S&B rules You have nice data, we will use it Some people must connect with special tools like TOAD New project Another project We need a reporting solution We just do a database link Yet another project Real World Complex architecture All types of clients are accessing the database Security and business rules only enforced in the first application server Passwords are stored in many places. Normally not documented
8 Database Inventory In larger organizations it is normally unknown how many databases there are and what versions/ databases are used. No reliable (single) method to find all databases. Even the database vendors have difficulties to find them during a license audit. There is a average 5-10% rate of unknown databases Most of these development/staging databases are clones of production systems (with real unobfuscated data)
9 Segregation of Duties Different players and responsibilities OS Administrator (responsible for OS Patches, setup,...) DBA (responsible for DB Patches, setup, ) Backup-Administrator (responsible for Backups) Application Administrator (Application itself) Developers (bug fixes code, )
10 Missing patches Applying database (security) patches is often complicated, time-consuming and error-prone A typical Oracle security patch takes on average 4h time to apply (coordination + applying the patch itself) (1,000 DB * 4 h * 4 patches/yr = 16,000 hours) This time does NOT include the time to test the application
11 Insecure Code in the DB Usage of too many privileges Common security flaws like SQL Injection allowing privilege escalation The owner of this custom code (e.g. inhouse developer or 3 rd party SW vendor) is responsible for fixing this problem.
12 Controls to Patch Top 5 Security Problems (Weak) passwords No database inventory Segregation of duties Missing patches Insecure code inside the database
13 Weak Passwords - Controls Perform regular password checks for database and application passwords Document the usage of databases (Who is accessing what/when/ ) to be able change passwords without risk Start analysis (reverse engineering) of database access (e.g. using Triggers or Auditing). Takes often 3-6 months. Divide responsibility for password changes to responsible person DBAs for DBA accounts End user for their accounts Application owner for application accounts
14 Database Inventory - Controls Create an inventory of all databases and keep this inventory up-to-date Document usage of obfuscation of critical data in development /staging and production databases.
15 Segregation of Duties - Controls Train the different groups in database security to increase the awareness of the different groups Create secure coding policies to avoid insecure code from the beginning Add a section to contracts with 3 rd -party software companies to avoid that security patches are handled as change request
16 Missing Patches - Controls Install missing patches as soon as possible Use only supported versions of databases to minimize the amount of database versions Reduce the number of supported DB/OS combinations. Less combinations are easier to test and maintain.
17 Insecure Code in the DB - Controls Secure development training for developers Create secure coding policies Secure coding policies should be part of the contract for 3 rd -party SW-companies Regular review of critical applications Peer review of code
18 Classifcation of Attackers Curious DBA or Employee DBA covering its own faults Criminal employee Leaving employee External hacker Intelligence agency
19 Curious DBA or Employee Type: Curious DBA or employee Scenario: Interested in private/ sensitive information. Samples: Looking up for salary of colleagues, private numbers, s, account status of politician, Supporting private investigators (PI) Known incidents: Miles & More (Employee was looking up what politicians Identification: Mostly select statements, Few/No traces without audit, Difficult to spot
20 Curious DBA or Employee Example: Search data of colleagues SQL> select * from hr.emp where salary > 10000; Example: Search data of celebrities SQL> select * from customers where nachname='tom' and vorname = 'Cruise'; Tom Cruise, , Account 123,123.00
21 Curious DBA or Employee Example: Disable Oracle Auditing and select data SQL> oradebug poke 0x060041BA8 2 0 SQL> select * from hr.emp where salary > 10000;
22 DBA covering it's own fault Type: DBA covering it's own fault Scenario: Try to remove evidence about a (serious) fault. Probably it's not a good approach to ask the DBA to do the forensics Samples: Deleted the wrong user, killed the wrong database session, changed the wrong password Identification: Easier because timeframe is defined, backups / archive logs disappear, Modification of audit-table,
23 Criminal Employee Type: Criminal employee Scenario: Interested to earn money, damage the company, blackmail,. Samples: Getting insider information (stocks, merger&acquisition) Get company secrets (formulas, algorithm, source code, ) Blackmailing companies (with customer data, e.g. black money) Reset bills of friends and families Known incidents: LGT Bank Liechtenstein, Coca Cola recipe, Identification: Attackers invest time/ resources to hide, modifying data (invoice), Longer period affected
24 Example Reset bill of friends aka Friends & Family SQL> update billing set amount=34 where userid=47111; Change Health Insurance account number and bypass SAP completely SQL> update sapr3.tsd1k set blzzs=' ', KNRZS = '35921' where KUSCH=17;
25 Example It is normally easy to follow financial transactions. That s a challenge in (perfect) computer crimes. The following approach steals money without leaving financial traces. The attacker is not stealing money, instead of he is deleting his debts. Apply for credit for a house (e.g. 750,000 CHF) Get the money from the bank and buy the house Pay the rates for the credit for a few months. Set the credit to zero.
26 Leaving Employees Type: Leaving employees Scenario: Get as much data/ information for the new job as possible. Most common attack Samples: Export the production database Get customer reports, pricelists, Identification: Longer timeframe (1-3 month before they left the company), no/little experience in removing traces
27 Leaving Employees Example Extract sensitive data (e.g. using Excel, normal reports ) select * from customers Export entire Database (especially developers) exp.exe userid=grips/grips@grips full=y
28 External Hacker Type: External Hacker Scenario: Steal interesting stuff. Samples: Steal data for a competitor Steal credit card information Steal Source Code Break in just for fun Known Incidents: TJX, Cardsystems, Cisco Sourcecode, Identification: Many traces on the way into the system, attackers often lazy
29 Example SQL Injection
30 Intelligence Agency / Organized Crime Type: Intelligence Agency / Organized Crime Scenario: Get valuable information (military, economic) to protect the country Samples: Steal military data Intercept proposals, financial data, Known Incidents: Lopez/Volkswagen (CIA), ICE (France), Whitehouse/ Bundestag/ (China) Known Suspects: China, France, Israel, Russia, US
31 Intelligence Agency / Organized Crime Examples Buy customer lists with black money (Germany vs. Liechtenstein/Switzerland Stuxxnet
32 Thank you Contact: Red-Database-Security GmbH Bliesstr. 16 D Neunkirchen Germany
Live-Hacking von Oracle- Datenbanken
Live-Hacking von Oracle- Datenbanken Agenda Introduction Typical Database Attackers Exploits Countermeasure Databases in the real world The ivory tower architecture Security and Business Rules Simple architecture
More informationA Database Security Management White Paper: Securing the Information Business Relies On. November 2004
A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:
More informationHow To Secure A Database From A Leaky, Unsecured, And Unpatched Server
InfoSphere Guardium Ingmārs Briedis (ingmars.briedis@also.com) IBM SW solutions Agenda Any questions unresolved? The Guardium Architecture Integration with Existing Infrastructure Summary Any questions
More informationMcAfee Database Security. Dan Sarel, VP Database Security Products
McAfee Database Security Dan Sarel, VP Database Security Products Agenda Databases why are they so frail and why most customers Do very little about it? Databases more about the security problem Introducing
More informationDatabase Auditing & Security. Brian Flasck - IBM Louise Joosse - BPSolutions
Database Auditing & Security Brian Flasck - IBM Louise Joosse - BPSolutions Agenda Introduction Drivers for Better DB Security InfoSphere Guardium Solution Summary Netherlands Case Study The need for additional
More informationComprehensive Approach to Database Security
Comprehensive Approach to Database Security asota@hotmail.com NYOUG 2008 1 What will I discuss today Identify Threats, Vulnerabilities and Risk to Databases Analyze the drivers for Database Security Identify
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationSAP Secure Operations Map. SAP Active Global Support Security Services May 2015
SAP Secure Operations Map SAP Active Global Support Security Services May 2015 SAP Secure Operations Map Security Compliance Security Governance Audit Cloud Security Emergency Concept Secure Operation
More informationWorldwide Trends in Database Threats and Database Security jacob@sentrigo.com
Worldwide Trends in Database Threats and Database Security jacob@sentrigo.com The basics No-one is going to say to a DBA: "Congratulations, no-one stole data from us this year. Here s a 10% pay raise"
More informationDatabase security issues PETRA BILIĆ ALEXANDER SPARBER
Database security issues PETRA BILIĆ ALEXANDER SPARBER Introduction Database security is one aspect of computer security It uses different information security controls to protect databases Information
More informationSecurity and Control Issues within Relational Databases
Security and Control Issues within Relational Databases David C. Ogbolumani, CISA, CISSP, CIA, CISM Practice Manager Information Security Preview of Key Points The Database Environment Top Database Threats
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationSecuring Data in Oracle Database 12c
Securing Data in Oracle Database 12c Thomas Kyte http://asktom.oracle.com/ Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes
More informationHow Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant
How Security Testing can ensure Your Mobile Application Security Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant Once More Consulting & Advisory Services IT Governance IT Strategic
More informationGuardium Change Auditing System (CAS)
Guardium Change Auditing System (CAS) Highlights. Tracks all changes that can affect the security of database environments outside the scope of the database engine Complements Guardium's Database Activity
More informationPresentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy
Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes
More information1 2011 Oracle Corporation
1 2011 Oracle Corporation Hackers and Hacking. Demonstration 2. SQL Injection Hacks Stuart Sharp, Information Security Sales Consultant, Oracle 2 2011 Oracle Corporation Insert Information Protection Policy
More informationEC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.
CENTER FOR ADVANCED SECURITY TRAINING 619 Advanced SQLi Attacks and Countermeasures Make The Difference About Center of Advanced Security Training () The rapidly evolving information security landscape
More informationDatabase Assessment. Vulnerability Assessment Course
Database Assessment Vulnerability Assessment Course All materials are licensed under a Creative Commons Share Alike license. http://creativecommons.org/licenses/by-sa/3.0/ 2 Agenda Introduction Configuration
More informationSecond CRM CRM Solution for Small Companies
Second CRM CRM Solution for Small Companies Technologize Your Business TM Introductory Presentation June 2010 Agenda Second CRM On Demand CRM Solution Introduction Second CRM Features Pricing, Implementation
More informationPREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES
PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES Ira Winkler Codenomicon Session ID: MBS-W05 Session Classification: Intermediate Zero Day Attacks Zero day attacks are rising in prominence They tend to be
More informationQuickBooks Online: Security & Infrastructure
QuickBooks Online: Security & Infrastructure May 2014 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability...
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationIT Security Risks & Trends
IT Security Risks & Trends Key Threats to All Businesses 1 1 What do the following have in common? Catholic church parish Hospice Collection agency Main Street newspaper stand Electrical contractor Health
More informationOracle Audit in a Nutshell - Database Audit but how?
Oracle Audit in a Nutshell - Database Audit but how? DOAG + SOUG Security-Lounge Stefan Oehrli Senior Consultant Discipline Manager Trivadis AG Basel 24. April 2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF
More informationSelecting a Database
Computers & Operating System versions: What types of computers and operating systems (OS) does your agency use? What OS versions? For example, Windows XP or Mac OS X? Which are supported by the database?
More informationState of Wisconsin Database Hosting Services Roles and Responsibilities
State of Wisconsin Hosting Services oles and esponsibilities Document evision History (Major Post Publishing evisions Only) Date Version reator Notes 12/9/2010 1.0 This document describes the Hosting Services
More informationCircumvent Oracle s Database Encryption and Reverse Engineering of Oracle Key Management Algorithms. Alexander Kornbrust 28-July-2005
Circumvent Oracle s Database Encryption and Reverse Engineering of Oracle Key Management Algorithms Alexander Kornbrust 28-July-2005 Alexander Kornbrust, 28-Jul-2005 V1.06 1 Agenda 1. Motivation 2. Key
More informationObtaining Value from Your Database Activity Monitoring (DAM) Solution
Obtaining Value from Your Database Activity Monitoring (DAM) Solution September 23, 2015 Mike Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy Corporation
More informationTop Ten Fraud Risks in the Oracle E Business Suite
Top Ten Fraud Risks in the Oracle E Business Suite Jeffrey T. Hare, CPA CISA CIA Industry Analyst, Author, Consultant ERP Risk Advisors Stephen Kost Chief Technology Officer Integrigy Corporation February
More informationSecurity Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014
Security Testing Vulnerability Assessment vs Penetration Testing Gabriel Mihai Tanase, Director KPMG Romania 29 October 2014 Agenda What is? Vulnerability Assessment Penetration Testing Acting as Conclusion
More informationOWASP Top Ten Backdoors
OWASP Top Ten Backdoors 1 Yaniv Simsolo, COMSEC Consulting The news about the above agreement was posted on Cisco site in mid 1998. Shortly this news was removed from Cisco website. Gradually all this
More informationTop Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009
Top Five Data Security Trends Impacting Franchise Operators Payment System Risk September 29, 2009 Top Five Data Security Trends Agenda Data Security Environment Compromise Overview and Attack Methods
More informationApplication Intrusion Detection
Application Intrusion Detection Drew Miller Black Hat Consulting Application Intrusion Detection Introduction Mitigating Exposures Monitoring Exposures Response Times Proactive Risk Analysis Summary Introduction
More informationBEST PRACTICES. Systems Management. www.kaspersky.com
BEST PRACTICES www.kaspersky.com 2 YOUR GUIDE TO SYSTEMS MANAGEMENT BEST PRACTICES. Enhance security and manage complexity using centralized IT management tools. Unpatched vulnerabilities in popular applications
More information1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information
1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information Proteggere i dati direttamente nel database Una proposta tecnologica Angelo Maria Bosis Sales Consulting Senior Manager
More informationWhat s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
More informationOracle Database Security
Oracle Database Security Paul Needham, Senior Director, Product Management, Database Security Target of Data Breaches 2010 Data Breach Investigations Report Type Category % Breaches
More information31 Ways To Make Your Computer System More Secure
31 Ways To Make Your Computer System More Secure Copyright 2001 Denver Tax Software, Inc. 1. Move to more secure Microsoft Windows systems. Windows NT, 2000 and XP can be made more secure than Windows
More informationSecuring SharePoint 101. Rob Rachwald Imperva
Securing SharePoint 101 Rob Rachwald Imperva Major SharePoint Deployment Types Internal Portal Uses include SharePoint as a file repository Only accessible by internal users Company Intranet External Portal
More informationMatriXay Database Vulnerability Scanner V3.0
MatriXay Database Vulnerability Scanner V3.0 (DAS- DBScan) - - - The best database security assessment tool 1. Overview MatriXay Database Vulnerability Scanner (DAS- DBScan) is a professional tool with
More informationMicrosoft SQL Server Security & Auditing. March 23, 2011 ISACA Chapter Meeting
Microsoft SQL Server Security & Auditing March 23, 2011 ISACA Chapter Meeting Agenda Introduction SQL Server Product Description SQL Security Basics Security System Views Evolution of Tool Set for Auditing
More informationHacking Database for Owning your Data
Hacking Database for Owning your Data 1 Introduction By Abdulaziz Alrasheed & Xiuwei Yi Stealing data is becoming a major threat. In 2012 alone, 500 fortune companies were compromised causing lots of money
More informationPenetration Testing in Romania
Penetration Testing in Romania Adrian Furtunǎ, Ph.D. 11 October 2011 Romanian IT&C Security Forum Agenda About penetration testing Examples Q & A 2 What is penetration testing? Method for evaluating the
More informationCredit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600
Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle
More informationOracle Database Security. Nathan Aaron ICTN 4040 Spring 2006
Oracle Database Security Nathan Aaron ICTN 4040 Spring 2006 Introduction It is important to understand the concepts of a database before one can grasp database security. A generic database definition is
More informationFacilitating Efficient Data Management by Craig S. Mullins
Facilitating Efficient Data Management by Craig S. Mullins Most modern applications utilize database management systems (DBMS) to create, store and manage business data. The DBMS software enables end users
More informationProtecting Sensitive Data Reducing Risk with Oracle Database Security
Protecting Sensitive Data Reducing Risk with Oracle Database Security Antonio.Mata.Gomez@oracle.com Information Security Architect Agenda 1 2 Anatomy of an Attack Three Steps to Securing an Oracle Database
More informationCONSIDERATIONS BEFORE MOVING TO THE CLOUD
CONSIDERATIONS BEFORE MOVING TO THE CLOUD What Management Needs to Know Part II By Debbie C. Sasso Principal In part I, we discussed organizational compliance related to information technology and what
More informationInformation Technology Solutions. Managed IT Services
Managed IT Services System downtime, viruses, spyware, lost productivity; if these problems are impacting your business, it is time to make technology work for you. At ITS, we understand the importance
More informationOracle Audit Vault and Database Firewall
Oracle Audit Vault and Database Firewall Angelo Maria Bosis Sales Consulting Director Oracle Italia Billions of Database Records Breached Globally 97% of Breaches Were Avoidable with
More informationOracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation
Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts May 15, 2014 Mike Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy
More informationAnatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow
Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow Agenda Background & Threat landscape Breach: A Case Study Incident Response Best Practices Lessons Learned
More informationStrategies for Monitoring Large Data Centers with Oracle Enterprise Manager. Ana McCollum Consulting Product Manager
Strategies for Monitoring Large Data Centers with Oracle Enterprise Manager Ana McCollum Consulting Product Manager The following is intended to outline our general product direction. It is intended for
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationData Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan
WHITE PAPER Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan Introduction to Data Privacy Today, organizations face a heightened threat landscape with data
More informationVendor Audit Questionnaire
Vendor Audit Questionnaire The following questionnaire should be completed as thoroughly as possible. When information cannot be provided it should be noted why it cannot be provided. Information may be
More informationThat Point of Sale is a PoS
SESSION ID: HTA-W02 That Point of Sale is a PoS Charles Henderson Vice President Managed Security Testing Trustwave @angus_tx David Byrne Senior Security Associate Bishop Fox Agenda POS Architecture Breach
More informationCyber - Security and Investigations. Ingrid Beierly August 18, 2008
Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities
More informationDATABASE ADMINISTRATION (DBA) SERVICES
DATABASE ADMINISTRATION (DBA) SERVICES Expert, Cost-effective DBA Services As An Extension of Your IT Staff Connectria s Database Administration Services allow you to free your staff and resources to focus
More informationImplementing Database Security and Auditing
Implementing Database Security and Auditing A guide for DBAs, information security administrators and auditors Ron Ben Natan ELSEVIER DIGITAL PRESS Amsterdam Boston Heidelberg London New York Oxford P
More informationAttachment E. RFP Requirements: Mandatory Requirements: Vendor must respond with Yes or No. A No response will render the vendor nonresponsive.
Attachment E RFP Requirements: Mandatory Requirements: Vendor must respond with Yes or No. A No response will render the vendor nonresponsive. Questions Support for Information Security 1. The Supplier
More informationITPS AG. Aplication overview. DIGITAL RESEARCH & DEVELOPMENT SQL Informational Management System. SQL Informational Management System 1
ITPS AG DIGITAL RESEARCH & DEVELOPMENT SQL Informational Management System Aplication overview SQL Informational Management System 1 Contents 1 Introduction 3 Modules 3 Aplication Inventory 4 Backup Control
More informationThe Risks that Pen Tests don t Find. OWASP 13 April 2012. The OWASP Foundation http://www.owasp.org
The Risks that Pen Tests don t Find 13 April 2012 Gary Gaskell Infosec Services gaskell@infosecservices.com 0438 603 307 Copyright The Foundation Permission is granted to copy, distribute and/or modify
More information<Insert Picture Here> Oracle Database Vault
Oracle Database Vault Kamal Tbeileh Senior Principal Product Manager, Database Security The following is intended to outline our general product direction. It is intended for information
More informationHow To Secure An Extended Enterprise
Data Security Initiatives The Layered Approach Melissa Perisce Regional Director, Global Services, South Asia April 25, 2010 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Intel Case Study Asia North
More informationInception of the SAP Platform's Brain Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain Attacks on SAP Solution Manager Juan Perez-Etchegoyen jppereze@onapsis.com May 23 rd, 2012 HITB Conference, Amsterdam Disclaimer This publication is copyright 2012
More information3 rd InfoCom Security, Athens, 10 Arpil 2013
3 rd InfoCom Security, Athens, 10 Arpil 2013 Kostas Kolokotronis Manager, Security Architecture Services CISSP, PCI DSS QSA 2001-2013 Encode S.A. All rights reserved. Encode logo & Extrusion Testing is
More informationCentralized Oracle Database Authentication and Authorization in a Directory
Centralized Oracle Database Authentication and Authorization in a Directory Paul Sullivan Paul.J.Sullivan@oracle.com Principal Security Consultant Kevin Moulton Kevin.moulton@oracle.com Senior Manager,
More informationDatabase Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations rbarnes@appsecinc.com
Database Auditing: Best Practices Rob Barnes, CISA Director of Security, Risk and Compliance Operations rbarnes@appsecinc.com Verizon 2009 Data Breach Investigations Report: 285 million records were compromised
More informationBest Practices for Oracle Databases Hardening Oracle 10.2.0.3 / 10.2.0.4
Best Practices for Oracle Databases Hardening Oracle 10.2.0.3 / 10.2.0.4 Alexander Kornbrust Table of Content Passwords (Security) Patches Database Settings PUBLIC Privileges Database Trigger Compiling
More informationSecuring Data on Microsoft SQL Server 2012
Securing Data on Microsoft SQL Server 2012 Course 55096 The goal of this two-day instructor-led course is to provide students with the database and SQL server security knowledge and skills necessary to
More informationAgenda. 3 2012, Palo Alto Networks. Confidential and Proprietary.
Agenda Evolution of the cyber threat How the cyber threat develops Why traditional systems are failing Need move to application controls Need for automation 3 2012, Palo Alto Networks. Confidential and
More informationCybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix
Cybercrime myths, challenges and how to protect our business Vladimir Kantchev Managing Partner Service Centrix Agenda Cybercrime today Sources and destinations of the attacks Breach techniques How to
More informationDatabase Security Guide
Institutional and Sector Modernisation Facility ICT Standards Database Security Guide Document number: ISMF-ICT/3.03 - ICT Security/MISP/SD/DBSec Version: 1.10 Project Funded by the European Union 1 Document
More informationPractical Threat Intelligence. with Bromium LAVA
Practical Threat Intelligence with Bromium LAVA Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationThe Cloud App Visibility Blindspot
The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before
More informationIBM Software InfoSphere Guardium. Planning a data security and auditing deployment for Hadoop
Planning a data security and auditing deployment for Hadoop 2 1 2 3 4 5 6 Introduction Architecture Plan Implement Operationalize Conclusion Key requirements for detecting data breaches and addressing
More informationThe Cloud App Visibility Blind Spot
WHITE PAPER The Cloud App Visibility Blind Spot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Line-of-business leaders everywhere are bypassing IT departments
More informationOracle Security Auditing
Introduction - Commercial Slide. RISK 2008, Oslo, Norway, April 23 rd 2008 Oracle Security Auditing By Pete Finnigan Written Friday, 25th January 2008 Founded February 2003 CEO Pete Finnigan Clients UK,
More informationOracle Security Auditing
RISK 2008, Oslo, Norway, April 23 rd 2008 Oracle Security Auditing By Pete Finnigan Written Friday, 25th January 2008 1 Introduction - Commercial Slide. Founded February 2003 CEO Pete Finnigan Clients
More informationOracle Database Security Myths
Oracle Database Security Myths December 13, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation About Integrigy ERP Applications
More informationThe monsters under the bed are real... 2004 World Tour
Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures
More informationUniversity of Liverpool
University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October
More informationNine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity
Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers
More informationMS-55096: Securing Data on Microsoft SQL Server 2012
MS-55096: Securing Data on Microsoft SQL Server 2012 Description The goal of this two-day instructor-led course is to provide students with the database and SQL server security knowledge and skills necessary
More informationAll Things Oracle Database Encryption
All Things Oracle Database Encryption January 21, 2016 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation Agenda Database Encryption
More informationDefending the Database Techniques and best practices
ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target
More informationComplete Database Security. Thomas Kyte http://asktom.oracle.com/
Complete Database Security Thomas Kyte http://asktom.oracle.com/ Agenda Enterprise Data Security Challenges Database Security Strategy Oracle Database Security Solutions Defense-in-Depth Q&A 2 Copyright
More informationDatabase Security & Auditing
Database Security & Auditing Jeff Paddock Manager, Enterprise Solutions September 17, 2009 1 Verizon 2009 Data Breach Investigations Report: 285 million records were compromised in 2008 2 Agenda The Threat
More informationInformation Security & Privacy Solutions Enabling Information Governance
Information Security & Privacy Solutions Enabling Information Governance LYNDA KEITANY IM SALES SPECIALIST July 11, 2012 What s at Stake? Damage to company reputation Brand equity damage; negative publicity
More informationHOW OBSERVEIT ADDRESSES KEY HONG KONG IT SECURITY GUIDELINES
HOW OBSERVEIT ADDRESSES KEY HONG KONG IT SECURITY GUIDELINES The Office of the Government Chief Information Officer of The Government of the Hong Kong Special Administrative Region issued its IT Security
More informationOracle Security on Windows
Introduction - commercial slide. UKOUG Windows SIG, September 25 th 2007 Oracle Security on Windows By Pete Finnigan Written Friday, 07 September 2007 Founded February 2003 CEO Pete Finnigan Clients UK,
More informationCopyright 2013, Oracle and/or its affiliates. All rights reserved.
1 Security Inside Out Latest Innovations in Oracle Database 12c Jukka Männistö Database Architect Oracle Nordic Coretech Presales The 1995-2014 Security Landscape Regulatory Landscape HIPAA, SOX (2002),
More informationOracle Database Security Services
Oracle Database Security Services BUSINESS CHALLENGES Public announcements of major IT security breaches have become an almost daily occurrence. The causes of publicized breaches are diverse and include
More informationCopyright 2013, Oracle and/or its affiliates. All rights reserved.
1 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationImplementing HIPAA Compliance with ScriptLogic
Implementing HIPAA Compliance with ScriptLogic A ScriptLogic Product Positioning Paper By Nick Cavalancia 1.800.424.9411 www.scriptlogic.com Table of Contents INTRODUCTION... 3 HIPAA BACKGROUND... 3 ADMINISTRATIVE
More information