Upload
fiona-faux
View
217
Download
0
Tags:
Embed Size (px)
Citation preview
1 Copyright © 2010, Oracle. All rights reserved
Cyber Security / Cyber WarfareHype or underestimated?Bert OltmansDirector Defence, Justice and Public SafetyCEE&CIS Region
3 Copyright © 2010, Oracle. All rights reserved
Agenda
• Current Environment• Facts & Figures• Cyber Security in Defense
4 Copyright © 2010, Oracle. All rights reserved
Cyber Security is an extension of traditional IT security
that protects applications and data connected to the
internet and exposed to attack, including offensive
(cyber warfare) as well as defensive and proactive
security measures.
A Definition
5 Copyright © 2010, Oracle. All rights reserved
Threat Environment
• Cyber Warfare is a reality
• And many incidents more…and growing
6 Copyright © 2010, Oracle. All rights reserved
• The network has become the battlefield• Used for Communications, collaboration, decision support,
simulation and modeling• Provides content delivery & information sharing
Internet
JXTATM Overlay Peer-to-Peer
Network
Virtual Mapping
SCF / Field Command
SensorGrid
The Battlefield TodayThe network is the battlefield
7 Copyright © 2010, Oracle. All rights reserved
The Warfighter Challenge
NATO Doctrine:• Network Centric Operations require a “Share-to-Win”
attitude
• Cyber Security Policies mandate a “need to know” strategy
8 Copyright © 2010, Oracle. All rights reserved
The Transformation in Defense
• Cyber Security is becoming a Nationalconcern
• US Cyber Command (USCYBERCOM) created on May 21, 2010
• “The admiral said he believes a cyber attack could trigger a response in accordance with Article 5 of the NATO Charter, which states that an attack on any alliance member is an attack on all alliance members”Navy Adm. James G. Stavridis, 29 November 2010 – Time Interview
© 2010 Oracle Corporation 9
2010 Data Breach Investigations Report
Regional Cyberspace
© 2010 Oracle Corporation 10
Role of Governments
• Increased importance of National Entities like CERT’s to monitor the Nation’s Critical Infrastructures and provide guidance
© 2010 Oracle Corporation 11
FACTS & FIGURES
12 Copyright © 2010, Oracle. All rights reserved
Two Thirds of Sensitive and Regulated Data Resides in Databases…
1,800 Exabytes1,800 Exabytes
Amount of Data in Databases Doubles Yearly
Amount of Data in Databases Doubles Yearly
20112011Source: IDC, 2008
13 Copyright © 2010, Oracle. All rights reserved
Over 900M Breached Records Resulted from Compromised Database Servers
Type Category % Breaches % Records
Database Server Servers & Applications 25% 92%Desktop Computer End-User Devices 21% 1%
2010 Data Breach Investigations Report
14 Copyright © 2010, Oracle. All rights reserved
How do Database Breaches Occur?Bad Guys Exploit Your Weaknesses!
48% involved privilege misuse40% resulted from hacking
38% utilized malware28% employed social tactics15% comprised physical attacks
2010 Data Breach Investigations Report
15 Copyright © 2010, Oracle. All rights reserved
Cyber Security in DefenseSome thoughts
1. Design/Procure Information Systems geared to Threat Environment (including Cyberspace)
2. Treat Information Technology as Mission Critical – not - Mission Enabling
3. Have Policies and Doctrines that acknowledge Cyber Warfare
16 Copyright © 2010, Oracle. All rights reserved
Information Systems in CyberspaceIt starts with a secure product
(1) Plan (4) Act
(2) Do (3) Check
A model for continuous improvement…
(Ref.: “PDCA Cycle”, originally developed by Walter A. Shewhart; Sometime
referred as Deming Cycle.)
1979: Project ‘Oracle’ with the CIA
1994: First vendor to complete ITSEC and TCSEC validations
Advanced Security Option
1998: First vendor to complete Common Criteria EAL4 validation
Virtual Private Database
2005: Introduction of the Critical Patch Update
2006: Database Vault
Adoption of CVSS
……
2010 Ongoing certifications
17 Copyright © 2010, Oracle. All rights reserved
Information Systems in CyberspaceAnd a Secure Implementation
TECHNOLOGY
PEOPLE PROCESSES
CYBERSPACE
18 Copyright © 2010, Oracle. All rights reserved
Software Security End User Perspectives
Vendor patch issuanceVendor patch issuance practices are most visible with customers,
… BUT…
Producing secure software requires
• Focused attention as early as the design phase
• Ongoing commitment throughout the entire development and pre-release phases
• Effective remediation procedures
Security Patches
Service Packs
Release QA
Secure Development
Security Testing
Coding Practices
Coding Standards
Design Requirements
19 Copyright © 2010, Oracle. All rights reserved
Make IT Mission Critical Include Deployment and Support
User Management
• Strong Authentication
• Fine-grained Authorizations
User Management
• Strong Authentication
• Fine-grained Authorizations
Core Platform Security
Core Platform Security
Access Control
• Controlling Privileged Users
• Custom Security Policies
• RBAC & LBAC Implementation
Access Control
• Controlling Privileged Users
• Custom Security Policies
• RBAC & LBAC Implementation
Monitoring
• Enterprise-Wide Auditing
• Configuration
Monitoring
• Enterprise-Wide Auditing
• Configuration
Data Protection
• Network Encryption
• Data Encryption
• Backup Encryption
Data Protection
• Network Encryption
• Data Encryption
• Backup Encryption
Secure Operating Environment
• Multi-Level Security
• Fault Tolerance
• Ubiquitous Support
Secure Operating Environment
• Multi-Level Security
• Fault Tolerance
• Ubiquitous Support
20 Copyright © 2010, Oracle. All rights reserved
Policies & Doctrines
• Cover Defensive and Offensive measures
• Implement down to single combat unit
21 Copyright © 2010, Oracle. All rights reserved
JICPAC Supports Coalition Forces with Access to Secure Information
SOLUTIONSJICPAC Trusted Workstation (TWS):• SunRay Ultra-thin client• Trusted Extensions for Solaris• CC EAL4 Certification on NEBS-certified Sun Servers
CHALLENGES / OPPORTUNITIES
• Security was preserved through air-gap networks (entirely disconnected) yet analyst required multiple networks and therefore 1 to 1 mapping of multiple desktop clients creating clutter and manual process
• Logging of audit trails was mostly on the “honor-system” with manual documentation
• Local clients meant far more maintenance and chance for degradation of information assurance levels
OVERVIEW
• Joint Intelligence Center of the Pacific (JICPAC) is located within the US Pacific Command (PACOM) Pearl Harbor, HI
RESULTS• Reduced acquisition costs and power
consumption through the consolidation of multiple PC clients into a single Sun Ray ultra-thin client
• Improved end-user operational efficiencies in the secure information workflows with complete audit trails through simultaneous connection to multiple networks
• Compatible with existing applications since they run in a Solaris open environment
22 Copyright © 2010, Oracle. All rights reserved
Albanian MoD Safeguards Classified Data to Prepare for NATO Accession
SOLUTIONS• Oracle Universal Content Management• Oracle Identity Management• Oracle Virtual Directory• Oracle Access Manager
CHALLENGES / OPPORTUNITIES
• Consolidate all structured and unstructured classified data on a secure, scalable, electronic platform prior to the April 2009 accession to the North Atlantic Treaty Organization (NATO)
• Enforce the highest internationally recognized standards for providing & auditing authorized access to classified Ministry of Defense (MoD) information
• Protect the integrity of sensitive military documents relating to Albania’s role in NATO operations assurance levels
OVERVIEW• Agency responsible for implementing the govt’s
defense & foreign policy objectives, & protecting the security of 3.6 million Albanian people
• Industry: Public Sector
• Employees: 500
RESULTS
• Provided a secure Web-based data storage platform to create and publish classified content
• Offered 100 users a single sign on and secure, seamless access to job-appropriate data
• Enabled the organization to set up user accounts in only a few hours
CUSTOMER PERSPECTIVE
“Oracle’s unbreakable security platform enables us to guarantee the integrity of sensitive defense data without impeding access to it by authorized personnel. We now have our data consolidated on a secure, scalable platform - enabling us to prepare for the accession to NATO.”
Genci Kokoshi, Chief of Information Technology
23 Copyright © 2010, Oracle. All rights reserved
For More Information
oracle.com/database/security
search.oracle.com
database securitydatabase security
24 Copyright © 2010, Oracle. All rights reserved
25 Copyright © 2010, Oracle. All rights reserved
26 Copyright © 2010, Oracle. All rights reserved
© 2010 Oracle Corporation 27
DiskDisk
BackupsBackups
ExportsExports
Off-SiteFacilitiesOff-SiteFacilities
Oracle Advanced SecurityProtect Data from Unauthorized Users
• Complete encryption for application data at rest to prevent direct access to data stored in database files, on tape, exports, etc. by IT Staff/OS users
• Efficient application data encryption without application changes
• Built-in two-tier key management for SoD with support for centralized key management using HSM/KMS
• Strong authentication of database users for greater identity assurance
ApplicationApplication
© 2010 Oracle Corporation 28
Oracle Database VaultEnforce Security Policies Inside the Database
• Automatic and customizable DBA separation of duties and protective realms
• Enforce who, where, when, and how using rules and factors
• Enforce least privilege for privileged database users
• Prevent application by-pass and enforce enterprise data governance
• Securely consolidate application data or enable multi-tenant data management
Procurement
HR
Finance
ApplicationDBA
select * from finance.customersDBA
SecurityDBA
Application
© 2010 Oracle Corporation 29
Oracle Audit VaultAudit Database Activity in Real-Time
• Consolidate database audit trail into secure centralized repository
• Detect and alert on suspicious activities, including privileged users
• Out-of-the box compliance reports for SOX, PCI, and other regulations
• E.g., privileged user audit, entitlements, failed logins, regulated data changes
• Streamline audits with report generation, notification, attestation, archiving, etc.
CRM Data
ERP Data
Databases
HR Data
Audit Data
Audit Data
PoliciesPolicies
Built-inReportsBuilt-inReports
AlertsAlerts
CustomReportsCustomReports
!
AuditorAuditor
© 2010 Oracle Corporation 30
Oracle Total RecallTrack Changes to Sensitive Data
select salary from emp AS OF TIMESTAMP
'02-MAY-09 12.00 AM‘ where emp.title = ‘admin’
• Transparently track application data changes over time
• Efficient, tamper-resistant storage of archives in the database
• Real-time access to historical application data using SQL
• Simplified incident forensics and recovery
© 2010 Oracle Corporation 31
Oracle Database FirewallFirst Line of Defense
PoliciesPoliciesBuilt-inReportsBuilt-inReportsAlertsAlerts Custom
ReportsCustomReports
ApplicationsBlock
Log
Allow
Alert
Substitute
• Monitor database activity to prevent unauthorized database access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc.
• Highly accurate SQL grammar based analysis without costly false positives
• Flexible SQL level enforcement options based on white lists and black lists
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations
© 2010 Oracle Corporation 32
Oracle Configuration Management Secure Your Database Environment
• Discover and classify databases into policy groups
• Scan databases against 400+ best practices and industry standards, custom enterprise-specific configuration policies
• Detect and event prevent unauthorized database configuration changes
• Change management dashboards and compliance reports
Monitor
ConfigurationManagement
& Audit
VulnerabilityManagement
Fix
Analysis &Analytics
Prioritize
PolicyManagement
AssessClassify MonitorDiscover
AssetManagement
© 2010 Oracle Corporation 33
Oracle Data MaskingIrreversibly De-Identify Data for Non-Production Use
• Make application data securely available in non-production environments
• Prevent application developers and testers from seeing production data
• Extensible template library and policies for data masking automation
• Referential integrity automatically preserved so applications continue to work
LAST_NAME SSN SALARY
ANSKEKSL 111—23-1111 60,000
BKJHHEIEDK 222-34-1345 40,000
LAST_NAME SSN SALARY
AGUILAR 203-33-3234 40,000
BENSON 323-22-2943 60,000
Production Non-Production
Data never leaves Database
© 2010 Oracle Corporation 34
Oracle Database Defense In Depth
• Oracle Advanced Security
• Oracle Identity Management
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Total Recall
• Oracle Database Firewall
• Oracle Configuration Management
• Oracle Data Masking