Do you spend a lot of time in SQL Developer working on your very large package? Have a look at the Quick Outline from Jeff Smith of Oracle SQL Developer fame. Besides being a great Product Manager (hey Uncle Larry, give Jeff a raise) he is an all-around good guy.
We all make New Year's resolutions, but frequently we wind up abandoning them. So make a list of what you want to accomplish. I carry around with me a notebook that I am constantly writing in. What is my top piece of advice? Carry a notebook around and write out every idea you have, big and small.
My notebook includes: 1) A checklist of things I need to get done, either today or in the future.
2) charts to measure the importance of something or the risk of taking an action.
3) Random mind maps. When I get an idea and I can’t quite nail it down, I normally start with a mind map and let things flow where they may.
4) Big ideas and bold steps. I try to always have at least three bold things I want to do listed. I then break my big ideas and bold steps down into manageable chunks and make a checklist of what I want to accomplish every day to turn my big ideas into reality.
5) Doodles of where I am today, and where I want to be in one year. I go back and redoodle this frequently in order to ingrain the goal into my mind.
6) Blog posts and ideas. Okay, I'm old school; I still hand write my blog posts before sitting down at the computer. It's much more relaxing to be sitting in a comfortable chair writing than sitting at the computer writing. Besides, some of the writing techniques I use don't adapt to the computer very well. When writing I frequently go off on a tangent (that's my ADD: hey, shiny thing). Well, tangents frequently lead to big ideas that take the initial form of a mind map. The other really big reason I start with pencil and paper is my dyslexia. When writing on the computer all my misspelled words wind up with squiggly red underlining, and my OCD makes me fix that before moving on. That breaks my chain of thought. The only way I'll get the squiggly red underline on paper is if I pick up a red pen and put it there myself.
7) Nudges. It’s hard to turn a battleship around, it’s much easier to make small corrections. When I learn of my mistakes, (and I sure make quite a few) I write out the mistake and analysis of the mistake. I then come up with a series of nudges to correct my mistakes and improve my overall life.
8) The to-be list. Really this is my list of what I am going to do to relax and enjoy my life. Spend a day working in the garden with Candy, tea with Martin and the Queen, polish the plane. Sit on the beach and listen for the hiss when the sun goes down and touches the ocean.
We are stewards of our customers' data and need to do better. <OPINION> I would give us a big fat “F” for data security in 2015.</OPINION> What happened and what needs to be improved? We saw weak passwords, lack of encryption, malware and social engineering over and over again. One very sad aspect of these attacks is that once a system was compromised, the attack went on for months, even years, before it was uncovered. So again, we really need to do better: reading the logs, doing analytics on system behavior and locking down the data.
At a high level the attack vectors have not changed much over the years. Malware payloads are still being delivered by drive-by downloads and infected emails. Businesses and medical groups are still leaving sensitive data unencrypted, and trusted insiders can still get to sensitive information. We are also seeing encrypted connections being made to unknown servers, and we are allowing that traffic to go through our firewalls.
I'm going to do my best to keep my opinion clear by using the <OPINION> </OPINION> tags so you know what my personal opinion is. I'm also not going to go through every attack that happened in 2015. Here I will also let you know what I think should or could have been done to mitigate the attacks.
1) IRS Data breach
In the IRS's effort to make it easy for users to access their data, they exposed very sensitive tax and financial data to hackers. Over 100,000 people were compromised through this system, and $50,000,000 in false tax refunds has been stolen from the US Government.
When we design systems, one of the top requirements we have is user experience. If we make it too hard to access a system it will not be used; make it too easy and the data can be compromised. We need to weigh the value of the data against user experience. Users expect their information to be respected and protected.
2) OPM data breach
The OPM hack impacted me personally, along with my wife. The impact: over 22 million people had full background and biometric information leaked to a foreign intelligence agency. I watched the congressional hearings and was very disappointed by the <OPINION>incompetence of the people </OPINION> testifying. The Director of OPM resigned, but <OPINION> the CIO of OPM should have been walked out the door. </OPINION> It was her job to make sure this information was secure. I still don't know why this information was not stored on the classified network as it should have been. <OPINION> As an added insult, the government is offering two years of credit monitoring. As if a foreign intelligence agency is really interested in taking out credit cards in our names. The big threat is that we are now at risk of blackmail. </OPINION>
The OPM breach was malware making encrypted connections to unknown servers. This is a case where blacklisting IPs would not work, but whitelisting connections would. Sensitive data should only be transmitted over trusted paths, and <OPINION> if encrypted connections are being made, then those connections should be treated as sensitive. </OPINION>
3) UCLA Medical
UCLA Medical lost 4.5 million records of unencrypted patient data, including PII and medical information. There is no excuse for not encrypting sensitive data. I still hear the old excuse that encryption has a performance impact. With the availability of hardware encryption modules, this argument does not hold water.
After encrypting data, we still have to be careful about ghost data and data leakage. A DBA can still run Data Pump, get an unencrypted copy of the data and then copy that data to another location. We do this all the time to refresh an environment. Controls need to be placed on Data Pump copies so that any information exported from the database stays encrypted and the location of those copies is known. When moving data from unencrypted to encrypted, all ghost data must be shredded.
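Here is what those controls look like on an Oracle database. This is an added example, not code from the original post; it assumes Oracle 12c with the TDE keystore already open, a directory object DP_SECURE that points at an encrypted filesystem, and an HR schema with a CUSTOMERS table. All of those names are hypothetical.

```sql
-- Added example (not from the original post). Assumes 12c, an open TDE
-- keystore, directory object DP_SECURE on encrypted storage, and schema HR.

-- 1. Encrypt the sensitive columns in place (TDE column encryption).
--    NO SALT is required on any column that carries an index.
--    This rewrites the live column values only: plaintext can remain in
--    undo, redo, archived logs, old backups and earlier exports, and those
--    are the ghost copies that have to be found and shredded.
ALTER TABLE hr.customers MODIFY (ssn         ENCRYPT USING 'AES256' NO SALT);
ALTER TABLE hr.customers MODIFY (card_number ENCRYPT USING 'AES256' NO SALT);

-- 2. Know where every copy goes: audit all Data Pump exports and imports.
CREATE AUDIT POLICY datapump_copies ACTIONS COMPONENT=DATAPUMP ALL;
AUDIT POLICY datapump_copies;

-- 3. Refresh a lower environment without writing plaintext to disk.
--    ENCRYPTION=ALL encrypts the whole dump file, not just the TDE columns.
--    ENCRYPTION_MODE=TRANSPARENT ties the file to the TDE master key, so it
--    can only be imported into a database that holds the same keystore.
DECLARE
  h     NUMBER;
  state VARCHAR2(30);
BEGIN
  h := DBMS_DATAPUMP.OPEN(operation => 'EXPORT', job_mode => 'SCHEMA',
                          job_name  => 'HR_ENC_EXP');
  DBMS_DATAPUMP.ADD_FILE(handle => h, filename => 'hr_enc.dmp',
                         directory => 'DP_SECURE',
                         filetype  => DBMS_DATAPUMP.KU$_FILE_TYPE_DUMP_FILE);
  DBMS_DATAPUMP.ADD_FILE(handle => h, filename => 'hr_enc.log',
                         directory => 'DP_SECURE',
                         filetype  => DBMS_DATAPUMP.KU$_FILE_TYPE_LOG_FILE);
  DBMS_DATAPUMP.METADATA_FILTER(handle => h, name => 'SCHEMA_EXPR',
                                value  => 'IN (''HR'')');
  DBMS_DATAPUMP.SET_PARAMETER(handle => h, name => 'ENCRYPTION',           value => 'ALL');
  DBMS_DATAPUMP.SET_PARAMETER(handle => h, name => 'ENCRYPTION_MODE',      value => 'TRANSPARENT');
  DBMS_DATAPUMP.SET_PARAMETER(handle => h, name => 'ENCRYPTION_ALGORITHM', value => 'AES256');
  DBMS_DATAPUMP.START_JOB(handle => h);
  DBMS_DATAPUMP.WAIT_FOR_JOB(handle => h, job_state => state);
  DBMS_OUTPUT.PUT_LINE('export finished with state ' || state);
END;
/

-- 4. Verify. First, that the columns really are encrypted:
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'HR';

-- Then, who exported what and where. Any export in this list taken before
-- step 1 ran is an unencrypted ghost copy that still needs to be destroyed.
SELECT event_timestamp, dbusername, userhost, dp_text_parameters1
  FROM unified_audit_trail
 WHERE audit_type = 'Datapump'
 ORDER BY event_timestamp;
```

The design choice worth noting is step 3: a password-mode export (ENCRYPTION_MODE=PASSWORD) is portable to any database, which is convenient and exactly the property you do not want for a refresh copy of SSNs. Transparent mode keeps the dump file useless outside the keystore that produced it.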
4) Ashley Madison
This one did not really interest me very much, other than the disrespect Ashley Madison showed their customer base. This hack ruined some reputations and exposed a large number of people to blackmail. Yes, credit card numbers were encrypted, but geolocation and email addresses were not. <OPINION> The large number of people who used their work and government email addresses was shocking. These people who are so blind to opsec deserve to be caught. </OPINION>
5) Hyatt
Just recently we learned about the Hyatt payment processing data breach. Not much is known at this time, other than that malware sent encrypted data to an unknown server. This is yet another case of needing a trusted path for sensitive data: use a whitelist and deny access to any unknown IP address.
6) Trump Hotels
Trump Hotels: in a year-long campaign, credit card numbers and security codes were stolen from customers of Trump properties. I'm going to keep beating this drum: you need a trusted path from point of sale to the processing database, so <OPINION> implement whitelists and deny any encrypted traffic to unknown IPs.</OPINION>
7) T-Mobile and Experian
T-Mobile placed its trust in Experian and suffered a massive breach: 15 million customers' full names, Social Security numbers and dates of birth, and some passport numbers. In this case no payment card data was compromised, yet this is still enough information for identity theft. Not a lot of information has been provided on the attack vector used.
In December 2013 T-Mobile suffered another data breach with vendor Decisioning Solutions, which is owned by Experian. In both cases, T-Mobile is offering credit monitoring through ProtectMyID, which is owned by Experian. <OPINION> Why does T-Mobile continue doing business with Experian? </OPINION>
This is not an exhaustive list of breaches for 2015.
8) VTech
VTech, the toy manufacturer, exposed data on 4.8 million customers due to password insecurity.
9) Securus
Securus lost 70 million call logs and recorded conversations of people in prison. These recordings also included attorney-client privileged conversations.
10) FBI LEO Portal
The FBI LEO Portal was hacked; the attack vector and damage are still classified.
11) Scottrade
Scottrade lost data on 4.6 million customers in a two-year campaign. Krebs on Security reported that the data was used for stock scams.
12) Excellus Blue Cross Blue Shield
Excellus Blue Cross Blue Shield lost data on 10 million customers. The attack started in 2013 and was not discovered until 2015.
13) Anthem
Anthem lost data on 78.8 million customers. I have read that the count was actually 80 million customers plus 19 million rejected customers.
14) Anonymous vs ISIS
I only add this because of the interest in ISIS. After the Paris attacks, Anonymous started OpParis, which is turning into an interesting game of whack-a-mole. Anonymous is using brute force to shut down ISIS-controlled accounts and servers. The results are debatable; <OPINION> it would be better to allow some of the systems to stay online to gather intelligence on ISIS. By shutting them down you are forcing them onto the dark web, where it's harder to gather intelligence.</OPINION>
<OPINION> Sadly, many times after a breach the offending company offers one or two years of credit monitoring. The customer will be exposed for the rest of their life. Two years of credit monitoring is wholly inadequate.</OPINION>
What do we need to do?
- Secure the data. Encrypt data at rest so if the data is compromised then it will be useless to the criminal.
- Encrypt the data on the network when sensitive data is going through it. Man-in-the-middle attacks happen.
- Build trusted paths for sensitive information. All sensitive information must go through that path. If an encrypted session is being built to an unknown server, deny that connection.
- Secure the perimeter. We are letting encrypted traffic go to unknown servers. This has to stop, by using whitelists. If a workstation or node can process sensitive data, then that workstation or node should not be able to access unknown servers.
- Secure programming practices. I still see first hand sloppy programming that is vulnerable to SQL injection. Organizations must implement secure coding practices, with code reviews that also include looking for vulnerabilities. A couple of months ago I came across a piece of code that was vulnerable to SQL injection; when I brought it up to program management I was told that going back to fix the problem would put the program behind schedule: move forward and we will fix it after going to production. <OPINION> This is the wrong attitude. </OPINION> If the program had had standards in place before coding started, the problem would not have gotten as far as it did.
- Secure the data from trusted insiders. I won't get into the political issues of Bradley Manning or Edward Snowden. Both of them were vetted and had access to sensitive information; they broke their trust and stole information that did incalculable damage.
- Routinely review audit logs to look for unusual behavior. I'm still seeing audit logs get ignored until there is a problem. Products like Oracle Audit Vault bring all of your audit data into one place where you can create BI dashboards to find out when something is happening that is outside the norm.
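The "trusted path" and "secure the perimeter" points above are mostly firewall work, but the database node has its own piece of the whitelist: the database itself can open outbound connections (UTL_TCP, UTL_HTTP, UTL_SMTP), and those should be limited to known destinations too. This is an added example, not code from the original post; it uses the Oracle 12c network ACL API, and the host names, ports and the APP_OWNER schema are hypothetical.

```sql
-- Added example (not from the original post). Oracle 12c DBMS_NETWORK_ACL_ADMIN;
-- processor.example.com, unknown.example.net and APP_OWNER are hypothetical.

-- 1. Whitelist exactly one destination for the application schema: the
--    card processor on 443. Nothing else is granted, so everything else
--    is denied by default.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => 'processor.example.com',
    lower_port => 443,
    upper_port => 443,
    ace        => xs$ace_type(privilege_list => xs$name_list('connect'),
                              principal_name => 'APP_OWNER',
                              principal_type => xs_acl.ptype_db));
  -- Name resolution is a separate privilege and cannot carry a port range;
  -- grant it only for the same host.
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host => 'processor.example.com',
    ace  => xs$ace_type(privilege_list => xs$name_list('resolve'),
                        principal_name => 'APP_OWNER',
                        principal_type => xs_acl.ptype_db));
END;
/

-- 2. Review: every outbound destination any schema may reach. A '*' host,
--    or any host that is not a known trusted path, is a finding.
SELECT host, lower_port, upper_port, principal, privilege, grant_type
  FROM dba_host_aces
 ORDER BY principal, host;

-- 3. Test from the application schema: a connection to an unlisted host
--    must fail with ORA-24247 (network access denied by ACL).
DECLARE
  c utl_tcp.connection;
BEGIN
  c := utl_tcp.open_connection(remote_host => 'unknown.example.net',
                               remote_port => 443);
  utl_tcp.close_connection(c);
  DBMS_OUTPUT.PUT_LINE('FINDING: ACL allowed a connection to an unlisted host');
EXCEPTION
  WHEN OTHERS THEN
    IF SQLCODE = -24247 THEN
      DBMS_OUTPUT.PUT_LINE('OK: outbound connection to unlisted host denied');
    ELSE
      RAISE;
    END IF;
END;
/
```

The ACL only governs connections the database initiates. The operating system on the database host, the application servers and the workstations that touch the data each need the equivalent egress allow list on the firewall; the query in step 2 is the database-side half of the same review.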
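The SQL injection point above deserves a concrete before-and-after, because the fix is small and the code review check is mechanical. This is an added example, not the code the post describes; the CUSTOMERS table (cust_id, last_name, ssn) and the procedure names are hypothetical.

```sql
-- Added example (not from the original post). Table CUSTOMERS and the
-- procedure/function names are hypothetical.

-- VULNERABLE: caller input is spliced into the statement text.
CREATE OR REPLACE PROCEDURE find_customer_bad (
  p_last_name IN  VARCHAR2,
  p_rows      OUT SYS_REFCURSOR)
AS
BEGIN
  OPEN p_rows FOR
    'SELECT cust_id, last_name FROM customers WHERE last_name = '''
    || p_last_name || '''';
END;
/
-- p_last_name => 'x'' OR 1=1 --'  makes the predicate
--   last_name = 'x' OR 1=1 --'
-- and returns every row; a UNION payload in the same spot reads the SSN column.

-- FIXED: the value is a bind variable and is never parsed as SQL.
CREATE OR REPLACE PROCEDURE find_customer (
  p_last_name IN  VARCHAR2,
  p_rows      OUT SYS_REFCURSOR)
AUTHID CURRENT_USER      -- run with the caller's rights, not the owner's
AS
BEGIN
  OPEN p_rows FOR
    'SELECT cust_id, last_name FROM customers WHERE last_name = :b1'
    USING p_last_name;
END;
/

-- Identifiers cannot be bound. When a table name must vary, validate it with
-- DBMS_ASSERT, which raises ORA-44002 unless the value is an existing
-- object name, so a payload never reaches the parser.
CREATE OR REPLACE FUNCTION row_count_for (p_table IN VARCHAR2) RETURN NUMBER
AUTHID CURRENT_USER
AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO l_count;
  RETURN l_count;
END;
/

-- Code-review check: stored code that builds dynamic SQL by concatenation
-- on the same line. Coarse on purpose; each hit needs a human to confirm
-- the concatenated piece is not caller input.
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE owner NOT IN ('SYS', 'SYSTEM')
   AND (UPPER(text) LIKE '%EXECUTE IMMEDIATE%'
        OR UPPER(text) LIKE '%OPEN % FOR %')
   AND text LIKE '%||%'
 ORDER BY owner, name, line;
```

The review query is the "standards in place before coding started" part: run it in CI against the development database and fail the build on new hits, and the schedule argument never comes up.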
2015 was a great year for me. I finished a project with FDIC heading up the DBA group, then took some time to do some studying, writing and speaking at events. I was also able to take some time out to head down to Atlanta for the Exadata Administration Workshop. In September I took a one year contract with a new customer in West Virginia who is keeping me very busy.
In September I was named an Oracle ACE. I want to thank Jeff Smith and John King for the recommendation. Being named an ACE is truly an honor.
I was able to get out to Tallinn, Estonia for Harmony15 and Hollywood, Florida for KSCOPE15 to speak on Holistic Database Security. Then in October I was able to get over to San Francisco for Open World to collect the Oracle Developers Choice Award for Database Development. Steven Feuerstein-Oracle, Laura Ramsey-Oracle and crew did a fabulous job putting together the presentation and the award, and generally keeping everything going smoothly. The competition was stiff; Heli and Michelle Kolbe also won, and being able to share the stage with these two talented people made all the hard work worth it.
2016 is already looking to be very busy for me. I have been booked to speak on Holistic Database Security in London at the UKOUG SIG in January, then in Denver at RMOUG Training Days in February, followed by IOUG Collaborate in Las Vegas in April and KSCOPE16 in Chicago. There are two others where the details are getting finalized: NOUG in Oslo in March and Harmony16 in May.
I plan on continuing to improve the Holistic Database Security and TDE presentations, along with some fresh presentations that are in the works and some blog posts that will help you secure your crown jewels (aka the database) from bad actors. For the second half of the year, I plan on sending in abstracts to DOAG and BGOUG for their fall conferences.
Along with all of this, I will continue to deliver high quality services to my customers, because without my customers I would not be able to work with the Oracle community.
One of my favorite channels on YouTube, Numberphile, explains RSA encryption better than I could.
I'm honored and humbled. Last month I received an email from Steven Feuerstein letting me know I was selected as a finalist in the Oracle Developers Choice Awards for my work in database security and outreach to the community. This in and of itself is a great honor. The folks who selected the finalists are people for whom I have a great deal of respect.
Everyone who made finalist is seriously good at what they do, and I'm happy to call many of them friends. The first conference I spoke at was Harmony, where Candy and I met Heli for the first time. My second time at Harmony, I took my mother so she could see Finland, and Heli took it on herself to see that my mother enjoyed herself. Heli is a graceful and classy lady who is as sharp as they come.
Now, part of me understands wanting “your candidate” to win. Heck, every time the Steelers play the Ravens I secretly hope the first-string quarterback gets knocked off the field. I get it; however, this is a contest among ladies and gentlemen. Voting someone down so your candidate will win, well, that's just not cricket.
What amazes me about this community is some of the things you never hear, like “RTFM” (read the fine manual). I've never heard “you don't know that, what are you, stupid?” I've worked in shops where it was common to hear these phrases. None of us is Tom Kyte (unless you're Tom and you happen to be reading this), so we don't have encyclopedic knowledge, and there are people in the DB security and design arena who are much better than me. I ask them questions all the time when I can't figure something out.
What do I hear a lot from this community? “How can I help you?” “Don't know the answer, let's figure it out.” “Well, the answer is it depends.” This community got me away from using ROT and uttering the phrase <EVIL EXPRESSION> Best Practice </EVIL EXPRESSION>. This community also gave me back my passion for my work, along with many friends who I look forward to seeing at every conference, and it is the community that keeps me striving to improve and to continue helping. Thank you very much.
I want to take this opportunity to thank Jennifer Nicholson, Laura Ramsey and Steve Feuerstein along with everyone else for their hard work to put together the YesSQL event and the Oracle Developers Choice Awards. I also want to thank everyone who voted in the first Oracle Developers Choice Awards. These are your awards where you can recognize the people who have helped you.
Again thank you very much, I’m honored and humbled.
“Get the words ‘best practice’ out of your vocabulary.” I have been at many customer sites that needed my expertise, and someone says to me in a meeting, “Well, what is the best practice to secure our information?” I'm going to tell you right now: the bad guys are reading the same best practice white papers and poking holes through them left and right. In addition, that audit report you received saying you are in compliance with <state your regulation> may be factually correct at that moment in time, but your information is still not secure.
For each of your systems, bring five of your senior system administrators into a room and ask them a simple question: “How would you compromise your system?” Then sit back and listen. If they are good, inside of thirty minutes you are going to start hearing things that will scare you. Let me give you some examples from my life.
We are generating audit reports but no one is actually reviewing them. At one customer, I generated audit reports that showed invalid logins, the same username connected simultaneously from different IP addresses, and a host of other things. I then went to our security people and asked them how often they wanted these reports, daily or weekly. I was told to review them myself and only bring things up to them when I found something interesting. Well, for one, under the concept of separation of duties your SA should not have sole responsibility for reviewing audit logs. Yes, they should review them, but a copy needs to be sent out for independent review. As the Oracle DBA I can log on as oracle or as SYS; I am god. I can do almost anything I want and cover my tracks. Can you spell Edward Snowden? Can you say with complete confidence that you do not have an Edward Snowden in your shop?
The patch schedule is too drawn out. At one shop we were twelve months behind on our Oracle CPU patches because of the perception that patching the database would impact the development schedule. This is one of those times where I got maybe a little bit forceful in a meeting and pushed for getting everything patched. But the customer was adamant: “you will not do anything that will slow down development and testing.” We finally got everything patched when it was announced there was going to be an audit. The audit happened, and there were no findings. Our immediate management was happy; me, I was not so happy. When a patch comes out, the bad guys read what is being fixed, and they are quite adept at exploiting the weaknesses that are being patched.
A web server that is misconfigured. I walked into one customer and, as I was setting up my audit scripts, noticed there were over a thousand invalid login attempts from a handful of web servers every thirty minutes. The DBAs were not talking to the web server SAs, the web server SAs would let the invalid login attempts continue if the application that web server supported was no longer in use, and again, no one was actually reviewing the audit logs. In fact this was a known issue that had been explained to the security group as “normal”. This is the perfect way to hide password cracking attempts. One of the web servers in the DMZ had not been used for over six months but was still running. When I dug into the audit trail to see what was actually going on, I found several attempts to connect to the database as sys, system, admin, sa, root and a host of other accounts. That server had been compromised, along with a few others. When I brought the evidence to management they were shocked. Finally, passwords were changed on the web servers, the web servers that were no longer in use were pulled from the network, and a complete scan of the network was done.
Excessive privileges for developers, and developers using a common development account. Yup, this still happens. I walk into a shop and am given the application username and password to do all my work. Folks, your audit trail is now toast. At that same shop all developers had the passwords for SYS and SYSTEM. I never got a good reason for this. NO ONE should ever log on as SYS. Application accounts should never be used for development.
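The three audit reports described here (invalid logins, one username connected from two IP addresses at once, and guessing attempts against sys/system/admin from web servers) are a few queries against the audit trail, and they are also the "routinely review audit logs" item from the year-in-review post above. This is an added example, not the author's scripts; it runs against the Oracle 12c UNIFIED_AUDIT_TRAIL, and the approved admin host name and the thresholds (100 failures per half hour, 5 minutes) are assumptions to tune per shop.

```sql
-- Added example (not from the original post). Oracle 12c unified auditing;
-- dba-jump01 and the numeric thresholds are hypothetical.

-- Logon auditing has to be on before any of this shows up.
CREATE AUDIT POLICY all_logons ACTIONS LOGON, LOGOFF;
AUDIT POLICY all_logons;

-- 1. Failed logons per source host per 30-minute bucket. A web server that
--    fails hundreds of times every half hour is either a dead application
--    still configured with an old password, or a guessing run hiding in
--    noise everyone has learned to call "normal".
SELECT userhost,
       TRUNC(event_timestamp, 'HH')
         + FLOOR(EXTRACT(MINUTE FROM event_timestamp) / 30) / 48 AS half_hour,
       COUNT(*)                   AS failed_logons,
       COUNT(DISTINCT dbusername) AS accounts_tried
  FROM unified_audit_trail
 WHERE action_name = 'LOGON'
   AND return_code = 1017            -- ORA-01017: invalid username/password
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 GROUP BY userhost,
          TRUNC(event_timestamp, 'HH')
            + FLOOR(EXTRACT(MINUTE FROM event_timestamp) / 30) / 48
HAVING COUNT(*) >= 100
 ORDER BY failed_logons DESC;

-- 2. Any attempt, successful or not, to log on as a privileged or
--    commonly guessed account from a host that is not the DBA jump box.
--    A web server in the DMZ has no business trying SYS, SA or ROOT.
SELECT event_timestamp, userhost, os_username, dbusername,
       client_program_name, return_code
  FROM unified_audit_trail
 WHERE action_name = 'LOGON'
   AND UPPER(dbusername) IN ('SYS', 'SYSTEM', 'ADMIN', 'SA', 'ROOT', 'DBSNMP')
   AND userhost NOT IN ('dba-jump01')
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp;

-- 3. Same account in use from two hosts within five minutes: a shared
--    credential, or a stolen one. Compares each successful logon with the
--    previous successful logon by the same user.
SELECT dbusername, prev_host, userhost, prev_time, event_timestamp
  FROM (
    SELECT dbusername, userhost, event_timestamp,
           LAG(userhost)        OVER (PARTITION BY dbusername
                                      ORDER BY event_timestamp) AS prev_host,
           LAG(event_timestamp) OVER (PARTITION BY dbusername
                                      ORDER BY event_timestamp) AS prev_time
      FROM unified_audit_trail
     WHERE action_name = 'LOGON'
       AND return_code = 0
       AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY)
 WHERE prev_host IS NOT NULL
   AND prev_host <> userhost
   AND event_timestamp - prev_time < INTERVAL '5' MINUTE
 ORDER BY dbusername, event_timestamp;

-- 4. Separation of duties: the DBA should not be the only reader. Give the
--    security team read access to the trail and ship these results off-box
--    daily, so a DBA covering their tracks has to beat a copy they cannot
--    touch.
GRANT AUDIT_VIEWER TO secops_reviewer;   -- hypothetical security-team account
```

Query 3 is deliberately loose: it flags a developer who switches from a laptop to a jump host inside five minutes as well as a genuinely shared password. That is the right default; tighten the window per account class once the usual hosts for each user are known, rather than starting with a filter that hides the shared application account.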
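The way out of the shared application account is proxy authentication: each developer gets a personal account and connects through the application schema, so the session has the application's objects and privileges while the audit trail still names the human. This is an added example, not code from the original post; APP_OWNER, DEV_ALICE, DBA_BOB, the role name and the application host names are hypothetical, and the passwords are placeholders to be changed at first logon.

```sql
-- Added example (not from the original post). All account, role and host
-- names are hypothetical; passwords are placeholders set to expire.

-- 1. A personal, audited account per developer.
CREATE USER dev_alice IDENTIFIED BY "Temp-Pw-Change-Me-1" PASSWORD EXPIRE;
GRANT CREATE SESSION TO dev_alice;

-- 2. Let the developer connect THROUGH the application schema, not AS it.
--    The application password never has to leave the secrets store.
ALTER USER app_owner GRANT CONNECT THROUGH dev_alice;
-- Narrower variant: only a named role is active in the proxied session.
-- ALTER USER app_owner GRANT CONNECT THROUGH dev_alice WITH ROLE app_dev_role;

-- Connect string:   sqlplus dev_alice[app_owner]/Temp-Pw-Change-Me-1@devdb
-- The session runs as APP_OWNER, but DBPROXY_USERNAME records who it was.

-- 3. Review: what was done under the application schema, and by whom.
SELECT event_timestamp, dbusername, dbproxy_username, userhost,
       action_name, object_schema, object_name
  FROM unified_audit_trail
 WHERE dbusername = 'APP_OWNER'
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp;

-- 4. Inventory: who still has the application password? A direct (non-proxy)
--    logon to APP_OWNER from anything other than the application servers is
--    the shared-credential use described above, and each row is someone
--    to move onto a proxy account.
SELECT userhost, os_username, client_program_name, COUNT(*) AS logons
  FROM unified_audit_trail
 WHERE action_name = 'LOGON'
   AND dbusername = 'APP_OWNER'
   AND dbproxy_username IS NULL
   AND userhost NOT IN ('app01', 'app02')   -- hypothetical application hosts
 GROUP BY userhost, os_username, client_program_name
 ORDER BY logons DESC;

-- 5. The same idea for SYS: nobody logs on as SYS. DBAs get named accounts
--    holding SYSDBA, so "connect dba_bob as sysdba" is audited as DBA_BOB,
--    and the SYS password goes back in the safe.
CREATE USER dba_bob IDENTIFIED BY "Temp-Pw-Change-Me-2" PASSWORD EXPIRE;
GRANT SYSDBA TO dba_bob;
```

Once every developer is on a proxy account, rotate the APP_OWNER password: that is the moment the old shared credential stops working anywhere it was copied, and query 4 should return no rows afterwards.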
This is just a small fraction of the issues I have seen in different shops.
All of these shops either followed “best practices” or modified their practice when they learned there was going to be an audit. Every one of those shops is staffed with professional SAs who can tell you where the weaknesses are. And every shop I have ever worked in has weaknesses. Your job in the C suite is to ask these professional SAs to come into a meeting and have a safe and secure conversation about how they would crack the system. If they cannot come up with anything, you are either working at the NSA, they are hiding something, or you need smarter SAs.
And don't just do this once and say “we're done”; schedule these meetings quarterly or semiannually. This is a conversation between the C suite and your professional SAs. You need to understand where your risks are; these people are really smart, and if you listen to them they can tell you what's wrong and what needs to be done to fix it.
Once you have this information, give your professional SA’s and their management the tools and resources they need to close these security holes.
Please vote in the Oracle Developers Choice Awards. You need to log in to your OTN account. You don't have to vote for me, but I would appreciate it.
Here is the link for Database Design, the category I'm in:
The list of people who helped me get to where I am is way too long. But I would like to thank John King and Jeff Smith for the Oracle #ACE nomination and recommendation, Cary Millsap for always being there to bounce ideas off of, and Heli from Finland for her grace and for how she made my mom feel comfortable when we were in Helsinki.
Sponsored by @ODTUG
Here is a teaser for the Oracle Transparent Data Encryption presentation
We look at an existing table with existing indexes. A policy comes out that says we need to encrypt SSNs and credit card numbers. Once we encrypt the columns and rebuild the indexes, does the unencrypted data in the index get encrypted?
Watch and find out.