Questions you may want to start with when moving to the #cloud

Last week one of my customers called me into a meeting to discuss moving a critical application to the cloud. This application is very sensitive to the customer and the data it holds is very sensitive to my customers customer. The results of this meeting turned into a list of questions forwarded the customers executive staff and also a set of questions for the cloud vendor.

This Cloud vendor is providing a COTS solution storing personally identifiable information tax and other very sensitive information. Because of this a number of the questions focus on the protection of PII and the destruction of unneeded copies of data.

I have redacted customer and vendor information from this list of questions,  these questions may serve as a baseline for your organization to come up with questions for your Cloud vendors. Point of note the answers to these questions will more likely than not cause follow-up questions.

Here is the list of questions for the customers executive staff to address.


As <REDACTED> moves towards cloud based computing solutions, <REDACTED> must consider the following to create standards for all cloud based systems going forward:

  • Will <REDACTED> require TLS on day 1? If not, vendor must have a plan and a deadline to get off SSL and on to TLS?
  • Will <REDACTED> require DISA STIG standards (Fed DOD standard) for all off site cloud data?
  • Will <REDACTED> require PENetration testing and at what frequency (Federal standard is 1 year)?
  • What level of data destruction is required for <REDACTED>’s secure/PII data being stored on a cloud based system controlled by non-<REDACTED> vendors?
  • Will <REDACTED> hold AES256 as the minimum encryption standard for cloud based systems?
  • Will <REDACTED> require 3DES minimum 168 bits?
  • Will <REDACTED> require a minimum of 7 wipes for secure/PII data stored on cloud based systems?
  • Will <REDACTED> require in sales contract with stated frequencies, independent audits to ensure <REDACTED>’s stated audit, encryption and data destruction plans are in effect and compliant?
  • Will <REDACTED> require internal <REDACTED> audits and/or legislative audits be performed on <REDACTED> systems?
  • The sales contract must state the “break up” plan for all <REDACTED> data including the delivery back to <REDACTED>, the destruction of the data on vendor systems and the certification that all data has been destroyed according to the <REDACTED> standards. Independent audit to verify results.
  • Will <REDACTED> require all data stay within the United States, with no data ever leaving the US?
  • What will <REDACTED> require regarding the vetting standard for cloud vendor trusted inside employees?
  • What will <REDACTED> require regarding liability insurance in the event of a security incident?

Here is a list of questions for the cloud vendor.


As <REDACTED> data is highly sensitive and contains a great deal of PII for each firm, the following are questions to be answered:

1.    Regarding the destruction of sensitive/PII data on <REDACTED> systems, how will you destroy unnecessary copies of data and ensure the necessary copies are encrypted and secure?

2.    Is the use of AES256 and 3DES encryption consistent throughout <REDACTED> enterprise as referenced on page 10 of the Security Management Plan? How many bits are used for 3DES?

3.    Initial Source Data/Document Load files (via sftp per <REDACTED> docs): Controls/Audit – <REDACTED> should know exactly who touched the load files and for what purpose via audit reports.

4.    Additionally, after migration is complete, <REDACTED> to certify (via independent audit) that all source data has been destroyed and no ghost data remains on servers or work stations.

5.    Cross boarder – will the data leave the United States for any reason at any time?

6.    What analytics software packages are in use to monitor account activity for our <REDACTED> employees as well as <REDACTED> trusted inside employees? How will audit reports be delivered to <REDACTED>?

7.    What does “in compliance with Cyber Security Standard” refer to as mentioned on page 6 of the <REDACTED> Security Management Plan? Is this a subset or superset of NIST?

8.    On page 7 of the <REDACTED> Security Management Plan in reference to Export Servers under System Architecture, how is the use of these Export Servers audited and after the export is no longer required, how will you certify that the data has been destroyed? If used, can an unencrypted copy of the export be made?

9.    Will all backups be encrypted with 3DES and at what bit level? How will <REDACTED> certify the destruction of old backups?

10.   What is the plan for <REDACTED>’s system using TLS?

11.   Does <REDACTED> harden sqlserver to DISA STIG standards? If not, is it a superset or a subset?

12.   What is the end of contract plan for all <REDACTED> data including the delivery back to <REDACTED>, the destruction of the data on <REDACTED> systems and the certification that all data has been destroyed according to the <REDACTED> standards.

13.   In the event of a security incident, does <REDACTED> have liability insurance to cover associated losses?

14.    How are your trusted inside employees are vetted (DBA’s, System Admins, Network Admins, etc)?

15.   If you perform PEN testing, what is the frequency of the testing and will <REDACTED> get a redacted copy of the results of each test?

Demo code for Ghost Data in Indexes

NOTE: all demo data is fake.

This is the demo code for encrypting data where there is an existing index. We are starting with a table customers_tst that is in the unencrypted tablespace dat.

  1. start with dropping the old test objects.
  2. create two small tablespaces small_idx and dat.
  3. create the customers_tst table as a subset of customers.
  4. create an index on customers_tst(ssn)
  5. alter the table customers_tst to add encryption to ssn and cc_nbr. Because ssn has an index we are not using salt.
  6. We then alter the index to rebuild. Because Oracle marks block as free and does not erase them, the old index still exists.
  7. We check for ghost data in small_indx.dbf and dat.dbf.
  8. We confirm that there is ghost data and then drop the index.
  9. Once we drop the tablespace, we can then turn our attention on shredding the ghost data.

1 DROP TABLE customers_tst; 2 DROP MATERIALIZED VIEW customer_sales; 3 DROP TABLESPACE small_idx INCLUDING CONTENTS; 4 DROP TABLESPACE dat INCLUDING CONTENTS; 5 -- rm /opt/oracle/oradata/DEV/datafile/small_idx.dbf 6 -- rm /opt/oracle/oradata/DEV/datafile/dat.dbf 7 CREATE TABLESPACE small_idx DATAFILE '/opt/oracle/oradata/DEV/datafile/small_idx.dbf' SIZE 10M; 8 CREATE TABLESPACE dat DATAFILE '/opt/oracle/oradata/DEV/datafile/dat.dbf' SIZE 10M; 9 10 -- create a test table from customers. 11 CREATE TABLE customers_tst 12 tablespace dat 13 as (select * 14 from customers 15 where rownum <= 1000); 16 17 -- we are going to build an index on SSN 18 CREATE INDEX customers_ssn_idx ON customers_tst(ssn) TABLESPACE small_idx; 19 20 ALTER TABLE customers_tst MODIFY 21 (ssn encrypt USING 'AES256' NO SALT, 22 cc_nbr encrypt USING 'AES256'); 23 24 -- now lets do an index rebuild and test for ghost data 25 ALTER INDEX customers_ssn_idx REBUILD; 26 27 -- in root container run flush the buffer cache 28 29 -- in shell run strings /opt/oracle/oradata/DEV/datafile/small_idx.dbf 30 -- in shell run strings /opt/oracle/oradata/DEV/datafile/dat.dbf 31 32 SELECT * FROM customers_tst 33 where ssn = '347631761'; 34 35 drop index customers_ssn_idx; 36 37 DROP TABLESPACE small_idx; 38 -- in the shell shread the datafile 39 -- in the shell shred /opt/oracle/oradata/DEV/datafile/small_idx.dbf 40 -- in the shell rm /opt/oracle/oradata/DEV/datafile/small_idx.dbf 41 -- we are going to build an index on region so support FK to regions. 42 create tablespace small_idx datafile '/opt/oracle/oradata/DEV/datafile/small_idx.dbf' size 10M; 43 44 -- a small tablespce to hold a materialized view. 45 CREATE TABLESPACE dat 46 DATAFILE '/opt/oracle/oradata/DEV/datafile/dat.dbf' SIZE 10M; 47 48 -- now lets recreate our test data and encrypt it. 49 50 CREATE TABLE customers_tst 51 tablespace dat 52 as (select * 53 from customers 54 where rownum <= 1000); 55 56 ALTER TABLE customers_tst MODIFY 57 (ssn encrypt USING 'AES256' NO SALT, 58 cc_nbr encrypt USING 'AES256'); 59 60 -- we are going to build an index on SSN 61 CREATE INDEX customers_ssn_idx ON customers_tst(ssn) TABLESPACE small_idx; 62 63 64 CREATE MATERIALIZED VIEW CUSTOMER_SALES 65 TABLESPACE DAT 66 NOCACHE 67 PARALLEL 68 USING INDEX 69 REFRESH 70 START WITH SYSDATE NEXT SYSDATE + 1/24 71 COMPLETE 72 WITH ROWID 73 USING DEFAULT ROLLBACK SEGMENT 74 DISABLE QUERY REWRITE AS 75 SELECT 76 c.fname, 77 c.lname, 78, 79 c.state, 80, 81 c.cc_nbr, -- cc_nbr is sensitive and encrypted. 82 c.ssn, -- ssn is sensitive and encrypted. 83 s.price, 84 s.sales_date, 85 86 FROM customers_tst c, 87 sales_tst s, 88 products p 89 where = s.cust_id 90 and s.product_id =; 91 92 CREATE INDEX CUSTOMER_SALES_IDX ON CUSTOMER_SALES (SSN) TABLESPACE small_idx; 93 CREATE INDEX CUSTOMER_SALES_IDX2 ON CUSTOMER_SALES (cc_nbr) tablespace small_idx; 94 95 --DROP MATERIALIZED VIEW customer_sales; 96 97 -- lets check for sensitive data in the datafiles. 98 -- in shell strings /opt/oracle/oradata/DEV/datafile/dat.dbf 99 -- in shell strings /opt/oracle/oradata/DEV/datafile/small_idx.dbf 100 DROP MATERIALIZED VIEW customer_sales; 101 DROP TABLESPACE small_idx INCLUDING CONTENTS; 102 DROP TABLESPACE dat INCLUDING CONTENTS; 103 -- in shell shred /opt/oracle/oradata/DEV/datafile/dat.dbf 104 -- in shell shred /opt/oracle/oradata/DEV/datafile/small_idx.dbf 105 -- in shell rm /opt/oracle/oradata/DEV/datafile/dat.dbf 106 -- in shell rm /opt/oracle/oradata/DEV/datafile/small_idx.dbf 107 108 CREATE TABLESPACE small_idx DATAFILE '/opt/oracle/oradata/DEV/datafile/small_idx.dbf' SIZE 10M; 109 CREATE TABLESPACE dat DATAFILE '/opt/oracle/oradata/DEV/datafile/dat.dbf' SIZE 10M; 110 111 112 CREATE TABLE customers_tst 113 (ID, 114 FNAME, 115 LNAME, 116 CITY, 117 STATE, 118 ZIP, 119 DISCOUNT, 120 CC_NBR ENCRYPT USING 'AES256', 121 REGION, 122 SSN ENCRYPT USING 'AES256' NO SALT) 123 TABLESPACE dat 124 AS 125 (select * 126 from customers 127 where rownum <= 1000); 128 129 130 -- we are going to build an index on SSN 131 CREATE INDEX customers_ssn_idx ON customers_tst(ssn) TABLESPACE small_idx; 132 133 134 -- we are going to recreate the materialized view, this time 135 -- we will add the encrypt clause. 136 137 CREATE MATERIALIZED VIEW CUSTOMER_SALES 138 ( fname, 139 lname, 140 city, 141 state, 142 zip, 143 cc_nbr encrypt USING '3DES168', 144 ssn encrypt USING '3DES168' NO SALT, -- because ssn has an index we will not use salt. 145 price, 146 sales_date, 147 product_name ) 148 TABLESPACE DAT 149 AS 150 (SELECT 151 c.fname, 152 c.lname, 153, 154 c.state, 155, 156 c.cc_nbr, 157 c.ssn, 158 s.price, 159 s.sales_date, 160 161 FROM customers_tst c, 162 sales_tst s, 163 products p 164 WHERE c.ID = s.cust_id 165 and s.product_id =; 166 167 CREATE INDEX CUSTOMER_SALES_IDX ON CUSTOMER_SALES (SSN) tablespace small_idx; 168 CREATE INDEX CUSTOMER_SALES_IDX2 ON CUSTOMER_SALES (ZIP) TABLESPACE small_idx; 169 170 -- in shell strings /opt/oracle/oradata/DEV/datafile/dat.dbf 171 -- in shell strings /opt/oracle/oradata/DEV/datafile/small_idx.dbf

Oracle DBA Interview tips

I have spent the past several weeks interviewing potential Senior Oracle DBAs. Most did not make the cut. Why.

  1. Resume:
    1. If you have 10 years experience at 10 different places that tells me you will most likely quit or be fired in a year. Job hopping is not impressive. Now that said, if you are working in a consulting capacity (contract to contract) that is pretty normal. Please indicate that on your resume.
    2. Putting a PhD in public policy from a diploma mill will not impress me. We may invite you to the phone interview just to figure out who you are. But then you better perform like a PhD.
    3. If you put <name your technology> Expert on your resume, you better be able to back that up in the interview. I will ask hard questions on the things you say you are an expert on.
  2. Technical questions.
    1. BS your way through the answer. It’s okay to not know the answer. These questions are designed to learn how you think. What I’m looking to hear if you do not know the answer is to say “I don’t know the answer, this is how I would go about finding out the answer.” It’s okay to think out loud, that gives us an idea on how you solve problems. And  NO saying I would open an SR for every problem you have is not the right way to solve a problem.
    2. Once you have answered the question, indicate you are ready for the next question. Don’t ramble on, please, I just start hearing “bla bla bla.”
  3. Energy
    1. OMG, we did an interview today where we were wondering if the person suffered from depression. Okay, you have been out of work, you feel bad about yourself, get over it. We need someone who will come in and be ready to work. So please get yourself pumped up, be happy to talk to us, be professional. Even if it’s the ninth phone interview you did this week and everyone said no. You need to convince me and my coworkers you are ready to come in and get the job done.
    2. Watch Amy Cuddy  explaining how body language shapes who you are.
  4. Attitude
    1. There is a difference between, confidence and condescending. One gentleman was quite condescending about our current environment. Then rolled his eyes when we talked about how we are starting a consolidation effort. (this is what we were interviewing him for)

Who did we invite back for a face to face?

  1. She showed energy: the young lady spent five minutes explaining to us her history and was proud of her work. (we were wondering if she had one too many espressos) She then followed up the interview with a thank you email addressed to each one of us and summarized why she is a good fit for our team.  She showed us that she believes in herself.  She missed a couple of questions but indicated she did not know the answer off the top of her head and talked through the logic. Hey you get a lot of points with me if you show me you can think.
  2. He said, “I have not worked with TDE so I can’t answer those questions; so I would to the Oracle Documentation and look it up.”  He showed us that he knows what he does not know.

That’s pretty much it. Once you start talking, you have about seven seconds to get my attention. Show your are competent, show that you know what you don’t know and for peats sake, show some energy. Show us that you believe in yourself. We want to hire you. We want you to succeed. 

#infosec issues on moving to the #cloud #DBaaS

Last week I was at Oracle Cloud World working at the ODTUG booth. This gave me the opportunity to talk to a lot of people who are seriously looking at moving their environment to the cloud. While chatting with these people, I started to pull together some thoughts on the security issues that come with moving to the cloud. Many of those issues are the same for hosting your own database applications. There are several issues with moving to the cloud and if you don’t address them it can become dark and stormy.

What security questions do you need to address prior to moving to the cloud? Note: many of these issues also applies to hosting your own databases! This subject is complex and I’m just touching on some of the issues.  If you don’t do your due diligence you will get burned.


Will and How will your data be encrypted? First off, all of your data should be encrypted by default. I am also of the <OPINION> cloud provider should not even offer to store your information unencrypted. </OPINION>. With the advent of hardware encryption modules, encryption performance is a non-issue.

There are a couple of options on encrypting your data, both have strengths and both have weaknesses. First of the easiest encryption option to implement is tablespace encryption. This option is used to encrypt all of your data stored in the tablespaces.  The down side is the data is unencrypted in the SGA.

The other option is column encryption.  This requires a bit of work upfront to setup. You are going to need to identify the atomic pieces of data that need to be encrypted then go through your indexing scheme to make sure you have not put indexes on columns that are encrypted with salt, and you don’t have foreign key constraints on columns that are encrypted. The upside of column encryption is the data stays encrypted in the SGA.

Will your backups be encrypted? Again, the answer must be yes and this is where it gets a bit tricky. RMAN backups are block level copies of the data files, so if your data is encrypted, your backups will be encrypted. However, if someone runs a datapump export of your data to refresh a lower environment and they do not specify encryption in the options, then your data will be saved unencrypted. The cloud provider must audit for this event and if it does happen, then you need to be informed and the cloud provider must make every effort to find and destroy that datapump file and any copies that have been made of it. You notice I used the word destroy as apposed to delete. Well there is good reason for that, if you delete a file there is still ghost data that can be recovered. So that or those file(s) will need to destroyed by a utility such as Linux shred.

The trusted insider attack surface has changed. <OPINION> It is safe to assume Oracle and other Tier 1 cloud providers will vet their system administrators. </OPINION> However; people change, that is just a fact of life. I frequently use the example of Edward Snowden. Prior to his leaking NSA documents he had gone through polygraph examinations, and his entire background put under a microscope, then he changed.

How will your cloud provider protect you against their trusted insider? The concept is easy, wall off your data from being seen by the system administrator. I’ve been a DBA for decades and can tell you with complete honesty, the DBA or SA does not need access to your data in order to do their job. <OPINION> Oracle has a great product Database Vault that is designed to wall off your data from the SAs. Any cloud solution should include the implementation of Database Vault. </OPINION>

Your cloud provider must provide a proven tool that protects your information from trusted insiders at the cloud provider.

Your cloud provider must also provide an integrated audit solution that tracks all audit events and allows you to report on audit events. Oracle Audit Vault comes with BI. You can use caned reports and customize those reports for your requirements.

Can you make customization’s to the security? Oracle Real Application Security (RAS) gives you, Redaction, Virtual Private Databases and audit on all connections. A full discussion of RAS is beyond the scope of this paper.

<OPIONION> At the very least, you should be able to implement, Virtual Private Databases, and Redaction to protect your data from the normal use of you applications. </OPINION> (I say normal use of you applications. Using different tools and grants it is possible to bypass these features.)

Will the cloud provider implement and configure Database Firewall. Database Firewall is a good tool to defend against sql injection attacks. It takes a lot of work to properly configure it especially if you are using a custom application. Will the cloud provider be responsible for the configuration of database firewall?

How are you going to get your data back if you decide to break up with your cloud provider?

If your cloud provider is using Oracle 12C multitennant an encryption key is generated with the container database and that is used to decrypt the encryption key for the pluggable database. I’m not going to dive too deep into this. The cloud provider can unplug your database and provide you with a set of keys to decrypt your data.

Then the worst happens, there is a data breach. You need to know, how will your cloud provider make you whole. The truth is, your customers will be upset with you and maybe your cloud provider.

End the end, you are the steward of your customers data and with that stewardship comes responsibilities.

#sqldev #outline

Do you spend a lot of time in sql developer working your very large package? Have a look at the quick outline from Jeff Smith of Oracle SQL Developer fame.  Besides being a great Product Manager (hey Uncle Larry, give Jeff a raise) he is an all around good guy.

My recommendations for making 2016 insanely successful.

We all make new years resolutions but frequently we wind up abandoning them. So make a list of what you want to accomplish. I carry around with me a notebook that I am constantly writing in. 20160101_130500What is my top piece of advice. Carry a notebook around and write out every idea you have, big and small.

My notebook includes: 1) check list of things I need to get done either today or in the future.

2) charts to measure the importance of something or the risk of taking an action.

3) Random mind maps. When I get an idea and I can’t quite nail it down, I normally start with a mind map and let things flow where they may.

4) Big ideas and bold steps. I try to always have at least three bold things I want to do listed.  I then break down by big ideas and bold steps into manageable chunks and make a check list of what I want to accomplish every day to turn my big ideas into reality.

5) Doodles of where I am today, and where I want to be in one year. I go back and redoodle this frequently in order to ingrain the goal into my mind.

6) Blog posts and ideas. Okay, I’m old school, I still hand write my blog post before sitting down at the computer. Its much more relaxing to be sitting in a comfortable chair writing then sitting at the computer writing. 20160101_131840Besides, some of the writing techniques I use don’t adapt to the computer very well. When writing I frequently go off on a tangent (that’s my ADD) hey, shinny thing. Well, tangents frequently lead to big ideas that take the initial form of a mind map. The other real big reason I start with pencil and paper is my dyslexia.  When writing on the computer all my misspelled words wind up having squiggly red underlining and my OCD makes me fix that before moving on.  That breaks my chain of thought. The only way I’ll get the squiggly red underline on paper is if I pick up a red pen and put it there myself.

7) Nudges. It’s hard to turn a battleship around, it’s much easier to make small corrections.  When I learn of my mistakes, (and I sure make quite a few) I write out the mistake and analysis of the mistake.  I then come up with a series of nudges to correct my mistakes and improve my overall life.

8) The to-be list. Really this is my list of what I am going to do to relax and enjoy my life. Spend a day working in the garden with Candy, Tea with Martin and the Queen, polish the plane. Sit on the beach and and listen for this hiss when the sun goes down and touches the ocean.

2015 #InfoSec in review. We get a big fat “F”

We are stewards of our customers data and need to do better. <OPINION> I would give us a big fat “F” for data security in 2015.</OPINION> What happened and what needs to be improved? We saw weak passwords, lack of encryption, malware and social engineering over and over again. One very sad aspect of these attacks is once the system was compromised, the attack went on for months, even years prior to the attack being uncovered. So again we really need to do better, reading the logs, doing analytics on system behavior and locking down the data.

High level the attack vectors have not changed much over the years. Malware payloads are still being delivered by drive by downloads and infected emails. Businesses and medical groups are still leaving sensitive data unencrypted, trusted insiders can still get to sensitive information. We are also seeing encrypted connections being made to unknown servers and allowing that traffic to go through our firewalls.

I’m going to do my best to keep my opinion clear by using the <OPINION> </OPINION> tags so you know what my personal opinion is. I’m also not going to go through every attack that happened in 2015. In here I will also let you know what I think should / could have been done to mitigate the attacks.

1) IRS Data breach

In IRS’s effort to make things easy for users to access their data they exposed very sensitive tax and financial data to hackers. Over 100,000 people were compromised with this system and $50,000,000 is false tax refunds have been stolen from the US Government.

When we design systems, one of the top requirements we have are user experience. If we make it to hard to access the systems they will not be used, make it to easy and the data can be compromised. We need to weigh the value of the data with user experience. The users expect their information to be respected and protected.

2) OPM data breach

The OPM hack impacted me personally along with my wife. The impact was over 22 million people had full background and biometric information leaked to a foreign intelligence agency. I watched the congressional hearings and was very disappointed by the <OPINION>incompetence of the people </OPINION> testifying. The Director of OPM resigned but <OPINION> the CIO of OPM should have been walked out the door. </OPINION> it was her job to make sure this information was secure. I still don’t know why this information was not stored on the classified network as it should have been. <OPINION> As an added insult, the government is offering two years of credit monitoring. As if a foreign intelligence agency is really interested in taking out credit cards in our names. The big threat is we are now at risk for blackmail. </OPINION>

The OPM breach was malware that was making encrypted connections to unknown servers. This is a case where black listing IP’s would not work, but white listing connections would work. Sensitive data should only be transmitted over trusted paths and <OPINION> if encrypted connections are being made, then those connections should be treated as sensitive. </OPINION>

3) UCLA Medical

UCLA Medical lost 4.5 million records of unencrypted patient data including PII and medical information. There is no excuse to not encrypt sensitive data. I still hear the old excuse of there is a performance impact of encryption. With the availability of hardware encryption modules, this argument does not hold water.

After encrypting data, we still have to be careful about ghost data and data leakage. A DBA can still run database pump and get an unencrypted copy of the data then copy that data to another location. We do this all the time to refresh an environment. Controls need to be placed on data pump copies so any information that is exported from the database will stay encrypted and the location of those copies are known. When moving data from unencrypted to encrypted, all ghost data must be shredded.

4) Ashley Madison

This one did not really interest me very much other then the disrespect Ashley Madison showed their customer base. This hack ruined some reputations and exposed a large number of people to blackmail. Yes credit card numbers were encrypted, but geolocation and email addresses was not encrypted. <OPINION> The large number of people who used their work and government email addresses was shocking. These people who are so blind to opsec deserve to be caught. </OPINION>

5) Hyatt

Just recently we learned about the Hyatt payment processing data breach. Not much is known at this time other then malware sent encrypted data to an unknown server. This is yet another case of needing to have a trusted path for sensitive data by using white list and denying access to any unknown IP address.

6) Trump Hotels

Trump Hotels, in a year long campaign, credit card and security code information was stolen from customers of Trump properties. I’m going to keep beating this drum, you need a trusted path from point of sales to the processing database, so <OPINION> implement white lists and deny any encrypted traffic to unknown ip’s.</OPINION>

7) T-Mobile and Experian

T- Mobile placed their trust in Experian and suffered a massive breach of 15 million customers full name, social security number and date of birth and some passport numbers. In this case no payment card data was compromised. Yet this is still enough information for identity theft. Not a lot of information has been provided on the attack vector used.

In December 2013 T-Mobile suffered another data breach with vendor Decisioning Solutions that is owned by Experian. In both of these cases, T-Mobile is offering credit monitoring through ProtectMyID that is owned by Experian. <OPINION> Why does T-Mobile continue doing business with Experian? </OPINION>

This is not an exhaustive list of breaches for 2015.


VTECH the toy manufacturer exposed data on 4.8 million customers due to password insecurity.

9) Securus

Securus lost 70 million call logs and recorded conversations of people in prison. These recordings also included attorney client privileged conversations.

10) FBI

The FBI LEO Portal was hacked, the attack vector and damage is still classified.

11) Scott Trade

Scott Trade lost data on 4.6 million customers under a two year campaign. Krebs on Security reported that the data was used for stock scams.

12) Excellus Blue Cross Blue Shield.

Excellus Blue Cross Blue Shield lost data on 10 million customers. The attack started in 2013 and was not discovered until 2015.

13) Anthem

Anthem lost data on 78.8 million customers. I have read the count was actually 80 million customers and 19 million rejected customers.

14) Anonymous vs ISIS.

I only add this because of the interest in ISIS. After the Paris attacks Anonymous started OpParis that is turning into a interesting game of wack a mole. Anonymous is using brute force to shut down ISIS controlled accounts and servers. The results are debatable, <OPINION> it would be better to allow some of the systems to stay online to gather intelligence on ISIS. By shutting them down you are forcing them onto the dark web where it’s harder to gather intelligence.</OPINION>

<OPINION> Sadly, many times after a breach the offending company offers one year or two years of credit monitoring. The customer will be exposed for the rest of their life. Two yours of credit monitoring is wholly inadequate./OPINION>

What do we need to do.

  1. Secure the data. Encrypt data at rest so if the data is compromised then it will be useless to the criminal.
  2. Encrypt the data on the network when there is sensitive data going through it. Man in the middle attacks happen.
  3. Build trusted paths for sensitive information. All sensitive information must go through that path.  If an encrypted session is being built to an unknown server, deny that connection.
  4. Secure the parameter. We are letting encrypted traffic go to unknown servers. This has to stop by using white list. If a workstation or node can process sensitive data, then that workstation or node should not be able to access unknown servers.
  5. Secure programming practices. I still see first hand sloppy programming that is vulnerable to sql injection. Organizations must impalement secure coding practices with code reviews that also include looking to vulnerability. A couple months ago, I came across a piece of code that was vulnerable to sql injection, when I brought it up to program management I was told, going back to fix the problem would put the program behind schedule, move forward and we will fix it after going production. <OPINION> This is the wrong attitude. </OPINION>If the program had standards in place before coding started, then the problem would not have gotten as far as it did.
  6. Secure the data from trusted insiders. I wont get into the political issues of Bradly Manning or Edward Snowden. Both of them were vetted and had access to sensitive information, they broke their trust and stole information that did incalculable damage.
  7. Routinely review audit logs to look for unusual behavior. I’m still seeing audit logs get ignored until there is a problem. Products like Oracle Audit Vault, brings all of your audit into one package where you can create BI dashboards to find out when something is happening that is outside of the norm.

Oraclewizard 2015 In Review

2015 was a great year for me. I finished a project with FDIC heading up the DBA group  then took some time to do some studying, writing and speaking at events. I was also able to take some time out to head down to Atlanta for the Exadata Administration Workshop. In September I took a one year contract with a new customer in West Virginia whom is keeping me very busy.

In September I was named and Oracle ACE.  I want to thank Jeff Smith and John King for the recommendation. Being named an ACE is truly an honor. O_ACELogo_clr
I was able to get out to Tallinn Estonia for Harmony15 and Hollywood Florida for KSCOPE15 to speak on Holistic Database Security.  Then in October I was able to get over to San Francisco for Open World to collect the Oracle Developers Choice Award for Database Development. Steven Feuerstein-Oracle, Laura Ramsey-Oracle and crew did a fabulous job putting together the presentation, award and generally keeping everything going smooth.  The competition was stiff, Heli

and Michelle Kolbe also won; to be able to share the stage with these two talented people made all the hard work worth it.


2016 is already looking to be very busy for me.  I have been booked to speak on Holistic Database Security in London at the UKOUG SIG in January, then in Denver at RMOUG Training Days in February followed by IOUG Collaborate in Las Vegas in April followed by KSCOPE16 in Chicago in April.  There are two others where the details are getting finalized, NOUG in Oslo in March and Harmony16 in May.


I plan on continuing improving the Holistic Database Security, TDE, some fresh presentations that are in the works along with some blog posts that will help you secure your crown jewels (aka the database) from bad actors. For the second half of the year, I plan on sending in abstracts to DOAG and BGOUG for their fall conferences.


Along with all of this, continue to deliver high quality services to my customers.  Because without my customers I would not be able to work with the Oracle Community.