10/18/2020

102100 How You Protect Your Valuable Data from the “Insider Threat”

Greg Kelly
PeopleTools Product Management Strategy Director, Security

October 2020



Safe Harbor

3

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.

Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and prospects are “forward-looking statements” and are subject to material risks and uncertainties. A detailed discussion of these factors and other risks that affect our business is contained in Oracle’s Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and Form 10-Q under the heading “Risk Factors.” These filings are available on the SEC’s website or on Oracle’s website at http://www.oracle.com/investor. All information in this presentation is current as of September 2019 and Oracle undertakes no duty to update any statement in light of new information or future events.

Agenda

4

Contributing Factors

Risk Awareness

Remediations/Access Controls

Useful Links


5

Who are the “BAD” guys?

"Never attribute to malice that which can be adequately explained by neglect." - Hanlon's Razor


The Fluidity of People’s Morals


Contributing Factors

7

Moral Luck

Moral Hazard

Normalization of Deviance “Familiarity Breeds Contempt” and “Broken Window Syndrome”

Willful Blindness

Hubris

Disengagement/Disenchantment

Kohlberg and the “Heinz Dilemma”

Dunning–Kruger effect

Preference Cascade

Moral Luck

8

Moral Luck
http://www.iep.utm.edu/moralluc/

"... A case of moral luck occurs whenever luck makes a moral difference. The problem of moral luck arises from a clash between the apparently widely held intuition that cases of moral luck should not occur with the fact that it is arguably impossible to prevent such cases from arising."



Moral Hazard

10

What is moral hazard? By Andrew Beattie
http://www.investopedia.com/ask/answers/09/moral-hazard.asp

"... The idea of a corporation being too big or too important to fail also represents a moral hazard. If the public and the management of a corporation believe that the company will receive a financial bailout to keep it going, then the management may take more risks in pursuit of profits.

Government safety nets create moral hazards that lead to more risk taking, and the fallout from markets with unreasonable risks - meltdowns, crashes, and panics - reinforces the need for more government controls. Consequently, the government feels the need to strengthen these nets through regulations and controls that increase the moral hazard in the future."

See the movie “The Big Short”



Normalization of Deviance

12

Bedford and the Normalization of Deviance, by Ron Rapp on December 20, 2015
http://www.rapp.org/archives/2015/12/normalization-of-deviance/

"... Social normalization of deviance means that people within the organization become so much accustomed to a deviant behavior that they don’t consider it as deviant, despite the fact that they far exceed their own rules for the elementary safety. People grow more accustomed to the deviant behavior the more it occurs.

To people outside of the organization, the activities seem deviant; however, people within the organization do not recognize the deviance because it is seen as a normal occurrence. In hindsight, people within the organization realize that their seemingly normal behavior was deviant."

Check out “The Challenger Launch Decision”


Normalization of Deviance
“Familiarity Breeds Contempt” and “Broken Windows Theory”

13

Does familiarity breed contempt?
http://www.dba-oracle.com/t_familiarity_breeds_contempt.htm

In a nutshell, the "Familiarity Breeds Contempt" concept is the idea that, the more we get to know a supervisor on a personal level, the more likely we are to find fault with them. The term "familiarity breeds contempt" dates back at least 100 years, and this belief is widely noted as an absolute truth, even by famous authors.

Broken Windows Theory
https://study.com/academy/lesson/broken-windows-theory-definition-lesson.html

The broken window theory stems from an article written in 1982 by criminologists James Q. Wilson and George Kelling. Their theory states that signs of disorder will lead to more disorder. A building with a broken window that has been left unrepaired will give the appearance that no one cares and no one is in charge. This will lead to vandals breaking the rest of the windows and adding graffiti, because in their minds nobody cares.



Willful Blindness
“Absence of Evidence is not Evidence of Absence”

15

Willful Blindness
https://www.nacdl.org/criminaldefense.aspx?id=21211

"... Willful blindness, also known as conscious avoidance, is a judicially-made doctrine that expands the definition of knowledge to include closing one's eyes to the high probability a fact exists. While the doctrine originated in the context of drug trafficking cases, it has since been expanded to a wide array of prosecutions and is increasingly used in the white collar cases.

Consistently benefiting the prosecution, a request to instruct the jury on willful blindness usually comes on the heels of weak evidence of knowledge, without any advance warning to the defense, and invites the jury to convict based on evidence of mere negligence or recklessness."



Hubris

17

Hubris
http://literarydevices.net/hubris/

"... Hubris is a typical flaw in the personality of a character who enjoys a powerful position; as a result of which, he overestimates his capabilities to such an extent that he loses contact with reality. A character suffering from Hubris tries to cross normal human limits and violates moral codes. Examples of Hubris are found in major characters of tragic plays."



Disengagement/Disenchantment

19

Employee Disengagement Underlies Saga of Sabotage
http://inbusinessmag.com/in-business/employee-disengagement-underlies-saga-sabotage

"... Most insider threats are made, not born. Employees do not often join the world of work with overt intentions to steal from, damage or sabotage their organization. Instead, they are jaded after a sequence of disenchanting events, leaving them cynical, angry, and driven to balance the scales.

Disenchantment is not a solitary existence, but instead clusters around ineffective and damaging management practice. Managers account for nearly 70 percent of the reasons an employee is disenchanted. Organizations are often unaware of how their culture increases their vulnerability to the insider threat."



Kohlberg and the “Heinz Dilemma”

21

Kohlberg’s Stages of Moral Development
This states that we progress through three levels of moral thinking that build on our cognitive development.
https://courses.lumenlearning.com/teachereducationx92x1/chapter/kohlbergs-stages-of-moral-development/

Lawrence Kohlberg expanded on the earlier work of cognitive theorist Jean Piaget to explain the moral development of children. Kohlberg believed that moral development, like cognitive development, follows a series of stages. He used the idea of moral dilemmas—stories that present conflicting ideas about two moral values—to teach 10 to 16 year-old boys about morality and values. The best known moral dilemma created by Kohlberg is the “Heinz” dilemma, which discusses the idea of obeying the law versus saving a life. Kohlberg emphasized that it is the way an individual reasons about a dilemma that determines positive moral development.



Dunning–Kruger effect

23

The Dunning-Kruger Effect Shows Why Some People Think They're Great Even When Their Work Is Terrible
https://www.forbes.com/sites/markmurphy/2017/01/24/the-dunning-kruger-effect-shows-why-some-people-think-theyre-great-even-when-their-work-is-terrible/#462bdede5d7c

Coined in 1999 by then-Cornell psychologists David Dunning and Justin Kruger, the eponymous Dunning-Kruger Effect is a cognitive bias whereby people who are incompetent at something are unable to recognize their own incompetence. And not only do they fail to recognize their incompetence, they’re also likely to feel confident that they actually are competent.



Preference Cascade

25

What is a preference cascade?
https://www.quora.com/What-is-a-preference-cascade

In short, average people behave the way they think they ought to, even though that behavior might not reflect their own personal feelings.

Given a sufficient "A-HA!" moment when they discover that their personal feelings are shared by a large portion of the population their behavior may change dramatically.



Risk Awareness

27

Latency of Security Patches (CPU)

Scope of Privileged Users

Data Classification

Attestation

Compliance with Internal Processes

Segregation of Duties

Mandatory Vacation

Job Rotation

Phishing, Ransomware

“Sextortion”

Case #1

28

$4.5M office supply scheme inside Las Vegas water district draws FBI inquiry
http://www.reviewjournal.com/news/las-vegas/45m-office-supply-scheme-inside-las-vegas-water-district-draws-fbi-inquiry

... The scheme, which unfolded over three years, involved an employee in the district’s purchasing division who fraudulently ordered office supplies through the water utility’s vendor, then sold the items to a company in New Jersey and kept the money.


Case #2

29

Target settles for $39 million over data breach
http://money.cnn.com/2015/12/02/news/companies/target-data-breach-settlement/

Target agreed to a $39 million settlement with several U.S. banks on Wednesday over a data breach that affected roughly 40 million customers.

The banks lost millions when they were forced to reimburse customers who lost money in the massive 2013 hack of Target's database.

Case #3

30

The Trusted Grown-Ups Who Steal Millions From Youth Sports
http://www.nytimes.com/2016/07/10/sports/youth-sports-embezzlement-by-adults.html

Prosecutors in several states say embezzlement investigations involving youth sports have become common.

... Across the country, people who volunteered as treasurers and other officers for Little Leagues and sports clubs have been prosecuted for pilfering gobs of money from the coffers: $220,000 in Washington, $431,000 in Minnesota, $560,000 in New Jersey, and so on, according to law enforcement authorities, league officials, experts on nonprofit organizations and news reports.


Case #4

31

Retail Shrinkage
Study: Shrink costs U.S. retailers $42 billion; employee theft tops shoplifting
http://www.chainstoreage.com/article/study-shrink-costs-us-retailers-42-billion-employee-theft-tops-shoplifting

"... While shoplifting is the biggest cause of all retail shrink in 16 of the 24 countries surveyed, in the United States, employee theft ranked first at 42.9%, with shoplifting next at 37.4%"

Self-Service Checkouts Can Turn Customers Into Shoplifters, Study Says
http://www.nytimes.com/2016/08/11/business/self-service-checkouts-can-turn-customers-into-shoplifters-study-says.html?_r=0

"... The scanning technology, which grew in popularity about 10 years ago, relies largely on the honor system. Instead of having a cashier ring up and bag a purchase, the shopper is solely responsible for completing the transaction. That absence of human intervention, however, reduces the perception of risk and could make shoplifting more common, the report said."

Avocado and Pear …

Case #5

32

Stolen Proprietary Software
Car thefts – Two men used pirated software running on a laptop to steal more than 100 cars
http://securityaffairs.co/wordpress/50070/cyber-crime/car-theft-laptop.html

"... Fiat Chrysler and the authorities are investigating the case, in particular, it is important to understand if the crooks got access to a computerized database of codes used by dealers, and how. Data in the database are used by auto repair shops to replace lost key fobs."


Case #6

33

Famous cybercrime groups and hacktivists “brands” may be a smokescreen to cover sophisticated insider attacks.
http://www.csoonline.com/article/3107987/hacktivism/fake-attack-by-insider-tries-to-fool-company.html

"... One of the company’s web portals was lightly defaced (using its admin panel functionality) with insulting slogans, criticizing the company for globalization. A few moments later, attackers also erased all website content they had access to, including HTTP logs on the breached web server. A first internal notification about the incident came from a web administrator working at the company for 15 years. It also contained a link to zone-h defacement mirror saying that hacktivists compromised and probably backdoored the server, urging server re-installation from scratch. As the attackers were known, he recommended skipping the formal investigation process in order to reduce the downtime of the server. His management gave a green light to move forward without proper system mirroring for further forensics investigation."

Before AI/ML



Overview
Access Controls

Types of Access Control (function or purpose)

- Preventive access control
- Deterrent access control
- Detective access control
- Corrective access control
- Recovery access control
- Compensation access control
- Directive access control

Types of Access Control (implementation)

- Administrative access controls
- Logical/technical access controls
- Physical access controls


Function or Purpose Access Controls
Preventive access control

A preventive access control is deployed to stop unwanted or unauthorized activity from occurring.

Examples of preventive access controls include fences, locks, biometrics, separation of duties, job rotation, data classification, penetration testing, access control methods, encryption, auditing, security cameras, smart cards, callback, security policies, security awareness training, and antivirus software.

Function or Purpose Access Controls
Preventive access control - Support

• PeopleTools
  • Password Controls
  • Revalidate Password (supports LDAP)
  • Time of Day Permissions
• Oracle and Other Products
  • Oracle Access Manager (with Multi Factor Authentication)
  • Oracle Adaptive Access Manager
  • Oracle Audit Vault and DB Firewall
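Separation of duties is listed above as a preventive control. The check below is an added example, not PeopleTools code: conflicts are defined on permissions rather than on role names, and a user is flagged when the union of permissions from all of their roles contains a toxic pair, so a conflict split across two roles (the purchasing clerk who can both raise and approve an order) is still caught. The role, permission and user names are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added example, not PeopleTools code.  Roles, permissions, the conflict
matrix and the user assignments are constructed for illustration; a real
check would read them from the application's security tables.
"""
from itertools import combinations

# Constructed role -> permission mapping.
ROLE_PERMISSIONS = {
    "VENDOR_MAINTAIN": {"vendor.create", "vendor.update_bank_details"},
    "PO_ENTRY": {"po.create"},
    "PO_APPROVER": {"po.approve"},
    "AP_PAYMENT": {"payment.release"},
    "AP_INQUIRY": {"payment.view"},
}

# Toxic permission pairs: holding both lets one person complete a fraud
# end to end (raise and approve an order, or create a vendor and pay it).
CONFLICTS = {
    frozenset({"po.create", "po.approve"}),
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"vendor.update_bank_details", "payment.release"}),
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(user_roles, role_permissions=ROLE_PERMISSIONS, conflicts=CONFLICTS):
    """Return {user: [(perm_a, perm_b), ...]} for every user whose combined
    roles grant a conflicting pair.  Checking the union of permissions means
    a conflict that only arises across two roles is still reported."""
    report = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= perms]
        if hits:
            report[user] = sorted(hits)
    return report


def conflicting_role_pairs(role_permissions=ROLE_PERMISSIONS, conflicts=CONFLICTS):
    """Role pairs that must never be assigned together, derived from the same
    conflict matrix so the role designer and the user review agree."""
    pairs = set()
    for r1, r2 in combinations(sorted(role_permissions), 2):
        union = role_permissions[r1] | role_permissions[r2]
        if any(pair <= union for pair in conflicts):
            pairs.add((r1, r2))
    return sorted(pairs)


# Constructed assignments: jdoe can both raise and approve purchase orders,
# rlee can create a vendor and release its payment, asmith can only look.
USER_ROLES = {
    "jdoe": ["PO_ENTRY", "PO_APPROVER"],
    "asmith": ["AP_INQUIRY"],
    "rlee": ["VENDOR_MAINTAIN", "AP_PAYMENT"],
}

if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES).items():
        print(user, "->", hits)
    print("role pairs to keep apart:", conflicting_role_pairs())
```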


Function or Purpose Access Controls
Deterrent access control

A deterrent access control is deployed to discourage the violation of security policies. Deterrent controls pick up where prevention leaves off. A deterrent doesn’t stop with trying to prevent an action; instead, it goes further to exact consequences in the event of an attempted or successful violation.

Examples of deterrent access controls include locks, fences, security badges, security guards, security cameras, intrusion alarms, separation of duties, work task procedures, awareness training, encryption, auditing, and firewalls.

Function or Purpose Access Controls
Deterrent access control - Support

• PeopleTools
  • Change Password Frequency
  • Login Page Notice
  • PeopleSoft Encryption Technology
• Oracle and Other Products
  • Oracle GRC
  • Log Analysis
  • Critical Staff Background/Credit Checks


Splash Screen for Login Page

This site is intended solely for use by Company's authorized users. Use of this site is subject to the Legal Notices, Terms of Use, and Privacy Statement located on this site. Use of the site by customers and partners, if authorized, is also subject to the terms of your contract(s) with Company. Use of this site by Company employees is also subject to company policies, including the Code of Conduct. By continuing to use this site, you understand all activity may be monitored and audited. Unauthorized access or breach of these terms may result in termination of your authorization to use this site and/or civil and criminal penalties.

[Accept] [Decline]

This Splash Screen can also be used to comply with EU Cookie Requirements

Strictly Necessary Cookies are ones that are only used to enable a site to work and can generally be assumed to have negligible privacy concerns attached to them. They are therefore exempt from cookie regulations around the need for consent. Often they are generated automatically by the technology platforms running most websites. However, it is important to realize that these can be customized to perform additional tasks which can change their purpose.

Function or Purpose Access Controls
Detective access control

A detective access control is deployed to discover unwanted or unauthorized activity. Often detective controls operate after the fact rather than in real time.

Examples of detective access controls include security guards, guard dogs, motion detectors, post incident review of security camera recordings, job rotation, mandatory vacations, audit trails, honey pots, seeded email distribution lists, intrusion detection systems, violation reports, supervision and reviews of users, and incident investigations.


Function or Purpose Access Controls
Detective access control - Support

• PeopleTools
  • Enterprise Manager PeopleSoft plug-in
  • Seeded Mailing Lists
  • Workforce Practices - Vacation
• Oracle and Other Products
  • Oracle Audit Vault
  • Oracle GRC (Governance, Risk and Compliance)
  • IPS/IDS (Intrusion Prevention and Detection System)
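An added example (not PeopleTools code) of the after-the-fact log analysis a detective control relies on: it reviews a constructed sign-on export for four things the slides name as controls, sign-ons outside a time-of-day window, sign-ons from outside the internal network, a changed user agent, and a user who never stays away long enough for a mandatory vacation to have happened. The record format, permitted hours, network policy and thresholds are assumptions.

```python
"""Detective control: offline review of a sign-on audit export.

Added example, not PeopleTools code.  The record format, permitted hours,
internal networks and thresholds are constructed assumptions; the checks
mirror controls named on the slides: time-of-day permissions, location
based access, user-agent validation and mandatory vacation.
"""
import csv
from datetime import datetime, time
from io import StringIO
from ipaddress import ip_address, ip_network

# Constructed sample export: timestamp,user,source_ip,user_agent
SAMPLE_LOG = """\
2020-09-01T08:12:00,jdoe,10.1.4.22,Mozilla/5.0 (Windows NT 10.0) Chrome/85
2020-09-03T09:40:00,jdoe,10.1.4.22,Mozilla/5.0 (Windows NT 10.0) Chrome/85
2020-09-05T23:15:00,jdoe,10.1.4.22,Mozilla/5.0 (Windows NT 10.0) Chrome/85
2020-09-09T08:02:00,jdoe,10.1.4.22,Mozilla/5.0 (Windows NT 10.0) Chrome/85
2020-09-14T08:05:00,jdoe,10.1.4.22,Mozilla/5.0 (Windows NT 10.0) Chrome/85
2020-09-18T08:20:00,jdoe,10.1.4.22,Mozilla/5.0 (Windows NT 10.0) Chrome/85
2020-09-25T08:07:00,jdoe,10.1.4.22,Mozilla/5.0 (Windows NT 10.0) Chrome/85
2020-09-30T08:11:00,jdoe,10.1.4.22,Mozilla/5.0 (Windows NT 10.0) Chrome/85
2020-10-01T08:30:00,asmith,10.1.7.9,Mozilla/5.0 (Macintosh) Safari/605
2020-10-06T10:02:00,asmith,10.1.7.9,Mozilla/5.0 (Macintosh) Safari/605
2020-10-07T02:44:00,asmith,10.1.7.9,Mozilla/5.0 (Macintosh) Safari/605
2020-10-26T10:15:00,asmith,203.0.113.5,curl/7.64.1
"""

WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed permitted window, weekdays only
INTERNAL_NETS = [ip_network("10.0.0.0/8")]      # assumed location policy
MIN_BREAK_DAYS = 10     # assumed mandatory-vacation length
MIN_SPAN_DAYS = 28      # only judge users with at least this much history


def parse_log(text):
    """Turn the CSV export into dicts with a real datetime."""
    return [{"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "agent": agent}
            for ts, user, ip, agent in csv.reader(StringIO(text))]


def off_hours(rows):
    """Time-of-day check: weekend sign-ons or sign-ons outside the window."""
    out = []
    for r in rows:
        weekend = r["ts"].weekday() >= 5
        outside = not (WORK_START <= r["ts"].time() < WORK_END)
        if weekend or outside:
            out.append((r["user"], "off-hours sign-on", r["ts"].isoformat()))
    return out


def outside_network(rows):
    """Location check: source address not inside any internal network."""
    return [(r["user"], "sign-on from outside internal network", r["ip"])
            for r in rows if not any(ip_address(r["ip"]) in n for n in INTERNAL_NETS)]


def agent_changed(rows):
    """User-agent check: the first agent seen per user is the baseline."""
    baseline, out = {}, []
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["agent"] != baseline.setdefault(r["user"], r["agent"]):
            out.append((r["user"], "user agent changed", r["agent"]))
    return out


def no_mandatory_break(rows):
    """Mandatory-vacation check: a user with enough history whose longest gap
    between sign-on days is shorter than the required break."""
    days = {}
    for r in rows:
        days.setdefault(r["user"], set()).add(r["ts"].date())
    out = []
    for user, seen in days.items():
        seen = sorted(seen)
        if (seen[-1] - seen[0]).days < MIN_SPAN_DAYS:
            continue    # too little history to judge; say nothing rather than guess
        longest = max(((b - a).days for a, b in zip(seen, seen[1:])), default=0)
        if longest < MIN_BREAK_DAYS:
            out.append((user, "no break of %d+ days" % MIN_BREAK_DAYS,
                        "longest gap %d days" % longest))
    return out


def review(text):
    """Run every check and return the findings sorted by user and check."""
    rows = parse_log(text)
    return sorted(off_hours(rows) + outside_network(rows)
                  + agent_changed(rows) + no_mandatory_break(rows))


if __name__ == "__main__":
    for user, check, detail in review(SAMPLE_LOG):
        print(user, check, detail, sep="  |  ")
```

The vacation check deliberately stays silent for asmith, whose 25 days of records are too few to judge; a control that reports on thin data produces noise the reviewer learns to ignore.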

Function or Purpose Access Controls
Corrective access control

A corrective access control is deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. Usually corrective controls are simple, such as terminating access or rebooting a system. Corrective controls have only a minimal capability to respond to access violations.

Examples of corrective access controls include intrusion detection systems, antivirus solutions, business continuity planning, and security policies.


Function or Purpose Access Controls
Corrective access control - Support

• PeopleTools
  • Password Controls – Account Lockout
  • Active Data Guard
  • Server Based Anti-virus
• Oracle and Other Products
  • IPS/IDS
  • High Availability Architecture
  • Attestation – Account Revalidation

Function or Purpose Access Controls
Recovery access control

A recovery access control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies. Recovery controls have more advanced or complex abilities to respond to access violations than corrective access controls. For example, a recovery access control can repair damage as well as halt further damage.

Examples of recovery access controls include backups and restores, fault-tolerant drive systems, server clustering, antivirus software, and database shadowing.


Function or Purpose Access Controls
Recovery access control - Support

• PeopleTools
  • Lock out Password Controls
  • Clustering
  • Active Data Guard
• Oracle and Other Products
  • Cloning and various restore documented and tested processes
  • Firewalls
  • Disaster Recovery

Function or Purpose Access Controls
Compensation access control

A compensation access control is deployed to provide various options to other existing controls to aid in enforcement and support of security policy.

Examples of compensation access controls include security policy requirements or criteria, personnel supervision, monitoring, and work task procedures.


Function or Purpose Access Controls
Compensation access control - Support

• PeopleTools
  • Architecture Separation
  • Data in Flight Encryption
  • Password Controls – Account Lockout
• Oracle and Other Products
  • Oracle Database Vault
  • Oracle Database Firewall
  • Oracle RUEI (Real User Experience Insight) or Application Performance Monitoring (APM)

Function or Purpose Access Controls
Directive access control

A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

Examples of directive access controls include tail gating controls, security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, work task procedures, and awareness training.


Function or Purpose Access Controls
Directive access control - Support

• PeopleTools
  • Login Page Policy Acceptance
  • Mandatory Policy ReCertification
  • Log Analysis
• Oracle and Other Products
  • Oracle GRC
  • Oracle RUEI or APM
  • Oracle Audit Vault

Implementation Access Controls
Administrative access controls

Administrative access controls are the policies and procedures defined by an organization’s security policy to implement and enforce overall access control. Administrative access controls focus on two areas: personnel and business practices (for example, people and policies).

Examples of administrative access controls include policies, procedures, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision, personnel controls, and testing.


Implementation Access Controls
Administrative access controls - Support

• PeopleTools
  • UPK (User Productivity Kit)
  • Mandatory Vacation
  • Job Rotation
• Oracle and Other Products
  • Credit Checks
  • Identity ReValidation
  • Oracle Identity Manager

Implementation Access Controls
Logical/technical access controls

Logical access controls and technical access controls are the hardware or software mechanisms used to manage access to resources and systems and also provide protection for those resources and systems.

Examples of logical or technical access controls include encryption, smart cards, passwords, biometrics, constrained interfaces, access control lists (ACLs), protocols, firewalls, routers, and intrusion detection systems.


Implementation Access Controls
Logical/technical access controls - Support

• PeopleTools
  • User Agent Validation
  • Location Based Access
  • PET (PeopleSoft Encryption Technology)
• Oracle and Other Products
  • Oracle Adaptive Access Manager
  • ERP Firewall
  • URL Request Filtering

Implementation Access Controls
Physical access controls

Physical access controls are physical barriers deployed to prevent direct contact with systems or portions of a facility.

Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, swipe cards, guard dogs, video cameras, laptop or tablet screen filters, anti-tailgating, “shoulder surfing” mirror, and alarms.


Implementation Access Controls
Physical access controls - Support

• PeopleTools
  • Controlled Server Access
  • Web Profile
  • Time of Day Permissions
• Oracle and Other Products
  • Server Room Controls
  • Oracle RUEI or APM
  • Oracle Database Firewall
  • “Shoulder Surfing” awareness mirror



Useful Links #1

59

Information classification according to ISO 27001
http://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

The Long-Term Effects of Tracking Employee Behavior
https://hbr.org/2016/07/the-long-term-effects-of-tracking-employee-behavior

Risk Perception and Its Impacts on Risk Governance
http://environmentalscience.oxfordre.com/view/10.1093/acrefore/9780199389414.001.0001/acrefore-9780199389414-e-2

Insider Threat Mitigation Guidance
https://www.sans.org/reading-room/whitepapers/monitoring/insider-threat-mitigation-guidance-36307

Background Checks - What Employers Need to Know
https://www.eeoc.gov/eeoc/publications/background_checks_employers.cfm

Your Employees' Right to Privacy
http://www.nolo.com/legal-encyclopedia/employee-privacy

Useful Links #2

60

Running Background Checks on Current Employees
http://blog.verifirst.com/running-background-checks-on-current-employees

Insider Threat Best Practices
https://www.sei.cmu.edu/search.cfm#stq=insider%20threat&stp=1

The Threat of the Malicious Insider: What Is the CFO's Responsibility?
https://www.securityexecutivecouncil.com/spotlight/?sid=31306

Data Loss Prevention as a Critical Component of Cyber Insurance Strategy
https://www.infosecurity-magazine.com/white-papers/data-loss-prevention-cyber

Rapid7 InsightIDR, Dramatically Reduces Time from Compromise to Containment
https://www.rapid7.com/company/news/press-releases/2016/rapid7-launches-new-security-incident-detection-and-response-solution.jsp


CIO Update - Top 10 Cloud Computing Caveats
https://cioupdate.com/top-10-cloud-computing-caveats/

1. Define your terms

2. Watch out for cloud washing - “everything old is new again”

3. Examine basic needs

4. Should I choose cumulus or nimbus? (i.e. public, private or hybrid cloud)

5. Nail down projected costs

6. Policy is as important as technology

7. Cloud piracy abounds

8. Know before you go

9. Start small

10. Find the right tools

A little “hacking” exercise … Guess the Pin Code!
