International Conference on Cyber Security, Hide and Go Seek
A Pragmatic Approach to a Secure Information Environment
David Knox, VP Technology, Oracle National Security Group
Pharming and Phishing
Ways to obtain phood
The Devil's Infosec Dictionary, CSO Online (http://www.csoonline.com/read/080105/debrief.html)
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
Lessons Learned from Childhood
Ready or not, here they come
– Need to know why you are doing what you are doing
– Assumptions, motivations, and approach to complexity
Hidden in plain sight
– Strategies exist for defense and detect, tools exist, need practical balance
Safety on base using the basics
– Policies, enforcements, governance
– Security thought of not as simple user, role, resource but based on holistic context
Cyber Security is a Complex Topic & what this discussion is not about
Forensics
Network security – FWs, IDS, IPS, Encryption, Mobile …
Over 1.1B Served
Breached using weak or stolen credentials: 76%
Preventable with basic controls: 97%
Records breached from servers: 67%
Discovered by an external party: 69%
Data Protection in Context
[Figure: diagram with the labels Privacy & integrity of data; Monitoring & auditing; Privacy & integrity of communications; Network; Authentication; Access control]
Ready or Not!
What’s Driving Security
for “normal” people
“A” is for Assets
“B” is for Brand
Compliance
Sarbanes-Oxley
Patriot Act
PCAOB Audit
PA SB 705
IL SB 1479
ND SB 2251
WA SB 6043
PIPEDA
OFAC
NIST
HSPD-12
FTC 16 CFR 314
FISMA PL107-347
FERPA
FIPS 140-1 & 201
EU Privacy
GLB
21 CFR Part 11
CA SB 1386
Basel II
BSA
HIPAA
“You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees….”
Anatomy of an Attack
Uri Rivner, CTO, RSA (Security Division of EMC)
Targets Increasing as Attacks Evolve: DBAs, OS Admins, Developers, Multiple Copies of the Data, etc.
Mission Critical
Term used to help hackers identify their targets
Basic Assumptions Provide the Foundation
Kerckhoffs’s Principle/Shannon’s maxim: The enemy knows the system
The malicious persons/code have infiltrated your environment
Insider attack has to be addressed
Establish the mindset
Checkpoint
Assume compromise
ABC’s
– Threats often incomparable
– Impact: Resulting damage can be the same
Looking for solutions which apply to all dimensions:
– Cyber
– IT Security
– Risk & Compliance
– Privacy
Hidden in Plain Sight: Defining the Approach
A Simplified Framework

Policy Driven Security: Define Policies
Description:
• Rules that govern what people can and cannot do
Possible States:
• Exist/Don’t Exist
• Ambiguous
• Ignored

Policy Driven Security: Enforce Policies
Description:
• IT controls to ensure compliance to policies
• Preventive measures put in place to proactively defend IT and information assets
Possible States:
• Exist/Don’t Exist
• Enforced/Unenforced
• Effective/Ineffective (Impractical)
• Intentionally bypassed/Unintentionally bypassed

Policy Driven Security: Manage & Monitor Policies
Description:
• Governance: Ability to control and understand who has access to what
• Provisioning/de-provisioning based on least privileges and separation of duties
• Automation to ensure policy enforcements
Possible States:
• Exist/Don’t Exist
• Complete/Incomplete
• Practiced/not practiced
Analysis of Possibilities

Event Category: Disclosure of sensitive material
Policy State: • Exists • Unambiguous • Ignored
Enforcement State (IT Controls): • Exists • Enforced • Effective • Unintentionally bypassed
Governance State: • Exists • Complete • Practiced

Event Category: Unauthorized access to sensitive material
Policy State: • Exists • Unambiguous • Ignored
Enforcement State (IT Controls): • Exists • Enforced • Effective • Unintentionally bypassed
Governance State: • Exists • Complete • Practiced

Event Category: Unauthorized access to databases
Policy State: • Exists • Unambiguous • Ignored
Enforcement State (IT Controls): • Exists • Enforced • Effective • Unintentionally bypassed
Governance State: • Exists • Complete • Practiced
Two Questions
1. Are the enforcements linked to the policies?
2. Do the system components function as a system?
Password Policy Example
• Cannot be similar to user’s name
• Cannot be easily guessable
• Must be at least 12 characters in length
• Contains upper and lower case characters
• Contains at least one special character
• Contains at least one number
• Rotated every 90 days
• Cannot be re-used for 5 years
My current password:
“This1is2Hard!”
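The policy above written as enforcement checks and run against the slide's password, which satisfies every rule. This is an added example, not part of the original deck; the blocklist, the user name and dates, and the reading of "similar" and "easily guessable" as substring tests are assumptions, since the policy does not define either term.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a guessable-password blocklist (assumption).
COMMON = {"password", "letmein", "qwerty", "welcome"}

def check_password(pw, username, last_changed, history, today):
    """Evaluate the eight policy rules; returns {rule: passed}.

    history holds (old_password, date_retired) pairs. Plaintext is used only
    to keep the example short; a real system compares salted hashes.
    """
    low = pw.lower()
    reuse_cutoff = today - timedelta(days=5 * 365)
    return {
        # The policy gives no test for the first two rules; substring
        # matching is this example's assumption.
        "not similar to user's name": username.lower() not in low,
        "not easily guessable": not any(word in low for word in COMMON),
        "at least 12 characters": len(pw) >= 12,
        "upper and lower case": bool(re.search(r"[a-z]", pw))
                                and bool(re.search(r"[A-Z]", pw)),
        "at least one special character": bool(re.search(r"[^A-Za-z0-9]", pw)),
        "at least one number": bool(re.search(r"[0-9]", pw)),
        "rotated every 90 days": (today - last_changed).days <= 90,
        "not re-used for 5 years": all(
            old != pw or retired < reuse_cutoff for old, retired in history),
    }

def failed_rules(pw, username, last_changed, history, today):
    """Names of the rules a password breaks, in policy order."""
    results = check_password(pw, username, last_changed, history, today)
    return [rule for rule, passed in results.items() if not passed]

if __name__ == "__main__":
    today = date(2013, 6, 1)            # constructed dates and user name
    changed = today - timedelta(days=30)
    for candidate in ("This1is2Hard!", "Password123!", "Knox2013"):
        print(candidate, failed_rules(candidate, "knox", changed, [], today))
```

Only the last six rules have a precise test; how the first two are enforced depends entirely on the blocklist and similarity measure chosen, which is where a policy that exists can still be ambiguous.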
Passwords
Authentication tool that, when properly implemented, drives growth at the help desk
Balancing the Business
[Figure: Usability, Performance, Security]
Practicing Good Cyber Security Hygiene
We already know how to do this!
Defensible Systems
– Integrated security controls
– Full stack instrumentation
– Establish and attest a secure environment
Resilient Systems
– No SPOF: Fault tolerant, agile
– Graceful degradation
– Quickly recoverable
Containment
– Isolation
– Virtualization
– Detect & response
Safety on Base: Using the Basics
Securing Today’s Enterprise Information
Focus on securing the operational environment transparently
[Figure labels: Data, Security, Enforcement, Administrators, Users, Developers]
1. User’s session establishes key factors for security decisions
2. Centralized decision point used for authorizations of tasks
3. Enforcement points can verify, validate and add context
4. Monitor for anomalous actions
5. Audit critical actions
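The five steps above as a small default-deny authorization flow, where the decision depends on session context and not on role alone. This is an added example, not part of the original deck; the roles, resources, context values and the bulk-read threshold are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Session:              # step 1: factors fixed when the session is established
    user: str
    role: str
    auth: str               # "password" or "mfa" (hypothetical values)
    network: str            # "internal" or "external"

# Step 2: the single place authorization rules live (constructed rules).
ALLOW = [
    # (role, action, resource, minimum auth, required network)
    ("dba",     "maintain", "hr_db",      "mfa",      "internal"),
    ("analyst", "read",     "hr_records", "password", "internal"),
]
BULK_ROWS = 1000            # constructed threshold for step 4

def decide(session, action, resource):
    """Central decision point: anything no rule allows is denied."""
    for role, act, res, min_auth, net in ALLOW:
        if (session.role, action, resource) == (role, act, res):
            strong_enough = min_auth == "password" or session.auth == "mfa"
            return strong_enough and session.network == net
    return False

@dataclass
class EnforcementPoint:
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def request(self, session, action, resource, rows=1):
        # Step 3: the enforcement point asks the decision point, then adds
        # context only it can see (here, how many rows are requested).
        allowed = decide(session, action, resource)
        # Step 4: an allowed request can still be anomalous.
        if allowed and rows > BULK_ROWS:
            self.alerts.append((session.user, action, resource, rows))
        # Step 5: every decision is audited, allowed or not.
        self.audit_log.append((session.user, action, resource, rows, allowed))
        return allowed

if __name__ == "__main__":
    ep = EnforcementPoint()
    dba = Session("dba1", "dba", "mfa", "internal")
    print(ep.request(dba, "maintain", "hr_db"))     # administers the database
    print(ep.request(dba, "read", "hr_records"))    # but cannot read the data
    print(ep.audit_log)
```

The administrator can maintain the database without being able to read its records, and the denied attempt still lands in the audit log.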
Concluding Points
Understand and secure human-data interactions
Need to know why you’re doing what you are doing
– Approach & Principles
– Keep it simple, intuitive
New security is not based on users & roles but signatures, context & services
Security components should not be separated, disjoint from enforcement
– Policies, enforcements, governance all have to work together.
Deny All; Allow Legitimate
Final, Final Concluding Points
Ready or Not
– The perfect is the enemy of the good
– Need good perception and agility
Hiding in Plain Sight
– The enemy may not be obvious
– You should not be obvious
Safe on Base
– Know your digital economy
– Apply proven, natural and intuitive practices
Recursive
See Recursive