Tag Archives: Security

Lessons in Oracle Cloud Password Management

07 Monday May 2018

Posted by in General, Oracle, Technology

1 Comment

Tags

, , , , ,

Oracle Cloud is growing and maturing at a tremendous rate if the breadth of PaaS capabilities is any indication.  However, there are a few gotchas out there, that can cause some headaches if they get you. These typically relate to processes that impact across different functional areas. A common middleware stack (API CS, SOA CS, OIC etc) will look something like the following:

cloudPassword

As the diagram shows when you build the cloud services, the layers get configured with credentials to the lower layers needed (although Oracle have in the pipeline the Oracle managed version of many services where this is probably going to be hidden from us). Continue reading

Equifax Security Breach – Time for a Change In Mindset

27 Friday Oct 2017

Posted by in General, Technology

Leave a comment

Tags

,

I was reading a blog post from the Cloud Security Alliance (here) about the on-going mess and disinformation around Equifax’s security breach.

The article makes a very good point. Sadly Security is seen as just a cost, and whilst people have that mindset we will see decisions being made that favours ‘high share value now’ over long time assurance of sensitive data which means that ‘now value doesnt nose dive’.


The article goes on to show the approximate cost to the US public of the breach. But if we can quantify the costs, can we not quantify the value of protection?

Even with today’s legislation in many countries it is a legal obligation to disclose the details of a security breach. The only problem here, is ignorance is bliss, if I don’t know I’m being compromised then nothing to report. The blog post also points out that often the only time security investment is recognised is, and often that information doesn’t propergate within an organisation. This got me to thinking why can’t companies also disclose how many attempts on their security have been mitigated on in the same way companies have to declare profit and loss.

It could produce some interesting information, as you could compare data from different companies of similar profile. When plotting the data, any outliers suggest something maybe wrong. But it would give consumers a means to decide do they trust their data with X over Y when they get a chance to influence the decision.  But we’re now moving into the territory where security is becoming a positive measure.  If nothing else it may engender an ‘arms war’ of who has the best protection.

As with all things, they way you measure something influences behaviour. This sort of measurement may encourage companies to invest in more ‘white hat’ attacks. That’s no bad thing as if a white hat attack suceeds – the vulnerability has been found.

The interesting thing is that, the article points out that Equifax and other large companies that have been breached have been certified as ISO 9001 compliant, PCI DSS compliant and so on. The issue here is, that these accreditations have a strong emphasis on process and policy, and are down to the auditor spotting non-compliance. In a large organisation the opportunity to steer the auditor towards what is good exists. But more importantly, process requires people to know and follow it. Following process and being prepared to uphold the processes requires an organizational culture that genders its adherence. I can have a rulebook as big as the Encyclopedia Britannica but if my boss, and his boss apply constant pressure to say we have to deliver and there is no repercutions to bending the rules – well then I’m going to start bending.

Leaders like Gray understand the value of an organization’s culture. This can be defined as the set of deeply embedded, self-reinforcing behaviors, beliefs, and mind-sets that determine “how we do things around here.” People within an organizational culture share a tacit understanding of the way the world works, their place in it, the informal and formal dimensions of their workplace, and the value of their actions. Though it seems intangible, the culture has a substantial influence on everyday actions and on performance.

https://www.strategy-business.com/article/11108?gko=f4e8d

This brings us back to the idea – hard data on the execution (not that i have a process for execution) will give strong indications of compliance. This kind of data is difficult to fudge and with a good sample set, then fudges  are more likely to stand out.

Practical? I don’t know, but worth exploring? If we are to change security thinking then yes.

Cloud Document Security

30 Monday Nov 2015

Posted by in General, Technology

Leave a comment

Tags

, ,

So an interesting piece of research was published by the Cloud Security Alliance. The research shows the growth of document sharing in the enterprise through the use of cloud services.  The interesting thing is one of the positives of adopting SaaS and PaaS is easing the challenge of ensuring environments are patched for security. But at the same time the need to educate the wider employee community even more on being security aware.

It also raises the question of managing the accidental or deliberate leakage in such an environment. As the article says, some sharing of documents to the public or 3rd parties to enable cross business collaboration may well be legitimate so businesses are going to need strategies to address this.

Just trusting security to VPNs

20 Thursday Aug 2015

Posted by in General, Technology

Leave a comment

Tags

, ,

I regularly encounter arguments where people justify relaxed security in a design with the argument of – well the connection between systems will be protected by a VPN (Virtual Private Network) – so everything is fine.

Trying to dissuade a someone like a project manager or business end user that just trusting to just a VPN is challenging, after all private networks are safe aren’t they. So I have tried to identify a few resources – that can simply and clearly explain why this approach alone is not good. Just pointing to the principle of ‘security in depth’ is difficult to sell. So hopefully the following will help:

Some Good Security Resources

29 Friday May 2015

Posted by in General

Leave a comment

Tags

, , ,

As a result of working my through several books (published and unpublished at present) I’ve come across a number of really useful security resources. So I thought i’d bring them together (as much for my own reference) as anything else. The following list provides a brief description of the resource and its link.

  1. SANS Institute (http://www.sans.org/reading-room/) site providing a alot of documentation security and research findings, in addition to more commercial arrangements such as training
  2. OWASP (https://www.owasp.org) guides on threat types and characteristics and guidance on developing secure solutions includes a training tool called webgoat
  3. CXOWare (http://www.cxoware.com/) – home of FAIR risk analysis process and guidance
  4. Metasploit (http://www.offensive-security.com/metasploit-unleashed/Main_Page) a site that provides free security training to help understand how hack attacks work. includes free tools
  5. RadioLabs (http://www.radiolabs.com/stations/wifi_calc.html) provides the means to calculate how far a wifi signal will carry. Important if you don’t want people parking up outside your home/office and hacking your wifi
  6. PolicyTool (http://socialmedia.policytool.net/) provides the means to create fair and reasonable polices for the use of social media in a work environment
  7. TrustedSec’s Atillery (https://www.trustedsec.com/downloads/artillery/) open source tool for detecting security attacks
  8. OSSEC (http://www.ossec.net/) open source intrusion detection system.
  9. NIST (http://csrc.nist.gov/) standards institute with a lot of information on security.
  10. CERT (http://www.cert.org/cert/) SEI’s security activities
  11. Stride (http://msdn.microsoft.com/en-us/library/ee823878) Microsoft’s threat assessment model

Free Network Security eBook

23 Tuesday Dec 2014

Posted by in Books, Technology

Leave a comment

Tags

, , , , , ,

I came across the following promotion via LinkedIn. The book isn’t that new, but looking at Amazon reviews suggests that there maybe some value still:

Network Security For Dummies — eBook (usually $22.99) FREE until January 1st!

Get quick, easy, low-cost solutions to all your network security concerns.

CNN is reporting that a vicious new virus is wreaking havoc on the world’s computer networks. Somebody’s hacked one of your favorite Web sites and stolen thousands of credit card numbers. The FBI just released a new report on computer crime that’s got you shaking in your boots. The experts will tell you that keeping your network safe from the cyber-wolves howling after your assets is complicated, expensive, and best left to them. But the truth is, anybody with a working knowledge of networks and computers can do just about everything necessary to defend their network against most security threats.

Whether your network consists of one computer with a high-speed Internet connection or hundreds of workstations distributed across dozens of locations, you’ll find what you need to confidently:

  • Identify your network’s security weaknesses
  • Install an intrusion detection system
  • Use simple, economical techniques to secure your data
  • Defend against viruses
  • Keep hackers at bay
  • Plug security holes in individual applications
  • Build a secure network from scratch

– Download from: http://opensourceuniverse.tradepub.com/free/w_wile145/?p=w_wile145#sthash.i4fHNQgA.dpuf

Adopting Collaboration Tools in the Workplace

14 Sunday Sep 2014

Posted by in General, Technology

Leave a comment

Tags

, , ,

I was recently reading an article from MIT Sloan about the use of collaboration tools in the enterprise. The article made the point that collaboration tools are being introduced into the workplace, but not being effectively leveraged and people continuing to use email. I think there is a correlation here to some of the statistics for mobile and web applications.

So let me start with some facts, and some thoughts before I bring it back to the point about office collaboration.

We know from research from organisations such as PEW (general view of use, older generation view) that there is a correlation between age and use of mobile devices, and mobile apps. This I believe reflects on technology in general. As collaboration technology goes, it is a fairly young set of ideas. Although many will associate collaboration with social – there is a difference when social is more simply just sharing information. Collaboration is not just sharing but collectively working on assets such as documents.

Add to this a view of the demographics of any enterprise leadership (although IT is something of an exception) and you will see that leadership is an older generation (illustrated by this FT article). So, understandably less likely to lead an organisation into technology adoption.

Add to this the constant noise and increased pressure on information security, remembering that the most harmful security compromises originate internally. So with this sort of consideration you’re likely to see downward pressure to keep things tightly controlled. Such tight reigns seriously impact collaboration from my experience.

The last key thread, is the fastest way to encourage adoption of something is for the executive and senior leadership visibly adopt something. Organisational role comes with an inferred command (a well established piece of psychology) best illustrated by a story where a chief exec wanted to motivate staff, so spent time wondering around talking with his staff, and in doing so made observations and suggestions to people thinking he was helping. But as his role inferred a level of command, he sound discovered that those suggestions and ideas had been read as instructions and his staff where rapidly implementing such suggestions.

So here you have a recipe, where executives potentially don’t get the power of collaborative technology, potentially nervous of the security implications and least of all not using position to leverage it. You can see why the technologies aren’t being effectively exploited.

What is worse, is that you will see hotspots of collaboration which will be established by those who get the ideas and will inspire their colleagues. This is the true risk of collaboration as it is unlikely to controlled or properly secured with no contingency or remedial actions in the event of a security breach as those situations aren’t being dealt with by

Evaluating SSL certificates for SaaS

29 Tuesday Jul 2014

Posted by in General, Technology

Leave a comment

Tags

, , , , ,

So when looking at SaaS solutions one of the things we consider is the strength of the SSL certificate, and when using a small provider who the Certificate Authority as commercial authorities will provide insurance for a breach which can go to paying some of the cleanup costs (assuming the breach isn’t from negligence).

So how to evaluate SSL certificates in terms of robustness (i.e. cryptographic strength) after all some people will talk. About 128 bit certificates and others such as Google mention 2048 which on the surface don’t seem comparable.

So the bit length is to do with the cryptographic algorithm used of which there are several such as AES, 3DES and so on. No I’m no expert on this so I won’t presume to explain the pros and cons of the different algorithms, there are other resources on the web for that (such as this document).

The point I have been working towards is that NIST (National Institute of Standards and Technology)(aside from being a good resource on security) have tables  that recommends the size of the key used to help build the certificate (the document is here and tables 1 & 2 contain the key details, more here). The tables shown below takes into account the algorithm (therefore a comparator on key size) but also a recommended growth in key size.

 

NISTTable2 NISTTable

 

An alternative representation of the same information can be found here and the 1st table here.

So why grow a key size well one of the factors in driving key size is that as computing power increases the time and effort to brute force crack of a key shrinks. So every time the key size increases so does the effort to brute force the cracking of the key.

This leads to secondary consideration – that of the certificate life i.e. how long the certificate is valid for. This is in effect to potentially greatest period of exposure based on the fact that someone may brute force your certificate and then simply listen to the traffic so you never know of the compromise. Obviously you can revoke the certificate at any time.

Finally remember the need and level of security should be informed by assessing the data being transferred (in motion). Data security should also be considered for data at rest I.e being stored (data loss from a data store is likely to be far more damaging).

Pure REST is not always a good thing

05 Saturday Jul 2014

Posted by in General, Technology

2 Comments

Tags

, , , , ,

So following REST web service best practice is not always a good thing, but of a controversial statement. That said I came across a situation that beautifully illustrated it.

I was recently asked for my opinion on a web solution that had to interact with customer data. The developers concerned implemented the functionality using REST web services and followed the principles to the letter. Except one of the services needed to locate a unique customer object. To do this the service enough customer details are provided in the URL to obtain a unique record.

So regardless of the security Implemented using strong SSL and payload encryption in the solution implementation we have just exposed every element in the network that can log URIs to DPA levels of security (not to mention information commissioner requests). That is before you consider man in the middle and packet URL attacks.

What to do, such sensitive web services need to be delivered without personal data in the URL, we could go via WSDL (but our use case points to REST being a better approach) or we follow the object creation pattern for REST (and pay the price of not caching the results on the web tier although if we are concerned about security then this isn’t such a bad thing and we can still get performance on the DB tier. Using the payload is probably the right thing to do.

Oracle Fusion Applications Development and Extensibility Handbook Chapters 3 & 4

23 Sunday Mar 2014

Posted by in Book Reviews, Books, General, Oracle, Oracle Press, Technology

6 Comments

Tags

, , , , , , , ,

Continuing with the review of Oracle Fusion Applications Development and Extensibility Handbook (Oracle Press) I’m going to look at chapters 3 & 4. Chapter 3 looks at the different types of Flex Fields from the well known Dynamic Flexfields (DFF) and the more advanced EFFs and KFFs (different ways to provide more advanced flex values such as linking other tables of data).

The book describes briefly the steps to utilise many of the capabilities with some screenshots but don’t mistake this for a detailed key this value followed by click that button combined with screenshots of every step for all aspects (if you did that we’d probably trying to read 5000 pages not 500). So if you want to see and feel all the different aspects explained you will need to have an instance of Fusion apps to try the techniques out with. For me, this is no bad thing, I want to understand what the capabilities are and a sense of the effort and complexity involved – if I want to have blow by blow guide I’d turn to OTN and the tutorial video clips being made available everyday by Oracle on YouTube.

The book also recognises not all strategies are available with all Fusion apps and what can therefore be done. Either by implementing the capability yourself, or asking Oracle to prioritise feature development in the Fusion apps domain.

Unusually rather than continuing with customisation capabilities in Chapter 4 we look at Security. This is no bad thing as if you want to achieve security in depth you need to understand how it can be incorporated at every level as you go rather than as an after thought at the end. But as you go through this chapter you’ll see just how central the security framework is to working with Fusion Apps.

The security perspective comes primarily from an authentication and authorisation (A&A) perspective so bringing in OAM and OID along with related tooling (including APM which is a central tool for Fusion Apps Security). The A&A framework provides an advanced hierarchy of roles and permissions as the capability to integrate extensions with it. The book again provides a solid foundation on which you can build specific implementation understanding.  Security comes in two forms – functional (i.e. restricting access to Fusion app capabilities) and data (which records a user can or cant see). The fascinating aspect for me is the data view because the different organisational possibilities that can influence the data you can or can’t see – for example by value, by internal organisational structures such as departments, by suppliers/partners/customers and so on (Oracle use the terminology of sets).

Security considerations go beyond just managing major roles, but how to autoprovision users (i.e. I create an OID entry for a new employee – how to provide them with a standard set of credentials). How to interact with Fusion Apps at the web service level from inside or outside the secured FusionApps environment.

As with Chapter 3, there are illustrations on how to establish some security settings and leverage security for your own development, but not in an exhaustive click by click manner.

Both chapters, particularly Chapter 4 introduce the ideas and approaches in a succinct manner explaining both the more well known concepts but also the more advanced capabilities along with identifying some common challenges and how they can be overcome (through the provision of tooling or technique for diagnosis).

So far this has been the best introduction to Fusion Applications I have come across.