And automated rebuild is good for more than just malware prevention. In the
event of even a MINOR "disaster", if you can't efficiently rebuild the same
system, you're "planning to fail".
Hypothetical - How many companies could build an EXACT duplicate of (even one
of) their existing "platforms", (OS, database software (not the data) and
application software) on "bare metal", WITHOUT using "backups" and how long
would it take?
Clay Jackson
-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx <oracle-l-bounce@xxxxxxxxxxxxx> On Behalf
Of Tim Gorman
Sent: Monday, March 7, 2022 8:45 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: MS Defender for OL7 Oracle DB servers
Scheduled automated VM rebuilds work just fine with multi-TB databases, on-prem
or in the cloud. Data storage is detached from the soon-to-be-destroyed VMs,
then re-attached to newly-rebuilt VMs and binaries. Don't confuse a
requirement to rebuild code and systems with a requirement to rebuild data.
Certainly there is a possibility that the very tools used for security become
an attack vector; that is the whole point of the exercise, by forcing a small
number of carefully scanned and trusted images to be propagated throughout. If
one can't automate rebuild, then one is stuck with a predominance of
ever-more-fragile houses-of-cards with undetected malware festering within
indefinitely.
Think it through, think of alternatives, and think a couple moves ahead...
On 3/5/2022 4:33 PM, Mladen Gogala wrote:
On 3/5/22 15:44, Tim Gorman wrote:
Just a heads-up as to where (I think) the world is heading...
Years ago, I was working at a large US telecom, and one of the goals
of their virtualization efforts (i.e. moves to VMs on-prem, moves to
containers, moves to cloud, etc) is to enable themselves to rebuild
every virtual machine from a trusted image every week.
If a VM becomes "infected" with anything, then that will last for
only a finite period before it is wiped out by a scheduled automated
rebuild, if it is not detected sooner and then wiped out by a
manually-initiated automated rebuild.
This doesn't mean that other preventative or protective efforts are
reduced in any way, just that this is a last protective measure, for
when all else fails. And, as we know, all else will indeed fail,
eventually.
Back then, they included a requirement for automated rebuild from a
trusted image to be scheduled every 6-9 months for all newly-built
infrastructure. As their skills improve, the stated plan was to
gradually reduce the scheduled frequency from 6-9 months down to one
week.
So, if you're wondering about your organization's push to automation,
to virtualization, to containers, or to cloud, then it's not
necessarily because these things are "shiny" and "new", or somehow
less expensive in themselves. It is because these technologies are
seen as stepping stones to a possibly-as-yet-unstated goal in the
never-ending arms race of infoSec.
Well, I am not so sure how that would function with a terabyte-sized
database in the cloud. Also, there is a very real possibility (see
SolarWinds) that the tools used for monitoring network would be used
as an attack vector. The only thing that can prevent the data from
being stolen by a rogue actor acquiring access rights is encryption.
And we don't encrypt nearly enough data. Also, phishing attacks are
getting more and more sophisticated. The good old times of a Nigerian
prince in need of a bank transfer or "winning the Microsoft lottery" are
long gone. Acquiring credentials is easier than ever, unless MFA is
used. The problem isn't infecting the server with anything, the
problem is data theft. Your database server doesn't necessarily need
to be infected with anything. The tables ACCOUNTS, CUSTOMERS and
ADDRESSES can be dumped to CSV files using a script and the damage is
done.
Unfortunately, MS Defender doesn't do nearly a good enough job to
protect your servers. And neither does any other software. I have
recently received several quite well crafted spear phishing attempts.
No warning from MS Defender or McAfee. The only real defense is our
security awareness.
--
Mladen Gogala
Database Consultant
Tel: (347) 321-1217
https://dbwhisperer.wordpress.com/
--
http://www.freelists.org/webpage/oracle-l
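The rebuild workflow Tim describes (verify a trusted image, detach the data storage, destroy the VM and its binaries, rebuild, re-attach the data) as an added model in Python; this is not code from the thread or from any of its participants. The image name, digest and disk paths are constructed placeholders, and the "verify before destroying" ordering is an assumption about how such a pipeline should be sequenced.

```python
"""Model of a scheduled VM rebuild from a trusted image (constructed example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

# Allowlist of "golden" image digests. Constructed placeholder, not a real image.
TRUSTED_IMAGES = {
    "ol7-db-base-2022w10": hashlib.sha256(b"constructed golden image bytes").hexdigest(),
}

@dataclass
class Disk:
    name: str
    files: Dict[str, str] = field(default_factory=dict)  # path -> content

@dataclass
class VM:
    name: str
    root: Disk                      # OS + database binaries, rebuilt every cycle
    data: Optional[Disk] = None     # datafiles, detached and re-attached, never rebuilt
    image: str = ""

def verify_image(image_name: str, image_bytes: bytes) -> bool:
    """Only an image whose digest matches the allowlist may be used to build."""
    expected = TRUSTED_IMAGES.get(image_name)
    return expected is not None and hashlib.sha256(image_bytes).hexdigest() == expected

def build_root(image_name: str, image_bytes: bytes) -> Disk:
    """Lay down a fresh root disk whose content comes only from the trusted image."""
    if not verify_image(image_name, image_bytes):
        raise ValueError(f"refusing to build from untrusted image {image_name!r}")
    return Disk("root", {"/u01/app/oracle/bin/oracle": "binary from image"})

def rebuild(vm: VM, image_name: str, image_bytes: bytes) -> VM:
    """Replace the VM with one built from the trusted image, keeping its data disk."""
    # Verify and build the replacement first: a failed verification must not
    # leave the old VM half-destroyed (assumed ordering, not from the thread).
    new_root = build_root(image_name, image_bytes)
    data, vm.data = vm.data, None   # detach data storage before destruction
    vm.root.files.clear()           # old root disk is destroyed, whatever it held
    new_vm = VM(vm.name, new_root, image=image_name)
    new_vm.data = data              # re-attach the data disk to the fresh VM
    # Note: the data disk itself is carried over untouched; rebuilding the
    # system says nothing about what may already have been read from the data.
    return new_vm
```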