Or both 😊 And to answer your question – not data I care about, which would
include almost ANY database server, not just Production.
Clay Jackson
From: oracle-l-bounce@xxxxxxxxxxxxx <oracle-l-bounce@xxxxxxxxxxxxx> On Behalf
Of Mark W. Farnham
Sent: Sunday, March 6, 2022 7:08 AM
To: gogala.mladen@xxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: MS Defender for OL7 Oracle DB servers
Very interesting thread.
Do folks place production database servers where they can be seen with less
than MFA or VPN?
Just curious.
From: oracle-l-bounce@xxxxxxxxxxxxx On Behalf Of Mladen Gogala
Sent: Saturday, March 05, 2022 7:33 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: MS Defender for OL7 Oracle DB servers
On 3/5/22 15:44, Tim Gorman wrote:
Just a heads-up as to where (I think) the world is heading...
Years ago, I was working at a large US telecom, and one of the goals of their
virtualization efforts (i.e. moves to VMs on-prem, moves to containers, moves
to cloud, etc) is to enable themselves to rebuild every virtual machine from a
trusted image every week.
If a VM becomes "infected" with anything, then that will last for only a finite
period before it is wiped out by a scheduled automated rebuild, if it is not
detected sooner and then wiped out by a manually-initiated automated rebuild.
This doesn't mean that other preventative or protective efforts are reduced in
any way, just that this is a last protective measure, for when all else fails.
And, as we know, all else will indeed fail, eventually.
Back then, they included a requirement for automated rebuild from a trusted
image to be scheduled every 6-9 months for all newly-built infrastructure. As
their skills improve, the stated plan was to gradually reduce the scheduled
frequency from 6-9 months down to one week.
So, if you're wondering about your organization's push to automation, to
virtualization, to containers, or to cloud, then it's not necessarily because
these things are "shiny" and "new", or somehow less expensive in themselves.
It is because these technologies are seen as stepping stones to a
possibly-as-yet-unstated goal in the never-ending arms race of infoSec.
Well, I am not so sure how that would function with a terabyte-sized database
in the cloud. Also, there is a very real possibility (see SolarWinds) that the
tools used for monitoring the network would be used as an attack vector. The only
thing that can prevent the data from being stolen by a rogue actor acquiring
access rights is encryption. And we don't encrypt nearly enough data. Also,
phishing attacks are getting more and more sophisticated. The good old times of
a Nigerian prince in need of bank transfer or "winning Microsoft lottery" are
long gone. Acquiring credentials is easier than ever, unless MFA is used. The
problem isn't infecting the server with anything, the problem is data theft.
Your database server doesn't necessarily need to be infected with anything. The
tables ACCOUNTS, CUSTOMERS and ADDRESSES can be dumped to CSV files using a
script and the damage is done.
Unfortunately, MS Defender doesn't do a nearly good enough job of protecting your
servers. And neither does any other software. I have recently received several
quite well-crafted spear phishing attempts. No warning from MS Defender or
McAfee. The only real defense is our security awareness.
--
Mladen Gogala
Database Consultant
Tel: (347) 321-1217
https://dbwhisperer.wordpress.com
--
http://www.freelists.org/webpage/oracle-l
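Mladen's point above is that the damage is done once ACCOUNTS, CUSTOMERS and ADDRESSES are dumped by a script from a legitimately obtained account, with no malware involved for Defender to catch. The script below is an added example, not code from anyone in this thread: it sketches the detection logic a DBA could run over audit records to spot that kind of bulk read. The audit line layout (timestamp|db_user|client_host|object_name|rows_returned), the sample lines, the row threshold and the `known_exporters` allowlist are all constructed assumptions for the example, not a real vendor audit format.

```python
"""Flag bulk reads of sensitive tables in constructed audit records.

Added example for the oracle-l thread; the audit format below is an
assumed, simplified layout, not Oracle's real audit trail format.
"""
from collections import defaultdict
from dataclasses import dataclass

# The tables named in the thread as the ones a thief would dump.
SENSITIVE_TABLES = {"ACCOUNTS", "CUSTOMERS", "ADDRESSES"}

# Hypothetical threshold: more than this many rows read from one sensitive
# table by one (user, host) pair is treated as a bulk export.
ROW_THRESHOLD = 100_000


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    db_user: str
    client_host: str
    object_name: str
    rows_returned: int


# Constructed sample records, pipe-delimited:
# timestamp|db_user|client_host|object_name|rows_returned
SAMPLE_AUDIT = """\
2022-03-05T19:01:12|APP_SVC|app01.internal|ORDERS|42
2022-03-05T19:02:40|APP_SVC|app01.internal|CUSTOMERS|1
2022-03-05T19:03:05|REPORT_RO|bi02.internal|CUSTOMERS|250000
2022-03-05T19:03:30|REPORT_RO|bi02.internal|ADDRESSES|248000
2022-03-05T19:04:00|HR_USER|laptop-77.internal|ACCOUNTS|80000
2022-03-05T19:04:20|HR_USER|laptop-77.internal|ACCOUNTS|75000
2022-03-05T19:05:10|APP_SVC|app01.internal|ADDRESSES|3
"""


def parse_audit(text):
    """Parse the constructed pipe-delimited audit text into AuditEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, obj, rows = line.split("|")
        events.append(AuditEvent(ts, user, host, obj.upper(), int(rows)))
    return events


def find_bulk_exports(events, threshold=ROW_THRESHOLD, known_exporters=frozenset()):
    """Return (user, host, table) keys whose summed rows exceed the threshold.

    Rows are summed per (user, host, table) rather than checked per statement,
    so an export split into several smaller SELECTs (the HR_USER lines above)
    is still caught. Pairs in known_exporters (e.g. a scheduled reporting job)
    are skipped so that expected bulk readers do not drown out the real signal.
    """
    totals = defaultdict(int)
    for ev in events:
        if ev.object_name not in SENSITIVE_TABLES:
            continue
        if (ev.db_user, ev.client_host) in known_exporters:
            continue
        totals[(ev.db_user, ev.client_host, ev.object_name)] += ev.rows_returned
    return sorted((key, n) for key, n in totals.items() if n > threshold)


if __name__ == "__main__":
    events = parse_audit(SAMPLE_AUDIT)
    # Treat the reporting account on the BI host as an expected bulk reader.
    for (user, host, table), rows in find_bulk_exports(
        events, known_exporters={("REPORT_RO", "bi02.internal")}
    ):
        print(f"ALERT: {user}@{host} read {rows} rows from {table}")
```

The allowlist is what makes this usable in practice: without it, every nightly reporting job trips the rule, and with it the one interactive account pulling ACCOUNTS from a laptop stands out. Encryption at rest, as the message notes, does nothing against this case, because the reader holds valid credentials; only the audit trail and MFA on the account do.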