Tag Archives: SoD

Anthem Hacked – The call for ‘More of Everything’ grows louder

19 February 2015

Just some thoughts about the call for more technology, encryption, pen testing, etc.

The big question is: Would database encryption have slowed down or stopped the attackers? From my experience with Transparent Data Encryption (TDE) in the Oracle universe, I can only answer: Definitely Not!

If it is properly set up, TDE works very well to prevent unauthorized access to data at rest. Administrators and users are not able to read or copy database files when, for example, the database is shut down.

But as long as the database is running, TDE is transparent for all users and administrators: they can access the data with applications or SQL tools without any restriction.

If you want to keep the administrators away from the data, you must set up Oracle Database Vault on top of TDE. Database Vault acts as a firewall between the users and the administrators: administrators can run their administrative tasks, but they can no longer access the data. In addition, the Separation of Duties principle is enforced for security-critical operations such as the definition of users.

But what about malicious insiders? Malicious insiders are responsible for about two-thirds of all attacks, but neither TDE nor Vault would stop them from accessing all the data. With Label Security, a fine-grained access control system is available that gives data administrators the means to restrict a user to individual data sets within a table.

Sounds like rocket science, doesn't it? Far from it. Most of these products have been on the market for several years, but they are widely unknown, and the implementation effort is high.

That’s it for today.

For further reading please see

Anthem Cyber Hack: 5 Fast Facts You Need to Know

Anthem Breach Should Convince Healthcare To Double Down On Security

Anthem Breach Prompts New York To Conduct Cybersecurity Reviews Of All Insurers

How to secure business critical data? – The admin challenge or {D} ∩ {A} = ∅

17 July 2014

Unfortunately, administrative privileges are sometimes required to operate the systems and services inside the Core Data Services Network (CDSN). This is very annoying, because administrators are always an inherent risk. To be honest, I look forward to the day when servers can be operated without any system privileges.

Until then, we must try to reduce the risk through consistent application of the Separation of Duties (SoD) principle. Let's do some basic set theory first.

Let {U} be the set of all employees in the company, {D} ⊂ {U} the set of all employees with authorized access to the core data, and {A} ⊂ {U} the set of all IT administrators in the company.

The Separation of Duties (SoD) principle requires:

 {D} ∩ {A} = ∅

This translates into the following basic principle:

Employees with authorized access to core business data must never have the privileges for administration of systems and services in the entire company network.

Could a data manager have privileged access with a special account? This question was asked in a meeting some days ago. Although there may be good reasons to do this, the answer is No. Never! Employees with authorized access to data must never have privileged access, no matter what account is used.

Nota bene: The SoD principle should be applied to all services at all system, application and infrastructure levels. Let me clarify this by means of two examples:

  1. Data managers must never have the privileges for account or database administration, because this would allow them to grant privileges to themselves.
  2. Terminal service administrators must never have the privileges to configure the firewalls between the CDSN and the company network, because this would allow them to authorize other computers for access to the CDSN.

Simple, but effective.
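The rule {D} ∩ {A} = ∅ and the two finer-grained examples above, as an added check script that is not part of the original post. Role names, accounts and employees are constructed for the example; the point it makes is that roles must be aggregated per person across all accounts, otherwise a privileged "special account" hides the violation.

```python
"""SoD check for {D} ∩ {A} = ∅, evaluated per person across all accounts,
so a privileged 'special account' does not hide a violation."""
from collections import defaultdict

# Constructed sample: account -> (employee, roles). Bob does data work
# under 'bob' and DBA work under a separate 'bob-adm' account.
ACCOUNTS = {
    "alice":    ("alice", {"core_data_access"}),
    "bob":      ("bob",   {"core_data_access"}),
    "bob-adm":  ("bob",   {"database_admin"}),
    "carol":    ("carol", {"terminal_service_admin"}),
    "carol-fw": ("carol", {"cdsn_firewall_admin"}),
    "dave":     ("dave",  {"system_admin"}),
}
ADMIN_ROLES = {"system_admin", "account_admin", "database_admin",
               "terminal_service_admin", "cdsn_firewall_admin"}
# Finer-grained rules from the post's two examples (role names constructed).
CONFLICTS = {
    ("core_data_access", "account_admin"),
    ("core_data_access", "database_admin"),
    ("terminal_service_admin", "cdsn_firewall_admin"),
}

def roles_per_employee(accounts):
    """Union the roles of every account belonging to the same person."""
    merged = defaultdict(set)
    for employee, roles in accounts.values():
        merged[employee] |= roles
    return dict(merged)

def d_intersect_a(accounts):
    """{D} = employees with core data access, {A} = employees holding any
    admin role; SoD requires {D} ∩ {A} to be empty."""
    per_emp = roles_per_employee(accounts)
    d = {e for e, r in per_emp.items() if "core_data_access" in r}
    a = {e for e, r in per_emp.items() if r & ADMIN_ROLES}
    return d & a

def sod_violations(accounts, conflicts=CONFLICTS):
    """Per-employee list of conflicting role pairs at the finer level."""
    violations = {}
    for employee, roles in roles_per_employee(accounts).items():
        hits = sorted(p for p in conflicts if p[0] in roles and p[1] in roles)
        if hits:
            violations[employee] = hits
    return violations

if __name__ == "__main__":
    print("D ∩ A =", d_intersect_a(ACCOUNTS))
    print("conflicts:", sod_violations(ACCOUNTS))
```

Checking the account `bob-adm` on its own reports nothing; only the per-person union exposes that Bob is both a data user and a database administrator.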

Will IT security technology solve the Snowden Problem?

10 July 2014

In year one after Edward Snowden, discussions about the why and the how are well under way. In the past months, all suppliers of IT security technology have made proposals on how to tackle the Snowden problem. Additional technology, such as an integrated Tagging/Encryption/DLP system, seems to be a solution to the Snowden problem. But would the data theft have been prevented by such a solution?

Since Snowden had legitimate access to classified information, the answer is: Definitely Not!

We have to dig somewhat deeper into IT security concepts to get to the root of the problem.

The big questions are:

  • Why does an employee with legitimate access to classified information have the right to create copies of this information?
  • Why is he authorized to take the information outside the organization?

The concepts and processes for handling classified information were designed more than 40 years ago and have remained nearly unchanged since. Because technology developed rapidly during this time, we face a constantly widening gap between the technology used for attacks and the concepts we use to secure our information.

Although we have patched our outdated concepts and processes with advanced technology over the years, we never got the most out of this new technology. In a poorly designed environment, even the best technology will deliver only poor results.

To bridge the gap, the entire system and process architecture must be redesigned from scratch. The Separation of Duties principle and the Principle of Least Privilege must be strictly applied down to the very last detail during design, and state-of-the-art technology must be used for implementation.

But we are so busy firefighting with new technology that we have no time left for strategy.

What might have stopped Snowden? I think a more fine-grained authorization concept, designed in strict application of the Separation of Duties principle, would have prevented the data theft.

Sounds easy, doesn’t it?

SearchSecurity.com: How to Thwart Privilege Creep with Access Reviews

5 July 2014

How to Thwart Privilege Creep with Access Reviews

In this E-Guide from SearchSecurity.com, industry expert Peter H. Gregory talks about privilege creep and the concepts to solve this problem.

The accumulation of privileges is bad enough, but things turn really bad if privilege creep undermines the Separation of Duties (SoD) or four-eyes principle. In this case, employees could grant themselves unwanted privileges, which could result in serious compliance problems.

When employees leave their job or retire, we face a similar problem. In the best case, HR promptly notifies the IT group to deactivate the employee's account. But the privileges are very often kept for fall-back purposes, because it takes a long time before a successor is fully able to work. In the worst case, if you are in a hurry, all those messy privileges are just copied to the successor without any review.

A regular review of privileges is the best measure to tackle these problems. Even manual reviews can be implemented with moderate effort. An IAM solution with a direct link to the HR system is definitely the best approach for a large company.

In addition, I recommend extending job profiles with security profiles. When a new employee starts work, the job-related security profile can be applied directly, and privilege creep is prevented from the start.

Security profiles must be maintained to track changes in the job profile. A security profile comprises all roles and privileges to all applications, systems and information an employee needs to do his job.
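The access review described above (granted roles compared with the job's security profile and with the HR feed), as an added example that is not part of the original post. Jobs, roles, employees and accounts are constructed; the HR feed and IAM export are modelled as plain dictionaries.

```python
"""Access review: compare each account's granted roles with the security
profile of the employee's job and with the HR status of the employee."""

# Constructed sample data. Security profile: job -> roles the job needs.
SECURITY_PROFILES = {
    "claims_clerk": {"claims_app_user", "mail"},
    "claims_lead":  {"claims_app_user", "claims_app_approver", "mail"},
}
# HR feed: employee -> (job, still employed?)
HR = {
    "erin":  ("claims_clerk", True),
    "frank": ("claims_lead", True),
    "grace": ("claims_lead", False),   # left the company
}
# IAM export: account -> (employee, granted roles)
ACCOUNTS = {
    # erin's privileges were copied from her predecessor, a claims lead
    "erin":    ("erin",  {"claims_app_user", "claims_app_approver", "mail"}),
    "frank":   ("frank", {"claims_app_user", "claims_app_approver", "mail"}),
    "grace":   ("grace", {"claims_app_user", "claims_app_approver", "mail"}),
    "svc-old": ("hank",  {"claims_app_user"}),   # no HR record at all
}


def review(accounts, hr, profiles):
    """Return (account, finding, sorted roles) tuples for every deviation."""
    findings = []
    for account, (employee, roles) in accounts.items():
        if employee not in hr:
            findings.append((account, "no_hr_record", sorted(roles)))
            continue
        job, active = hr[employee]
        if not active:
            findings.append((account, "leaver_still_active", sorted(roles)))
            continue
        expected = profiles[job]
        if roles - expected:
            findings.append((account, "privilege_creep", sorted(roles - expected)))
        if expected - roles:
            findings.append((account, "missing_from_profile", sorted(expected - roles)))
    return findings


if __name__ == "__main__":
    for account, finding, roles in review(ACCOUNTS, HR, SECURITY_PROFILES):
        print(f"{account}: {finding} {roles}")
```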

In addition, the employee orientation plan must be extended with information security topics. Creating awareness and training employees to respond adequately to information security incidents will raise the overall security level.