Sunday, October 30, 2005

More from Oracle's CSO

Wow. Note that she says she researches "hacking techniques", and note the network-security-centric language throughout. A CSO should not typically be operating at this level but rather at the "big picture" strategic level.

No wonder Oracle continues having application security and patch quality problems. Their CSO seems to spend too much time hacking the network and writing articles about it, and about how bad vulnerability researchers are, and not enough time executing on a strategy to improve the security posture of their software and processes. Some on security mailing lists are calling for her to resign.


-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of InfoSec News
Sent: Wednesday, October 19, 2005 12:03 AM
To: [email protected]
Subject: [spam]::[ISN] Davidson: Lessons of warfare for IT security

By Mary Ann Davidson
Oct. 17, 2005

As a security professional, I research the latest issues, threats and
hacking techniques. For pleasure, however, I read mostly military
history, which shapes my view of information security. As a result, I
offer the following lessons from military history for federal agency
information technology security professionals.

Most security professionals attempt to implement programs to defend
all access points because intruders need to find only one way in. But
because agency resources are finite, boundaries typically exceed
resources. To best apply limited resources to maximize defense
success, carefully select your turf.

Risk management approaches to security must move beyond identifying
and defending the most important assets to include an analysis of a
network's strategic points where intruders could attack.

Here are some IT security lessons from military history.

* Intelligence has value only if you act on it.

The Battle of Midway in June 1942 was arguably the turning point of
World War II in the Pacific rim. The victory hinged partly on U.S.
code crackers' breaking the JN25 naval cipher to learn that the Japanese
planned to attack Midway. Adm. Chester Nimitz, commander of the U.S.
Pacific fleet, sent two carrier task forces to Midway to ambush the
Japanese Navy.

A second lesson is the hubris of assuming that enemies cannot break
ciphers and codes.

Security professionals have many means of defense at their disposal.
Through network mapping, they can determine the landscape of their
networks. Knowing how many systems are locked down and adequately
patched, they can assess their readiness. Using intrusion-detection
systems, they can know the types of probes the enemy has attempted.

But some organizations don't use or act on the intelligence they have.
Many turn off their auditing systems, fail to review the logs or
ignore alarms. A military parallel is Pearl Harbor, the attack in
which the United States ignored radar detecting the incoming Japanese

* Interior defensive perimeters are critical.

The network perimeter has disappeared as ubiquitous computing and
extranet access have surged. The model of hardened perimeters and
wide-open interiors is no longer adequate.

During the 1879 defense of Rorke's Drift in South Africa, about 150
British soldiers held off 4,000 Zulus by defending the inherently
indefensible. They created makeshift barricades from grain sacks and
biscuit boxes to secure the perimeter. They had fallback positions and
used them.

Security professionals can learn from this example. A network is not
defensible if attackers breach the perimeter and the rest of the
network is wide open.

Today, administrators segment networks with interior firewalls.
Tomorrow, networks may be able to create dynamic barriers in response
to worm and virus invasions.

Admirals and generals set strategies, but individuals who make
tactical decisions and take the initiative win battles. Every federal
agency employee has a responsibility to make IT security a priority.

Davidson is Oracle's chief security officer.

1 comment:

  1. Doesn't it make you feel secure knowing Oracle recently acquired Oblix?
    Hopefully the security program for Oblix won't "merge" with its parent via the typical acquisition model, i.e., be replaced by the parent...