Re: Fw: OT - Getting fired for database oops
From: Nuno Souto <dbvision_at_iinet.net.au>
Date: Thu, 28 May 2009 22:55:26 +1000
Message-ID: <4A1E89BE.3090600_at_iinet.net.au>
Frits Hoogland wrote,on my timestamp of 28/05/2009 5:37 AM:
> But even if it's done in the most perfect way, if not *all* components
> involved (network, operating system, database, applications) are tightly
> secured, a mistake in another layer could easily lead to compromise.
> Also, in the cases I encountered, the security auditor has no/little
> technical knowledge, which means that with some suggesting and some
> omitting of details it's quite easy to pass the audit.
>
> It reminds me of a saying in the network world about firewalls: 'the
> harder on the outside, the softer on the inside'. At least until two
> years ago, the default operator interface of networking components like
> switches and routers, but disturbingly even firewalls is telnet. SSH
> (encrypted) access is an option...
>
Date: Thu, 28 May 2009 22:55:26 +1000
Message-ID: <4A1E89BE.3090600_at_iinet.net.au>
Frits Hoogland wrote,on my timestamp of 28/05/2009 5:37 AM:
> But even if it's done in the most perfect way, if not *all* components
> involved (network, operating system, database, applications) are tightly
> secured, a mistake in another layer could easily lead to compromise.
> Also, in the cases I encountered, the security auditor has no/little
> technical knowledge, which means that with some suggesting and some
> omitting of details it's quite easy to pass the audit.
>
> It reminds me of a saying in the network world about firewalls: 'the
> harder on the outside, the softer on the inside'. At least until two
> years ago, the default operator interface of networking components like
> switches and routers, but disturbingly even firewalls is telnet. SSH
> (encrypted) access is an option...
>
Good points. It's always surprised me in some sites to see intranet security trusted almost exclusively to the firewall. Then when asked about intruder detection, the reply is "uh?". Many others as well trust monitoring/management to SNMP over UDP...
Then again, how far does one take the paranoia? ("paranoia" in the sense of obsession over security, not the clinical one) Like someone else said: the biggest danger is often internal!
-- Cheers Nuno Souto in sunny Sydney, Australia dbvision_at_iinet.net.au -- http://www.freelists.org/webpage/oracle-lReceived on Thu May 28 2009 - 07:55:26 CDT