RE: MS Defender for OL7 Oracle DB servers

From: Clay Jackson <"Clay>
Date: Mon, 7 Mar 2022 17:48:20 +0000
Message-ID: <CO1PR19MB49845A91079C51D8661191389B089_at_CO1PR19MB4984.namprd19.prod.outlook.com>


And automated rebuild is good for more than just malware prevention. In the event of even a MINOR "disaster", if you can't efficiently rebuild the same system, you're "planning to fail".

Hypothetical - How many companies could build an EXACT duplicate of (even one of) their existing "platforms", (OS, database software (not the data) and application software) on "bare metal", WITHOUT using "backups" and how long would it take?

Clay Jackson

-----Original Message-----
From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> On Behalf Of Tim Gorman
Sent: Monday, March 7, 2022 8:45 AM
To: oracle-l_at_freelists.org
Subject: Re: MS Defender for OL7 Oracle DB servers


Scheduled automated VM rebuilds work just fine with multi-TB databases, on-prem or in the cloud. Data storage is detached from the soon-to-be-destroyed VMs, then re-attached to newly-rebuilt VMs and binaries. Don't confuse a requirement to rebuild code and systems with a requirement to rebuild data.

Certainly there is a possibility that the very tools used for security become an attack vector; that is the whole point of the exercise, by forcing a small number of carefully scanned and trusted images to be propagated throughout. If one can't automate rebuild, then one is stuck with a predominance of ever-more-fragile houses of cards with undetected malware festering within indefinitely.

Think it through, think of alternatives, and think a couple moves ahead...

On 3/5/2022 4:33 PM, Mladen Gogala wrote:
> On 3/5/22 15:44, Tim Gorman wrote:
>> Just a heads-up as to where (I think) the world is heading...
>>
>> Years ago, I was working at a large US telecom, and one of the goals
>> of their virtualization efforts (i.e. moves to VMs on-prem, moves to
>> containers, moves to cloud, etc) is to enable themselves to rebuild
>> every virtual machine from a trusted image every week.
>>
>> If a VM becomes "infected" with anything, then that will last for
>> only a finite period before it is wiped out by a scheduled automated
>> rebuild, if it is not detected sooner and then wiped out by a
>> manually-initiated automated rebuild.
>>
>> This doesn't mean that other preventative or protective efforts are
>> reduced in any way, just that this is a last protective measure, for
>> when all else fails. And, as we know, all else will indeed fail,
>> eventually.
>>
>> Back then, they included a requirement for automated rebuild from a
>> trusted image to be scheduled every 6-9 months for all newly-built
>> infrastructure. As their skills improve, the stated plan was to
>> gradually reduce the scheduled frequency from 6-9 months down to one
>> week.
>>
>> So, if you're wondering about your organization's push to automation,
>> to virtualization, to containers, or to cloud, then it's not
>> necessarily because these things are "shiny" and "new", or somehow
>> less expensive in themselves. It is because these technologies are
>> seen as stepping stones to a possibly-as-yet-unstated goal in the
>> never-ending arms race of infoSec.
>
> Well, I am not so sure how that would function with a terabyte-sized
> database in the cloud. Also, there is a very real possibility (see
> SolarWinds) that the tools used for monitoring network would be used
> as an attack vector. The only thing that can prevent the data from
> being stolen by a rogue actor acquiring access rights is encryption.
> And we don't encrypt nearly enough data. Also, phishing attacks are
> getting more and more sophisticated. The good old times of a Nigerian
> prince in need of bank transfer or "winning Microsoft lottery" are
> long gone. Acquiring credentials is easier than ever, unless MFA is
> used. The problem isn't infecting the server with anything, the
> problem is data theft. Your database server doesn't necessarily need
> to be infected with anything. The tables ACCOUNTS, CUSTOMERS and
> ADDRESSES can be dumped to CSV files using a script and the damage is
> done.
>
> Unfortunately, MS Defender doesn't do nearly a good enough job to
> protect your servers. And neither does any other software. I have
> recently received several quite well crafted spear phishing attempts.
> No warning from MS Defender or McAfee. The only real defense is our
> security awareness.
>
> --
> Mladen Gogala
> Database Consultant
> Tel: (347) 321-1217
> https://dbwhisperer.wordpress.com/



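The detach, destroy, rebuild, reattach sequence Tim describes above, as an added example that is not code from anyone in this thread: a Python model with a constructed in-memory inventory standing in for the cloud or hypervisor API and an assumed trusted-image digest manifest. The trust check runs before any destructive step, so a bad image leaves the old VM intact, and destroy refuses while data volumes are still attached.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed trusted-image manifest (assumption): image id -> sha256 the image bytes must match.
TRUSTED_IMAGES = {"ol7-db-base": hashlib.sha256(b"constructed ol7-db-base image bytes").hexdigest()}

def check_trusted(image, image_sha256):
    """Gate every launch on the manifest; an unknown or mismatched image is refused."""
    if TRUSTED_IMAGES.get(image) != image_sha256:
        raise ValueError(f"image {image} ({image_sha256[:12]}) is not in the trusted manifest")

@dataclass
class Instance:
    name: str
    image: str
    data_volumes: list = field(default_factory=list)  # datafiles/redo live here, not on the boot disk
    tainted: bool = False                              # constructed marker for "something got in"

class FakeCloud:
    """In-memory stand-in for a cloud or hypervisor API (assumption, not a real SDK)."""
    def __init__(self):
        self.instances, self.volumes = {}, {}  # volumes: id -> name of attached instance, or None
    def create_volume(self, vol):
        self.volumes[vol] = None
    def launch(self, name, image, image_sha256):
        check_trusted(image, image_sha256)
        self.instances[name] = Instance(name, image)
        return self.instances[name]
    def attach(self, vol, name):
        self.volumes[vol] = name
        self.instances[name].data_volumes.append(vol)
    def detach(self, vol):
        self.instances[self.volumes[vol]].data_volumes.remove(vol)
        self.volumes[vol] = None
    def destroy(self, name):
        if self.instances[name].data_volumes:  # never destroy a VM that still owns the data
            raise RuntimeError(f"{name} still has data volumes attached")
        del self.instances[name]

def rebuild(cloud, name, image, image_sha256):
    """Replace `name` with a fresh VM from `image`, carrying its data volumes across untouched."""
    check_trusted(image, image_sha256)  # validate BEFORE the destructive steps, not after
    vols = list(cloud.instances[name].data_volumes)
    for v in vols:                       # 1. separate data from the soon-to-be-destroyed VM
        cloud.detach(v)
    cloud.destroy(name)                  # 2. OS, binaries and anything festering on them go
    new = cloud.launch(name, image, image_sha256)  # 3. same name, trusted bits only
    for v in vols:                       # 4. same volumes, same ids, back on the new VM
        cloud.attach(v, name)
    return new
```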
--
http://www.freelists.org/webpage/oracle-l
Received on Mon Mar 07 2022 - 18:48:20 CET