Pratum Blog

The Department of Homeland Security (DHS) stated recently that the agency will hire up to 1000 cybersecurity professionals over the next three years. This is good and bad.

Let’s start with the good. Anytime an organization realizes it has a significant deficiency in a skill set and then commits to remedying it, I give it credit. The fact that DHS recognizes it is lacking professionals skilled in information security undoubtedly comes from the poor grades it received on its Federal Information Systems Management Act (FISMA) reports in earlier years. While last year the official score was a "B", the agency stated it felt it was closer to a "C" grade.

While FISMA isn’t really a good assessment of security in an organization, it is helping to identify some gaps. They don’t always get fixed, because fixing them may or may not improve the overall grade. Let’s face it; we do the things that allow us to check the box and get the passing grade.

So while the idea of hiring more security professionals sounds good, I have to wonder what roles those positions will play in effecting significant change in the organization. Will these roles be just added worker bees that identify gap after gap, only to have it de-prioritized by management? Or will these people actually be given responsibility AND authority to bring about change? Will they sit in key management positions or individual contributor roles? If the latter, I think this could be a great boost for the organization. If all they do is increase the bureaucracy by generating more reports and intelligence that is never acted on, then they have failed.

I wish them all the best but history is not on their side.

October is National Cybersecurity Awareness Month. While we've traditionally used October as the month to promote security awareness, this is the first time it has been declared by the federal government. I applaud the administration for attempting to raise awareness by this official proclamation.

The question now is what do we do about it? Take this opportunity to get in front of your executive leadership and piggyback on this while the hype is hot. Typically executives keep tabs on things coming out of the White House and they may have questions. Seize the moment.

Next is to volunteer to provide some education at a library, school, church or other civic organization to help parents and kids learn the dangers lurking on the internet. If we as professionals don’t step up and offer some real solutions to the problems our kids face, we will wind up with the same type of battles we faced in the ‘80s with trying to put the expanding drug problem to rest.

While this may seem like a small step, awareness really has to be the first step. Until people know they need to protect their data and privacy they will continue to misuse it. Identifying the problem and getting people to recognize and accept it must be our first battle. We’re doing OK today but we need to do better.

For this last point on securing Oracle E-Business Suite (11i) I want to talk about the infrastructure. My last couple of posts have been database specific from a software perspective. I now want to look at securing our databases from a hardware perspective.

Lots of companies deploy internet-facing firewalls. They create a DMZ, or demilitarized zone, which houses their web, email, DNS and other internet-facing servers. This DMZ area is a virtual wasteland. It’s more secure than the internet but less secure than our internal networks. In essence it really shouldn’t be trusted.

Our internal networks, however, are usually fully trusted and considered safe and secure. You couldn’t be more wrong. It’s akin to putting up a privacy fence all the way around your property and locking the gate. In this scenario, you assume that your yard on the inside is more secure than the street on the outside, but you still lock your front door. Even inside your house you may have important areas secured, such as a small safe, file cabinet, jewelry or firearm storage; you get the picture.

What we often do in securing our networks is to put up a fence, lock the gate, lock the front door and then leave the cash, bank info, jewelry, firearms and other valuables out on the living room floor with a huge sign reading “All the good stuff is right here, take what you need.”

Databases are treasure troves of information, yet we rarely wrap additional protection around them on internal networks. I recommend that every database server be placed behind a firewall. The access control list (ACL) should explicitly allow only connections from the application servers, backup servers or other critical components. In today’s environments, end users should rarely need direct access to the actual database. They will typically get their access via a web application of some sort.

By limiting direct access to the database, you reduce the chance that someone who can bypass your application- and database-level logical controls (usernames/passwords, granted privileges, roles, etc.) gains the ability to interface with it at a hardware or system level. It is just like putting your jewelry in a safe inside your locked house. Not everyone who needs access to your network needs access to your databases.

As we start to realize that our internal networks aren’t a whole lot safer than the DMZ or even the internet, we need to provide additional security zones. This will help provide another layer of protection for our most critical assets. Does this create a little more administrative work? Does it cost a little more money? Sure. Is it worth it? Only your risk assessment can tell you that. You have done a risk assessment haven’t you?
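To make the ACL recommendation above concrete, here is an added example (not from the original post, and not a vendor-supplied configuration) that models the database-tier policy described in the last few paragraphs: an explicit allow list of application servers, a backup server and DBA jump hosts, with everything else denied by default. All addresses, host roles and the chain name are constructed assumptions; the only real values are the default Oracle Net listener port (1521) and SSH (22). The script evaluates sample connection attempts against the policy, renders the same policy as nftables statements for a host-based firewall, and produces log lines for the denied attempts, which are the events worth watching on an internal network because they show something reaching for the database without going through the application tier.

```python
import ipaddress
from typing import List, Tuple

# Constructed example: addresses, host roles and names are assumptions for
# illustration only, not taken from any real Oracle E-Business Suite deployment.
DB_SERVER = ipaddress.ip_address("10.20.30.10")   # the database host being protected
ORACLE_LISTENER_PORT = 1521                        # default Oracle Net listener port
SSH_PORT = 22

# Allow list in front of the database tier. Anything not listed here is denied.
# Each entry: (source network, destination port, purpose).
ALLOW_RULES: List[Tuple[ipaddress.IPv4Network, int, str]] = [
    (ipaddress.ip_network("10.20.10.0/28"), ORACLE_LISTENER_PORT, "EBS application servers"),
    (ipaddress.ip_network("10.20.50.5/32"), ORACLE_LISTENER_PORT, "backup server"),
    (ipaddress.ip_network("10.20.99.0/29"), SSH_PORT, "DBA jump hosts"),
]


def evaluate(src: str, dport: int, dst: str = str(DB_SERVER)) -> Tuple[str, str]:
    """Decide one connection attempt toward the database host.

    Returns ("allow", purpose) when an explicit rule matches, otherwise
    ("deny", reason). The order of checks mirrors a firewall with a
    default-deny policy on the database segment.
    """
    src_ip = ipaddress.ip_address(src)
    if ipaddress.ip_address(dst) != DB_SERVER:
        return ("deny", "destination is not the protected database host")
    for net, port, purpose in ALLOW_RULES:
        if src_ip in net and dport == port:
            return ("allow", purpose)
    return ("deny", "default deny: no allow rule for this source/port")


def render_nftables(table: str = "inet filter", chain: str = "db_in") -> List[str]:
    """Render the allow list as nftables statements (illustrative text only).

    The chain is created on the host's input hook with policy drop, so the
    last line makes the default deny explicit and logs what it drops.
    """
    lines = [
        f"nft add chain {table} {chain} '{{ type filter hook input priority 0; policy drop; }}'",
        f"nft add rule {table} {chain} ct state established,related accept",
    ]
    for net, port, purpose in ALLOW_RULES:
        lines.append(
            f"nft add rule {table} {chain} ip saddr {net} tcp dport {port} accept  # {purpose}"
        )
    lines.append(f'nft add rule {table} {chain} log prefix "db-deny: " drop')
    return lines


def audit(attempts: List[Tuple[str, int]]) -> List[str]:
    """Run attempts through evaluate() and return log lines for the denials.

    A denied attempt at the listener port from inside the 'trusted' network
    is the signal the post is after: something bypassed the web application
    and tried to talk to the database directly.
    """
    denied = []
    for src, dport in attempts:
        verdict, reason = evaluate(src, dport)
        if verdict == "deny":
            denied.append(f"db-deny: src={src} dport={dport} reason={reason}")
    return denied


# Constructed connection attempts: two legitimate tiers, one end-user
# workstation trying to reach the listener directly, one app server trying SSH.
SAMPLE_ATTEMPTS = [
    ("10.20.10.3", ORACLE_LISTENER_PORT),    # application server -> allowed
    ("10.20.50.5", ORACLE_LISTENER_PORT),    # backup server -> allowed
    ("10.20.200.44", ORACLE_LISTENER_PORT),  # end-user workstation -> denied
    ("10.20.10.3", SSH_PORT),                # app server has no business on SSH -> denied
    ("10.20.99.2", SSH_PORT),                # DBA jump host -> allowed
]

if __name__ == "__main__":
    for line in render_nftables():
        print(line)
    for line in audit(SAMPLE_ATTEMPTS):
        print(line)
```

The allow list is deliberately keyed on both source network and destination port: an application server that only ever needs the listener is not granted SSH, and the jump hosts that need SSH are not granted the listener. Whether the policy lives on a network firewall in front of the database segment or as a host firewall on the database server itself, the shape is the same, and the denied-connection log is the cheap place to look for direct database access that your risk assessment said should not be happening.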
