some thoughts about Oracle's security breach (by SAP)

Alex Alten alex at alten.org
Fri Mar 23 18:29:14 EDT 2007


It seems to me that this could have been prevented (or better damage
control) by:
1) encrypting the files
2) putting in place good access controls (policy adjudication and enforcement)
   examples: if more than 100 files / week then raise an alert
             if a customer accesses incorrect areas / directories then raise an alert
3) possibly better auditing in place to assist after-the-fact forensics
   (this might have reduced the scope of the theft by allowing a more timely response)

In other words a good security system to secure and protect the customer
support files against insider attack (a hacker using a legitimate customer login).

http://www.nytimes.com/reuters/business/business-rpt-update.html
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/03/22/BUG32OPUKU7.DTL
http://www.oracle.com/sapsuit/index.html

- Alex
--

Alex Alten
alex at alten.org
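The two access-control examples in the post (a per-customer weekly volume threshold and access outside a customer's own directories) are easy to express as detection rules over a download log. The following is an added example, not code from the original post; the log format, the customer-to-directory mapping and the sample lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Threshold taken from the post: more than 100 files in one week raises an alert.
WEEKLY_FILE_THRESHOLD = 100

# Hypothetical mapping of customer login -> directories that login may read.
ALLOWED_AREAS = {
    "cust_a": ("/support/cust_a/",),
    "cust_b": ("/support/cust_b/", "/support/shared/"),
}


def parse_line(line):
    """Parse one constructed log line of the form '<ISO timestamp> <customer> <path>'."""
    ts, customer, path = line.split()
    return datetime.fromisoformat(ts), customer, path


def check_access(lines, allowed=ALLOWED_AREAS, threshold=WEEKLY_FILE_THRESHOLD):
    """Return a list of (customer, reason) alerts for the two policies in the post."""
    alerts = []
    weekly = defaultdict(set)  # (customer, iso_year, iso_week) -> distinct files seen
    flagged = set()            # weeks already alerted on, so volume fires once per week
    for line in lines:
        ts, customer, path = parse_line(line)
        # Policy: a customer reading outside its own areas raises an alert.
        if not any(path.startswith(area) for area in allowed.get(customer, ())):
            alerts.append((customer, f"out-of-scope access to {path}"))
        # Policy: more than `threshold` distinct files in one ISO week raises an alert.
        year, week, _ = ts.isocalendar()
        key = (customer, year, week)
        weekly[key].add(path)
        if len(weekly[key]) > threshold and key not in flagged:
            flagged.add(key)
            alerts.append((customer, f"{len(weekly[key])} files in week {year}-W{week:02d}"))
    return alerts


# Constructed sample: cust_b pulls 101 distinct files in one week, then cust_a
# reads a file from cust_b's directory.
SAMPLE_LOG = [f"2007-03-19T10:00:{i % 60:02d} cust_b /support/cust_b/doc{i}.pdf"
              for i in range(101)]
SAMPLE_LOG.append("2007-03-20T11:00:00 cust_a /support/cust_b/secret.pdf")

if __name__ == "__main__":
    for customer, reason in check_access(SAMPLE_LOG):
        print(f"ALERT {customer}: {reason}")
```

Both rules operate only on distinct paths per customer per week, so a customer re-downloading the same file does not inflate the count.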



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com