[81892] in cryptography@c2.net mail archive


some thoughts about Oracle's security breach (by SAP)

daemon@ATHENA.MIT.EDU (Alex Alten)
Fri Mar 23 17:47:02 2007

Date: Fri, 23 Mar 2007 14:29:14 -0800
To: cryptography@metzdowd.com
From: Alex Alten <alex@alten.org>

It seems to me that this could have been prevented (or better damage
control) by:

1) encrypting the files
2) putting in place good access controls (policy adjudication and enforcement)
   examples: if more than 100 files / week, then raise an alert
             if a customer accesses incorrect areas / directories, raise an alert
3) possibly better auditing in place to assist after-the-fact forensics
   (this might have reduced the scope of the theft by allowing a more timely response)

In other words, a good security system to secure and protect the customer
support files against insider attack (a hacker using a legitimate customer login).

http://www.nytimes.com/reuters/business/business-rpt-update.html
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/03/22/BUG32OPUKU7.DTL
http://www.oracle.com/sapsuit/index.html

- Alex
--

Alex Alten
alex@alten.org



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
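The two alert rules proposed in the post above (a per-customer weekly file threshold and access outside a customer's entitled directories), as an added example that is not part of the original message; the log line format, the entitlement table and the customer logins are constructed assumptions, not anything from Oracle's or SAP's systems.

```python
"""Access-policy alerting over a customer-support file repository log.
Implements the post's two rules: >100 files/week per login raises an
alert, and reads outside a login's entitled directories raise an alert.
Log format and entitlement table are assumptions for this example."""
from collections import defaultdict
from datetime import datetime

WEEKLY_FILE_LIMIT = 100  # threshold from the post: more than 100 files/week

# Assumed entitlement table: top-level support directories each login may read.
ENTITLEMENTS = {
    "cust-acme": {"/support/acme/"},
    "cust-globex": {"/support/globex/", "/support/shared/"},
}

def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <login> GET <path>'."""
    ts, login, _verb, path = line.split()
    return datetime.fromisoformat(ts), login, path

def check_access(lines, entitlements=ENTITLEMENTS, limit=WEEKLY_FILE_LIMIT):
    """Return a sorted list of alert strings for the given log lines."""
    alerts = set()
    weekly = defaultdict(set)  # (login, ISO year-week) -> distinct files read
    for line in lines:
        ts, login, path = parse_line(line)
        allowed = entitlements.get(login, set())
        if not any(path.startswith(prefix) for prefix in allowed):
            alerts.add(f"scope: {login} read {path} outside entitlement")
        year, week, _ = ts.isocalendar()
        key = (login, f"{year}-W{week:02d}")
        weekly[key].add(path)
        if len(weekly[key]) == limit + 1:  # fire once, when the limit is crossed
            alerts.add(f"volume: {login} exceeded {limit} files in {key[1]}")
    return sorted(alerts)

# Constructed sample: cust-globex reads 101 distinct files within ISO week
# 2007-W12 (19-23 March 2007), then one file from another customer's tree.
SAMPLE_LOG = [f"2007-03-{19 + i % 5:02d}T10:00:00 cust-globex GET /support/globex/note{i}.txt"
              for i in range(101)]
SAMPLE_LOG.append("2007-03-22T11:30:00 cust-globex GET /support/acme/patch.zip")

if __name__ == "__main__":
    for alert in check_access(SAMPLE_LOG):
        print(alert)
```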
