Re: Security Attack
Date: Tue, 9 Jan 2024 10:21:41 -0800
Message-ID: <862682c6-3025-44a1-85d8-5b0706ff8113_at_gmail.com>
I often see at least two approaches to dealing with these threats, based on the certainty that ransomware or similar malware will succeed...
- One approach is based on the idea that no object is permitted to exist more than a fixed period of time before it is replaced from a protected image. For example, all virtual machines are orchestrated to be replaced with new virtual machines installed from "gold images" every month. The advantages for this example are that any malware that does slip through exists for at most a month before it is annihilated. This approach has the advantage of starting off with a lengthier fixed period of time before replacement (i.e. 12-15 months), and with maturity this period can gradually be reduced to the desired period, of a month, or two weeks, or a week, or less. Since this is a database help list, I think it is clear that the data within the databases cannot be "rebuilt", but the executables and configuration will be rebuilt, and the data recovered.
- The other approach is based on virtual machine snapshots, common in cloud environments, stored in immutable backup vaults, segregated from the VMs themselves. Should VMs be compromised, they can be overwritten individually or en masse by snapshot images captured prior to "infection".
To summarize...
- rebuild VMs from orchestration scripting
- rebuild VMs from snapshot images
Of course, these approaches are not mutually exclusive, and since they are usually deployed by different groups within organizations, often they overlap.
Build a recovery solution with the certainty it is necessary. Assume that malware will eventually penetrate all other layers of security, regardless of what technology you use. Malware affecting Microsoft gets more press, which doesn't mean that malware affecting Linux/UNIX doesn't exist, it just means that fingers are not being pointed loudly.
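An added example, not code from this list or from any poster, that models the two approaches above: flagging VMs that have outlived a fixed maximum lifetime (rebuild from the gold image), picking the newest vault snapshot taken before a suspected infection time (restore from snapshot), and the gradually tightening lifetime schedule. The inventory, dates and snapshot ids are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class VM:
    name: str
    built_from_image: datetime  # when the VM was last rebuilt from the gold image
    # (taken_at, snapshot_id) pairs held in the immutable backup vault
    snapshots: list = field(default_factory=list)


def due_for_rebuild(vms, now, max_age_days):
    """Approach 1: names of VMs older than the fixed maximum lifetime."""
    limit = timedelta(days=max_age_days)
    return sorted(vm.name for vm in vms if now - vm.built_from_image > limit)


def restore_point(vm, infection_time):
    """Approach 2: newest vault snapshot taken strictly before the suspected
    infection time. Returns None when no clean snapshot exists, i.e. only a
    gold-image rebuild plus data recovery remains."""
    clean = [(taken, sid) for taken, sid in vm.snapshots if taken < infection_time]
    return max(clean)[1] if clean else None


def lifetime_schedule(start_days, target_days, step_days):
    """Tighten the maximum lifetime step by step (e.g. 365 -> 30 days) as the
    rebuild process matures; the final entry is always the target."""
    schedule, days = [], start_days
    while days > target_days:
        schedule.append(days)
        days -= step_days
    schedule.append(target_days)
    return schedule


# Constructed sample inventory (hypothetical names and snapshot ids).
NOW = datetime(2024, 1, 9, 10, 0)
INFECTION_TIME = datetime(2024, 1, 7)  # constructed: when compromise is suspected
INVENTORY = [
    VM("db-prod-01", datetime(2023, 11, 20),
       [(datetime(2023, 12, 1), "snap-a1"), (datetime(2024, 1, 5), "snap-a2")]),
    VM("db-prod-02", datetime(2024, 1, 2), [(datetime(2024, 1, 8), "snap-b1")]),
    VM("app-01", datetime(2023, 9, 1), []),  # never snapshotted: rebuild only
]

if __name__ == "__main__":
    print("rebuild:", due_for_rebuild(INVENTORY, NOW, 30))
    for vm in INVENTORY:
        print(vm.name, "restore from:", restore_point(vm, INFECTION_TIME))
    print("lifetime schedule:", lifetime_schedule(365, 30, 90))
```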
On 1/9/2024 8:11 AM, Paul Houghton (Paul.Houghton) wrote:
>
> This is so frustrating. As a DBA, how do I decide where to spend my
> finite time to get the best value? There is no shortage of opinion on
> the internet, often from people with something to sell, but no /data/
> to help a technical specialist protect their systems. The people who
> could help – those who have suffered an attack and thought “If only we
> had done X” are not allowed to tell anyone else what X is. So I am
> left guessing.
>
> How do others decide how to prioritise security? I don’t want to know
> what you think my priorities should be, I want to know */why/* you
> think they should be my priorities and what data you have to back that up.
>
> *From:* oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org>
> *On Behalf Of *dimensional.dba_at_comcast.net
> *Sent:* 09 January 2024 00:10
> *To:* rprabha01_at_gmail.com; l.flatz_at_bluewin.ch
> *Cc:* 'ORACLE-L' <oracle-l_at_freelists.org>
> *Subject:* RE: Security Attack
>
> Part of the problem here is no one releases all the information for
> each attack how many systems and of what type were compromised or how
> the attack was perpetrated.
>
> Only the specific company/organization helping the attacked has the details,
> and they are not releasing the information either.
>
> Many attacks have nothing to do with your keeping up with patching.
>
-- http://www.freelists.org/webpage/oracle-l
Received on Tue Jan 09 2024 - 19:21:41 CET