Oracle Database Security Health Check

Picture a scene...

Despite the claims of anti-virus vendors, malware problems are nearly impossible to control. Attackers own user workstation subnets and mobile devices, and very often malware either directly finds a route to databases (critical infrastructure) or it opens a tunnel for manual hacker gangs to exploit.

Seven Stones' software Musang targets Oracle Database 10g and 11g and gives organisations a quick and accurate view of Oracle Database security.

In critical cases (e.g. "crown jewels" hosting, credit card details, personal information with potential legal nightmares attached), Seven Stones' long experience in Oracle Database security can be used to develop internal security solutions to good effect. More details...

Architecture

This service varies from client to client, as it depends very much on the maturity of existing controls. This is usually the service which we need to perform as a first step. In summary, it's an information gathering workshop and it allows us to learn how we can best deliver value for our clients.

For more details, please consult our terms of engagement and service portfolio.

Vulnerability Assessment

When you see this title you probably think in terms of penetration testing. The reality is though that penetration testing, even when delivered properly (i.e. not using automated scanners and with all testing restrictions removed), doesn't lend itself to cost-effectiveness.

Generally, we only deliver these services when we are sure the clients' investment is justified in terms of risk.

Corporate Policies

At Seven Stones, we have no interest in consulting or delivering for clients if the recommendations we make are likely to be implemented but then forgotten after a change of staff, or just with the passage of time.

Policies and standards (an ISO 27001-based baseline policy, plus technical build standards) are very important, not least for helping to ensure that improved processes and practices are "carved in stone".

Incident Response

Incident response, and the whole area of best practices in incident management, are complex. If you think it's simple, then you probably don't have effective processes.

We have a track record of having dealt in this area with large firms in transport and finance, and we know what works in practice, as opposed to just theory.

For more details on our offering in incident response, click here.


Security Macromorphosis

Sacred Cows

Latest Blog Post

Post Date: 21st November 2016

Clouds and Vulnerability Management

In the world of Clouds and Vulnerability Management, based on observations, it seems like a critical issue has slipped under the radar: if you're running with PaaS and SaaS VMs, you cannot deliver anything close to a respectable level of vulnerability management with these platforms. This is because, to do effective vulnerability management, the first part of that process (the vulnerability assessment) needs to be performed with administrative access (over SSH/SMB), and with PaaS and SaaS you do not, as a customer, have such access (this is part of your agreement with the cloud provider). The rest of this article explains this issue in more detail.

The main reason for the clouding (sorry) of this issue is what is still, after 20+ years, a fairly widespread lack of awareness of the ineffectiveness of unauthenticated vulnerability scanning. More and more security managers are becoming aware that credentialed scans are the only way to go. However, with a lack of objective survey data available, I can only draw on my own experiences. See, I'm one of those ... link to original article

Publication

Security De-engineering

Security De-engineering, published in December 2011 by Taylor & Francis, covers ubiquitous problems in information security and offers a solution in the final chapter.

Areas covered: Penetration testing, Hackers, CASEs (Checklists and Standards Evangelists), IDS, Cloud Security, jobs in security, Identity Management, and organisational elements.

Partners

Literatecode
Literatecode was established in 2003 as an informal R&D lab and reorganized as a registered business in 2012.

Literatecode specializes in applied research and experimental development to help companies and individuals defend themselves against security threats.