Oracle Flaw, RSA Security Roadmap and Microsoft System Center

Oracle Corp. released a critical patch to its flagship database software to fix a time stamp flaw that could shut down large, high transaction Oracle databases. RSA, the security division of EMC Corp., published new insights designed to dramatically improve visibility into advanced threats ranging from industrial espionage and disruption of business and financial operations to sabotage of corporate infrastructure. In other news, Microsoft Corp. unveiled the final pre-release of System Center 2012.

Focal Points:

• According to InfoWorld, it researched and uncovered a flaw in Oracle's database software that could seriously impact Oracle database customers, potentially compromising the security and stability of Oracle database systems. The heart of the problem is the System Change Number (SCN) – the "time stamp" that maintains data consistency and allows the database to respond to every user query with the appropriate version of data at every point in time. The hot backup routine has an SCN bug which can rapidly increment the clock, which can never be decremented, in a database as well as all other interconnected Oracle databases. In most cases this will not be a problem, but there is a way for a saboteur with low level privileges to get in and cause SCN havoc. Oracle has just released its January critical patch update, which contains patches to fix the problem. However, these patches are being released for only the more recent versions of the database: Oracle 11g 11.1.0.7, 11.2.0.2, and 11.2.0.3, as well as Oracle 10g 10.1.0.5, 10.2.0.3, 10.2.0.4, and 10.2.0.5. Older versions will continue to be affected. Oracle believes that the probability of anyone experiencing the problem is quite low; but if it did occur, the databases could be offline for an extended period. 
• RSA released a research report, the ninth in a series from an RSA-led advisory group called the Security for Business Innovation Council (SBIC). The report, "Getting Ahead of Advanced Threats: Achieving Intelligence-Driven Information Security," advocates for a new defense doctrine for combating advanced threats.  The doctrine calls for "intelligence-driven information security," which is a collaborative, big data approach to information security. The council's report lays out a six-step roadmap to achieve intelligence-driven information security: start with the basics; make the case; find the right people; build sources; define a process; and implement automation. The council claims that a strong return on investment (ROI) case can be made for executing the roadmap.
• Microsoft stated its System Center 2012 is now available as a Release Candidate, the last milestone before final release. The upgraded System Center is one of Microsoft's three key building blocks for its private cloud strategy (Hyper-V and Windows Server are the other two elements). All eight components of the suite (App Controller, Configuration Manager, Data Protection Manager, Endpoint Protection, Operations Manager, Orchestrator, Service Manager, and Virtual Machine Manager) are free as a download. The final versions are expected to be generally available sometime in the first half of 2012. System Center will support a number of hypervisors – Hyper-V, VMware Inc.'s hypervisor and Citrix System, Inc.'s XenServer. The desktop management tools are Windows-only but Microsoft is providing cross-management tools for mobile devices, with security and configuration management covering Apple Inc.'s iOS, Google Inc.'s Android, and Windows Phone. System Center officially only supports the Azure cloud environment but customers are reporting it can manage virtual servers running on Amazon Inc.'s Elastic Compute Cloud. The estimated retail price for the Standard Edition of System Center is believed to be $1,323 per server (up to two physical processors) and $3,615 for the Datacenter edition (unlimited). There are separate fees for managing mobile devices and PCs, which are estimated to range from $22 to $121 per device.

Experton Group believes minimizing risk exposure and achieving a maximum security blanket will be tougher to achieve in 2012, as the attackers and attack vectors become more aggressive, creative and persistent. Any flaw, even those as challenging to implement as the one imbedded in the Oracle database software, is susceptible to saboteurs that have the desire, time and resources to create havoc or steal information. The RSA intelligence-driven information security roadmap represents an excellent approach to move security to the next level. The use of community security practices is a logical next step and one that will pay dividends. IT executives and their security teams should obtain the report and determine what portions of the roadmap can be included in current initiatives and how the overall roadmap can be incorporated into the corporate security plan. Microsoft's System Center is a major advancement in the management of large virtual environments. It is currently being used in environments where a single IT administrator is able to manage thousands of servers, rather than tens or hundreds. In that it will work in a large private onsite cloud environment or with external clouds like Azure and EC2 is a very positive statement. It is good to see Microsoft listening to its customers and stepping up to the plate with a well-targeted solution. IT executives should understand the functionality of System Center 2012 and determine if, how and/or where it makes sense for implementation.