Researchers discover POS backdoor targeting the hospitality industry

ESET researchers have discovered ModPipe, a modular backdoor that gives its operators access to sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS (point-of-sale) – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide.

POS backdoor targeting hospitality industry

The majority of the identified targets were from the United States.

Containing a custom algorithm

What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.

This shows that the backdoor’s authors have deep knowledge of the targeted software and opted for this sophisticated method instead of collecting the data via a simpler yet “louder” approach, such as keylogging.

Exfiltrated credentials allow ModPipe’s operators access to database contents, including various definitions and configuration, status tables and information about POS transactions.

“However, based on the documentation of RES 3700 POS, the attackers should not be able to access some of the most sensitive information – such as credit card numbers and expiration dates – which is protected by encryption. The only customer data stored in the clear and thus available to the attackers should be cardholder names,” cautions ESET researcher Martin Smolár, who discovered ModPipe.

“Probably the most intriguing parts of ModPipe are its downloadable modules. We’ve been aware of their existence since the end of 2019, when we first found and analyzed its basic components,” explains Smolár.

POS backdoor targeting hospitality industry

Downloadable modules

  • GetMicInfo targets data related to the MICROS POS, including passwords tied to two database usernames predefined by the manufacturer. This module can intercept and decrypt these database passwords, using a specifically designed algorithm.
  • ModScan 2.20 collects additional information about the installed MICROS POS environment on the machines by scanning selected IP addresses.
  • ProcList with main purpose is to collect information about currently running processes on the machine.

“ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software. The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market,” adds Smolár.

What can you do?

To keep the operators behind ModPipe at bay, potential victims in the hospitality sector as well as any other businesses using the RES 3700 POS are advised to:

  • Use the latest version of the software.
  • Use it on devices that run updated operating system and software.
  • Use reliable multilayered security software that can detect ModPipe and similar threats.

Most UK businesses using Oracle E-Business Suite are running old systems

The majority of UK businesses using Oracle E-Business Suite (EBS) are running on old versions of the business critical ERP system, according to a Claremont study.

Oracle E-Business Suite

Of the 154 IT professionals polled, 64% revealed they are running on an earlier version that the current R12.2. With Oracle cutting off premier support to EBS 12.1 in December 2021, this leaves these businesses facing potential legislative and security issues if they fail to upgrade prior to the deadline.

58% of the businesses polled claimed they did intend on making the upgrade to R12.2.

“Businesses intent on upgrading to EBS R12.2 face a race against the clock in order to get it done in time. There is now just 14 months until the deadline, and while that may seem like a long time, given that the survey indicates almost two-thirds of businesses are currently looking to upgrade, there is likely to be resource scarcity in the marketplace. With upgrades taking 6-12 months to complete, vendor selections to be made and business cases to be raised, now is the time to act,” said Mark Vivian, CEO at Claremont.

The study also revealed that the majority of EBS users are currently hosting EBS on physical servers. 69% said they were still using physical servers, compared to just 31% hosting EBS on a cloud platform. 60% of businesses claimed they had no intention of migrating to the cloud, while 26% said they were planning a migration, and just 14% said their migration was underway.

The survey also revealed the reasons why those businesses using cloud platforms to host EBS had chosen their cloud provider. 53% of businesses cited price as the main reason they had chosen their cloud provider, while 40% cited greater agility and flexibility, and just 36% cited better support from the cloud vendor.

Mark Vivian added: “It’s surprising to see that so many businesses are still running Oracle E-Business on physical servers. Moving to cloud infrastructure means a shift towards greater agility, crucial for organisations to survive and thrive in response to the accelerating pace of change in today’s marketplace.”

25 vulnerabilities exploited by Chinese state-sponsored hackers

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks.

vulnerabilities exploited Chinese hackers

“Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” the agency noted.

The list of vulnerabilities exploited by Chinese hackers

The list is as follows:

The vulnerability list they shared is likely not complete, as Chinese-sponsored actors may use other known and unknown vulnerabilities. All network defenders – but especially those working on securing critical systems in organizations on which US national security and defense are depending on – should consider patching these as a priority.

Mitigations are also available

If patching is not possible, the risk of exploitation for most of these can be lowered by implementing mitigations provided by the vendors. CISA also advises implementing general mitigations like:

  • Disabling external management capabilities and setting up an out-of-band management network
  • Blocking obsolete or unused protocols at the network edge and disabling them in device configurations
  • Isolating Internet-facing services in a network DMZ to reduce the exposure of the internal network
  • Enabling robust logging of Internet-facing services and monitoring the logs for signs of compromise

The agency also noted that the problem of data stolen or modified before a device has been patched cannot be solved only by patching, and that password changes and reviews of accounts are a good practice.

Additional “most exploited vulnerabilities” lists

Earlier this year, CISA released a list of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals, the NSA and the Australian Signals Directorate released a list of web application vulnerabilities that are commonly exploited to install web shell malware, and Recorded Future published a list of ten software vulnerabilities most exploited by cybercriminals in 2019.

Admins and network defenders are encouraged to peruse them and patch those flaws as well.

Rescale’s cloud HPC simulation platform now available on Oracle Cloud Infrastructure

Oracle announced that Rescale‘s cloud HPC simulation platform is now available on Oracle Cloud Infrastructure. Rescale’s platform helps engineers and scientists build, compute, analyze, and scale simulations with high performance computing.

Now, Rescale customers can deploy and manage their critical engineering simulation and analytics applications on Oracle’s modern cloud infrastructure.

Businesses use Rescale’s intelligent platform to orchestrate HPC jobs in the cloud from anywhere. With Rescale, customers can run complex simulations in the cloud to improve their designs, which is much less expensive and time consuming than building and testing physical prototypes.

With Oracle and Rescale, enterprise customers can take advantage of the industry’s first bare-metal compute instances with cluster networking, resulting in increased productivity, better performance, and reduced cost.

Only Oracle offers bare-metal HPC infrastructure with RDMA networking, an important consideration for applications needing low-latency (sub two microsecond) response times.

“We help engineers and scientists make breakthroughs that enrich our everyday lives,” said Terry Denzer, chief revenue officer, Rescale. “With Oracle Cloud Infrastructure, we provide customers with the perfect platform for high performance computing that can be deployed in minutes with maximized control, transparency, and security.”

The Rescale cloud HPC platform, built on a powerful high-performance computing infrastructure, seamlessly matches software applications with the best cloud or on-premises architecture to run complex data processing and simulations.

Rescale on Oracle Cloud Infrastructure integrates with more than 600 HPC simulation applications and workloads and gives customers an easy-to-use enterprise interface to migrate and manage their on-premises HPC workloads on Oracle Cloud.

It includes an intuitive web portal for job submission, monitoring, results visualization, cost management and reporting. Customers can also choose to bring their own Oracle Cloud Infrastructure tenancy and applications licensing.

“Organizations use HPC services, like Rescale’s, to speed digital design and engineering and bring new products to market quickly,” said Clay Magouyrk, executive vice president, Oracle Cloud Infrastructure. “Rescale provides great value to our customers by offering HPC services and managing the entire HPC workflow in the cloud.”

Customers are reinventing how they develop products, measure risk, deliver experiences, and revolutionize their industries using Oracle’s HPC solutions. Oracle Cloud Infrastructure’s HPC services uniquely provides bare-metal compute instances, low latency cluster networks with RDMA, high performance distributed storage solutions, and network traffic isolation to automate and run jobs seamlessly in the cloud.

Oracle Cloud supports the full array of HPC workloads, including CFD, crash, computer-aided design (CAE), electronic design automation (EDA), VFX rendering, reservoir simulations, and AI training/inference.

Oracle offers pre-built tools to automate threat response and reduce customers’ cloud security risk

Oracle announced the availability of Oracle Cloud Guard and Oracle Maximum Security Zones. With Oracle Maximum Security Zones, Oracle is the first public cloud provider to activate security policy enforcement of best practices automatically from day one so customers can prevent misconfiguration errors and deploy workloads securely.

For day-to-day operations, Oracle Cloud Guard continuously monitors configurations and activities to identify threats and automatically acts to remediate them across all Oracle Cloud global regions.

With these capabilities, Oracle is the only cloud service provider to offer a cloud security posture management dashboard at no additional cost, with numerous pre-built tools that automate response to reduce customer risk quickly and efficiently.

Companies are moving more business-critical workloads to the cloud than ever before. The increase in cloud adoption has created new security “blind spots” that have contributed to more than 200 breaches over the past two years, exposing more than 30 billion records.

Gartner forecasts that “through 2025, 99 percent of cloud security failures will be the customer’s fault.” Cloud users and administrators are now expected to know how cloud security services work, configure them correctly, and maintain their cloud deployments.

Organizations that have experienced data breaches due to misconfigurations have suffered brand damage, recovery costs and fines. Oracle Maximum Security Zones and Oracle Cloud Guard embed decades of enterprise security expertise and best practices into the Oracle public cloud in an autonomous fashion, accelerating customers’ ability to ramp up to their cloud estate securely from inception.

“Security has been a critical design consideration across Oracle Cloud for years. We believe security should be foundational and built in, and customers shouldn’t be forced to make tradeoffs between security and cost,” said Clay Magouyrk, executive vice president, Oracle Cloud Infrastructure.

“With Oracle Cloud Guard and Oracle Maximum Security Zones’ security automation and embedded expertise, customers can feel confident running their business-critical workloads on Oracle Cloud.”

Now available in all Oracle Cloud commercial regions, Oracle Cloud Guard acts as a log and events aggregator that directly integrates with all major Oracle Cloud Infrastructure services – Compute, Networking, Storage – and automatically implements unique components called targets, detectors, and responders.

Targets set the scope of resources to be examined, such as compartments and their descendent structures within Oracle Cloud Infrastructure. Detectors identify issues with resources or user actions and alert when an issue is found, such as a TOR login or public bucket.

Responders provide notifications and corrective actions to security problems by automatically stopping the instance, suspending the user, or disabling the bucket. As a result, Oracle Cloud Guard provides security administrators the cloud detect-and-response framework needed to lower the mean time to respond to security misconfigurations and scale out security operations centers.

Oracle Maximum Security Zones extends IaaS access management to restrict insecure actions or configurations using a new policy definition that applies to designated cloud compartments. This new Oracle Cloud Infrastructure service helps ensure resources are secure from inception by enforcing rigorous security best practices for highly sensitive workloads.

Oracle Maximum Security Zones includes policies for several core Oracle Cloud Infrastructure Services, including Object Storage, Networking, Encryption, DBaaS, and File Storage.

These new services work in tandem to further Oracle’s second-generation public cloud, which is built with security as a critical foundation. Oracle Cloud is distinguished for bedrock design primitives, including high customer isolation, clean host hardware, default encryption, no downtime patching, and sophisticated data protection.

“As workloads transition to the cloud, organizations are looking for a supplier where security technology is designed-in throughout the complete hardware/software stack,” said Jay Bretzmann, program director, IDC cybersecurity research.

“Oracle’s new cloud security services will help automate and simplify the management of increasingly critical applications with painfully stringent security and compliance requirements that, until lately, few imagined would ever migrate off premises.”

Customers adopt new built-in security services

Accenture is one of the largest consulting companies in the world, employing about 500,000 people worldwide. “Accelerating the path to value is our key focus area, and Oracle technology and Oracle Cloud is a key factor to deliver on that. We were immediately impressed with Oracle Cloud Guard – the set-up, ease of use, and immediate results about potential misconfigurations,” said Chris Pasternak, managing director, Accenture.

“We appreciate the fact that this capability is available at no cost above the Oracle Cloud Infrastructure investment. It further solidifies the conversations I have with my clients about how Oracle builds Oracle Cloud with security in mind first; Oracle Cloud Guard is a great example of how Oracle continues that heritage.”

ALEF is a laboratory for financial economics and produces solutions to the financial problems of public and private firms, banks, and insurance companies.

“We adopted Oracle Cloud Infrastructure to help us and our customers achieve better, predictable performance for deeper analysis workloads. As part of Oracle Cloud Infrastructure, we found Oracle Cloud Guard to be very powerful in helping us discover complex security issues,” said Pietro Lascari, delivery manager, ALEF.

“Oracle Cloud Guard helped ALEF anticipate the right security posture for upcoming compliance regulations for our customers and implement them quickly using existing tools and APIs. Oracle Cloud Guard is a great tool to anticipate security and compliance concerns before they have even occurred.”

Darling Ingredients, a global developer and producer of sustainable natural ingredients from edible and inedible bio-nutrients, is using Oracle’s new services to evaluate its security posture as the company deploys production instances of business-critical workloads in Oracle Cloud Infrastructure.

“We recently turned on Oracle Cloud Guard, and we’ve been looking at Oracle Maximum Security Zones to see how we’re doing as we deploy the Oracle E-Business Suite production instance into Oracle Cloud Infrastructure,” said Tom Morgan, threat intelligence lead, Cyber Security Group, Darling Ingredients.

“What I like about Oracle Cloud Guard is the fact that it is continuously running and available to a wider group of people, which provides a continuous improvement process in our security posture. It’s also included with Oracle Cloud Infrastructure, which is a really good value.”

Discngine specializes in developing applications for life sciences research. The company relies on Oracle Cloud Infrastructure to enable its researchers to model protein structures and small molecules and uses Oracle Cloud Guard’s embedded rules to continuously monitor the security status of its cloud assets.

“With Oracle Cloud Guard, we were able to analyze each alert and assess the associated security risks,” said Alexandre Gillet-Markowska, cloud security officer, Discngine. “That allowed us to quickly obtain a key security certification by one of our largest customers and freed up valuable time to focus on innovation.”

Siram Veolia, a group that offers sustainable solutions for the management and optimization of environmental resources, adopted Oracle Cloud for its digital transformation program.

“Oracle Cloud Guard is an excellent product to automatically identify and resolve security misconfigurations and unused resources on Oracle Cloud Infrastructure,” said Davide Benedetto, head cloud team, Siram Veolia.

“We were able to activate Oracle Cloud Guard in a few hours, and it has been very easy to manage and configure. As a result, we have been able to improve our Oracle Cloud governance and security with minimal effort.”

Migrating and managing Oracle applications and database platforms on Microsoft Azure

Data Intensity announced the launch of Safe-Switch, a life-cycle approach to migrating and managing Oracle applications and database platforms on Microsoft Azure. In response to the Oracle and Microsoft Cloud Interoperability Partnership announcement, Safe-Switch was created to help customers accelerate their consumption of heterogenous cloud adoption, with freedom of choice and seamless integration for Oracle and Microsoft workloads.

The Data Intensity Safe-Switch program is founded on 20 years of professional and managed services experience migrating, upgrading, and managing highly customized Oracle workloads across hybrid and multicloud architectures. As both an Oracle Platinum Partner and Microsoft Gold Partner, Data Intensity has successfully executed more than 300 workload migrations.

“One challenge many customers face is bridging the skill-set gaps associated with deep Oracle knowledge and Microsoft Azure reference architectures to accurately migrate workloads to improve cost, service capabilities, and agility,” said Phil LaForge, President and CEO of Data Intensity.

The Safe-Switch Discovery Workshop is the first step toward identifying, prioritizing, and migrating Oracle workloads for the right cloud delivery model. Safe-Switch customers can benefit from a prescriptive roadmap that covers Oracle license compliance, fault-tolerant application performance architectures, secure Azure cloud reference mapped to a combined migration strategy, and managed services bundle.

“From start to finish, Data Intensity was highly professional; the design phase through to go-live ran smoothly and efficiently,” said Alan Horne, Team Lead for Cory Brothers. “A deep knowledge of both Oracle and Azure enabled the project to be successful.”

Gavriella Schuster, Corporate VP, One Commercial Partner at Microsoft said, “Customers can receive decades of enterprise expertise in workload migration across multiple cloud platforms from veteran MSP partner Data Intensity, with its strong partner credentials. The Data Intensity Safe-Switch program gives enterprise customers the confidence to maximize their cloud adoption.”

Data Intensity is currently providing a fixed-price Azure Safe-Switch Discovery Workshop, which includes a series of collaborative, data-driven assessments to provide a prescriptive migration road-map based on standardized methodologies. Data Intensity’s Safe-Switch complements the Microsoft Cloud Adoption Framework by providing businesses with the ability and processes to migrate workloads in a safe and secure manner.

Global public cloud services market grew 26% YOY in 2019 with revenues totaling $233.4 billion

The worldwide public cloud services market, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), grew 26% year over year in 2019 with revenues totaling $233.4 billion, according to IDC.

public cloud services market 2019

Spending continued to consolidate in 2019 with the combined revenue of the top 5 public cloud service providers (Amazon Web Services, Microsoft, Salesforce.com, Google, and Oracle) capturing more than one third of the worldwide total and growing 36% year over year.

“Cloud is expanding far beyond niche e-commerce and online ad-sponsored searches. It underpins all the digital activities that individuals and enterprises depend upon as we navigate and move beyond the pandemic,” said Rick Villars, group vice president, Worldwide Research at IDC.

“Enterprises talked about cloud journeys of up to ten years. Now they are looking to complete the shift in less than half that time.”

Public cloud services market has doubled since 2016

The public cloud services market has doubled in the three years since 2016. During this same period, the combined spending on IaaS and PaaS has nearly tripled. This highlights the increasing reliance on cloud infrastructure and platforms for application deployment for enterprise IT internal applications as well as SaaS and digital application delivery.

Spending on IaaS and PaaS is expected to continue growing at a higher rate than the overall cloud market over the next several years as resilience, flexibility, and agility guide IT platform decisions.

“Today’s economic uncertainty draws fresh attention to the core benefits of IaaS – low financial commitment, flexibility to support business agility, and operational resilience,” said Deepak Mohan, research director, Cloud Infrastructure Services.

“Cost optimization and business resilience have emerged as top drivers of IT investment decisions and IaaS offerings are designed to enable both. The COVID-19 disruption has accelerated cloud adoption with both traditional enterprise IT organizations and digital service providers increasing use of IaaS for their technology platforms.”

“Digitizing processes is being prioritized by enterprises in every industry segment and that is accelerating the demand for new applications as well as repurposing existing applications,” said Larry Carvalho, research director, Platform as a Service.

“Modern application platforms powered by containers and the serverless approach are providing the necessary tools for developers in meeting these needs. The growth in PaaS revenue reflects the need by enterprises for tools to accelerate and automate the development lifecycle.”

“SaaS applications remains the largest segment of public cloud spending with revenues of more than $122 billion in 2019. Although growth has slowed somewhat in recent years, the current crisis serves as an accelerator for SaaS adoption across primary and functional markets to address the exponential growth of remote workers,” said Frank Della Rosa, research director, SaaS and Cloud Software.

The combined IaaS and PaaS market

A combined view of IaaS and PaaS spending is relevant because it represents how end customers consume these services when deploying applications on public cloud. In the combined IaaS and PaaS market, Amazon Web Services and Microsoft captured more than half of global revenues.

But there continues to be a healthy long tail, representing over a third of the market. These are typically companies with targeted use case-specific PaaS offerings. The long tail is even more pronounced in SaaS, where nearly three quarters of the spending is captured outside the top 5.

Oracle Dedicated Region [email protected]: Making all cloud services available on-premises

Driven by strong customer demand, Oracle announced Oracle Dedicated Region [email protected], the industry’s first fully-managed cloud region that brings all of Oracle’s second-generation cloud services, including Autonomous Database and Oracle Cloud applications, to customer datacenters.

With this offering, enterprises get the exact same complete set of modern cloud services, APIs, industry-leading SLAs, superior price-performance, and highest levels of security available from Oracle’s public cloud regions in their own datacenters. This is ideal for highly regulated or security-focused businesses needing to meet demanding latency and data residency requirements, reduce operational costs, and modernize legacy applications.

Over the past few years, enterprise adoption of public clouds has gone mainstream as companies took advantage of the pay-as-you-go economics, scale, and agility of cloud computing.

However, most enterprises expect to continue to run a portion of their workloads in on-premises datacenters for the foreseeable future. This has resulted in strong demand from customers for a hybrid architecture where the same services, same functionality, and easy portability of applications exists between their public and on-premises cloud environments.

But until today, no solution was able to bridge the gap between cloud and on-premises environments. On-premises offerings from other cloud providers offer a very small subset of the services available in their public cloud regions.

With this announcement, Oracle is making all of its cloud services — more than 50 services — available on-premises so enterprises can use Oracle’s cloud services wherever they need them – in the cloud or on-premises via [email protected]

“Enterprise customers have told us that they want the full experience of a public cloud on-premises, including access to all of Oracle’s cloud services, to run their most important workloads,” said Clay Magouyrk, executive vice president of engineering, Oracle Cloud Infrastructure.

“With Oracle Dedicated Region [email protected], enterprises get all of our second-generation cloud services, including Autonomous Database, in their datacenters. Our major competitors can’t offer customers a comparable dedicated cloud region running on-premises.”

Oracle Dedicated Region [email protected] includes full management capabilities and access to new features and functions the moment they become available in Oracle’s public cloud. It provides strong isolation of customer data, including all API operations, which remain local to customer datacenters and provide the highest levels of security.

Additionally, Oracle Dedicated Region [email protected] is certified to seamlessly run Oracle Cloud applications, including Oracle Fusion Cloud Applications (Cloud ERP, Cloud HCM, Cloud SCM, and Cloud CX, making it a completely integrated cloud experience on-premises.

Customers only pay for services they consume using the same predictable low pricing offered in Oracle’s public cloud regions.

“With Dedicated Region [email protected], Oracle delivers a slice of its public cloud experience into customer datacenters, with no changes in pricing or capabilities,” said Deepak Mohan, Research Director at IDC.

“This represents a new direction for public cloud providers, who have historically offered only limited versions of their services to customer premises. Oracle Dedicated Region [email protected] brings the full capabilities of Oracle Cloud Infrastructure and Oracle Fusion Cloud Applications, including over 50 services, to customer premises.

“This brings together public cloud service capability with the compliance, latency and co-location benefits of on premises – which can be a game changer for large scale digital transformation efforts at enterprises.”

Global organizations adopt Oracle Dedicated Region [email protected]

Nomura Research Institute (NRI), Ltd. is the largest consulting firm and IT solutions provider in Japan. “With Oracle Dedicated Region [email protected], we can use Oracle Exadata as a cloud service and achieve greater agility, such as seamless expansion, while maintaining high availability at the same level as on-premises,” said Tomoshiro Takemoto, Senior Corporate Managing Director, NRI.

“Built in our own datacenter, it also enables us to not only provide SOC2 reports based on Japanese security standards in financial industries, but it also allows us to access broader cloud services and tools provided by Oracle and further increase our business value for our customers.

Oman Information and Communications Technology Group is an entity owned by State General Reserve Fund (SGRF) of the Government of Oman. “Oman Information and Communications Technology Group (OICTG), is committed to propel and shape the Sultanate’s ICT sector.

Our investments, focused initiatives and bespoke partnerships aim to unlock the full potential of ICT. So, by fostering Omani talents, we will actively support the ongoing diversification of Oman’s economic development as outlined in His Majesty Sultan Haitham bin Tarik’s Oman 2040 Vision,” said HH Sayyid Kamil Fahad Al-Said; Chairman of Oman ICT Group.

“Furthermore, and to meet the Sultanate’s needs of digital transformation, our centralized, innovatively structured digital framework will support the ownership and management of cloud-ready IT services.

“The OICTG’s sustainable, economically sensitive budget and attainable, realistic time-bound goals will guarantee maximum operational performance, flexible scalability and a secure data residency file under the accountable canopy of the Oman Investment Authority.”

“Oracle Dedicated Region [email protected] enables a variety of use cases, from migrating Oracle ERP and CRM applications to deploying custom developed applications using Oracle Database, as well as implementing Digital Innovation Services (Blockchain, AI, Big Data) and High-Performance Computing (HPC), all while following the country regulations regarding data sovereignty,” said Said Al-Mandhari, CEO, Oman ICT Group.

NETSCOUT and Oracle help customers gain real-time visibility into risks from apps and digital services

NETSCOUT SYSTEMS announced that it is collaborating with Oracle to help customers gain end-to-end visibility for service assurance and security of mission-critical applications and services across their hybrid cloud infrastructures. NETSCOUT is a Gold level member of the Oracle PartnerNetwork (OPN).

NETSCOUT’s vSTREAM and virtual nGeniusONE are now available from the Oracle Cloud Marketplace, offering Oracle Cloud customers best-in-class application visibility and the ability to leverage authentic information contained in application and network traffic for real-time telemetry.

This “Smart Data” enables I.T. teams to gain consistent visibility and perform monitoring and troubleshooting of their critical services, regardless of the application or underlying infrastructure, with the ability to provide the deep forensics needed for faster and more efficient responses.

Deployable from Oracle Cloud Infrastructure, the nGeniusONE platform uses ISNG software, appliances, and vSTREAM agents, to provide proactive service assurance by identifying developing service delivery problems across any hybrid cloud environment. It analyzes network and application traffic to deliver end-to-end visibility into the availability and performance of applications, networks, service enablers, and end-users.

The Oracle Cloud Marketplace is a one-stop-shop for Oracle customers seeking trusted business applications and service providers offering unique business solutions, including ones that extend Oracle Cloud Applications.

Oracle Cloud is a Generation 2 enterprise cloud that delivers massive, non-variable performance and next-generation security across a comprehensive portfolio of services including SaaS, application development, application hosting, and business analytics.

Customers get access to leading compute, storage, data management, integration, security, HPC, artificial intelligence (AI), and Blockchain services to augment and modernize their critical workloads. Oracle Cloud runs Oracle Autonomous Database, the industry’s first and only self-driving database.

“Digital transformation has new meaning and urgency in today’s reality,” stated Tom Raimondi, Jr., chief marketing officer, NETSCOUT. “Our relationship with Oracle provides customers borderless visibility into their network — from the core to the edge — as they migrate from on-prem to the cloud.”

While organizations require more automated application and network performance monitoring, which is imperative for successful deployments of critical business services, they currently rely on dozens of tools that aren’t integrated. This flaw results in visibility and operational gaps that open the delivery of applications and business services to increased risk.

“The cloud represents a huge opportunity for our partner community,” said David Hicks, vice-president, Worldwide ISV Cloud Business Development, Oracle.

“NETSCOUT’s commitment to innovation with the Oracle Cloud and its ability to help our mutual customers gain real-time visibility into risks from applications and digital services provides a significant operational benefit.”

Shifting responsibility is causing uncertainty and more security breaches

Data security is creating fear and trust issues for IT professionals, according to a new Oracle and KPMG report.

shifting responsibility security

The study of 750 cybersecurity and IT professionals across the globe found that a patchwork approach to data security, misconfigured services and confusion around new cloud security models has created a crisis of confidence that will only be fixed by organizations making security part of the culture of their business.

Data security is keeping IT professionals awake at night

Demonstrating the fear and trust issues experienced by IT professionals, the study found that IT professionals are more concerned about the security of their company’s data than the security of their own home.

  • IT professionals are 3X more concerned about the security of company financials and intellectual property than their home security.
  • IT professionals have concerns about cloud service providers. 80 percent are concerned that cloud service providers they do business with will become competitors in their core markets.
  • 75 percent of IT professionals view the public cloud as more secure than their own data centers, yet 92 percent of IT professionals do not trust their organization is well prepared to secure public cloud services.
  • Nearly 80 percent of IT professionals say that recent data breaches experienced by other businesses have increased their organization’s focus on securing data moving forward.

Legacy data security approaches leave IT professionals playing whac-a-mole

IT professionals are using a patchwork of different cybersecurity products to try and address data security concerns, but face an uphill battle as these systems are seldom configured correctly.

  • 78 percent of organizations use more than 50 discrete cybersecurity products to address security issues; 37 percent use more than 100 cybersecurity products.
  • Organizations who discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year.
  • 59 percent of organizations shared that employees with privileged cloud accounts have had those credentials compromised by a spear phishing attack.
  • The most common types of misconfigurations are:
    • Over-privileged accounts (37 percent)
    • Exposed web servers and other types of server workloads (35 percent)
    • Lack of multi-factor authentication for access to key services (33 percent)

Shifting responsibility and security

Organizations are moving more business-critical workloads to the cloud than ever before, but growing cloud consumption has created new blind spots as IT teams and cloud service providers work to understand their individual responsibilities in securing data. Shifting responsibility is clearly a huge issue, and confusion has left IT security teams scrambling to address a growing threat landscape.

  • Nearly 90 percent of companies are using SaaS and 76 percent are using IaaS. 50 percent expect to move all their data to the cloud in the next two years.
  • Shared responsibility security models are causing confusion. Only 8 percent of IT security executives state that they fully understand the shared responsibility security model.
  • 70 percent of IT professionals think too many specialized tools are required to secure their public cloud footprint.
  • 75 percent of IT professionals have experienced data loss from a cloud service more than once.

It’s time to build a security-first model

To address increasing data security concerns and trust issues, cloud service providers and IT teams need to work together to build a security-first culture. This includes hiring, training, and retaining skilled IT security professionals, and constantly improving processes and technologies to help mitigate threats in an increasingly expanding digital world.

  • 69 percent of organizations report their CISO reactively responds and gets involved in public cloud projects only after a cybersecurity incident has occurred.
  • 73 percent of organizations have or plan to hire a CISO with more cloud security skills; over half of organizations (53 percent) have added a brand new role called the Business Information Security Officer (BISO) to collaborate with the CISO and help integrate security culture into the business.
  • 88 percent of IT professionals feel that within the next three years, the majority of their cloud will use intelligent and automated patching and updating to improve security.
  • 87 percent of IT professionals see AI/ML capabilities as a “must-have” for new security purchases in order to better protect against things like fraud, malware and misconfigurations.

shifting responsibility security

“The lift-and-shift of critical information to the cloud over the last couple of years has shown great promise, but the patchwork of security tools and processes has led to a steady cadence of costly misconfigurations and data leaks. Positive progress is being made, though,” said Steve Daheb, Senior Vice President, Oracle Cloud.

“Adopting tools that leverage intelligent automation to help close the skills gap are on the IT spend roadmap for the immediate future and the C-level is methodically unifying the different lines of business with a security-first culture in mind.”

“In response to the current challenging environment, companies have accelerated the movement of workloads, and associated sensitive data, to the cloud to support a new way of working, and to help optimize cost models. This is exposing existing vulnerabilities and creating new risks,” said Tony Buffomante, Global Co-Leader and U.S. Leader of KPMG’s Cyber Security Services.

“To be able to manage that increased threat level in this new reality, it is essential that CISOs build security into the design of cloud migration and implementation strategies, staying in regular communication with the business.”

May 2020 Patch Tuesday forecast: Time for a break?

It’s been a hectic month for everyone worldwide, but we may get a small break in the action this patch Tuesday. The forecast for May is looking light on updates, which will be a relief to many IT professionals busy dealing with increasing threats and the challenges of remote system management.

May 2020 Patch Tuesday forecast

COVID-19 exploitation

Threat actor activity around COVID-19 exploitation increased dramatically in April. The US Department of Homeland Security and the UK National Cyber Security Centre issued a joint advisory in early April, warning about this increasing activity. This advisory provides a detailed summary of several attacks and valuable links to actions you can take for mitigation.

The number of reported COVID-themed attacks, particularly phishing, have risen more than 475 percent according to this blog from BitDefender Labs and that was in March. Coupled with this rising threat is the challenge of managing a now dispersed work force on previously unused remote and BYOD devices, resulting in a higher risk of a security breach.

IT departments are stretched to the limit, ‘keeping the lights on’ for many businesses and they have little time to deal with the added complexities of deploying regular security updates to these devices.

Oracle

Oracle released their Critical Patch Updates (CPU) last month which happened to coincide with April Patch Tuesday (it is usually the week after). They had 399 updates across their entire product line. These included updates for Java 7, 8, 11, and 14. A total of 15 vulnerabilities were addressed with CVE-2020-2803 having the highest base CVSS 3.0 score at 8.3.

If you are running the Java JRE in your environment, please update your 7 or 8 versions. If you are developing applications with Java, get the latest 11 or 14 updates to ensure these vulnerabilities are addressed. The next Oracle CPU is scheduled for July.

Microsoft

One break last month came from Microsoft when they delayed the end-of-support date for the Enterprise and Education versions of Windows 10 1709 to October 13, 2020 and the SharePoint 2010 Family – SharePoint Foundation 2010, SharePoint Server 2010, and Project Server 2010 – to April 13, 2021. There was a sigh of relief from a few people.

Also last month, Microsoft addressed 113 CVEs in the patch Tuesday release, which included fixes to font vulnerabilities CVE-2020-1020 and CVE-2020-0938 associated with Advisory 20006. With record numbers of CVEs being fixed each month and the growing threat actor activity, it is more important than ever to keep your systems up-to-date with these latest releases.

May 2020 Patch Tuesday forecast

  • Microsoft should release a.NET update this month in addition to the usual OS and application set. We’ll see if the high number of resolved CVEs continues.
  • Expect new servicing stack updates (SSUs) for select operating systems this month; most have been getting periodic updates.
  • The Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 should be released on Patch Tuesday as usual. Also be aware that Microsoft released an updated licensing preparation package this week under KB 4538483.
  • We should see Windows 10 2004, the May release as it is being called, either next Tuesday or soon thereafter.
  • Google released a security update for Chrome 81 this week.
  • Similarly, Mozilla provided security updates this week for Firefox 76, Firefox ESR 68, and Thunderbird 68.
  • The last security updates for Adobe Acrobat and Reader were in March; we may see an update this month, but Adobe has been releasing major security updates quarterly, so this is more likely to occur in June.

The adage says we should soon see May flowers. With most of the third-party vendors releasing their security updates this week we should have a light patch Tuesday coming. Take some time and smell those roses. After this past month we’ve all earned it.

Cloud-native security considerations for critical enterprise workloads

Since the advent of the public cloud as a viable alternative to on-premise systems, CIOs and CISOs have been citing security as one of the top concerns when it comes to making the switch.

While most of their worries have abated over the years, some remain, fuelled by the number of data leak incidents, mainly arising from misconfiguration.

cloud-native security considerations

Johnnie Konstantas, Senior Director, Security Go to Market at Oracle, says that the main reason we are seeing so many headlines around sensitive data leaks and loss is that there are almost too many security tools offered by public cloud providers.

Making cloud security administration less person-intensive and error-prone

“Public clouds are, by and large, homogeneous infrastructures with embedded monitoring capabilities that are ubiquitous and have centralized security administration and threat remediation tools built on top,” Konstantas told Help Net Security.

But cloud customers must train anew on the use of these tools and be properly staffed to leverage them and to coordinate amongst the various security disciplines – and this is hard to do as cybersecurity expertise is at historic shortage.

“Customers don’t want more tools, they want the benefit of cloud service provider innovation and expertise to address the challenge. At this point, we need reliable, accurate security configuration management and threat response that is automated,” Konstantas opined.

This is the direction in which she expects cloud-native security to go in the next five years. She believes we are likely to see a shift away from discussions about the shared responsibility model and more toward making customers cloud security heroes through automation.

Automation really is central to effective cloud security. Just take the example of data and consider the volume of data flowing into cloud hosted data bases and data warehouses. Classifying the data, identifying PII, PHI, credit cards etc., flagging overly permissioned access, and requiring additional authorization for data removal – all these things have to be automated. Even the remediation, or prevention of access needs to be automated,” she noted.

Cloud providers will have to break through customers’ fear that automated security means breaking business by over-reacting to false positives, but those that find a way to excel in using machine learning, model tuning and artificial intelligence for effective and accurate automated threat prevention will deservedly earn customer confidence – and not a moment too soon.

Is it safe to put critical enterprise workloads in the public cloud?

Without a doubt, the public cloud has proven a worthy alternative to private data centers by offering high resilience to threats and rapid security incident recovery. But not all public cloud providers are the same when it comes to expertise or built-in security.

Organizations with sensitive data and workloads must find those that will offer adequate security, and can do so by asking many questions and evaluating the answers.

Konstantas proposes the following (though the list isn’t exhaustive):

  • What are your data protection, detection, response and recovery capabilities for both structured (database) and unstructured (object storage) data?
  • How do you protect against hypervisor-based attacks, cross tenant infection, hardware-based attacks?
  • Which customer-controlled security functions are built into your cloud and are they charged for?
  • Which parts of security configuration, detection and threat remediation are automated on your platform and to which services do they apply (i.e. IaaS, PaaS, SaaS)?

For the CISO that has to work with the CIO to lead a massive migration of the organization’s data to the cloud, she advises to get as much visibility into the project as possible.

“CISOs need to prepare answers for how the organization will meet its regulatory and compliance obligations for the data during the migration and once fully operational in the cloud,” she explained.

Again, there are many questions that must be answered. Among them are:

  • How will security coverage look after the migration as compared to what is being done on premises?
  • How will security posture visibility and effectiveness increase?
  • What cost savings will be incurred on security spend by adopting built-in cloud security?
  • How will holistic cloud security posture be communicated to the CIO and board of directors?

“If the CISO is working with a cloud security provider that understands critical enterprise workloads, they will have ample support and guidance in preparing and documenting these answers because enterprise-focused CSPs have deep experience with the specific requirements of global companies, complex enterprise applications and data residency and sovereignty requirements. Enterprise-focused CSPs staff teams ready to share those insights and furnish the proof points customers require,” she concluded.

Infosys leverages Oracle-based cloud solutions to enable orgs to transform into live enterprises

Infosys, a global leader in next-generation digital services and consulting, leverages Oracle Cloud technologies to empower businesses across Europe to transform into ‘Live Enterprises’, helping them drive intuitive decisions, automate processes, create new user experiences and reinvent businesses for accelerated growth.

One such organisation that has transformed its way of working, in collaboration with Infosys and leveraging Oracle technology, is the University of Nottingham. The UK-based institution wanted to overhaul its academic and student management system to improve productivity and drive growth.

To address the complex IT infrastructure that was previously in place, the university rolled out Oracle’s PeopleSoft Campus Solutions in partnership with Infosys, which is detailed in this case study. The new integrated system is expected to bring dramatic productivity and user experience improvements for both employees and students.

Digital security leader Gemalto, a Thales company, has also enhanced its operations leveraging the Infosys and Oracle alliance, by setting up a robust single source of master data management and improving data integrity.

Rémi Médevielle, Global ERP Program Director at Gemalto, a Thales company, commented: “We undertook an ambitious digital transformation project to integrate our ERP platforms into a single, shared global platform.

“Our partner, Infosys helped guide us in streamlining and optimizing key processes and automating workloads, ultimately resulting in significant improvements in data integrity and management across our team.”

Meanwhile, bpost, Belgium’s leading postal operator, worked with Infosys to replace a previous Oracle ERP solution with a new system using Oracle Cloud Solutions. This enabled the company to streamline its business processes, while also reducing the cost of future support and maintenance.

Olivier Hernandez, CIO Corporate Services at bpost, commented: “Infosys has been a key partner in shaping our work to transform our organisation’s digital processes.

“Whilst many of our processes were previously manual, with the new Oracle Digital Platform we have been able to automate and gather actionable insights on our Sourcing, Procure to Pay and Record to Record processes. Infosys worked with us to optimise and consolidate this using Oracle Cloud Solutions, greatly streamlining our operations.”

“We’re delighted to see continued momentum amongst our customers in Europe as they embark upon their Live Enterprise journey with Oracle-based solutions,” said Dinesh Rao, Executive Vice President, Enterprise Applications Services at Infosys.

“Europe is a region of intense growth and focus for us, as we continue to invest in our localisation offering here. Together with our partnership with Oracle, Infosys is uniquely positioned to empower our customers with the latest next-generation technologies and agile business processes that increase efficiency, maximise productivity, and improve the user and customer experience, ultimately accelerating our clients’ transformation on their Live Enterprise journey.”

Infosys is a Platinum Cloud Elite level member of Oracle PartnerNetwork (OPN), and the Infosys Oracle collaboration spans across a wide variety of technologies including but not limited to ERP, IaaS, PaaS, SaaS, SCM, HCM, CX, Autonomous Database and Oracle Cloud.

DOL’s $400M pay-discrimination suit is unconstitutional, Oracle argues

Glass skyscraper with Oracle logo on front.

Enlarge / Regional headquarters of software company Oracle in San Jose, California, April 13, 2019.

As a long-running Department of Labor suit against Oracle heads in front of a judge this week, Oracle is fighting back by arguing that the DOL’s suit, alleging violation of labor laws, is unconstitutional.

The DOL filed suit against Oracle in 2017, alleging that the company had a broad, systemic pay discrepancy that underpaid women and people of color employed by the firm by a total $401 million in a four-year period. Analyses conducted by the department, as well as by independent third parties, found women were being paid between $13,000 and $20,000 less per year, on average, than their male peers.

The hearings in the case began today. The DOL is expected to call more than 20 current and former employees as witnesses in the case over the next week or two of proceedings.

This kind of complaint, however, does not go into the regular federal court system. Instead, it goes before an administrative law judge—a different office within the Department of Labor. More than 30 different federal agencies use this model, including the Federal Trade Commission, the Federal Communications Commission, and the Food and Drug Administration.

Just before Thanksgiving, Oracle, in its own words, filed a suit “challenging the legality of the system” of administrative law judges. That system, Oracle claims, violates both the US Constitution as well as several federal laws.

“The government’s case rests on false allegations, cherry-picked statistics, and erroneous and radical theories of the law,” Oracle said about the suit. “The Labor Department’s nonsensical claims underscore the need for the federal courts to declare the Department of Labor’s current enforcement system unconstitutional.”

The backstory

The 2017 DOL complaint (PDF) alleged that white men employed by Oracle received significantly more pay than women, black, or Asian employees of the firm, even when controlling for “job title, full-time status, exempt status, global career level, job specialty, estimated prior work experience, and company tenure.”

Between 2013 and the time the suit was filed in 2017, the DOL found, the salaries women received as compared to their male peers were between 2.71 and 8.41 standard deviations lower, depending on job category. The salary paid to black employees, adjusted for the same variables, had a standard deviation 2.10 lower than the compensation for white men, and for Asian employees the difference was -6.55. Oracle also showed hiring bias in certain roles, disproportionately staffing them with those (lower-paid) Asian employees, the DOL said, particularly individuals of Indian descent. In one six-month time span in 2013, 82 percent of hires in one job group were identified as Asian.

Three women who had by that point left their jobs with Oracle also filed a separate suit in 2017, alleging a pattern of gendered discrimination in pay and other unfair practices in violation of California labor law. The plaintiffs in that suit are seeking class-action status to represent a group of about 4,200 employees.

Oracle bites back

The DOL complaint not only seeks financial restitution for all the affected employees but also to make Oracle cancel its general contracts while being barred from taking on new ones. That would be an enormous blow for Oracle, which still relies on federal money despite recently missing out on a $10 billion contract with the Department of Defense. (Oracle is suing the DOD over the contract, which ultimately went to Microsoft.)

Against that backdrop, it is perhaps unsurprising that Oracle sued back. In its complaint, (PDF), Oracle called the DOL action “unprecedented overreach” and argued that the system is “coercive” and self-serving.

“Without authority from any Act of Congress—indeed, in contravention of congressional legislation—a group of unelected, unaccountable, and unconfirmed administrative officials have cut from whole cloth this adjudicative agency-enforcement scheme,” Oracle argued.

Oracle’s suit is extremely unusual, Bloomberg Law reported today. While other companies have pushed back against rulings and data requests from this particular bureau, the Office of Federal Contract Compliance Programs (OFCCP), none has legally challenged its existence or authority in almost 40 years.

Legal experts who spoke to Bloomberg Law said there would be huge ramifications if Oracle were to win and the OFCCP “would cease to exist.” That said, however, several experts Bloomberg interviewed seem to view that as unlikely, instead considering the suit a “Hail Mary” move, typical of the company.

GitHub Security Lab aims to make open source software more secure

GitHub, the world’s largest open source code repository and leading software development platform, has launched GitHub Security Lab. “Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” said Jamie Cool, VP of Product Management, Security at GitHub. GitHub Security Lab GitHub Security Lab is a program aimed at researchers, maintainers, and companies that want to contribute to the overall security of open source software. Current … More

The post GitHub Security Lab aims to make open source software more secure appeared first on Help Net Security.