Maintaining High Level of Information Security During the COVID-19 Pandemic

As more people are forced to work from home during this pandemic, it is important to maintain a high level of security to safeguard the company’s information assets as well as its employees. Endpoints such as laptops are more vulnerable when they are used at home and not connected to the corporate network. Stressed-out employees are more prone to social-engineering attacks, and they may visit sites that are usually blocked by the corporate firewall. Not surprisingly, this is also the best time for bad actors to take advantage of the situation.

To mitigate these risks, the company’s security office should work with the IT department in implementing the following security measures:

  1. Enhance user security awareness by using creative ways to make users pay attention to the message, such as short videos instead of just email. Emphasize COVID-19-themed scams, phishing emails, and phishing websites.
  2. Identify and monitor high-risk user groups. Some users, such as those working with personally identifiable information (PII) or other confidential data, pose more risk than others, and their activity should be closely monitored. 
  3. Make sure all laptops have the latest security patches.  Critical servers that are accessed remotely should also have the latest security patches.
  4. Critical servers should only be accessed via virtual private network (VPN).
  5. Users connecting to the corporate network via VPN should use multi-factor authentication (MFA). Corporate applications in the cloud should also use MFA.
  6. If your Virtual Desktop Infrastructure (VDI) can handle the load, users should use virtual desktops in accessing corporate applications.
  7. To support the large number of users working remotely, IT should add capacity to network bandwidth, VDI, VPN, and MFA services.
  8. Validate and adjust incident-response (IR) and business-continuity (BC)/disaster-recovery (DR) plans.
  9. Expand monitoring of data access and endpoints, since the usual detection mechanisms such as IDS/IPS, proxies, etc. will not secure users working from home.
  10. Clarify incident-response protocols. When a breach occurs, security teams must know how to report and take action on it.

Source: https://www.mckinsey.com/business-functions/risk/our-insights/cybersecurity-tactics-for-the-coronavirus-pandemic

Encrypting In-flight Oracle RMAN Database Backup via DD Boost

To secure Oracle database backups from a DB server to a Data Domain system, DD Boost for RMAN encryption can be enabled so that RMAN backup data is encrypted after deduplication at the Oracle server and before it is transmitted across the network. Because the encryption happens after deduplication and before the segment leaves the Oracle server (in-flight encryption), deduplication ratios on the Data Domain system do not suffer. In contrast, if Oracle RMAN encryption is used, the data is encrypted first, so it does not deduplicate and the deduplication ratio suffers.

In-flight encryption enables applications to encrypt in-flight backup or restore data over the network from the Data Domain system. When configured, the client is able to use TLS to encrypt the session between the client and the Data Domain system.

To enable in-flight encryption for backup and restore operations over a LAN, run the following command on the Data Domain:

# ddboost clients add client-list [encryption-strength {medium | high} authentication-mode {one-way | two-way | anonymous}]

This command can enable encryption for a single client or for a set of clients.

The specific cipher suite used is either ADH-AES256-SHA, if the HIGH encryption option is selected, or ADH-AES128-SHA, if the MEDIUM encryption option is selected.

The authentication-mode option is used to configure the minimum authentication requirement. A client trying to connect by using a weaker authentication setting will be blocked. Both one-way and two-way authentication require the client to be knowledgeable about certificates.

For example:

# ddboost clients add db1.domain.com db2.domain.com encryption-strength high authentication-mode anonymous

To verify:

# ddboost clients show config
Client          Encryption Strength  Authentication Mode
*               none                 none
db1.domain.com  high                 anonymous
db2.domain.com  high                 anonymous
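
An added example, not part of the original post or of Dell EMC's tooling: a short Python audit of the listing above that flags entries below a chosen minimum. The minimums, the weakest-to-strongest ordering of the values, the reading of the * row as the default for unlisted clients, and the function names are assumptions of this example.

```python
# Added example: audit the output of `ddboost clients show config`.
# SAMPLE is the listing shown in the post; the policy minimums are assumptions.

SAMPLE = """\
Client          Encryption Strength  Authentication Mode
*               none                 none
db1.domain.com  high                 anonymous
db2.domain.com  high                 anonymous
"""

# Assumed ordering, weakest to strongest. "anonymous" encrypts the session
# but checks no certificate, so neither end proves its identity.
STRENGTH = {"none": 0, "medium": 1, "high": 2}
AUTH = {"none": 0, "anonymous": 1, "one-way": 2, "two-way": 3}


def parse_clients(text):
    """Return {client: (encryption_strength, authentication_mode)}."""
    clients = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the header row and any dashed separator row.
        if len(fields) != 3 or set(line) <= set("- "):
            continue
        clients[fields[0]] = (fields[1].lower(), fields[2].lower())
    return clients


def audit(clients, min_strength="high", min_auth="one-way"):
    """Return (client, reason) pairs for entries below the minimums.

    The "*" row is assumed to be the default for clients not listed by
    name, so a weak "*" row means unlisted hosts connect unprotected.
    Unknown values are treated as the weakest setting.
    """
    findings = []
    for name, (strength, auth) in sorted(clients.items()):
        if STRENGTH.get(strength, 0) < STRENGTH[min_strength]:
            findings.append((name, f"encryption-strength {strength}"))
        if AUTH.get(auth, 0) < AUTH[min_auth]:
            findings.append((name, f"authentication-mode {auth}"))
    return findings


if __name__ == "__main__":
    for client, reason in audit(parse_clients(SAMPLE)):
        print(f"{client}: {reason} is below policy")
```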

Using BoostFS to Backup Databases

If your company is using a DellEMC Data Domain appliance to back up your databases, you are probably familiar with DD Boost technology. DD Boost increases backup speed while decreasing network bandwidth utilization. In the case of Oracle, it has a plugin that integrates directly into RMAN. RMAN backs up via the DD Boost plugin to the Data Domain. It is the fastest and most efficient method to back up Oracle databases.

However, some database administrators are still more comfortable with performing cold backups. These backups are usually dumped to the Data Domain via an NFS mount. This is not the most efficient way to back up large databases, as they are not deduplicated before being sent over the network, thus consuming a lot of bandwidth.

Luckily, DellEMC created the product BoostFS (Data Domain Boost Filesystem) which provides a general file-system interface to the DD Boost library, allowing standard backup applications to take advantage of DD Boost features.   In the case of database cold backup, instead of using NFS to mount the Data Domain, you can use BoostFS to stream the cold backups to the Data Domain, thus increasing backup speed and decreasing network bandwidth utilization. In addition, you can also take advantage of its load-balancing feature as well as in-flight encryption.

To implement BoostFS, follow these steps:

1. DDBoostFS is dependent on FUSE.  So before installing DDBoostFS, install fuse and fuse-libs first.

2. Edit the configuration file /opt/emc/boostfs/etc/boostfs.conf, specifying the Data Domain hostname, DD storage-unit, username, security option, and whether to allow users other than the owner of the mount to access the mount.  This is useful if you are using the same storage-unit for multiple machines.

3. Create the lockbox file, if you specified lockbox as the security option.  This is the most popular choice.

4. Verify that the host has access to the storage using the command /opt/emc/boostfs/bin/boostfs lockbox show-hosts

5. Mount the new boostfs storage unit using the command /opt/emc/boostfs/bin/boostfs mount

6. To retain the mount after reboots, add the boostfs entry to /etc/fstab

For more information, visit the DellEMC support site.

Automating Security

One of the most exploited security weaknesses leading to data breaches is device misconfiguration. Some of these misconfigurations are:

  • Not changing the default passwords
  • Not cleaning up unused user accounts
  • Failing to remove unused / temporary access
  • Inability to cope with changes
  • Overly complex policies
  • Creating incorrect or non-compliant policies
  • Changing wrong policies

Unlike flaws in the security devices themselves, misconfigurations can be mitigated by enforcing strict procedures as well as by automation. Automating security configuration will eliminate human errors amidst a complex and rapidly changing environment.  For instance, operating system images can be defined as templates that have been hardened with the necessary configurations.  Orchestration tools such as Puppet, Ansible, or Chef are then used to deploy and apply them automatically.

How to Permanently Delete Data in the Cloud

In the pre-cloud era, to permanently delete data, the sectors on the physical disk must be overwritten multiple times with zeros and ones to make sure the data is unrecoverable. If the device will not be re-used, it must be degaussed. The Department of Defense standard, DoD 5220.22-M, goes so far as destroying the physical disk through melting, crushing, incineration or shredding to completely get rid of the data.

But these techniques do not work for data in the cloud. First, cloud customers probably will not have access to the provider’s data centers to access the physical disks. Second, cloud customers do not know where they are written, i.e. which specific sectors of the disk, or which physical disks for that matter. In addition, drives may reside on different arrays, located in multiple availability zones, or data might even be replicated in different regions.

The only way to permanently erase data in the cloud is via crypto-shredding. It works by deleting the encryption keys used to encrypt the data. Once the encryption keys are gone, the data cannot be recovered. So it is imperative that data be encrypted even before it is put in the cloud. Unencrypted data in the cloud will be impossible to permanently delete. As a cloud customer, it is also important that you, and not the cloud provider, own and manage the encryption keys.
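
An added example, not from the original post: crypto-shredding in Python, with one customer-held key per dataset and ciphertext replicated in provider storage. The seal/unseal functions are a dependency-free stand-in for an AEAD cipher such as AES-GCM, and the key store, dataset names and replica layout are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Added example: crypto-shredding with customer-held keys.
# seal()/unseal() are a dependency-free stand-in for an AEAD such as AES-GCM
# (HMAC-SHA256 keystream plus HMAC tag); use a vetted cipher in practice.


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    blocks = range((len(data) + 31) // 32)
    stream = b"".join(_mac(key, nonce + i.to_bytes(8, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Return nonce || ciphertext || tag under a 32-byte data key."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_mac(key, b"enc"), nonce, plaintext)
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(_mac(key, b"enc"), nonce, ct)


def demo():
    # Hypothetical customer-side key store: one data key per dataset,
    # held outside the provider.
    keys = {"hr": secrets.token_bytes(32), "crm": secrets.token_bytes(32)}
    # Constructed provider-side storage: replicas the customer cannot
    # locate or overwrite.
    cloud = {name: [seal(keys[name], data)] * 3
             for name, data in (("hr", b"payroll"), ("crm", b"contacts"))}
    del keys["hr"]  # crypto-shred: destroy the key, leave every replica alone
    try:
        hr = unseal(keys["hr"], cloud["hr"][0])
    except KeyError:
        hr = None  # ciphertext is still stored, but nothing can decrypt it
    return hr, unseal(keys["crm"], cloud["crm"][2]), len(cloud["hr"])
```

Shredding holds only if every copy of the key is destroyed, including key backups and exports.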

Characteristics of a True Private Cloud

A lot of companies like to claim that their internal IT infrastructure is a “private cloud.”  But what really qualifies as a “cloud?”  According to ISC2 (International Information System Security Certification Consortium), ISO/IEC 17788, and NIST, a true private cloud must have the following characteristics similar to a public cloud such as AWS or Azure.

1. On-demand self-service.  This characteristic enables the provisioning of cloud resources including compute, storage and network whenever and wherever they are required.  It allows self-provisioning where the user can setup, manage or operate the cloud services without assistance from the cloud provider or IT personnel.

2. Broad network access. The cloud should always be available and accessible anytime and anywhere.  Users should have widespread access to their compute resources as well as their data at home, office, or on the road, using any device such as laptop, desktop, smartphone or tablet.

3. Resource pooling. A cloud typically has a large number of compute, storage, and network devices as well as sophisticated applications which can be pooled to address various user needs. These resources can be scaled and adjusted to meet user workloads or requirements.

4. Rapid elasticity.  This allows the user to obtain additional compute, storage, network and other resources as their workload requires.  This is often automated and transparent to the user.

5. Measured service.  This is a critical component for a cloud service because this is the only way the user can be charged back for its use of the resources.  A cloud should be able to measure, control, and report the user’s usage of resources. 

Most companies probably meet one or two of the above criteria.  Resource pooling, for instance, is one of them because of the widespread use of virtualization technology.  However, they usually struggle to provide measured service, as they usually over-provision resources and are unable to quantify usage.

For the most part these companies are still traditional IT.   Without all of the cloud computing characteristics, it is simply not possible to deliver and maintain a reliable service to the rapid and changing requirements of the business.

Practical Research 2: Exploring Quantitative Research, 2nd Edition

About the book:
This book features the step-by-step process of quantitative research. It aims to develop critical thinking and problem-solving skills.

DepEd K-12 Curriculum Compliant
Outcomes Based Education (OBE) Designed
Grade Level: Grade 12 
Semester: 1st Semester
Track: Applied Track
Authors: Garcia M, Palencia J, Palencia M.
ISBN: 978-621-436-006-2
Edition: Second Edition
Year Published: 2019
Language: English
No. of pages: 368
Size: 7 x 10 inches

Contents:
CHAPTER 1 – Nature of Inquiry and Research
CHAPTER 2 – Identifying Inquiry and Formulating Statement of the Problem
CHAPTER 3 – Learning from Others and Reviewing the Literature
CHAPTER 4 – Understanding Data and Ways to Systematically Collect Data
CHAPTER 5 – Finding Answers through Data Collection
CHAPTER 6 – Reporting and Sharing Findings

CONTACT INFORMATION:

https://www.azespublishing.com

Bank Drive, Ortigas Center, 
Mandaluyong City, Philippines 1550 
Landline: +63 2 8515-9557 
Globe: +63 967-236-7338 
Smart: +63 961-362-2635 
sales@azespublishing.com 
azespublishingcorp@gmail.com 

Authorized Online Distributors

LAZADA 1

LAZADA 2

SHOPEE 1 

SHOPEE 3

CAROUSELL

Practical Research 1: Basics of Qualitative Research, 2nd Edition

About the book:
This book aims to develop critical thinking and problem-solving skills through qualitative research.

DepEd K-12 Curriculum Compliant
Outcomes Based Education (OBE) Designed
Grade Level: Grade 11
Semester: 2nd Semester
Track: Applied Track
Authors: Garcia M, Palencia J, Palencia M.
ISBN: 978-621-436-007-9
Edition: Second Edition
Year Published: 2019
Language: English
No. of pages: 384
Size: 7 x 10 inches

Contents:
Chapter 1 – Nature of Inquiry and Research 
Chapter 2 – Qualitative Research and Its Importance in Daily Life
Chapter 3 – Identifying the Inquiry and Stating the Problem
Chapter 4 – Learning from Others and Reviewing the Literature
Chapter 5 – Understanding Data and Ways to Systematically Collect Data
Chapter 6 – Finding Answers Through Data Collection
Chapter 7 – Analyzing the Meaning of the Data and Drawing Conclusions
Chapter 8 – Reporting and Sharing the Findings

21st Century Literature from the Philippines and the World, 3rd Edition

About the book:

This textbook engages students in the appreciation and critical study of 21st Century Literature from the Philippines and the World encompassing their various dimensions, genres, elements, structures, contexts, and traditions.

Chapters 1 to 5 are literary texts from the Philippines and the representative writings from the different regions of the country and from the National Artists for Literature.

Chapters 6 to 11 are representative texts from the different continents of the world originally written in the 21st century.

21st century literatures are literary works written and published at the latter part of the 21st century (from 2001 onwards). These works are often characterized as gender sensitive, technologically alluding, and culturally pluralistic, as operating on extreme reality or extreme fiction, and as questioning conventions and supposedly absolute norms.

DepEd K-12 Curriculum Compliant
Outcomes Based Education (OBE) Designed
Grade Level: Grades 11/ 12
Semester: 1st Semester
Strands: ABM, HUMSS, STEM, GAS
Authors: Palencia M, Cruz J.
ISBN: 978-621-436-029-1
Edition: Third Edition
Year Published: 2019
Language: English
No. of pages: 400
Size: 7 x 10 inches

Contents:

Chapter 1 – 21st Century Philippine Literature
Chapter 2 – History of Philippine Literature
Chapter 3 – Philippine Literary Canon
Chapter 4 – National Artists for Literature
Chapter 5 – Selected Texts in 21st Century Philippine Literature
Chapter 6 – 21st Century World Literature
Chapter 7 – 21st Century Asian Literature
Chapter 8 – 21st Century Anglo-American Literature
Chapter 9 – 21st Century Continental European Literature
Chapter 10 – 21st Century Latin American Literature
Chapter 11 – 21st Century African Literature
Chapter 12 – Critical Approaches to Literature

Creative Writing, 2nd Edition

About the book:
This textbook aims to develop practical and creative skills in reading and writing; introduce students to the fundamental techniques of writing fiction, poetry, and drama; and discuss the use of such techniques by well-known authors in a variety of genres. Activities are devoted to the examination of techniques and to the workshop of students’ drafts toward the enrichment of their manuscripts. Students will learn how to combine inspiration and revision, and to develop a sense of form.

DepEd K-12 Curriculum Compliant
Outcomes Based Education (OBE) Designed
Grade Level: Grades 11/ 12
Semester: 1st Semester
Strands: HUMSS, GAS
Authors: Palencia M, Chancoco J, Garcia M.
ISBN: 978-621-436-021-5
Edition: Second Edition
Year Published: 2019
Language: English
No. of pages: 352
Size: 7 x 10 inches

Contents:
Chapter 1 – In Your Write Mind: Following the Writer’s Trade
Chapter 2 – The Process of Writing: Whatever Works
Chapter 3 – Reading and Writing Poetry: For Better or Verse
Chapter 4 – Reading and Writing Fiction: The Long and Short of It
Chapter 5 – Reading and Writing Drama: Finding the Shakespeare in You
Chapter 6 – Final Output – Writing Prompts for Poems, Stories and Drama
