Enterprise Security Lessons from Oracle’s Reported Breaches

It’s been a rough few weeks for Oracle. 

Not only is the FBI reportedly investigating the theft of patient data from legacy servers at Oracle’s healthcare arm, but security researchers have presented evidence that hackers exploited a vulnerability allowing access to Oracle Cloud infrastructure, potentially impacting approximately 6 million records from over 140,000 tenants. Oracle has denied the Cloud-related claims.

Security breaches are often linked to four main attack vectors: Legacy infrastructure, credential attacks, social engineering such as phishing attacks, and forgotten software bugs, said Sharon Auma-Ebanyat, Research Director at Info-Tech Research Group. “What a lot of hackers are looking for are the places people are not paying attention to,” said Auma-Ebanyat.

“Organizations need to prioritize cybersecurity at a much higher level than they’ve normally done,” she added.

The alleged breaches highlight the risk presented by a lack of visibility on third-party software and technologies, said Joe Silva, co-founder and CEO of cybersecurity firm Spektion. By its nature, third-party software is entirely external, said Silva, meaning there’s little visibility into the underlying risk and vulnerabilities that a software provider may face, and few security controls that an enterprise can apply. 

“Enterprises need to take a harder look at the amount of risk and volatility that they’re carrying associated with third-party providers that are handling critical data and critical services,” said Silva. 

The best way for organizations to handle the issue when using third-party software is to know what you’re in for if something goes awry, said Silva. 

• Having a “tolerance for ambiguity” when you’re relying on a third-party provider can allow your business to account for vulnerabilities before they become problems, he added. “Knowing that you’re not going to have good visibility into underlying security issues – you have to understand and have an organizational risk tolerance for that.”
• Software providers, meanwhile, should be held up to a higher standard for continuous monitoring of vulnerabilities, said Silva. This is especially true if these providers are handling business-critical operations that, “if exploited, would have a huge blast radius,” he said. 

“Enterprises need to demand the same type of continuous monitoring and runtime visibility into risk that they would have on critical data and services within their sphere of control,” Silva added.