Security is a hot topic in the news today, and we believe Oracle has chosen a dangerous, troubling and unethical strategy of hyping security threats using a security scare campaign of misleading and inaccurate statements and hyperbole. The campaign is being executed via a multi-faceted approach. For example, Oracle has sent letters to client executive management, authored blog posts, published a special web site and has even cited cyber-attacks that do not relate to Oracle products.

Why?

74% of customers planning to reduce spend with Oracle2

37% Rimini Street compound annual growth rate3

We believe Oracle has chosen to pursue using this scare campaign for its own business purposes – such as to try and pressure customers into performing otherwise unwanted and expensive software upgrades or purchasing otherwise unneeded product licenses. We also believe Oracle is attempting to protect its very profitable annual support revenues as an increasing number of Oracle licensees switch from expensive and poorly-rated Oracle support to a more innovative, responsive and award-winning annual support program like Rimini Street support that that can save customers up to 90% in total annual support costs and has been successfully utilized by more than 2,600 clients around the world for over a decade.

Further evidence that we believe makes Oracle’s true intentions clear includes the fact that, unlike many major software companies such as SAP, Microsoft and Cisco, Oracle does not provide security patches and updates to their paid licensees without cost.

However, unfortunately for Oracle, their scare campaign is also giving customers the opportunity to learn about the significant potential risks and challenges with Oracle's dated, costly and ineffective software patch and update model for security remediation, and learn more about the alternative modern, innovative and holistic security solutions available from Rimini Street Global Security Services and other leading security vendors.

In an apparent attempt to protect its profitable annual support fees from competition, one goal of Oracle’s security scare campaign appears to be aimed at Oracle licensees who have already switched or are considering switching their annual support from Oracle to Oracle’s largest and fastest growing annual support competitor globally, Rimini Street.

Below we separate Oracle hype from the facts:

ORACLE HYPETHE FACTS

"Q. [Mr. Ravin] said it was called holistic security….Do you have any reaction to that?
 A. I do. That’s totally ridiculous. It’s completely and totally ridiculous.”4

Edward Screven, Chief Corporate Architect at Oracle
(Trial testimony as excerpted by Oracle)

In Oracle's own published document: “Oracle takes a holistic approach to information security, implementing a layered defense security strategy”.- Oracle Security Practices, White Paper, Feb 2017 5
From an Oracle sponsored report: “A holistic strategy is often required at multiple levels”.6
The Department of Homeland Security, Office of Inspector General, advises "[DHS] must take a holistic approach to cybersecurity and infrastructure protection". 7
Microsoft invested $1 Billion in Holistic Security. 8

Virtual patching* is an “inadequate response to real-world security challenges”9

* Virtual Patching (external patching, vulnerability shielding) "refers to establishing a policy enforcement point that is external to the resource being protected, to identify and intercept exploits of known vulnerabilities before they reach their target."13

** Compensating controls "refer to alternative countermeasures or safeguards put in place to mitigate specific security risks, in lieu of nominally recommended controls, as a result of legitimate technical or business constraints."14

Aberdeen Group research revealed leading performers are 2-times more likely to use virtual patching security. 10

Rimini Street cannot “close vulnerabilities” related to security 12

Rimini Street Advanced Database Security specifically provides protection against security vulnerabilities.

Rimini Street has successfully resolved hundreds of security cases for clients, including "prevention measure" cases to block suspected vulnerabilities.

As one Rimini Street client expressed about Rimini Street support, they “feel more protected than ever before.”13

Inferring third-party support is unable to keep your software secure from attacks like “WannaCry” and “Petya”14

These ransomware threats are irrelevant to Oracle products supported by Rimini Street. Oracle has not delivered any related fixes for such products either. This appears to just be a diversion.

Oracle support services are “Trusted, Secure, Comprehensive”15

Oracle downplays vulnerabilities "as less critical than they are" and apparently hiding them by disabling diagnostic output to show the contrary.16
The FTC sued Oracle for making allegedly deceptive security claims. Oracle entered into a consent order agreeing that they must not misrepresent the security of Java SE and Oracle must provide security instructions to its customers.17

* Virtual Patching is a policy enforcement point, external to the resource being protected, that identifies and intercepts exploits of vulnerabilities before they reach their target.19

** "Compensating controls, such as virtual patching," are "alternative countermeasures or safeguards put in place to mitigate specific security risks."20

Hidden behind Oracle's security scare campaign are real risks and challenges in their dated security patch and update model, known as Critical Patch Updates (CPUs). In the real world, we believe a CPU-centric security model may put licensees at risk with a false sense of comprehensive security protection that is not provided by Oracle’s CPUs.

Below we detail the risks, challenges and facts:

ORACLE CPU RISK & CHALLENGETHE FACTS

Oracle CPUs do not address all KNOWN vulnerabilities

Known vulnerabilities are the most dangerous.21 Oracle does not always provide a CPU to fix every vulnerability. See TNS Listener case study below.

Oracle CPUs do not address UNKNOWN vulnerabilities

Unknown vulnerabilities will always be present in software and sophisticated hackers will find them. Oracle CPUs only patch specific vulnerabilities instead of providing broader attack vector protection against risks such as generic injection, scripting and memory-based attacks.

Oracle CPUs are not always timely

Oracle does not consistently publish CPUs in a timely manner. For example, a July 2017 CPU release contained four database patches. One patch addresses a vulnerability from 2014 (CVE-2014-3566) and a second patch addresses an issue from 2016 (CVE-2016-2183).22

Oracle CPUs do not protect popular, older releases

In the real world, customers do not always run the most recent release of software. Oracle’s Lifetime Support Policy does not provide new CPUs to releases in Sustaining Support.23

74% of respondents from a recent survey have Oracle database instances that are no longer fully supported by Oracle and do not receive CPUs.24

Oracle CPUs are burdensome to apply due to costly regression testing of software code changes

The time, cost and risk of traditional Oracle security patching leads many organizations to delay or forego applying some or all Oracle CPUs—leaving their systems vulnerable.

CPUs change software code and can require significant testing and downtime, and can even create system problems.25

Mark Hurd, co‐CEO of Oracle states “customers have to secure tens of servers, tens of operating systems, tens of databases and they tend to be 14 to 18 months behind us in patching.26

The Aberdeen Group estimates patch management costs a mid-size organization $4 million annually in lost revenue and productivity.27

Oracle CPUs do not monitor, report and alert attempted attacks

Oracle CPUs do not provide important monitoring, reporting and alerts on attempted malicious behavior or actions required to help block attacks.

Case Study: 60% of Oracle Databases Vulnerable to TNS Listener Poison Attack28

One of the most infamous Oracle vulnerabilities was the TNS Listener Poison Attack (CVE-2012-1675) that was reported to Oracle in 2008. It took Oracle four years to respond to the reported vulnerability, and even when it did so, they did not provide a workaround until another year had passed and did not provide a patch for another year, totaling six years from vulnerability report to patch and then only for 12c. In 2016 60 percent of Oracle Databases assessed were still vulnerable to TNS:

"There is no single or set of defensive techniques or programs that will completely avert all malicious activities."

Department of Homeland Security29

Rimini Street does agree with Oracle on one thing – the importance of security and taking a proactive stance on the remediation of vulnerabilities.

However, the traditional vendor security patching model does not meet today's need for rapid, cost-effective remediation of vulnerabilities, especially in today's complex multi-vendor environments. Rimini Street strongly believes in a modern approach to security where remediation can occur through various strategies, processes and controls – not just through the application of vendor security patches.

Following suggestions from security experts, Rimini Street recommends a layered security strategy – also known as defense in depth and holistic security. This approach protects your applications and databases by blocking attack vectors and alerting the user to attempted attacks at each layer. A layered protection approach provides a comprehensive barrier to entry, increases the likelihood of attack detection, and decreases the likelihood of a successful compromise. Compensating controls are an important component of a layered security strategy. The New York State Department of Financial Services (DFS)30 and security vendors like Trend Micro31 agree that compensating controls, including virtual patching, may provide the vulnerability protection and governmental/regulatory compliance required by leading organizations.

Virtual Patching Reduces Risk

As part of a holistic, layered security program, the strategic deployment of compensating controls, including virtual patching, provides an important shield from intrusive exploits that companies face every day.

Compensating controls "refer to alternative countermeasures or safeguards put in place to mitigate specific security risks, in lieu of nominally recommended controls, as a result of legitimate technical or business constraints."32

Organizations cannot accept the risk exposure and negative business impact inherent in the cumbersome, time-consuming and costly "patch everything" model. According to the Aberdeen Group, "Virtual Patching (external patching, vulnerability shielding) refers to establishing a policy enforcement point that is external to the resource being protected, to identify and intercept exploits of known vulnerabilities before they reach their target. In this way, direct modifications to the resource being protected are not required."33 Virtual patching updates can be automatic and adapt to continuously evolving threats.

The benefits of virtual patching solutions, as part of an overall holistic security strategy, are significant.

Fast Protection
Easy to Deploy
Protects Old and New Releases
Comprehensive Protection
Multi-vendor Protection
Fights Unknown Vulnerabilities
Monitoring

Aberdeen Group, October, 2016

Continuous Security Protection with Virtual Patching vs. Vendor Patching

According to an Aberdeen Group research study "The window of vulnerability from public disclosure to mitigation is substantially shorter [with virtual patching] than with traditional vendor patching, substantially reducing the likelihood that enterprise databases and applications may be compromised."34

Source information - Aberdeen Group, October 2016

While Oracle is focusing its efforts on its scare campaign, Rimini Street Global Security Services is helping clients around the world deploy a modern, innovative, holistic and layered security model across their enterprise. Rimini Street provides clients with security consultations, assessments and actionable security intelligence delivered by experienced security architects, and innovative virtual patching solutions like Rimini Street Advanced Database Security.

Rimini Street Advanced Database Security enhanced with technology from McAfee, one of the world's leading independent cybersecurity companies, is a modern, next-generation database security solution that helps protect Oracle, SAP, IBM and Microsoft databases from known and unknown vulnerabilities. The software monitors and analyzes database memory and uses virtual patching technology to block potential attack vectors and risks – even before any attempted attack on the database.

Rimini Street has redefined enterprise software support services since 2005 with an innovative, award-winning program that enables licensees of IBM, Microsoft, Oracle, SAP and other enterprise software vendors to save up to 90 percent on total support costs.

Using Virtual Patching

Benchmark research has shown that the best-in-class performers are two times as likely as lagging performers to use virtual patching.

Aberdeen, “Virtual Patching and Database Security: An Effective Compensating Control”, April 2013


1 http://www.computerworld.com/article/2975780/security/oracle-still-clueless-about-security.html

2 Arete Research Services LLP, Oracle: Fantasia, June 12, 2017

3 Rimini Street SEC S-4

4 https://www.oracle.com/rimini/index.html

5 Oracle Security Practices for Cloud at Customer Services, Feb 2017 https://www.oracle.com/us/assets/cloud-at-customer-security-wp-3606887.pdf

6 DBA–SECURITY SUPERHERO, 2014 IOUG ENTERPRISE DATA SECURITY SURVEY

7 https://www.dhs.gov/sites/default/files/publications/FY15-SPFI.pdf

8 https://www.darkreading.com/endpoint/microsoft-invests-$1-billion-in-holistic-security-strategy/d/d-id/1323170

9 https://www.oracle.com/rimini/index.html

10 https://www.ascent.tech/wp-content/uploads/documents/mcafee/virtual-patching-and-database-security.pdf

11 http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

12 https://www.oracle.com/rimini/index.html

13 https://riministreet.com/Documents/Collateral/Rimini-Street-Security-Success-Story-Suburban-Propane.pdf

14 https://www.forbes.com/sites/oracle/2017/06/29/petya-didnt-know-this-about-third-party-software-maintenance-firms

15 https://www.oracle.com/support/trusted-support.html

16 http://www.securityweek.com/giving-oracle-researcher-discloses-critical-vulnerabilities-oracle-forms-and-reports

17 https://www.ftc.gov/news-events/press-releases/2015/12/oracle-agrees-settle-ftc-charges-it-deceived-consumers-about-java

18 https://krebsonsecurity.com/2016/08/visa-alert-and-update-on-the-oracle-breach/

19 Aberdeen Group, BEYOND THE PATCH: REDUCING THE RISK OF DATABASE AND APPLICATION VULNERABILITIES, Dec 2016

20 https://www.ascent.tech/wp-content/uploads/documents/mcafee/virtual-patching-and-database-security.pdf

21 "It's Time to Align Your Vulnerability Management Priorities With The Biggest Threats," Gartner, 9 September 2016.

22 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

23 https://www.oracle.com/support/lifetime-support/index.html

24 Rimini Street, 2017 Survey Report THE HIDDEN TRUTHS ABOUT ORACLE DATABASE SUPPORT

25 https://www.ascent.tech/wp-content/uploads/documents/mcafee/virtual-patching-and-database-security.pdf

26 http://www.lightreading.com/security/security-takes-the-stage-at-oracle-industry-connect/d/d-id/731469

27 Aberdeen Group, BEYOND THE PATCH: REDUCING THE RISK OF DATABASE AND APPLICATION VULNERABILITIES, Dec 2016

28 https://www.integrigy.com/files/Integrigy%20Oracle%20TNS%20Poisoning%20Attacks.pdf

29 https://www.us-cert.gov/ncas/alerts/TA17-117A

30 http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

31 http://la.trendmicro.com/media/wp/deep-security-virtual-patching-whitepaper-en.pdf

32 https://www.ascent.tech/wp-content/uploads/documents/mcafee/virtual-patching-and-database-security.pdf

33 Aberdeen Group, BEYOND THE PATCH: REDUCING THE RISK OF DATABASE AND APPLICATION VULNERABILITIES, Dec 2016

34 Aberdeen Group, BEYOND THE PATCH: REDUCING THE RISK OF DATABASE AND APPLICATION VULNERABILITIES, Dec 2016