Security is a hot topic in the news today, and we believe Oracle has chosen a dangerous, troubling and unethical strategy of hyping security threats using a security scare campaign of misleading and inaccurate statements and hyperbole. The campaign is being executed via a multi-faceted approach. For example, Oracle has sent letters to client executive management, authored blog posts, published a special web site and has even cited cyber-attacks that do not relate to Oracle products.

Why?

We believe Oracle has chosen to pursue using this scare campaign for its own business purposes – such as to try and pressure customers into performing otherwise unwanted and expensive software upgrades or purchasing otherwise unneeded product licenses. We also believe Oracle is attempting to protect its very profitable annual support revenues as an increasing number of Oracle licensees switch from expensive and poorly-rated Oracle support to a more innovative, responsive and award-winning annual support program like Rimini Street support that that can save customers up to 90% in total annual support costs and has been successfully utilized by more than 2,600 clients around the world for over a decade.

Further evidence that we believe makes Oracle’s true intentions clear includes the fact that, unlike many major software companies such as SAP, Microsoft and Cisco, Oracle does not provide security patches and updates to their paid licensees without cost.

However, unfortunately for Oracle, their scare campaign is also giving customers the opportunity to learn about the significant potential risks and challenges with Oracle’s dated, costly and ineffective software patch and update model for security remediation, and learn more about the alternative modern, innovative and holistic security solutions available from Rimini Street Global Security Services and other leading security vendors.

Case Study: 60% of Oracle Databases Vulnerable to TNS Listener Poison Attack²⁸

One of the most infamous Oracle vulnerabilities was the TNS Listener Poison Attack (CVE-2012-1675) that was reported to Oracle in 2008. It took Oracle four years to respond to the reported vulnerability, and even when it did so, they did not provide a workaround until another year had passed and did not provide a patch for another year, totaling six years from vulnerability report to patch and then only for 12c. In 2016 60 percent of Oracle Databases assessed were still vulnerable to TNS:

Rimini Street does agree with Oracle on one thing – the importance of security and taking a proactive stance on the remediation of vulnerabilities.

However, the traditional vendor security patching model does not meet today’s need for rapid, cost-effective remediation of vulnerabilities, especially in today’s complex multi-vendor environments. Rimini Street strongly believes in a modern approach to security where remediation can occur through various strategies, processes and controls – not just through the application of vendor security patches.

Following suggestions from security experts, Rimini Street recommends a layered security strategy – also known as defense in depth and holistic security. This approach protects your applications and databases by blocking attack vectors and alerting the user to attempted attacks at each layer. A layered protection approach provides a comprehensive barrier to entry, increases the likelihood of attack detection, and decreases the likelihood of a successful compromise. Compensating controls are an important component of a layered security strategy. The New York State Department of Financial Services (DFS)³⁰ and security vendors like Trend Micro³¹ agree that compensating controls, including virtual patching, may provide the vulnerability protection and governmental/regulatory compliance required by leading organizations.

Virtual Patching Reduces Risk

As part of a holistic, layered security program, the strategic deployment of compensating controls, including virtual patching, provides an important shield from intrusive exploits that companies face every day.

Compensating controls “refer to alternative countermeasures or safeguards put in place to mitigate specific security risks, in lieu of nominally recommended controls, as a result of legitimate technical or business constraints.”³²

Organizations cannot accept the risk exposure and negative business impact inherent in the cumbersome, time-consuming and costly “patch everything” model. According to the Aberdeen Group, “Virtual Patching (external patching, vulnerability shielding) refers to establishing a policy enforcement point that is external to the resource being protected, to identify and intercept exploits of known vulnerabilities before they reach their target. In this way, direct modifications to the resource being protected are not required.”³³ Virtual patching updates can be automatic and adapt to continuously evolving threats.

The benefits of virtual patching solutions, as part of an overall holistic security strategy, are significant.

• Fast Protection
• Easy to Deploy
• Protects Old and New Releases
• Comprehensive Protection
• Multi-vendor Protection
• Fights Unknown Vulnerabilities
• Monitoring

Continuous Security Protection with Virtual Patching vs. Vendor Patching

According to an Aberdeen Group research study “The window of vulnerability from public disclosure to mitigation is substantially shorter [with virtual patching] than with traditional vendor patching, substantially reducing the likelihood that enterprise databases and applications may be compromised.”³⁴

While Oracle is focusing its efforts on its scare campaign, Rimini Street Global Security Services is helping clients around the world deploy a modern, innovative, holistic and layered security model across their enterprise. Rimini Street provides clients with security consultations, assessments and actionable security intelligence delivered by experienced security architects, and innovative virtual patching solutions like Rimini Street Advanced Database Security.

Rimini Street Advanced Database Security enhanced with technology from McAfee, one of the world’s leading independent cybersecurity companies, is a modern, next-generation database security solution that helps protect Oracle, SAP, IBM and Microsoft databases from known and unknown vulnerabilities. The software monitors and analyzes database memory and uses virtual patching technology to block potential attack vectors and risks – even before any attempted attack on the database.

Rimini Street has redefined enterprise software support services since 2005 with an innovative, award-winning program that enables licensees of IBM, Microsoft, Oracle, SAP and other enterprise software vendors to save up to 90 percent on total support costs.

Using Virtual Patching

Benchmark research has shown that the best-in-class performers are two times as likely as lagging performers to use virtual patching.

Aberdeen, “Virtual Patching and Database Security: An Effective Compensating Control”, April 2013

Sources

¹ http://www.computerworld.com/article/2975780/security/oracle-still-clueless-about-security.html
² Arete Research Services LLP, Oracle: Fantasia, June 12, 2017
³ Rimini Street SEC S-4
⁴ https://www.oracle.com/rimini/index.html
⁵ Oracle Security Practices for Cloud at Customer Services, Feb 2017 https://www.oracle.com/us/assets/cloud-at-customer-security-wp-3606887.pdf
⁶ DBA–SECURITY SUPERHERO, 2014 IOUG ENTERPRISE DATA SECURITY SURVEY
⁷ https://www.dhs.gov/sites/default/files/publications/FY15-SPFI.pdf
⁸ https://www.darkreading.com/endpoint/microsoft-invests-$1-billion-in-holistic-security-strategy/d/d-id/1323170
⁹ https://www.oracle.com/rimini/index.html
¹⁰ https://www.ascent.tech/wp-content/uploads/documents/mcafee/virtual-patching-and-database-security.pdf
¹¹ http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
¹² https://www.oracle.com/rimini/index.html
¹³ https://riministreet.com/Documents/Collateral/Rimini-Street-Security-Success-Story-Suburban-Propane.pdf
¹⁴ https://www.forbes.com/sites/oracle/2017/06/29/petya-didnt-know-this-about-third-party-software-maintenance-firms
¹⁵ https://www.oracle.com/support/trusted-support.html
¹⁶ http://www.securityweek.com/giving-oracle-researcher-discloses-critical-vulnerabilities-oracle-forms-and-reports
¹⁷ https://www.ftc.gov/news-events/press-releases/2015/12/oracle-agrees-settle-ftc-charges-it-deceived-consumers-about-java
¹⁸ https://krebsonsecurity.com/2016/08/visa-alert-and-update-on-the-oracle-breach/
¹⁹ Aberdeen Group, BEYOND THE PATCH: REDUCING THE RISK OF DATABASE AND APPLICATION VULNERABILITIES, Dec 2016
²⁰ https://www.ascent.tech/wp-content/uploads/documents/mcafee/virtual-patching-and-database-security.pdf
²¹ “It’s Time to Align Your Vulnerability Management Priorities With The Biggest Threats,” Gartner, 9 September 2016.
²² http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
²³ https://www.oracle.com/support/lifetime-support/index.html
²⁴ Rimini Street, 2017 Survey Report THE HIDDEN TRUTHS ABOUT ORACLE DATABASE SUPPORT
²⁵ https://www.ascent.tech/wp-content/uploads/documents/mcafee/virtual-patching-and-database-security.pdf
²⁶ http://www.lightreading.com/security/security-takes-the-stage-at-oracle-industry-connect/d/d-id/731469
²⁷ Aberdeen Group, BEYOND THE PATCH: REDUCING THE RISK OF DATABASE AND APPLICATION VULNERABILITIES, Dec 2016
²⁸ https://www.integrigy.com/files/Integrigy%20Oracle%20TNS%20Poisoning%20Attacks.pdf
²⁹ https://www.us-cert.gov/ncas/alerts/TA17-117A
³⁰ http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
³¹ http://la.trendmicro.com/media/wp/deep-security-virtual-patching-whitepaper-en.pdf
³² https://www.ascent.tech/wp-content/uploads/documents/mcafee/virtual-patching-and-database-security.pdf
³³ Aberdeen Group, BEYOND THE PATCH: REDUCING THE RISK OF DATABASE AND APPLICATION VULNERABILITIES, Dec 2016
³⁴ Aberdeen Group, BEYOND THE PATCH: REDUCING THE RISK OF DATABASE AND APPLICATION VULNERABILITIES, Dec 2016