Everyone from bedroom hackers to nation states is trying to hack Oracle, its chief executive officer Mark Hurd has told Computerworld.
“As you can imagine I go through the day not wanting to have the call that somebody’s hacked us,” Hurd said at a media roundtable at the company’s OpenWorld conference in San Francisco last month.
Asked exactly who was attempting to breach the company’s cyber defences, Hurd said: “Virtually everyone; from someone that’s in their pyjamas in their basement, to a nation state.”
In recent years, determining the origins of attacks has become “much more difficult to deal with” if not impossible Hurd explained, due to a “blurring of the lines between good guys and bad guys”.
“It used to be we could see the metadata signature – if you went back four or five years ago – and say ‘ah that’s coming from these guys’. Now many people working for one actor in a nation state, have been recruited to another actor. They use the signatures from the place they came from but they’re actually employed somewhere else,” he said.
The landscape of malicious actors has changed considerably in the last few years Hurd added, and they posed a greater threat than ever before.
“We’re investing in the United States in aircraft carriers, and they’re expensive it turns out — turns out it costs $2.5 billion to build an aircraft carrier — but get 15 guys together and you can have a cyber squad, maybe just as dangerous if not more than an aircraft carrier,” he told Computerworld.
It is not surprising that Oracle, and its products, are prime targets for hackers. The company has not always responded well to those trying to find gaps and bugs in its software.
In 2015, Oracle chief security officer Mary Ann Davidson posted a rant against customers “reverse engineering our code to attempt to find security vulnerabilities in it”. The post – which included the line “please comply with your license agreement and stop reverse engineering our code, already” – was up for less than 24 hours before it was deleted.
One of the biggest risks Oracle customers run around unwarranted access to their systems is a result of failing to patch in a timely fashion.
Oracle’s Enterprise Resource Planning (ERP) software, for example, “holds the crown jewels” for the thousands of businesses that use it. According to a July report from Digital Shadows and Onapsis, Oracle ERP vulnerabilities have been steadily growing in number over the last 10 years.
The report noted that “systems are often left unpatched for years in the name of operational availability”.
Transfer the risk
Oracle is hoping to fill those gaping holes with its new Autonomous Database product which uses machine learning to automatically upgrade, patch, and tune as it runs; and automates security updates with no downtime window required.
Not having to find appropriate times to implement patches is significant for businesses, Hurd said.
“It’s just limitless and it doesn’t take much to pull up a website and find out where the patches are, to find out what’s been patched and to know what the windows are, and if you’ve got a computer and your technically competent you’re in business,” he said.
Adoption of autonomous patching products like Autonomous Database “transfers the risk” to Oracle, Hurd explained.
“It’s not a great job when you’re a CEO, people write things about you and if you get hacked and you lose important data, particularly customer data this is very difficult. So I not only need to look for security I also need to offload the risk,” he said.
“The risk, and by the way the cost of the risk, transfers in some respects from the customer to us. Not all the risk because you selected us so you still have some risk in that process, but certainly less than what you had before.
"And we’re now going to take on the job of fighting the bad guys and in general we’re going to do that a whole lot better than any individual company’s going to,” Hurd said.
“It’s a big differentiator,” he added.
The author travelled to Oracle OpenWorld as a guest of Oracle.