Oracle Security
Radoslav Rusinov
ING Wholesale Banking
Agenda
• The need of Security
• Information Security
• Securing Databases
• Securing Oracle
• Recommended Readings
• Conclusion
Why is security necessary?
• Security threats have grown monthly
• Unauthorized access to servers, databases and applications
• Worms / Viruses
• Software vulnerabilities
• Theft / Hacker intrusions
• Operator or user errors
• 70% of intrusions are internal
Security Breaches – Last Cases
• 25.02.2005 – Bank of America Corp. loses credit card info of 1.2M federal workers
• 08.04.2005 – Stolen computers from San Jose Medical Group contain data on 185,000 patients
• 12.04.2005 – Data broker LexisNexis Group said that hackers have stolen data of 310,000 people
• 14.04.2005 – British HSBC Bank PLC warns of stolen data of 180,000 credit card customers
• 15.04.2005 – Bulgarian National Cardiologic Hospital informs of an intrusion attack
Intrusions – Business Impact
• Damage to image and reputation
• Loss of customer confidence
• Loss of partner confidence
• Loss of business
• Impact on revenue
• Benefits competitors
Information Security
• Every organization should secure its information
• It should follow a security management strategy
Information Security - Regulatory
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act
• California SB 1386
• GLB – Gramm-Leach-Bliley Act
• MasterCard Site Data Protection (SDP)
• Payment Card Industry (PCI) Data Security Standard
• Visa USA Cardholder Information Security Program (CISP)
• ISO IEC 17799/BS7799 Standard
Information Security - Certifying
• Certification Organizations – BSI, DNV, KPMG, Certification Europe, KEMA, JACO IS
• Vulnerability Assessment/Penetration Testing by Information Security Audit Companies – KPMG, PricewaterhouseCoopers
• SANS Best practices in Information Security – URL: http://www.sans.org/rr/whitepapers/bestprac
• Information Security News – URL: www.computerworld.com/securitytopics/security
Information Security - Own Procedures
• Organizations can follow their own Information Security Standards
• Database security is an important part of these standards
Securing Databases - Layers
Securing Databases - Common Steps
• Write a database security procedure
• Record the current configuration
• Test and implement the procedure
• Record the OS configuration
• Record the database configuration
• Record the security configuration
• Monitor the environment
• Regular checks
• Update your security plan
Agenda
• OS Security
• Oracle Authentication
• Access to the Database
• Securing PUBLIC Role
• Initialization Parameters
• Application Security
• Auditing
• Securing the Network
• Availability
• Regular Checks
OS Security – Owner of Oracle software - 1/2
• Do not name the owner of the Oracle software “oracle”
• This is considered “security through obscurity”
• Limit access to the account that owns the Oracle software using mechanisms like “sudo”
• Create different users for every part of the Oracle software. Examples:
- Oralsnr – for the listener
- Oradb – for the database
OS Security – Owner of Oracle software - 2/2
• The user used to install Oracle should be a local one
• Prohibit system administrators from accessing files owned by “oracle”
• The “oracle” account should not be a member of the admin group
• Check the members of the ORA_DBA / OSDBA group
• Only database administrators should be assigned to the ORA_DBA / OSDBA group
OS Security – File Permissions - 1/2
• Verify permissions for files under the ORACLE_BASE and ORACLE_HOME directories
• Disable the otrace utility – Metalink note: 192541.995
• Oracle processes should run under the Oracle software account (or ORA_DBA group)
• On Windows, Oracle services run as “Local System Account” – this should be changed
• On Windows, restrict access to the directory C:\Program Files\Oracle
OS Security – File Permissions - 2/2
• Remove or restrict permissions on all saved script files after creating the database
• On Windows:
- Restrict access to the Windows Registry
- Give Full Control over registry key HKEY_LOCAL_MACHINE\Software\Oracle to the account that will run Oracle Services
- Use regedt32.exe for changing Registry Security Policy
• If database backups are written to the system disks, verify the permissions for this directory
OS Security – Usernames and Passwords
• On Unix:
- restrict the “ps” command at the OS level
- check the cron jobs
• Check the server for scripts that contain usernames and passwords
• Check all environment variables
• Check client machines for application configuration files
• Use secure IP communications
OS Security – Auditing
• Start OS-level auditing for unauthorized use of Oracle; for particular directories use tripwire
• For monitoring and analysing log files – swatch, logcheck
• For checking the integrity of Oracle binary and configuration files – tripwire, samhain, AIDE
• Oracle provides a tool for monitoring OracleAS – iHAT
• Save audit log files on secured remote servers
• Check processes regularly
Oracle Authentication – Password Policy
• All employees that use the database must have their own accounts
• Use Oracle password management features:
    alter profile default limit
        failed_login_attempts 3
        password_life_time 60
        password_reuse_max 20
        password_lock_time 1;
• User passwords should be changed on a regular basis
• Create different profiles for different types of users
Oracle Authentication – Weak Passwords
• Enable a password verification function
• Check for default accounts that are installed as part of the Oracle installation
• Check application accounts for username/password matching
• Check for weak passwords
• Check for roles with default passwords
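The password policy and verification function the two slides above call for, written out as an added example (not the deck's own code). It assumes Oracle 10g or later, that the function is created as SYS, and that the profile name APP_USER_PROFILE, the function name and the SCOTT account are hypothetical.

```sql
-- Added example, not from the original deck. Create as SYS on Oracle 10g+.
-- Oracle calls a verification function with exactly this signature whenever
-- a password is set; returning TRUE accepts it, raising an error rejects it.
CREATE OR REPLACE FUNCTION verify_app_password (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
    differ INTEGER := 0;
BEGIN
    -- Reject the username itself and the well-known shipped defaults.
    IF NLS_LOWER(password) = NLS_LOWER(username) THEN
        raise_application_error(-20001, 'Password must not equal the username');
    END IF;
    IF NLS_LOWER(password) IN ('manager', 'change_on_install', 'oracle', 'welcome1') THEN
        raise_application_error(-20002, 'Password is a well-known default');
    END IF;
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20003, 'Password must be at least 8 characters');
    END IF;
    -- Require at least one letter and one digit.
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
        raise_application_error(-20004, 'Password needs both letters and digits');
    END IF;
    -- When the user changes a password, require at least 3 differing positions.
    IF old_password IS NOT NULL THEN
        FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
            IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
                differ := differ + 1;
            END IF;
        END LOOP;
        differ := differ + ABS(LENGTH(password) - LENGTH(old_password));
        IF differ < 3 THEN
            raise_application_error(-20005, 'New password is too similar to the old one');
        END IF;
    END IF;
    RETURN TRUE;
END;
/

-- A dedicated profile for interactive users (the deck applies similar limits
-- to DEFAULT). PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME are interpreted
-- together; with both left UNLIMITED (the shipped default) any old password
-- can be reused at any time, so set both explicitly.
CREATE PROFILE app_user_profile LIMIT
    FAILED_LOGIN_ATTEMPTS    3
    PASSWORD_LIFE_TIME       60
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_MAX       20
    PASSWORD_REUSE_TIME      365
    PASSWORD_LOCK_TIME       1
    PASSWORD_VERIFY_FUNCTION verify_app_password;

ALTER USER scott PROFILE app_user_profile;   -- hypothetical account

-- Verify which profile each open account uses and what its password limits are.
SELECT u.username, u.profile, p.resource_name, p.limit
FROM   dba_users u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  p.resource_type = 'PASSWORD'
AND    u.account_status = 'OPEN'
ORDER  BY u.username, p.resource_name;
```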
Access to the Database - 1/3
• Limit access to roles whose names contain _CATALOG_
• Use manually created roles
• Powerful roles should be password protected
• Use a password-protected role when DML is used
• Check for users or roles whose granted privileges include “all privileges”, “any”, “with admin” or “with grant”
• Review the system privileges granted to users
Access to the Database - 2/3
• Check for privileges granted directly on objects; use roles instead
• Check for granted “CREATE LIBRARY”, “ALTER SYSTEM” or “CREATE PROCEDURE”
• Check for users that have “CREATE ANY DIRECTORY” privilege
• Check for users that have “CREATE JOB” or “CREATE ANY JOB” privilege (10G)
• Check user objects in SYSTEM tablespace
Access to the Database - 3/3
• Check for “external” users
• Revoke the RESOURCE role from user accounts
• Revoke the CONNECT role from user accounts
• Check for users with the “CREATE ANY TRIGGER” privilege
• Check for users that have access to data dictionary views and tables
• Check for users that have the “SELECT ANY TABLE” privilege
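Data-dictionary queries covering the checks on the three "Access to the Database" slides, added here as an example (not the deck's own code). They assume a DBA session on Oracle 10g or later; the excluded account names are a minimum to be extended with your own service accounts.

```sql
-- Added example, not from the original deck. Run as a DBA.

-- 1. "ANY" system privileges and anything granted WITH ADMIN OPTION
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  (privilege LIKE '%ANY%' OR admin_option = 'YES')
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;

-- 2. The individual privileges the slides single out
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE LIBRARY', 'ALTER SYSTEM', 'CREATE PROCEDURE',
                     'CREATE ANY DIRECTORY', 'CREATE JOB', 'CREATE ANY JOB',
                     'CREATE ANY TRIGGER', 'SELECT ANY TABLE', 'SELECT ANY DICTIONARY')
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY privilege, grantee;

-- 3. Role grants that matter: _CATALOG_ roles, CONNECT/RESOURCE/DBA,
--    and roles held WITH ADMIN OPTION
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  (granted_role LIKE '%\_CATALOG\_%' ESCAPE '\'
        OR granted_role IN ('CONNECT', 'RESOURCE', 'DBA')
        OR admin_option = 'YES')
AND    grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY granted_role, grantee;

-- 4. Roles that are not password protected; compare with your list of powerful roles
SELECT role, password_required
FROM   dba_roles
WHERE  password_required <> 'YES'
ORDER  BY role;

-- 5. Object privileges granted directly to users (not to roles) on application
--    schemas; GRANTABLE = 'YES' marks grants that carry WITH GRANT OPTION
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee IN (SELECT username FROM dba_users)
AND    grantee NOT IN ('SYS', 'SYSTEM')
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY grantee, owner, table_name, privilege;

-- 6. Externally identified ("external") users. Oracle 10g shows them in the
--    PASSWORD column; 11g and later add AUTHENTICATION_TYPE = 'EXTERNAL'.
SELECT username, account_status
FROM   dba_users
WHERE  password = 'EXTERNAL'
ORDER  BY username;

-- 7. Non-Oracle objects that ended up in the SYSTEM tablespace
SELECT owner, segment_name, segment_type
FROM   dba_segments
WHERE  tablespace_name = 'SYSTEM'
AND    owner NOT IN ('SYS', 'SYSTEM', 'OUTLN')
ORDER  BY owner, segment_name;

-- 8. Direct SELECT on SYS-owned dictionary tables and views
--    (PUBLIC is reviewed separately under "Securing PUBLIC Role")
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    privilege = 'SELECT'
AND    grantee NOT IN ('PUBLIC', 'SYSTEM', 'SELECT_CATALOG_ROLE')
ORDER  BY grantee, table_name;
```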
Securing PUBLIC Role - 1/3
• Grant privileges to appropriate users before revoking
• revoke all on utl_tcp from public;
• revoke all on utl_http from public;
• revoke all on utl_smtp from public;
• revoke all on utl_file from public;
• revoke all on dbms_random from public;
• revoke all on dbms_lob from public;
• revoke all on dbms_sql from public;
Securing PUBLIC Role - 2/3
• revoke all on dbms_sys_sql from public;
• revoke all on dbms_job from public;
• revoke all on dbms_scheduler from public;
• revoke all on owa_util from public;
• revoke all on utl_xml from public;
• revoke all on dbms_java_test from public;
• revoke all on dbms_lock from public;
• revoke all on dbms_pipe from public;
Securing PUBLIC Role - 3/3
• revoke select on all_db_links from public;
• revoke select on all_users from public;
• revoke select on all_catalog from public;
• revoke select on all_java_classes from public;
• revoke select on all_source from public;
• revoke select on all_tab_privs from public;
• Check all PUBLIC execute privileges on packages owned by SYS (XMLDB problem)
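A report-only companion to the revoke lists above, added as an example (not the deck's own code): it prints the revoke statements that actually apply, lists every SYS package PUBLIC can execute, and finds the code that depends on a package so its owner can be granted EXECUTE before the PUBLIC grant is removed. It assumes a DBA session in SQL*Plus on Oracle 10g or later.

```sql
-- Added example, not from the original deck. Nothing here revokes anything;
-- it prints the statements so they can be reviewed and applied deliberately.
SET SERVEROUTPUT ON SIZE 1000000

DECLARE
    TYPE name_list IS TABLE OF VARCHAR2(30);
    -- The packages named on the three "Securing PUBLIC Role" slides
    watched name_list := name_list(
        'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'UTL_FILE', 'DBMS_RANDOM', 'DBMS_LOB',
        'DBMS_SQL', 'DBMS_SYS_SQL', 'DBMS_JOB', 'DBMS_SCHEDULER', 'OWA_UTIL',
        'UTL_XML', 'DBMS_JAVA_TEST', 'DBMS_LOCK', 'DBMS_PIPE');
    granted INTEGER;
BEGIN
    FOR i IN watched.FIRST .. watched.LAST LOOP
        SELECT COUNT(*) INTO granted
        FROM   dba_tab_privs
        WHERE  grantee = 'PUBLIC' AND owner = 'SYS'
        AND    table_name = watched(i) AND privilege = 'EXECUTE';
        IF granted > 0 THEN
            dbms_output.put_line('REVOKE EXECUTE ON sys.' || watched(i) || ' FROM PUBLIC;');
        ELSE
            dbms_output.put_line('-- ' || watched(i) || ': no PUBLIC execute grant');
        END IF;
    END LOOP;
END;
/

-- The wider check the slide asks for: every SYS program unit PUBLIC can execute.
-- Re-run after patches and feature installs (XML DB and friends add grants).
SELECT p.table_name, o.object_type
FROM   dba_tab_privs p
JOIN   dba_objects o ON o.owner = p.owner AND o.object_name = p.table_name
WHERE  p.grantee = 'PUBLIC' AND p.owner = 'SYS' AND p.privilege = 'EXECUTE'
AND    o.object_type IN ('PACKAGE', 'PROCEDURE', 'FUNCTION', 'TYPE')
ORDER  BY p.table_name;

-- "Grant before revoke": application code that references a package (UTL_FILE
-- here) will go invalid once the PUBLIC grant is gone unless its owner holds
-- EXECUTE directly; this lists those owners and units.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS' AND referenced_name = 'UTL_FILE'
AND    owner NOT IN ('SYS', 'SYSTEM', 'PUBLIC')
ORDER  BY owner, name;
```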
Initialization Parameters - 1/2
• Check user_dump_dest, background_dump_dest and core_dump_dest
• Set global_names=TRUE
• Set max_enabled_roles=30
• Set os_authent_prefix=“” (a null string)
• Set os_roles=FALSE
• Set o7_dictionary_accessibility=FALSE
• Set remote_os_authent=FALSE
• Set remote_os_roles=FALSE
• Set remote_listener=“” (a null string)
• Set sql92_security=TRUE
Initialization Parameters - 2/2
• Set row_locking=ALWAYS
• Set remote_login_passwordfile=NONE
• Avoid using the utl_file_dir parameter
• Set dblink_encrypt_login=TRUE. For “client to server” connections set the ORA_ENCRYPT_LOGIN=TRUE environment variable
• Set transaction_auditing=TRUE
• Check whether IFILE is used
• Periodically check the instance
Initialization Parameters - Hidden
• Set _trace_file_public=FALSE
• Set _system_trig_enabled=TRUE
• Review all hidden parameters on a regular basis
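A check that compares a running instance against the parameter values recommended on the three "Initialization Parameters" slides, added as an example (not the deck's own code). It assumes SQL*Plus, SELECT on V$PARAMETER for the first part and a SYS session for the hidden-parameter query; parameters that later releases have removed are reported as missing rather than failed.

```sql
-- Added example, not from the original deck.
SET SERVEROUTPUT ON

DECLARE
    TYPE expect_t IS TABLE OF VARCHAR2(64) INDEX BY VARCHAR2(64);
    expected expect_t;
    actual   VARCHAR2(4000);
    k        VARCHAR2(64);
BEGIN
    -- Values from the deck; '' is NULL in Oracle, i.e. "a null string"
    expected('global_names')                := 'TRUE';
    expected('max_enabled_roles')           := '30';
    expected('os_authent_prefix')           := '';
    expected('os_roles')                    := 'FALSE';
    expected('o7_dictionary_accessibility') := 'FALSE';
    expected('remote_os_authent')           := 'FALSE';
    expected('remote_os_roles')             := 'FALSE';
    expected('remote_listener')             := '';
    expected('sql92_security')              := 'TRUE';
    expected('row_locking')                 := 'ALWAYS';
    expected('remote_login_passwordfile')   := 'NONE';
    expected('utl_file_dir')                := '';
    expected('dblink_encrypt_login')        := 'TRUE';
    expected('transaction_auditing')        := 'TRUE';

    k := expected.FIRST;
    WHILE k IS NOT NULL LOOP
        BEGIN
            SELECT value INTO actual FROM v$parameter WHERE name = k;
            -- NVL so that NULL on either side compares as a plain value
            IF NVL(actual, '#') <> NVL(expected(k), '#') THEN
                dbms_output.put_line('DEVIATION ' || k || ' = ' || NVL(actual, '(null)')
                                     || '  expected ' || NVL(expected(k), '(null)'));
            END IF;
        EXCEPTION
            WHEN NO_DATA_FOUND THEN
                dbms_output.put_line('MISSING   ' || k || ' (not present in this release)');
        END;
        k := expected.NEXT(k);
    END LOOP;
END;
/

-- Hidden (underscore) parameters that have been changed from their defaults.
-- The x$ tables are only visible to SYS; review every row this returns.
SELECT i.ksppinm AS name, v.ksppstvl AS value
FROM   x$ksppi  i
JOIN   x$ksppcv v ON v.indx = i.indx
WHERE  i.ksppinm LIKE '\_%' ESCAPE '\'
AND    v.ksppstdf = 'FALSE'
ORDER  BY i.ksppinm;
```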
Application Security – 1/4
• Wrap the PL/SQL application code
• Checksum the PL/SQL source code and Java classes:
    DECLARE
        v_counter NUMBER;
    BEGIN
        v_counter := 0;
        FOR c IN (SELECT text FROM user_source WHERE name = 'TEST_PKG' ORDER BY line) LOOP
            v_counter := v_counter + owa_opt_lock.checksum(c.text);
        END LOOP;
        dbms_output.put_line('checksum: ' || v_counter);
    END;
• Check the code for hard coded passwords
Application Security – 2/4
• Check the PL/SQL code for SQL injection and PL/SQL injection possibilities. Some guidelines:
- use bind variables
- review new code for security compliance
- secure the PUBLIC role
- do not use dynamic SQL and PL/SQL
- use input filtering for web-based PL/SQL
• Protect your web-based applications against Cross-Site Scripting: use output filtering
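The injection pattern the guidelines above warn about, beside its bind-variable and static forms, added as an example (not the deck's own code). The APP_USERS table, its two constructed rows and the three procedures are hypothetical; DBMS_ASSERT is available from Oracle 10g Release 2.

```sql
-- Added example, not from the original deck.

-- Constructed sample data so the three procedures can be compared
CREATE TABLE app_users (username VARCHAR2(30) NOT NULL);
INSERT INTO app_users VALUES ('ALICE');
INSERT INTO app_users VALUES ('BOB');
COMMIT;

-- Vulnerable: the caller's value is pasted into the SQL text. A value containing
-- a single quote is parsed as SQL, so the textbook input  x' OR '1'='1  turns
-- the predicate into one that is true for every row.
CREATE OR REPLACE PROCEDURE count_user_unsafe (p_name IN VARCHAR2) IS
    v_cnt NUMBER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM app_users WHERE username = ''' || p_name || ''''
        INTO v_cnt;
    dbms_output.put_line('matches: ' || v_cnt);
END;
/

-- Hardened: the value travels as a bind (:1) and is compared, never parsed.
-- Identifiers cannot be bound, so when a table name must be dynamic it is
-- validated with DBMS_ASSERT (ORA-44002 if no such object exists) and quoted.
CREATE OR REPLACE PROCEDURE count_user_safe (
    p_name  IN VARCHAR2,
    p_table IN VARCHAR2 DEFAULT 'APP_USERS'
) IS
    v_cnt NUMBER;
    v_tab VARCHAR2(30);
BEGIN
    v_tab := dbms_assert.sql_object_name(p_table);
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || dbms_assert.enquote_name(v_tab)
        || ' WHERE username = :1'
        INTO v_cnt USING p_name;
    dbms_output.put_line('matches: ' || v_cnt);
END;
/

-- Preferred, per the guideline "do not use dynamic SQL": static SQL binds
-- p_name automatically and leaves no SQL text for input to alter.
CREATE OR REPLACE PROCEDURE count_user_static (p_name IN VARCHAR2) IS
    v_cnt NUMBER;
BEGIN
    SELECT COUNT(*) INTO v_cnt FROM app_users WHERE username = p_name;
    dbms_output.put_line('matches: ' || v_cnt);
END;
/

SET SERVEROUTPUT ON
BEGIN
    count_user_static('ALICE');              -- one real match
    count_user_safe('x'' OR ''1''=''1');     -- quoted text is just a value: no match
    count_user_unsafe('x'' OR ''1''=''1');   -- same input rewrites the WHERE clause
END;
/
```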
Application Security – 3/4
• Check which applications access the database
• Control which applications access your database
• Review grants of the application account
• Batch processes should use their own account
• Encrypt critical application data
• Write procedures for adding new applications
• Write procedures for employee movers, leavers and joiners
• Secure Test and Development databases
Application Security – 4/4
• Restrict access to SQL*Plus
• Disable iSQL*Plus or limit access to it
• Restrict access to debugging interfaces:
- Oradebug
- DBMS_DEBUG
- JDeveloper
- Oracle tracing
• Do not publish information about your production environments. Try Google.com
Auditing – 1/2
• Set audit_trail=DB or OS
• Prefer OS audit to DB audit
• Audit SYS activities
• Audit DML failures
• Audit CREATE SESSION
• Audit use of GRANT, DROP, ALTER statements on application accounts
• Audit CREATE USER, CREATE ROLE on application accounts
• Audit CREATE statements on application accounts
Auditing – 2/2
• Audit employees' database accounts
• Use a process that monitors database activity and sends SMS or e-mail alerts
• Consider row-level auditing
• Write procedures for protecting the generated audit information
• Review the generated audit logs regularly
• Logs to check for suspicious activity:
- on OS level – Event Viewer / Syslog
- listener.log, sqlnet.log
- access_log, error_log, Apache.log
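The audit settings from the two "Auditing" slides as AUDIT statements, plus a failed-logon report that a monitoring process could turn into the SMS or e-mail alert described above; added as an example (not the deck's own code). It assumes audit_trail=DB, Oracle 10g or later, and a hypothetical application account APP_OWNER.

```sql
-- Added example, not from the original deck. Run as a DBA.

-- Audit SYS activity. These records always go to the OS audit destination,
-- never to the DB trail; the parameter is static, so it takes effect on restart.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Every logon attempt by every account, successful or not
AUDIT CREATE SESSION BY ACCESS;

-- Privilege, role and user management by anyone:
--   SYSTEM GRANT = GRANT/REVOKE of system privileges and roles,
--   ROLE = CREATE/ALTER/DROP/SET ROLE, USER = CREATE/ALTER/DROP USER
AUDIT SYSTEM GRANT, ROLE, USER BY ACCESS;
AUDIT GRANT TABLE, GRANT PROCEDURE, GRANT SEQUENCE, GRANT TYPE BY ACCESS;
AUDIT ALTER SYSTEM, ALTER DATABASE BY ACCESS;

-- Schema changes made under the application account
-- (TABLE covers CREATE/DROP/TRUNCATE TABLE; ALTER TABLE is separate)
AUDIT TABLE, ALTER TABLE, PROCEDURE, TRIGGER, VIEW, INDEX, SEQUENCE, SYNONYM
      BY app_owner BY ACCESS;

-- DML by the application account that fails (privilege or constraint errors)
AUDIT INSERT TABLE, UPDATE TABLE, DELETE TABLE
      BY app_owner BY ACCESS WHENEVER NOT SUCCESSFUL;

-- Record what is audited, for the "record the security configuration" step
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts
ORDER  BY user_name, audit_option;

-- Failed logons in the last 24 hours, grouped by account and source.
-- Return code 1017 = invalid username/password, 28000 = account locked.
-- Five or more from one source is the kind of burst worth an alert.
SELECT username, os_username, userhost, returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode <> 0
AND    timestamp   > SYSDATE - 1
GROUP  BY username, os_username, userhost, returncode
HAVING COUNT(*) >= 5
ORDER  BY attempts DESC;
```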
Securing the Network – 1/2
• Secure the listener
• Create separate listeners for clients and for administration
• Configure Oracle to use your firewall (Windows)
• Use a personal firewall on all database administration computers
• Accept connections only from a short list of IP addresses
• Search for sqlnet.log files on the server and client machines
• Set log_directory_client in sqlnet.ora
Securing the Network – 2/2
• Secure the database links in use. There are passwords in clear text in the sys.link$ table
• Write a policy for managing database links
• Check with a port scanner for open default ports
• Secure the Intelligent Agent
• Encrypt communication between all Oracle clients and the database. Use IPSec or SSL
Availability
• Review backup and restore procedures
• Check the backup media integrity periodically
• Backups should be available only off-site
• Write procedures for backup tape retrieval to prevent social engineering
• Format all old and no-longer-used disks (DUL and BBED tools)
• Secure fallback databases as if they were production ones
• Write and test disaster recovery procedures
Regular Checks
• Check for unauthorized changes
• Monitor the audited information
• Review members of the ORA_DBA/OSDBA groups
• Review the recorded database configuration
• Monitor listener.log for brute force attacks
• Test the disaster recovery procedures
• Test the recovery procedures
• Install the latest Oracle security patches
• Stay up-to-date with the latest known Oracle vulnerabilities (mailing lists and sites)
Recommended Readings - Papers
• Oracle Database Security Benchmark - http://www.cisecurity.org/bench_oracle.html
• SANS Oracle Database Checklist - http://www.sans.org/score/checklists/Oracle_Database_Checklist.pdf
• Oracle Security Papers - http://www.petefinnigan.com/orasec.htm
• Oracle 10G – Security Guide
• Protecting Oracle Databases – white paper
Recommended Readings - Sites
• http://www.petefinnigan.com/
• http://www.cisecurity.org/
• http://www.protegrity.com/
• http://www.nextgenss.com/
• http://www.appsecinc.com/
• http://www.sans.org/
• http://www.iss.net/
• http://www.securityfocus.com/
• http://otn.oracle.com/deploy/security
• http://www.computerworld.com/securitytopics/security
Recommended Readings - Books
http://www.amazon.com/exec/obidos/tg/detail/-/0974372749/qid=1111427975
http://www.amazon.com/exec/obidos/tg/detail/-/0072231300/qid=1091002374
Recommended Readings – Books
• Oracle Database Security, Audit & Control Features (PricewaterhouseCoopers – 2004)
• Security, Audit & Control Features Oracle Applications: A Technical and Risk Management Reference Guide (Deloitte & Touche Tohmatsu Research Team - 2003)
• Oracle Security Handbook : Implement a Sound Security Plan in Your Oracle Environment (Oracle Press – 2001)
• Oracle Security (O’Reilly – 1998)
Conclusion
• Do not wait to be hacked
• Implement a security policy
• Stay up-to-date
• Improve the policy repeatedly
• The mentioned steps are not rules – they are information
• Do not implement everything – balance between security, performance and usability
Questions or Comments
Radoslav Rusinov