Oracle Observations

December 4, 2008

A summary of the Oracle Security round table.

Filed under: Uncategorized — bigdaveroberts @ 8:48 pm

The experts present were:

Pete Finnigan (of petefinnigan.com) – Pete I hope requires no introduction, before Pete I was an Oracle security virgin!
Paul Wright (of Markit) – From the previous days Oracle security session seems to be a heavy proponent of hedgehog form sentrigo.
Slavik Markovich (of Sentrigo (originator of Hedgehog)) – on the basis of his session, a strong proponent of proactive pl/sql security hole discovery.

And possibly Kev Else (of no fools limited) – listed on the agenda; however I failed to confirm his identity or presence.

Very roughly, Pete Finnigan expressed the position that open routing is the greatest general security risk. The ability for anyone to plug a laptop into an open Ethernet socket and then be able to connect directly to the database!

Secondly the implementation of security at the application layer, where the functionality of a user is restricted within an application, but when connecting directly either through SQL*Plus or Excel had little or no restriction on the SQL they could execute.

There was then the consideration of the nature and the source of the threats confronting an organisation.

Threats were predominantly not malicious, but rather based on the failings of various carbon based life forms. The propensity of people to place critical data on CDs or USB sticks, and then not be able to verify what happened to that data or who had access to it.

However there was also the suggestion as more companies have a direct exposure to the internet; the proportion of the risk that was internal (in the past estimated to be 80%) was dropping with organised gangs attempting to attack financial institutions.

Next was an observation made at sites that implement a data map – a system where access to sensitive data is recorded.

The behavior observed, was that people soon to leave an organisation often accessed much more data in the period before they left than they would in normal use of the systems.

Pete then proposed a methodology for reducing user’s privileges.

1) Check what privileges a user holds, both directly and through roles.
2) Check what type of objects that a user owns.
3) Identify roles that a user has been granted, but doesn’t require to create the objects that exist.
4) Audit that user on the roles that the user in theory doesn’t need.
5) If after a couple of months revoke the privileges that the user doesn’t use and doesn’t need.

It was then stated that this was only an approach to system privileges, father actions would then need to be taken to curtail object privileges.

Issues relating to the vulnerabilities that were introduced by not following Oracles recommendations for having a separate oinstall installation user and oper and oasys groups.

If performed correctly, a privileged UNIX user (not oracle) will connect to sqlplus /nolog, connect internal and only acquire public privileges, rather than the sys privileges that are acquired when the oracle user performs these instructions.

There was then an encouragement to prioritorise and escalate security implementation on the basis of an investigation of the importance of the data to be protected. Essentially some of your databases may only hold administrative data, and hardening these databases is substantially less important than hardening those databases that may contain personal or financial information.

There was a discussion regarding whistle blowing, and the stated fact that many firms were now obliged to have a risk officer or security officer, and it is to that person in the first case that security issues should probably be raised.

There was a little more, but I suspect that even tripling the time allocated, we would have only scratched the surface!

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: