
CPE Session March 02, 2014 ISACA-Dhaka Chapter

Md. Mushfiqur Rahman Member ID: 839745

Consolidate Oracle Database Security

Get to know DATABASE Security


Steps to a Secure Oracle Database Server


Why do we continue to encounter Oracle servers with misconfigurations and other vulnerabilities that could easily be avoided with just a little effort by DBAs?

There are many reasons:

- Understaffed security teams: simply a lack of internal or third-party security professionals to bring visibility to the importance of database security. If there are no security professionals in the organization, or the ones there lack the skills or resources to perform periodic security assessments of databases, database misconfigurations will often go undetected.
- DBAs "don't do" security: the reality in many organizations is that DBAs are administrators focused on database availability and performance, not security. DBAs might be reluctant to implement secure configurations because they do not fully understand the security risk (the vulnerability and exposure that come with not implementing the secure configuration), or because they fear the secure configuration will unintentionally break some functionality. To boil it down, DBAs might have some fear, uncertainty, and doubt (FUD) about implementing secure database configurations.

1. Lock Down Default Accounts!
2. Require all database connections to use a strong SID
3. Apply Oracle Critical Patch Updates ASAP
4. Remove all unnecessary privileges from the PUBLIC role
5. Enable Database Auditing
   - Audit SYS Operations
   - Enable Database Auditing
   - Enable Auditing on Important Database Objects
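Steps 1, 4 and 5 as an added worked example, not code from the presentation, written for Oracle 11g traditional (pre-Unified) auditing and run as a DBA. The schema and object names (HR.EMPLOYEES), the sample account SCOTT and the choice of packages to revoke are illustrative; adjust them to the instance at hand.

```sql
-- Added example (not from the presentation): hardening statements for steps 1, 4 and 5.
-- Assumes Oracle 11g traditional auditing and a DBA session (SYS or SYSTEM).

-- Step 1: find accounts still carrying the password Oracle shipped them with.
-- DBA_USERS_WITH_DEFPWD lists exactly those accounts; join to see which are still open.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE '%LOCKED%';

-- Lock and expire every sample/default account that nothing needs (SCOTT as the example).
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- Step 4: see which SYS packages with OS/network reach PUBLIC can execute ...
SELECT table_name
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND owner     = 'SYS'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'UTL_INADDR');

-- ... and take them away from PUBLIC. Re-grant EXECUTE directly, and only to the
-- application schemas that demonstrably need a given package.
REVOKE EXECUTE ON sys.utl_file   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp    FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_inaddr FROM PUBLIC;

-- Step 5: switch auditing on. Both parameters are static, so they need an instance restart.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;  -- records in SYS.AUD$ incl. SQL text
ALTER SYSTEM SET audit_sys_operations = TRUE  SCOPE = SPFILE;  -- SYSDBA/SYSOPER actions to OS audit trail
-- (restart the instance here)

-- Statement-level options: every logon/logoff, account management, privilege grants.
AUDIT SESSION;
AUDIT CREATE USER, ALTER USER, DROP USER;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE;
AUDIT ALTER SYSTEM, ALTER DATABASE;

-- An important object: one audit record per statement touching HR.EMPLOYEES.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- Verify what is now in effect.
SELECT audit_option, success, failure FROM dba_stmt_audit_opts ORDER BY audit_option;
SELECT owner, object_name, sel, ins, upd, del FROM dba_obj_audit_opts WHERE owner = 'HR';
```

Two things to check after the restart: `SHOW PARAMETER audit` should report `DB,EXTENDED` and `TRUE`, and the audit trail itself needs a retention and purge plan (SYS.AUD$ lives in SYSTEM tablespace by default and will grow without one).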

6. Setup Database Triggers for Schema Auditing and Logon/Logoff Events
   - Logon Trigger
   - DDL Trigger
   - Error Trigger
7. Implement a Database Activity Monitoring (DAM) Solution
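The three triggers from step 6, as an added example rather than the presenter's code: one audit table, an autonomous logging procedure, and logon/logoff, DDL and error triggers feeding it. The schema name SECAUDIT, the table and procedure names, the alert threshold and the choice of error codes are all assumptions; create the objects as SYS or as a user holding ADMINISTER DATABASE TRIGGER.

```sql
-- Added example (not from the presentation). SECAUDIT, SEC_EVENT_LOG and LOG_EVENT are
-- placeholder names; the error codes watched and the 20-per-hour threshold are assumptions.

CREATE TABLE secaudit.sec_event_log (
  event_time  TIMESTAMP     DEFAULT SYSTIMESTAMP NOT NULL,
  event_type  VARCHAR2(20)  NOT NULL,   -- LOGON, LOGOFF, DDL, SERVERERROR
  db_user     VARCHAR2(128),
  os_user     VARCHAR2(128),
  host        VARCHAR2(256),
  ip_address  VARCHAR2(64),
  module      VARCHAR2(128),
  detail      VARCHAR2(4000)
);

-- Autonomous so the audit row survives when the triggering statement is rolled back
-- (essential for the error trigger) and no trigger ever leaves a transaction open.
CREATE OR REPLACE PROCEDURE secaudit.log_event (
  p_type   IN VARCHAR2,
  p_detail IN VARCHAR2 DEFAULT NULL)
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO secaudit.sec_event_log
         (event_type, db_user, os_user, host, ip_address, module, detail)
  VALUES (p_type,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'HOST'),
          SYS_CONTEXT('USERENV', 'IP_ADDRESS'),   -- NULL for local bequeath connections
          SYS_CONTEXT('USERENV', 'MODULE'),
          p_detail);
  COMMIT;
END;
/

-- Logon trigger: who connected, from which host, with which client program.
CREATE OR REPLACE TRIGGER secaudit.trg_logon
  AFTER LOGON ON DATABASE
BEGIN
  secaudit.log_event('LOGON');
END;
/

-- Logoff trigger: BEFORE, because the session context is still readable at that point.
CREATE OR REPLACE TRIGGER secaudit.trg_logoff
  BEFORE LOGOFF ON DATABASE
BEGIN
  secaudit.log_event('LOGOFF');
END;
/

-- DDL trigger: schema changes, with the statement type and the object it touched.
CREATE OR REPLACE TRIGGER secaudit.trg_ddl
  AFTER DDL ON DATABASE
BEGIN
  secaudit.log_event('DDL',
      ora_sysevent || ' ' || ora_dict_obj_type || ' ' ||
      ora_dict_obj_owner || '.' || ora_dict_obj_name);
END;
/

-- Error trigger: ORA-00942 (object does not exist) and ORA-01031 (insufficient
-- privileges) are errors a working application should almost never raise, so a
-- burst of them from one session is worth a look.
CREATE OR REPLACE TRIGGER secaudit.trg_servererror
  AFTER SERVERERROR ON DATABASE
BEGIN
  IF ora_is_servererror(942) OR ora_is_servererror(1031) THEN
    secaudit.log_event('SERVERERROR',
        'ORA-' || LPAD(ora_server_error(1), 5, '0') || ': ' || ora_server_error_msg(1));
  END IF;
END;
/

-- Review query for the on-call DBA: sessions with many such errors in the last hour.
SELECT db_user, os_user, host, COUNT(*) AS errors
  FROM secaudit.sec_event_log
 WHERE event_type = 'SERVERERROR'
   AND event_time > SYSTIMESTAMP - INTERVAL '1' HOUR
 GROUP BY db_user, os_user, host
HAVING COUNT(*) >= 20
 ORDER BY errors DESC;
```

Failed logons never reach the error trigger (there is no session yet); `AUDIT SESSION` from step 5 records them with return code 1017. Test the logon trigger on a non-production instance first: if it raises an error, every user without ADMINISTER DATABASE TRIGGER is refused a connection.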

8. Enable Password Management for all Oracle Logins
   A. Creating Profiles
   B. Account Lockout
   C. Password Expiration
   D. Password History
   E. Password Complexity Verification

In general, the password verification function should ensure users' passwords incorporate the following criteria:
- Differs from their username
- Not a dictionary word
- At least 10 characters in length
- Include at least 1 alpha, 1 numeric, and 1 special character

9. Perform Regular Database Security Assessments
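Steps 8A to 8E and the four criteria above, carried through as an added example (not the presenter's code): a verification function enforcing the criteria and a profile that turns on lockout, expiration and history. Oracle requires the verify function to be owned by SYS, so run this as SYS. The profile name, the limits, the user APPUSER and the banned-word list are illustrative choices.

```sql
-- Added example (not from the presentation). SEC_USER_PROFILE, APPUSER, the numeric limits
-- and the short banned-word list are assumptions; the function signature is fixed by Oracle.

-- 8E: Oracle calls the function with exactly these three parameters. Return TRUE to
-- accept; raise an error to reject (the message is what the user sees).
CREATE OR REPLACE FUNCTION f_verify_password (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN
IS
  TYPE t_words IS TABLE OF VARCHAR2(30);
  -- Constructed stand-in for a real dictionary; in practice load it from a table.
  v_banned t_words := t_words('password', 'welcome', 'oracle', 'database',
                              'manager', 'change_on_install', 'qwertyuiop');
  v_lower  VARCHAR2(4000) := NLS_LOWER(password);
BEGIN
  -- Differs from the username (also rejects the username embedded in a longer string).
  IF INSTR(v_lower, NLS_LOWER(username)) > 0 THEN
    raise_application_error(-20001, 'Password must not contain the username');
  END IF;

  -- Not a dictionary word.
  FOR i IN 1 .. v_banned.COUNT LOOP
    IF v_lower = v_banned(i) THEN
      raise_application_error(-20002, 'Password is a dictionary word');
    END IF;
  END LOOP;

  -- At least 10 characters.
  IF LENGTH(password) < 10 THEN
    raise_application_error(-20003, 'Password must be at least 10 characters long');
  END IF;

  -- At least one alphabetic, one numeric and one special (non-alphanumeric) character.
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]')
     OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
    raise_application_error(-20004,
      'Password needs at least one letter, one digit and one special character');
  END IF;

  -- old_password is NULL when a DBA resets the account; otherwise insist on a change.
  IF old_password IS NOT NULL AND password = old_password THEN
    raise_application_error(-20005, 'New password must differ from the old one');
  END IF;

  RETURN TRUE;
END;
/

-- 8A: a dedicated profile rather than editing DEFAULT, so service accounts can get their own.
CREATE PROFILE sec_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5        -- 8B: lock after 5 consecutive failures
  PASSWORD_LOCK_TIME       1/24     -- 8B: auto-unlock after 1 hour (the unit is days)
  PASSWORD_LIFE_TIME       90       -- 8C: expire after 90 days
  PASSWORD_GRACE_TIME      7        -- 8C: 7 days of warnings before the account is blocked
  PASSWORD_REUSE_TIME      365      -- 8D: no reuse within 365 days ...
  PASSWORD_REUSE_MAX       10       -- 8D: ... and not until 10 other passwords have been used
  -- 8E: the function above
  PASSWORD_VERIFY_FUNCTION f_verify_password;

-- Assign the profile and force a change; the function only runs at the next password change.
ALTER USER appuser PROFILE sec_user_profile;
ALTER USER appuser PASSWORD EXPIRE;

-- Which open accounts are still on DEFAULT and therefore outside these checks?
SELECT username, profile, account_status
  FROM dba_users
 WHERE profile = 'DEFAULT' AND account_status = 'OPEN'
 ORDER BY username;
```

Oracle ships a sample function of the same shape in `$ORACLE_HOME/rdbms/admin/utlpwdmg.sql`; the version above is deliberately smaller so that each of the four criteria maps to one visible check.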

10. Encrypt Database Traffic
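Step 10 as an added example (not from the presentation): Oracle native network encryption is configured in the server's `sqlnet.ora`, so that file's settings are shown inside a SQL comment and followed by the query that confirms, from inside a session, that the protection is actually on. The parameter names are real Oracle ones; the algorithm choices are assumptions for an 11g server.

```sql
-- Added example (not from the presentation). The block comment is the content of
-- $ORACLE_HOME/network/admin/sqlnet.ora on the server, not SQL; the query below is SQL.
/*
   sqlnet.ora (server side)

   SQLNET.ENCRYPTION_SERVER = REQUIRED               # refuse clients that will not encrypt
   SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)         # no 3DES/RC4 fallback
   SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED          # integrity protection as well
   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)      # 11g ceiling; 12c adds SHA256/384/512

   REQUIRED is the setting that matters: ACCEPTED or REQUESTED negotiate down to
   plaintext whenever the client side is unset, and nobody notices.
*/

-- Run in any session after the change. With encryption on, the banner list contains an
-- "Encryption service adapter" row naming the cipher and a "Crypto-checksumming service
-- adapter" row naming the hash; without it only the generic "Encryption service" row appears.
SELECT sid, network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID')
   AND (network_service_banner LIKE '%Encryption service adapter%'
        OR network_service_banner LIKE '%Crypto-checksumming service adapter%');

-- Zero rows from the query above means this session is talking in the clear.
```

Note that `sqlnet.ora` changes take effect for new connections only; existing sessions keep whatever was negotiated at logon, so a rolling reconnect of application pools is part of the rollout.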

Security Threats and Countermeasures

Security threats can be addressed with different types of measures:

A. Procedural, such as requiring data center employees to display security badges
B. Physical, such as securing computers in restricted-access facilities
C. Technical, such as implementing strong authentication requirements for critical business systems
D. Personnel-related, such as performing background checks on or "vetting" key personnel
E. Consider whether the appropriate response to a threat is procedural, physical, technical, personnel-related, or a combination of such measures.

Issues and Actions for Policies to Address

A. Establish & maintain application-level security
B. Manage privileges & attributes (system/object/user)
C. Create, manage, and control roles (database, enterprise)
D. Establish the granularity of access control desired
E. Establish & manage the use of encryption
F. Establish & maintain security in 3-tier applications
G. Control query access, data misuse, and intrusions

Skill-sets needed for an Oracle DBA

- Conceptual System Analysis & Design skills
- Database Design skills
- Physical Disk Storage skills
- Data Security skills
- Backup and Recovery skills
- Change Control Management skills


Thank you!
