
An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.


1 An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden

2 Database security
Aaron Newman views database security as composed of multiple layers of protection that reduce the risk of intrusion, much like a medieval castle. This poses a great challenge to the intruder and gives the DBA time to take appropriate action against malicious users. Each layer is specially designed to give the highest defence against intrusion.

3 Background of project
The trigger for my project was the white paper released by David Litchfield in which he describes in detail cursor snarfing, a new security flaw he had recently discovered in Oracle databases. He published another white paper, “Which database is more secure? Oracle vs. Microsoft SQL Server”, in which he reveals the alarming security flaws in Oracle. Meanwhile Oracle claims that this flaw is trivial and rare, since it requires some impractical special cases in order to happen.

4 Background cont…
Firewalls can no longer protect databases from all intrusions, because modern database threats operate at higher layers of the OSI model than firewalls do. Attackers have found a way of bypassing firewalls by using specific search strings in search engines that lead them straight to the database.

5 The OSI model

6 The approach by Oracle
Oracle uses four major methods for its database security: authentication, roles and privileges, auditing and finally data integrity. These form the desired layered security structure: first a user is authenticated, then he is authorised to perform some actions, which are then monitored by auditing. Finally, data integrity keeps data protected and accessible only to the authorised.

7 Authentication
Authentication is verifying that users are who they claim to be; a user may be a person using a computer, a computer itself, or a program on a computer. To combat authentication breaches, Oracle allows 4 login trials before the database is blocked and allows a password to be used for only three months. Once the 4 attempts are exceeded, the database is locked for 30 days, or unlocked by the DBA after a day. Oracle claims to have safe password management and also enables users to make very strong passwords. In addition, Oracle does not allow a user to use the same password consecutively.

8 Critics of Oracle
Paul Wright published a white paper that describes how a hacker can still perform a brute force attack on the login of the Oracle database despite Oracle’s claim of a login block. Mark Burnett discusses the side effects of using login blocking as a way of combating brute force attacks. An intruder can cause a DoS, harvest usernames from a site, create a diversion by flooding the help desk with support calls, or disable an account by continually locking it. Account lockout is ineffective against slow attacks, attacks that try one password against a large list of usernames, first-time correct guesses, and DBA accounts.
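The lockout and password-ageing rules on slide 7 map onto an Oracle password profile, and the two gaps slide 8 lists (slow attacks and one password tried against many accounts) are visible in the audit trail if you look for them. This is an added example, not code from the presentation: the profile, user and host names are hypothetical, the limits mirror the slide's figures, and the queries assume AUDIT SESSION is enabled so that DBA_AUDIT_SESSION is populated.

```sql
-- Password policy as a profile (hypothetical names; limits follow slide 7)
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS     4       -- 4 failures, then the account is locked
  PASSWORD_LOCK_TIME        30      -- stays locked 30 days unless the DBA unlocks it
  PASSWORD_LIFE_TIME        90      -- password valid for roughly three months
  PASSWORD_GRACE_TIME       7       -- days allowed to change it after expiry
  PASSWORD_REUSE_MAX        5       -- reuse only after 5 other passwords ...
  PASSWORD_REUSE_TIME       365     -- ... and a year (both limits must be met)
  PASSWORD_VERIFY_FUNCTION  verify_function;  -- created by utlpwdmg.sql
ALTER USER app_user PROFILE app_user_profile;
-- The DBA unlocks an account early, as slide 7 mentions
ALTER USER app_user ACCOUNT UNLOCK;

-- Lockout does not stop "one password against many accounts": find a host
-- that failed against many distinct usernames in the last hour
-- (returncode 1017 = invalid password, 28000 = account already locked).
SELECT userhost,
       COUNT(DISTINCT username) AS accounts_tried,
       COUNT(*)                 AS failures
FROM   dba_audit_session
WHERE  action_name = 'LOGON'
AND    returncode IN (1017, 28000)
AND    timestamp > SYSDATE - 1/24
GROUP  BY userhost
HAVING COUNT(DISTINCT username) >= 10;

-- Nor does it stop a slow attack that stays under 4 failures per lockout
-- window: count failures per host and account over a week instead.
SELECT userhost, username,
       COUNT(*)       AS failures,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_session
WHERE  action_name = 'LOGON'
AND    returncode = 1017
AND    timestamp > SYSDATE - 7
GROUP  BY userhost, username
HAVING COUNT(*) >= 20;
```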

9 Roles and Privileges
Oracle offers different privileges to different users. These are rights to execute particular SQL statements, e.g. creating tables or executing stored procedures. To provide easy privilege management and control, privileges can be bundled together into a role (a group of privileges assigned to a group of users or to a single user). Roles make it easy to monitor and alter the privileges granted to a group of users for security reasons. Roles also allow some privileges to be password protected, which narrows down the search criteria in case of a breach. Roles can be assigned to other roles and then finally to users.
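The role mechanics on this slide (bundling privileges, password-protecting a role, nesting roles, reviewing a group's access) in Oracle DDL. This is an added example, not from the presentation; the HR schema, the users ALICE and BOB, the role names and the role password are all hypothetical placeholders.

```sql
-- Plain role bundling read access (hypothetical HR schema)
CREATE ROLE hr_reader;
GRANT SELECT ON hr.employees   TO hr_reader;
GRANT SELECT ON hr.departments TO hr_reader;
-- Password-protected role: its privileges stay dormant in a session until
-- the application enables it, so a stolen user password alone is not enough
CREATE ROLE hr_payroll IDENTIFIED BY Payroll_Role_Pw1;   -- placeholder password
GRANT UPDATE (salary) ON hr.employees TO hr_payroll;      -- column-level grant
-- Role hierarchy: payroll staff also get read access through hr_reader
GRANT hr_reader TO hr_payroll;
-- Assign roles to users; keep the protected role out of BOB's default set
GRANT hr_reader  TO alice;
GRANT hr_payroll TO bob;
ALTER USER bob DEFAULT ROLE ALL EXCEPT hr_payroll;
-- In BOB's session the application enables the role only when it needs it
-- (enabling hr_payroll also enables the nested hr_reader)
SET ROLE hr_payroll IDENTIFIED BY Payroll_Role_Pw1;
-- What a DBA checks when monitoring or altering access for a group
SELECT grantee, granted_role, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('HR_READER', 'HR_PAYROLL');
SELECT role, privilege, table_name, column_name
FROM   role_tab_privs
WHERE  role IN ('HR_READER', 'HR_PAYROLL');
-- Revoking the role removes every bundled privilege in one step
REVOKE hr_payroll FROM bob;
```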

10 Auditing
Auditing is the monitoring and recording of database user actions. Audits can be triggered when specified elements in an Oracle database are accessed or altered. Auditing keeps a record of both failed and successful attempts on the server. One disadvantage of auditing is that there is no mechanism to prevent the DBA from tampering with the audit output if an attacker gains SYS privileges.
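Statement and object auditing as described on this slide, with the one setting that partly addresses the SYS-tampering caveat. This is an added example, not code from the presentation; the HR.EMPLOYEES table is a hypothetical name, and the parameter changes take effect only after the instance is restarted.

```sql
-- Audit records go to SYS.AUD$; DB_EXTENDED (10gR2) also keeps the SQL text.
-- Static parameter: takes effect after the instance restarts.
ALTER SYSTEM SET audit_trail = DB_EXTENDED SCOPE = SPFILE;
-- Every logon and logoff, successful or failed (feeds DBA_AUDIT_SESSION)
AUDIT SESSION;
-- Who reads or changes the sensitive table, one record per statement
AUDIT SELECT, UPDATE, DELETE ON hr.employees BY ACCESS;
-- Changes to the security model itself
AUDIT CREATE USER, ALTER USER, DROP USER, ALTER PROFILE,
      GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;
-- Partial answer to the SYS-tampering caveat: SYSDBA/SYSOPER actions are
-- written to operating-system files under AUDIT_FILE_DEST, which cannot be
-- edited from inside SQL, so they survive an attacker who only has SYS.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
-- Review: failed statements against EMPLOYEES in the last day
SELECT username, userhost, timestamp, action_name, returncode
FROM   dba_audit_object
WHERE  owner = 'HR' AND obj_name = 'EMPLOYEES'
AND    returncode <> 0
AND    timestamp > SYSDATE - 1
ORDER  BY timestamp;
-- Review: confirm what is currently being audited
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT object_name, sel, upd, del FROM dba_obj_audit_opts WHERE owner = 'HR';
```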

11 Data Integrity
Data integrity is the act of ensuring that data is complete and identically maintained during an operation such as transfer, storage or retrieval. Oracle encrypts data by a process called Transparent Data Encryption, which restricts data retrieval by unauthorised users. The encryption and decryption of data is handled by the database instead of by users and applications; even the DBA has no access to the data. This is the peak of Oracle’s layered security, after firewalls, authentication and authorisation. It can be implemented using simple and easy SQL commands.
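The "simple SQL commands" this slide refers to, for the column-level Transparent Data Encryption that Oracle 10g R2 provides. This is an added example, not code from the presentation; the HR tables, the wallet directory and the wallet password are hypothetical placeholders.

```sql
-- Server-side prerequisite in sqlnet.ora (not SQL): where the wallet lives, e.g.
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/etc/oracle/wallet)))
-- Create the master key; on first use this also creates and opens the wallet
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";
-- Encrypt an existing column in place (10gR2 TDE is column-level)
ALTER TABLE hr.employees MODIFY (card_number ENCRYPT USING 'AES256');
-- New table with an encrypted column; SALT (the default) stops equal values
-- producing equal ciphertext, at the cost of the column not being indexable
CREATE TABLE hr.bank_details (
  employee_id NUMBER        PRIMARY KEY,
  account_no  VARCHAR2(34)  ENCRYPT USING 'AES256' SALT
);
-- After every instance restart the wallet is closed and these columns raise
-- ORA-28365 until someone who knows the wallet password opens it again
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";
-- Verify what is protected and how
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns;
-- Scope: TDE protects datafiles and backups at rest. It is transparent to any
-- session that holds SELECT on the table, so the grants from slide 9 and the
-- custody of the wallet password decide who can read the plaintext.
```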

12 Oracle’s Software Security Assurance
Strong safeguards against security flaws must be in place, since a flaw can let intruders bypass even the toughest security measure. A secure system does not only offer security features but also prevents security flaws. Oracle claims to have security assurance that prevents security flaws. Contrary to Oracle’s claims, David Litchfield in his white paper claims that Oracle does not keep a record of the problems encountered and does not understand them. Litchfield's claim is strengthened by the number of patches that Oracle has advised DBAs to install, which has the effect of adding complexity to the system.

13 Cont…
(Chart: number of flaws plotted against years.)

14 Summary
Database security is crucial to the safety of a user’s personal data, which includes card numbers, bank details and medical details. Firewalls on their own cannot combat all database security concerns. Databases are safe if they remain isolated from any network. Oracle offers a layered security structure like that of a medieval castle: the outermost layer uses the network firewalls, followed by authentication and authorisation (roles and privileges), auditing and finally data encryption.

15 Questions and Answers

