Presentation is loading. Please wait.

Presentation is loading. Please wait.

Oracle Security Radoslav Rusinov ING Wholesale Banking.

Similar presentations


Presentation on theme: "Oracle Security Radoslav Rusinov ING Wholesale Banking."— Presentation transcript:

1 Oracle Security Radoslav Rusinov ING Wholesale Banking

2 2 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion

3 3 of 58 Why is security necessary? Security threats have grown monthly Unauthorized access to servers, databases and applications Worms / Viruses Software vulnerabilities Theft / Hacker intrusions Operator or user errors 70% of intrusions are internal

4 4 of 58 Security Breaches – Last Cases – Bank of America Corp. loses credit card info of 1.2M federal workers – Stolen computers from San Jose Medical Group contain data on 185,000 patients – Data broker LexisNexis Group said that hackers have stolen data of 310,000 people – British HSBC Bank PLC warns for stolen data of 180,000 credit card customers – Bulgarian National Cardiologic Hospital informs of an intrusion attack

5 5 of 58 Intrusions – Business Impact Damage to image and reputation Loss of Customer confidence Loss of Partner confidence Loss of Business Impact in the revenue Benefits competition

6 6 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion

7 7 of 58 Information Security Every organization should secure its information They should use security management strategy

8 8 of 58 Information Security - Regulatory Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley Act California SB 1386 GLB – Gramm-Leach-Biley Act MasterCard Site Data Protection (SDP) Payment Card Industry (PCI) Data Security Standard Visa USA Cardholder Information Security Program (CISP) ISO IEC 17799/BS7799 Standard

9 9 of 58 Information Security - Certifying Certification Organizations - BSI, DNV, KPMG, Certification Europe, KEMA, JACO IS Vulnerability Assessment/Penetration Testing by Information Security Audit Companies – KPMG, PricewaterhouseCoopers SANS Best practices in Information Security URL: Information Security News – URL:

10 10 of 58 Information Security - Own Procedures Organizations can follow their own Information Security Standards The Database Security is important part of these standards

11 11 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion

12 12 of 58 Securing Databases - Layers

13 13 of 58 Securing Databases - Common Steps Write a database security procedure Record the current configuration Test and implement the procedure Record the OS configuration Record the database configuration Record the security configuration Monitor the environment Regular checks Update your security plan

14 14 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks

15 15 of 58 OS Security – Owner of Oracle software - 1/2 Do not name the owner of Oracle software “oracle” This is considered as “security through obscurity” Limit access to the account that owns Oracle software using mechanisms like “sudo” Create different users for every part of Oracle software. Examples: Oralsnr – for the listener Oradb – for the database

16 16 of 58 OS Security – Owner of Oracle software - 2/2 The user used to install Oracle should be a local one Prohibit sys administrators to access files owned by “oracle” “oracle” account should not be a member of the admin group Check members of the ORA_DBA / OSDBA group Only database administrators should be assigned to the ORA_DBA / OSDBA group

17 17 of 58 OS Security – File Permissions - 1/2 Verify permissions for files under the ORACLE_BASE and ORACLE_HOME directories Disable the otrace utility – Metalink note: Oracle processes should be run through the Oracle software account (or ORA_DBA group) On Windows, Oracle services are using “Local System Account” – it should be changed On Windows, restrict access to directory C:\Program Files\Oracle

18 18 of 58 OS Security – File Permissions - 2/2 Remove or restrict permissions on all saved script files after creating the database On Windows - Restrict access to Windows Registry - Give Full Control over registry key HKEY_LOCAL_MACHINE\Software\Oracle to the account that will run Oracle Services - Use regedt32.exe for changing Registry Security Policy If database backups are written to the system disks, verify the permissions for this directory

19 19 of 58 OS Security – Usernames and Passwords On Unix - restrict the “ps” command at the OS level - check the cron jobs Check the server for scripts that contains usernames and passwords Check all environment variables Check client machines for application configuration files Use secure IP communications

20 20 of 58 OS Security – Auditing Start OS level auditing for unauthorized use of Oracle. For particular directories – tripwire For monitoring and analyzing of log files – swatch, logcheck For checking of integrity of Oracle binary and configuration files – tripwire, samhain, AIDE Oracle provides a tool for monitoring OracleAS – iHAT Save audit log files on secured remote servers Check processes regularly

21 21 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks

22 22 of 58 Oracle Authentication – Password Policy All employees that are using the database must have own accounts Use Oracle password management features: alter profile default limit failed_login_attempts 3 password_life_time 60 password_reuse_max 20 password_lock_time 1; User passwords should be changed on a regular basis Create different profiles for different types of users

23 23 of 58 Oracle Authentication – Weak Passwords Enable password verification function Check for default accounts that are installed as part of Oracle installation Check application accounts for username/password matching Check for weak passwords Check for roles with default passwords

24 24 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks

25 25 of 58 Access to the Database - 1/3 Limit access to roles that consists of _CATALOG_ Use manually created roles Roles that are powerful should be password protected Use password protected role when DML is used Check for users or roles with granted privileges consists of “all privileges”, “any”, “with admin”, “with grant” Review the system privileges granted to users

26 26 of 58 Access to the Database - 2/3 Check for granted direct privileges on objects, use roles Check for granted “CREATE LIBRARY”, “ALTER SYSTEM” or “CREATE PROCEDURE” Check for users that have “CREATE ANY DIRECTORY” privilege Check for users that have “CREATE JOB” or “CREATE ANY JOB” privilege (10G) Check user objects in SYSTEM tablespace

27 27 of 58 Access to the Database - 3/3 Check for “external” users Revoke RESOURCE role from user accounts Revoke CONNECT role from user accounts Check for users with “CREATE ANY TRIGGER” privilege Check for users that have access to data dictionary views and tables Check for users that have “SELECT ANY TABLE” privilege

28 28 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks

29 29 of 58 Securing PUBLIC Role - 1/3 Grant privileges to appropriate users before revoking revoke all on utl_tcp from public; revoke all on utl_http from public; revoke all on utl_smtp from public; revoke all on utl_file from public; revoke all on dbms_random from public; revoke all on dbms_lob from public; revoke all on dbms_sql from public;

30 30 of 58 Securing PUBLIC Role - 2/3 revoke all on dbms_sys_sql from public; revoke all on dbms_job on public; revoke all on dbms_scheduler from public; revoke all on owa_util from public; revoke all on utl_xml from public; revoke all on dbms_java_test from public; revoke all on dbms_lock from public; revoke all on dbms_pipe from public;

31 31 of 58 Securing PUBLIC Role - 3/3 revoke select on all_db_links from public; revoke select on all_users from public; revoke select on all_catalog from public; revoke select on all_java_classes from public; revoke select on all_source from public; revoke select on all_tab_privs from public; Check all PUBLIC execute privileges on packages owned by SYS (XMLDB problem)

32 32 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks

33 33 of 58 Initialization Parameters - 1/2 Check user_dump_dest, background_dump_dest and core_dump_dest Set global_names=TRUE Set max_enabled_roles=30 Set os_authent_prefix=“” (a null string) Set os_roles=FALSE Set o7_dictionary_accessibility=FALSE Set remote_os_authent=FALSE Set remote_os_roles=FALSE Set remote_listener=“” (a null string) Set sql92_security=TRUE

34 34 of 58 Initialization Parameters - 2/2 Set row_locking=ALWAYS Set remote_login_passwordfile=NONE Avoid using the utl_file_dir parameter Set dblink_encrypt_login=TRUE. For “client to server” connections set ORA_ENCRYPT_LOGIN=TRUE environment variable Set transaction_auditing=TRUE Check if that IFILE is used Periodically check the instance

35 35 of 58 Initialization Parameters - Hidden Set _trace_file_public=FALSE Set _system_trig_enabled=TRUE Review on regular basis all hidden parameters

36 36 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks

37 37 of 58 Application Security – 1/4 Wrap the PL/SQL application code Checksum the PL/SQL source code and Java classes DECLARE v_counter NUMBER; BEGIN v_counter := 0; FOR c IN (SELECT text FROM user_source WHERE NAME='TEST_PKG' ORDER BY line) LOOP v_counter := v_counter + owa_opt_lock.checksum(c.text); END LOOP; dbms_output.put_line('checksum: '||v_counter); END; Check the code for hard coded passwords

38 38 of 58 Application Security – 2/4 Check the PL/SQL code for SQL injection and PL/SQL injection possibilities. Some guidelines: - use bind variables - review the new code for security compliance - secure PUBLIC role - do not use dynamic SQL and PL/SQL - use input filtering for web-based PL/SQL Prevent your web-based applications from Cross Site Scripting. Use output filtering

39 39 of 58 Application Security – 3/4 Check which applications access the database Control which applications access your database Review grants of the application account Batch processes should use own account Encrypt critical application data Write procedures for adding new applications Write procedures for employee movers, leavers and joiners Secure Test and Development databases

40 40 of 58 Application Security – 4/4 Restrict access to SQL*Plus Disable iSQL*Plus or limit access to it. Restrict access to debugging interfaces -Oradebug -DBMS_DEBUG -JDeveloper -Oracle tracing Do not publish information about your production environments. Try Google.com

41 41 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks

42 42 of 58 Auditing – 1/2 Set audit_trail=DB, or OS Use OS audit instead DB audit Audit SYS activities Audit DML failures Audit CREATE SESSION Audit using of GRANT, DROP, ALTER statements on application accounts Audit CREATE USER, CREATE ROLE on on application accounts Audit CREATE statements on application accounts

43 43 of 58 Auditing – 2/2 Audit employee's database accounts Use process to monitor database activities and sends SMS or Consider row level auditing Write procedures for protection of generated audit info Review regularly generated audit logs Logs for checking for suspicious activities - on OS level – Eventviewer / Syslog - listener.log, sqlnet.log - access_log, error_log, Apache.log

44 44 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks

45 45 of 58 Securing the Network – 1/2 Secure the listener Create separate listeners for clients and for administration Configure Oracle to use your firewall (Windows) Use a personal firewall on all database administration computers Accept connections from short list of IP addresses Search for sqlnet.log files on the server and client machines Set log_directory_client in sqlnet.ora

46 46 of 58 Securing the Network – 2/2 Secure used database links. There are passwords in clear text in sys.link$ table Write a policy for managing database links Check with port scanner for open default ports Secure the Intelligent agent Encrypt communication between all Oracle clients and the database. Use IPSec or SSL

47 47 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks

48 48 of 58 Availability Review backup and restore procedures Check periodically the backup media integrity Backups should be available only off-site Write procedures for backup tape retrieval to prevent social engineering Format all old and not already used disks (DUL and BBED tools) Secure the fallback databases as they are production one Write and test disaster recovery procedures

49 49 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion OS Security Oracle Authentication Access to the Database Securing PUBLIC Role Initialization Parameters Application Security Auditing Securing the Network Availability Regular Checks

50 50 of 58 Regular Checks Check for unauthorized changes Monitor the audited information Review members of the ORA_DBA/OSDBA groups Review the recorded database configuration Monitor listener.log for brute force attacks Test the disaster recovery procedures Test the recovery procedures Install the latest Oracle security patches Stay up-to-date with latest known Oracle vulnerabilities (mailing lists and sites)

51 51 of 58 Agenda The need of Security Information Security Securing Databases Securing Oracle Recommended Readings Conclusion

52 52 of 58 Recommended Readings - Papers Oracle Database Security Benchmark - SANS Oracle Database Checklist - _Database_Checklist.pdf _Database_Checklist.pdf Oracle Security Papers - Oracle 10G – Security Guide Protecting Oracle Databases – white paper

53 53 of 58 Recommended Readings - Sites /http://www.securityfocus.com urityhttp://www.computerworld.com/securitytopics/sec urity

54 54 of 58 Recommended Readings - Books

55 Recommended Readings - Books

56 56 of 58 Recommended Readings – Books Oracle Database Security, Audit & Control Features (PricewaterhouseCoopers – 2004) Security, Audit & Control Features Oracle Applications: A Technical and Risk Management Reference Guide (Deloitte & Touche Tohmatsu Research Team ) Oracle Security Handbook : Implement a Sound Security Plan in Your Oracle Environment (Oracle Press – 2001) Oracle Security (O’Reilly – 1998)

57 57 of 58 Conclusion Do not wait to be hacked Implement some security policy Stay up-to-date Improve the policy repeatedly The mentioned steps are not rules – they are information Do not implement everything – balance between security, performance and usability

58 58 of 58 Questions or Comments Radoslav Rusinov


Download ppt "Oracle Security Radoslav Rusinov ING Wholesale Banking."

Similar presentations


Ads by Google