Want To Secure Your Database? Ask Me How! Presented by: Nitesh Chiba, Principal Consultant, RDC; Casper Wolmarans, Service Delivery Manager, RDC.


Introduction. The exploits shown in this presentation can easily be found on the Internet and in numerous research papers. With the rise in data theft and the introduction of compliance laws in South Africa to protect data (POPI), database security can no longer be ignored. To avoid reputational and financial risk, the DBA has to ensure that the company's databases are secure.

Agenda: Man In The Middle Attack; Data Redaction; Privilege Escalation; Oradebug Utility; Project Alcatraz; Recommendations; Summary.

Man In The Middle Attack. A man-in-the-middle attack is one in which an attacker intercepts the communication between two parties. Example: the TNS Listener Poison Attack, which can be exploited remotely without a username or password.

TNS Listener Poison Attack (diagram): SAOUG_CLIENT, TESTBOX (Database), SAOUG_ATTACKER.

TNS Listener Poison Attack

Protection: On RAC, use SECURE_REGISTER_listener_name to restrict instance registration (Doc ID). By default, 12c won't allow remote servers to register their database instances. In Oracle and Oracle 12c, use the "Valid Node Checking for Registration" feature if remote registration is required. Disable dynamic registration on single-instance databases.
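The three listener-side mitigations above, written out as a listener.ora fragment. This is an added example, not from the presentation; the listener name LISTENER and the invited host names are assumptions.

```ini
# Added example: listener.ora hardening against TNS listener poisoning.
# Listener name (LISTENER) and host names are assumptions; adapt them.

# Single-instance database: turn dynamic (remote) registration off entirely.
# Services are then served only from static SID_LIST entries.
DYNAMIC_REGISTRATION_LISTENER = OFF

# Registration allowed only on the IPC endpoint, so nothing arriving over
# the network can register an instance or service with this listener.
# (Remote RAC nodes cannot use IPC; use TCPS here or VNCR below for them.)
SECURE_REGISTER_LISTENER = (IPC)

# Valid Node Checking for Registration: ON accepts registrations from the
# local machine plus the invited nodes only; everything else is rejected.
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
REGISTRATION_INVITED_NODES_LISTENER = (racnode1.example.com, racnode2.example.com)
```

Reload the listener (lsnrctl reload) after editing and confirm with lsnrctl services that only the expected instances are registered.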

Data Redaction. Oracle Data Redaction enables you to mask (redact) data that is returned from queries. Before redaction (EMPLOYEE / SALARY): Larry 89000, Bill 10000.

Data Redaction. Apply a redaction policy to the column that you want to mask. After redaction (EMPLOYEE / SALARY): Larry 0, Bill 0.

Data Redaction DEMO

Data Redaction. According to the Oracle documentation, Data Redaction is not designed to prevent data exposure to database users who run ad hoc queries directly on the database. Keep in mind that a malicious user can bypass Data Redaction policies in certain circumstances.
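The EMPLOYEE/SALARY redaction from the earlier slides, built end to end, followed by the check that shows why the documentation caveat above matters. This is an added example, not the presenters' demo; the HR schema, the table definition and the policy name are assumptions.

```sql
-- Added example: full redaction of HR.EMPLOYEE.SALARY (schema/table assumed).
CREATE TABLE hr.employee (name VARCHAR2(30), salary NUMBER);
INSERT INTO hr.employee VALUES ('Larry', 89000);   -- constructed rows
INSERT INTO hr.employee VALUES ('Bill',  10000);
COMMIT;

-- Full redaction returns 0 for NUMBER columns, matching the slide.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEE',
    column_name   => 'SALARY',
    policy_name   => 'redact_salary',
    function_type => DBMS_REDACT.FULL,
    expression    => '1=1');          -- policy applies to every session
END;
/

-- An ordinary user now sees Larry 0 / Bill 0.
SELECT name, salary FROM hr.employee;

-- The caveat: redaction rewrites the result set only. A predicate still
-- evaluates the real value, so an ad hoc query can infer the data
-- (this returns Larry). Redaction is display masking, not access control;
-- restrict SELECT on the table itself for users who must not see salaries.
SELECT name FROM hr.employee WHERE salary > 50000;

-- Review who is exempt from every redaction policy in the database.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT REDACTION POLICY';

-- Inventory of active policies, to be reviewed alongside the exemptions.
SELECT object_owner, object_name, policy_name, enable
FROM   redaction_policies;
```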

Privilege Escalation Privilege Escalation is the act of exploiting a bug or design flaw to gain elevated access.

Privilege Escalation

Does Privilege Escalation work on a 12c database ?

Privilege Escalation. Create any procedure / Execute any procedure works on . Create any index – insufficient. INHERIT PRIVILEGES in and c: database more secure because of inherit privileges. Using DBMS_ADVISOR for privilege escalation is a known issue for .

Privilege Escalation 12c

Privilege Escalation. Protection: work on the principle of least privilege. Review the privileges given to users. Revoke unnecessary privileges from PUBLIC.
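Review queries and revokes for the privileges the two slides above tie to escalation (the ANY privileges, DBMS_ADVISOR granted to PUBLIC, and 12c INHERIT PRIVILEGES). This is an added example, not from the presentation; the user name APP_USER is an assumption, the views are Oracle's standard data-dictionary views.

```sql
-- Added example: least-privilege review for the escalation paths on the slides.

-- 1. Who holds the ANY privileges named on the slides? Each grantee here
--    should be a DBA or have a documented reason.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE',
                     'CREATE ANY INDEX')
ORDER  BY grantee, privilege;

-- 2. SYS packages that PUBLIC may execute; DBMS_ADVISOR is the one the
--    slides single out, so flag it explicitly.
SELECT table_name,
       CASE table_name WHEN 'DBMS_ADVISOR' THEN 'REVIEW' END AS flag
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC' AND owner = 'SYS' AND privilege = 'EXECUTE'
AND    table_name LIKE 'DBMS%'
ORDER  BY table_name;

-- 3. 12c: INHERIT PRIVILEGES is granted to PUBLIC on every user by default.
--    A definer's-rights procedure owned by a privileged user should not
--    inherit the invoker's privileges from arbitrary users.
SELECT table_name AS on_user, grantee
FROM   dba_tab_privs
WHERE  privilege = 'INHERIT PRIVILEGES'
ORDER  BY table_name;

-- 4. Remediation once the review confirms nothing legitimate depends on it.
REVOKE EXECUTE ON sys.dbms_advisor FROM PUBLIC;
REVOKE INHERIT PRIVILEGES ON USER app_user FROM PUBLIC;   -- app_user assumed
```

Re-run queries 1 to 3 after each CPU/PSU, since patches and new schemas can reintroduce grants.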

Oradebug. Oradebug is an undocumented debugging utility provided with the Oracle database. How can Oradebug be used to bypass auditing?

Oradebug

Apply the patch and use _fifteenth_spare_parameter / _disable_oradebug_commands (available in and 12.1). Values: none (default); all – disable oradebug (support + online patching); restricted – disable certain commands.
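Setting and verifying the hidden parameter named on the slide, as an added example (not from the presentation). It assumes the patch is already applied and the session is SYSDBA; on the patched earlier release the slide names _fifteenth_spare_parameter, so substitute that name there.

```sql
-- Added example: lock down oradebug with the parameter from the slide.
-- Values per the slide: none (default), restricted, all.
ALTER SYSTEM SET "_disable_oradebug_commands" = 'all' SCOPE = SPFILE;
-- Restart the instance for the SPFILE setting to take effect.

-- Hidden (underscore) parameters are not visible in V$PARAMETER;
-- read them from the fixed tables X$KSPPI (name) and X$KSPPCV (value).
SELECT i.ksppinm AS parameter, v.ksppstvl AS value
FROM   x$ksppi  i
JOIN   x$ksppcv v ON v.indx = i.indx
WHERE  i.ksppinm LIKE '\_disable_oradebug%' ESCAPE '\';

-- Verification from SQL*Plus after the restart: with 'all' in effect this
-- should fail instead of attaching to the session's process.
-- SQL> ORADEBUG SETMYPID
```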

Project Alcatraz

Recommendations. Research and review all database security standards and best practices for Oracle. Choose a hardening guideline. Define a security policy for your environment. Proactively monitor your security policy (Alcatraz or other available tools). Choose tools to secure your environment.

Summary. Gone are the days when the DBA focused only on administration and performance tuning. The DBA's role in securing the database is now more critical. Proactive monitoring is key. Applying the latest CPU/PSU patch is compulsory. Database security is no longer optional. The DBA needs to keep up to date with the latest security exploits to ensure that the database stays protected.