Presentation is loading. Please wait.

Presentation is loading. Please wait.

Want To Secure Your Database ? Ask Me How! Presented by: Nitesh Chiba, Principal Consultant, RDC Casper Wolmarans, Service Delivery Manager, RDC.

Published byTracey Greer Modified over 9 years ago

Similar presentations

Presentation on theme: "Want To Secure Your Database ? Ask Me How! Presented by: Nitesh Chiba, Principal Consultant, RDC Casper Wolmarans, Service Delivery Manager, RDC."— Presentation transcript:

1 Want To Secure Your Database ? Ask Me How! Presented by: Nitesh Chiba, Principal Consultant, RDC Casper Wolmarans, Service Delivery Manager, RDC

2 Introduction The exploits found in this presentation can be easily found on the Internet and numerous research papers. With the rise in data theft and the introduction of various compliance laws in South Africa to protect data (POPI), database security can no longer be ignored. To avoid reputational and financial risks the DBA has to ensure that the companies databases are secure.

3 Agenda Man In The Middle Attack Data Redaction Privilege Escalation Oradebug Utility Project Alcatraz Recommendations Summary

4 Man In The Middle Attack A man in the middle attack is where a hacker intercepts communication between two parties. Example: TNS Listener Poison Attack. Can be exploited remotely without a username or password.

5 TNS Listener Poison Attack SAOUG_CLIENT TESTBOX (Database) SAOUG_ATTACKER

6 TNS Listener Poison Attack

7 Protection: RAC – use SECURE_REGISTER_listener_name to restrict instance registration - Doc ID 1340831.1 By default 12c won’t allow remote servers to register their database instances. In Oracle 11.2.0.4 and Oracle 12c use the “Valid Node Checking for Registration” feature if remote registration is required. Disable dynamic registration on single instance databases.

8 Data Redaction Oracle Data Redaction enables you to mask (redact) data that is returned from queries. Before Redaction EMPLOYEESALARY Larry89000 Bill10000

9 Data Redaction Apply a redaction policy to the column that you want to mask. Redaction EMPLOYEESALARY Larry0 Bill0

10 Data Redaction DEMO

11 Data Redaction According to the Oracle Documentation: Not designed to prevent data exposure to database users who run ad hoc queries directly on the database. Need to keep in mind that a malicious user can bypass Data Redaction policies in certain circumstances.

12 Privilege Escalation Privilege Escalation is the act of exploiting a bug or design flaw to gain elevated access.

13 Privilege Escalation

14 Does Privilege Escalation work on a 12c database ?

15 Privilege Escalation Create any procedure/Execute any procedure works on 12.1.0.1.0 Create any index – insufficient INHERIT PRIVILEGES in 12.1.0.1.0 and 12.1.0.2.0 12c database more secure because of inherit privileges. Using DBMS_ADVISOR for privilege escalation is a known issue for 12.1.0.1.0

16 Privilege Escalation 12c

17 Privilege Escalation Protection: Work on the principle of least privileges. Review privileges given to users. Revoke unnecessary privileges from public.

18 Oradebug Oradebug is an undocumented debugging utility provided with the Oracle database. How can we use Oradebug to bypass auditing ?

19 Oradebug

20 11.2.03 apply patch and use _fifteenth_spare_parameter _disable_oradebug_commands – available in 11.2.0.4 and 12.1 none-default all – disable oradebug (support+online patching), Restricted – disable certain commands

21 Project Alcatraz

22

23

24

25

26 Recommendations Research and review all database security standards and best practices for Oracle. Choose a hardening guideline. Define a security policy for your environment. Proactively monitor your security policy (Alctraz or other available tools). Choose tools to secure your environment.

27 Summary Gone are the days when the DBA only focuses on administration and performance tuning. The role of the DBA in securing the database is now more critical. Proactive monitoring is key. Applying the latest CPU/PSU patch is compulsory. Database security is no longer an option. The DBA needs to constantly keep up to date with the latest security exploits to ensure that the database is protected.

28

Download ppt "Want To Secure Your Database ? Ask Me How! Presented by: Nitesh Chiba, Principal Consultant, RDC Casper Wolmarans, Service Delivery Manager, RDC."

Similar presentations

Security Update Server Registration, Active scanning and Windows patching.

Security Update Server Registration, Active scanning and Windows patching.
An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.

NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.
Understand Database Security Concepts

Understand Database Security Concepts
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development.

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development.
Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &

Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Administering User Security

Administering User Security
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Maintaining & Reviewing a Web Application’s Security By: Karen Baldacchino Date: 15 September 2012.

Maintaining & Reviewing a Web Application’s Security By: Karen Baldacchino Date: 15 September 2012.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Project Implementation for COSC 5050 Distributed Database Applications Lab1.

Project Implementation for COSC 5050 Distributed Database Applications Lab1.
10 Copyright © 2005, Oracle. All rights reserved. Implementing Oracle Database Security.

10 Copyright © 2005, Oracle. All rights reserved. Implementing Oracle Database Security.
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

Similar presentations

Ads by Google