Radoslav Rusinov
ING Wholesale Banking
Why is security necessary?
• Security threats grow month by month
• Unauthorized access to servers, databases and applications
• Worms / viruses
• Software vulnerabilities
• Theft / hacker intrusions
• Operator or user errors
• 70% of intrusions are internal
3 of 58
Security Breaches – Last Cases
• 25.02.2005 – Bank of America Corp. loses credit card info of 1.2M federal workers
• 08.04.2005 – Stolen computers from San Jose Medical Group contain data on 185,000 patients
• 12.04.2005 – Data broker LexisNexis Group said that hackers have stolen data of 310,000 people
• 14.04.2005 – British HSBC Bank PLC warns of stolen data of 180,000 credit card customers
• 15.04.2005 – Bulgarian National Cardiologic Hospital reports an intrusion attack
4 of 58
Intrusions – Business Impact
5 of 58
Information Security
• Every organization should secure its information
• It should follow a security management strategy
7 of 58
Information Security - Regulatory
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act
• California SB 1386
• GLB – Gramm-Leach-Bliley Act
• MasterCard Site Data Protection (SDP)
• Payment Card Industry (PCI) Data Security Standard
• Visa USA Cardholder Information Security Program (CISP)
• ISO/IEC 17799 / BS 7799 Standard
8 of 58
Information Security - Certifying
9 of 58
Information Security - Own Procedures
10 of 58
Securing Databases - Layers
12 of 58
Securing Databases - Common Steps
• Write a database security procedure
• Record the current configuration
• Test and implement the procedure
• Record the OS configuration
• Record the database configuration
• Record the security configuration
• Monitor the environment
• Regular checks
• Update your security plan
13 of 58
Agenda
• The need of Security
• Information Security
• Securing Databases
• Securing Oracle
  - OS Security
  - Oracle Authentication
  - Access to the Database
  - Securing PUBLIC Role
  - Initialization Parameters
  - Application Security
  - Auditing
  - Securing the Network
  - Availability
  - Regular Checks
• Recommended Readings
• Conclusion
14 of 58
OS Security – Owner of Oracle software - 1/2
• Do not name the owner of the Oracle software "oracle"
• This is only "security through obscurity", but it removes a default that every attacker tries first
• Limit access to the account that owns the Oracle software using mechanisms like "sudo"
• Create a different user for every part of the Oracle software. Examples:
  - oralsnr – for the listener
  - oradb – for the database
15 of 58
OS Security – Owner of Oracle software - 2/2
• The user used to install Oracle should be a local account, not a domain one
• Prevent system administrators from accessing files owned by the Oracle software account
• The Oracle software account should not be a member of the administrators group
• Check the members of the ORA_DBA / OSDBA group: anyone in it can connect AS SYSDBA without a password
• Only database administrators should be assigned to the ORA_DBA / OSDBA group
16 of 58
OS Security – File Permissions - 1/2
• Verify permissions for files under the ORACLE_BASE and ORACLE_HOME directories
• Disable the otrace utility – Metalink note 192541.995
• Oracle processes should run under the Oracle software account (or the ORA_DBA group)
• On Windows, Oracle services run as the "Local System Account" by default – change this to a dedicated account
• On Windows, restrict access to the directory C:\Program Files\Oracle
17 of 58
OS Security – File Permissions - 2/2
• Remove or restrict permissions on all saved script files after creating the database
• On Windows
  - Restrict access to the Windows Registry
  - Give Full Control over the registry key HKEY_LOCAL_MACHINE\Software\Oracle to the account that will run the Oracle services
  - Use regedt32.exe for changing the Registry security policy
• If database backups are written to the system disks, verify the permissions for this directory
18 of 58
OS Security – Usernames and Passwords
• On Unix
  - restrict the "ps" command at the OS level (command lines can expose passwords passed as arguments)
  - check the cron jobs
• Check the server for scripts that contain usernames and passwords
• Check all environment variables
• Check client machines for application configuration files
• Use secure IP communications
19 of 58
OS Security – Auditing
• Start OS level auditing for unauthorized use of Oracle. For particular directories – tripwire
• For monitoring and analysing log files – swatch, logcheck
• For checking the integrity of Oracle binaries and configuration files – tripwire, samhain, AIDE
• Oracle provides a tool for monitoring OracleAS – iHAT
• Save audit log files on secured remote servers
• Check processes regularly
20 of 58
Oracle Authentication – Password Policy
• All employees that use the database must have their own accounts (no shared logins)
• Use the Oracle password management features, e.g.:

    -- tighten the DEFAULT profile; these limits apply to every user on it
    alter profile default limit
      failed_login_attempts 3     -- lock the account after 3 failures
      password_life_time    60    -- force a change every 60 days
      password_reuse_max    20    -- evaluated together with password_reuse_time; set both
      password_lock_time    1;    -- days the account stays locked

• User passwords should be changed on a regular basis
• Create different profiles for different types of users
22 of 58
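The following SQL is an added example, not part of the original slides: it creates separate profiles for interactive (employee) accounts and for application service accounts, assigns them, and shows the two checks a reviewer runs afterwards. Profile, user and schema names (usr_interactive, usr_appsvc, jsmith, app_owner) are hypothetical; verify_function is assumed to have been created by $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.

```sql
-- Added example: separate password profiles per type of user.
-- Names (usr_interactive, usr_appsvc, jsmith, app_owner) are hypothetical.

-- 1. Interactive (employee) accounts: short lifetime, fast lockout,
--    idle sessions terminated.
CREATE PROFILE usr_interactive LIMIT
  FAILED_LOGIN_ATTEMPTS     3
  PASSWORD_LOCK_TIME        1        -- days locked after 3 failures
  PASSWORD_LIFE_TIME        60       -- days before a change is forced
  PASSWORD_GRACE_TIME       7        -- days of warnings after expiry
  PASSWORD_REUSE_MAX        20       -- reuse_max and reuse_time work together
  PASSWORD_REUSE_TIME       365
  PASSWORD_VERIFY_FUNCTION  verify_function   -- assumed: from utlpwdmg.sql
  IDLE_TIME                 30;      -- minutes; needs resource_limit = TRUE

-- 2. Application service accounts: a lockout here is a denial of service
--    against the application, so lock later (and for a shorter time) but
--    watch the failed logons in the audit trail.
CREATE PROFILE usr_appsvc LIMIT
  FAILED_LOGIN_ATTEMPTS     10
  PASSWORD_LOCK_TIME        1/24     -- one hour, as a fraction of a day
  PASSWORD_LIFE_TIME        180
  PASSWORD_GRACE_TIME       14
  PASSWORD_REUSE_MAX        10
  PASSWORD_REUSE_TIME       365
  PASSWORD_VERIFY_FUNCTION  verify_function;

-- Resource limits such as IDLE_TIME are only enforced with this set;
-- password limits are always enforced.
ALTER SYSTEM SET resource_limit = TRUE;

ALTER USER jsmith    PROFILE usr_interactive;
ALTER USER app_owner PROFILE usr_appsvc;

-- 3. Checks: which accounts are still on DEFAULT (the policy above does
--    not apply to them), and what each profile actually enforces.
SELECT username, account_status, profile
FROM   dba_users
WHERE  profile = 'DEFAULT'
ORDER  BY username;

SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
ORDER  BY profile, resource_name;
```

Limits in a profile that are left unset fall back to the DEFAULT profile, so the first query matters twice: it lists accounts that were never assigned a profile, and it reminds you that loosening DEFAULT loosens every other profile as well.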
Oracle Authentication – Weak Passwords
23 of 58
Access to the Database - 1/3
25 of 58
Access to the Database - 2/3
26 of 58
Access to the Database - 3/3
27 of 58
Securing PUBLIC Role - 1/3
• Grant the privileges directly to the users that need them before revoking from PUBLIC
• revoke all on utl_tcp from public;
• revoke all on utl_http from public;
• revoke all on utl_smtp from public;
• revoke all on utl_file from public;
• revoke all on dbms_random from public;
• revoke all on dbms_lob from public;
• revoke all on dbms_sql from public;
29 of 58
Securing PUBLIC Role - 2/3
• revoke all on dbms_sys_sql from public;
• revoke all on dbms_job from public;
• revoke all on dbms_scheduler from public;
• revoke all on owa_util from public;
• revoke all on utl_xml from public;
• revoke all on dbms_java_test from public;
• revoke all on dbms_lock from public;
• revoke all on dbms_pipe from public;
30 of 58
Securing PUBLIC Role - 3/3
• revoke select on all_db_links from public;
• revoke select on all_users from public;
• revoke select on all_catalog from public;
• revoke select on all_java_classes from public;
• revoke select on all_source from public;
• revoke select on all_tab_privs from public;
• Check all PUBLIC execute privileges on packages owned by SYS (the XML DB packages are a known case)
31 of 58
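The following SQL is an added example, not part of the original slides. It shows the workflow behind the revoke lists above for one package (UTL_FILE): find out what PUBLIC can execute, find the stored code that depends on it, grant directly, revoke, recompile and confirm. APP_OWNER is a hypothetical application schema.

```sql
-- Added example: revoke from PUBLIC without breaking the application.
-- APP_OWNER is a hypothetical application schema.

-- 1. Which of the packages from the slides can every user execute?
SELECT table_name AS package_name
FROM   dba_tab_privs
WHERE  grantee   = 'PUBLIC'
AND    owner     = 'SYS'
AND    privilege = 'EXECUTE'
AND    table_name IN ('UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'UTL_FILE',
                      'DBMS_RANDOM', 'DBMS_LOB', 'DBMS_SQL', 'DBMS_SYS_SQL',
                      'DBMS_JOB', 'DBMS_SCHEDULER', 'OWA_UTIL', 'UTL_XML',
                      'DBMS_JAVA_TEST', 'DBMS_LOCK', 'DBMS_PIPE')
ORDER  BY table_name;

-- 2. Which stored code references the package? Static references only:
--    code that names the package inside dynamic SQL/PLSQL is not recorded
--    here, so also grep the application source before revoking.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name  = 'UTL_FILE'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, name;

-- 3. Grant directly to the schemas found in step 2, then revoke from PUBLIC.
GRANT  EXECUTE ON sys.utl_file TO app_owner;
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;

-- 4. The revoke invalidates dependent objects; recompile the schema and
--    make sure nothing stayed invalid (an object that now fails to compile
--    was relying on the PUBLIC grant through a path step 2 did not show).
EXEC dbms_utility.compile_schema('APP_OWNER')

SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, object_name;

-- 5. Confirm the PUBLIC grant is gone.
SELECT COUNT(*) AS public_grants_left
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC' AND owner = 'SYS' AND table_name = 'UTL_FILE';
```

Run the same five steps for each package on the lists; step 2 is the one that keeps a hardening change from turning into an outage.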
Initialization Parameters - 1/2
• Check (and restrict access to) user_dump_dest, background_dump_dest and core_dump_dest: trace and dump files can contain data
• Set global_names=TRUE
• Set max_enabled_roles=30
• Set os_authent_prefix="" (a null string)
• Set os_roles=FALSE
• Set o7_dictionary_accessibility=FALSE
• Set remote_os_authent=FALSE
• Set remote_os_roles=FALSE
• Set remote_listener="" (a null string)
• Set sql92_security=TRUE
33 of 58
Initialization Parameters - 2/2
• Set row_locking=ALWAYS
• Set remote_login_passwordfile=NONE (this also disables remote SYSDBA connections; keep it only if administration is done locally)
• Avoid using the utl_file_dir parameter
• Set dblink_encrypt_login=TRUE. For "client to server" connections set the ORA_ENCRYPT_LOGIN=TRUE environment variable
• Set transaction_auditing=TRUE
• Check whether IFILE is used to include another parameter file
• Periodically check the instance
34 of 58
Initialization Parameters - Hidden
• Set _trace_file_public=FALSE
• Set _system_trig_enabled=TRUE
• Review all hidden parameters on a regular basis
35 of 58
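As an added example (not from the slides), the query below compares the running instance against the values recommended on the three slides above and flags every difference; parameters that do not exist in the running version show as N/A. The second query reads the two hidden parameters, which V$PARAMETER does not expose, and must be run as SYS. The third one answers the IFILE question.

```sql
-- Added example: compliance check of the instance against the slides.
WITH expected AS (
  SELECT 'global_names'               AS name, 'TRUE'   AS want FROM dual UNION ALL
  SELECT 'max_enabled_roles',                  '30'             FROM dual UNION ALL
  SELECT 'os_authent_prefix',                  NULL             FROM dual UNION ALL
  SELECT 'os_roles',                           'FALSE'          FROM dual UNION ALL
  SELECT 'o7_dictionary_accessibility',        'FALSE'          FROM dual UNION ALL
  SELECT 'remote_os_authent',                  'FALSE'          FROM dual UNION ALL
  SELECT 'remote_os_roles',                    'FALSE'          FROM dual UNION ALL
  SELECT 'remote_listener',                    NULL             FROM dual UNION ALL
  SELECT 'sql92_security',                     'TRUE'           FROM dual UNION ALL
  SELECT 'row_locking',                        'ALWAYS'         FROM dual UNION ALL
  SELECT 'remote_login_passwordfile',          'NONE'           FROM dual UNION ALL
  SELECT 'utl_file_dir',                       NULL             FROM dual UNION ALL
  SELECT 'dblink_encrypt_login',               'TRUE'           FROM dual UNION ALL
  SELECT 'transaction_auditing',               'TRUE'           FROM dual
)
SELECT e.name,
       NVL(e.want,  '<empty>') AS want,
       NVL(p.value, '<empty>') AS actual,
       CASE
         WHEN p.name IS NULL                      THEN 'N/A (not in this version)'
         WHEN e.want IS NULL AND p.value IS NULL  THEN 'OK'
         WHEN UPPER(p.value) = e.want             THEN 'OK'
         ELSE 'CHECK'
       END AS status
FROM   expected e
LEFT JOIN v$parameter p ON p.name = e.name
ORDER  BY status, e.name;

-- Hidden (underscore) parameters are not in V$PARAMETER. As SYS:
SELECT i.ksppinm AS name, v.ksppstvl AS value
FROM   x$ksppi i, x$ksppcv v
WHERE  i.indx = v.indx
AND    i.ksppinm IN ('_trace_file_public', '_system_trig_enabled');

-- Does the parameter file pull in another file?
SELECT name, value
FROM   v$parameter
WHERE  name = 'ifile' AND value IS NOT NULL;
```

Keep the query with the recorded configuration from the "Securing Databases - Common Steps" slide and run it as part of the regular checks; a row that flips from OK to CHECK is an unauthorized change.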
Application Security – 1/4
• Wrap the PL/SQL application code (wrap utility)
• Checksum the PL/SQL source code and Java classes. For example, over the stored source of TEST_PKG:

    DECLARE
      v_counter NUMBER;
    BEGIN
      v_counter := 0;
      -- walk the stored source of the package line by line
      FOR c IN (SELECT text FROM user_source
                WHERE name = 'TEST_PKG' ORDER BY line) LOOP
        v_counter := v_counter + owa_opt_lock.checksum(c.text);
      END LOOP;
      dbms_output.put_line('checksum: ' || v_counter);
    END;
    /

  A sum of per-line checksums does not change when lines are swapped, so keep the baseline value outside the database and compare against it regularly rather than trusting the number by itself.
• Check the code for hard-coded passwords
37 of 58
Application Security – 2/4
• Check the PL/SQL code for SQL injection and PL/SQL injection possibilities. Some guidelines:
  - use bind variables
  - review new code for security compliance
  - secure the PUBLIC role
  - do not use dynamic SQL and PL/SQL
  - use input filtering for web-based PL/SQL
• Protect your web-based applications against Cross-Site Scripting: filter (encode) output
38 of 58
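The following PL/SQL is an added example, not part of the original slides. It shows the same lookup written three ways: spliced string (injectable), static SQL with the value as a bind (the "use bind variables" and "do not use dynamic SQL" points), and the form to use when dynamic SQL is unavoidable. The EMPLOYEES table, its columns and the procedure names are hypothetical.

```sql
-- Added example (not from the slides): one lookup written three ways.
-- EMPLOYEES(last_name, salary) and the procedure names are hypothetical.

-- 1. Injectable: the caller's input becomes part of the SQL text. The
--    procedure is definer's rights, so the statement also runs with the
--    privileges of the schema that owns it, not those of the caller.
CREATE OR REPLACE PROCEDURE salary_unsafe (p_name IN VARCHAR2) AS
  TYPE t_rc IS REF CURSOR;
  c_emp t_rc;
  v_sal NUMBER;
BEGIN
  OPEN c_emp FOR 'SELECT salary FROM employees WHERE last_name = '''
                 || p_name || '''';
  LOOP
    FETCH c_emp INTO v_sal;
    EXIT WHEN c_emp%NOTFOUND;
    dbms_output.put_line(v_sal);
  END LOOP;
  CLOSE c_emp;
END salary_unsafe;
/
-- Called with the value   x' OR '1'='1   the WHERE clause becomes
--   last_name = 'x' OR '1'='1'   and every salary is listed.
EXEC salary_unsafe('x'' OR ''1''=''1')

-- 2. Preferred: static SQL. p_name can only ever be a value.
CREATE OR REPLACE PROCEDURE salary_safe (p_name IN VARCHAR2)
  AUTHID CURRENT_USER AS          -- run with the caller's own privileges
BEGIN
  FOR r IN (SELECT salary FROM employees WHERE last_name = p_name) LOOP
    dbms_output.put_line(r.salary);
  END LOOP;
END salary_safe;
/
-- The same payload now matches only an employee literally named x' OR '1'='1
EXEC salary_safe('x'' OR ''1''=''1')

-- 3. When dynamic SQL is unavoidable (table chosen at run time): bind the
--    value with USING, and validate the identifier with DBMS_ASSERT
--    (10g Release 2 onward), which raises ORA-44002 for an invalid name.
CREATE OR REPLACE PROCEDURE salary_dyn (p_table IN VARCHAR2,
                                        p_name  IN VARCHAR2)
  AUTHID CURRENT_USER AS
  TYPE t_rc IS REF CURSOR;
  c_emp t_rc;
  v_sal NUMBER;
BEGIN
  OPEN c_emp FOR 'SELECT salary FROM ' || dbms_assert.sql_object_name(p_table)
                 || ' WHERE last_name = :n' USING p_name;
  LOOP
    FETCH c_emp INTO v_sal;
    EXIT WHEN c_emp%NOTFOUND;
    dbms_output.put_line(v_sal);
  END LOOP;
  CLOSE c_emp;
END salary_dyn;
/
```

The value can always be bound; only identifiers (table, column, schema names) cannot, and those are exactly what DBMS_ASSERT is for. AUTHID CURRENT_USER is the second line of defence: if injection does succeed, it runs with the caller's privileges rather than the application owner's.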
Application Security – 3/4
39 of 58
Application Security – 4/4
• Restrict access to SQL*Plus
• Disable iSQL*Plus or limit access to it
• Restrict access to debugging interfaces
  - Oradebug
  - DBMS_DEBUG
  - JDeveloper
  - Oracle tracing
• Do not publish information about your production environments (search Google for your own environment to see what is already public)
40 of 58
Auditing – 1/2
• Set audit_trail=DB or OS
• Prefer OS auditing to DB auditing (a DBA cannot silently edit a trail held outside the database)
• Audit SYS activities
• Audit DML failures
• Audit CREATE SESSION
• Audit the use of GRANT, DROP and ALTER statements on application accounts
• Audit CREATE USER and CREATE ROLE on application accounts
• Audit CREATE statements on application accounts
42 of 58
Auditing – 2/2
• Audit employees' database accounts
• Use a process that monitors database activity and sends SMS or e-mail alerts
• Consider row level auditing
• Write procedures for the protection of generated audit information
• Review the generated audit logs regularly
• Logs to check for suspicious activity
  - on OS level – Event Viewer / syslog
  - listener.log, sqlnet.log
  - access_log, error_log, Apache.log
43 of 58
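The following SQL is an added example, not part of the original slides. It turns the audit list on the two slides above into concrete settings and adds the two review queries a DBA would run over the result (failed logons by source, and grants made since yesterday). APP_OWNER and its ACCOUNTS table with a BALANCE column are hypothetical; the DBMS_FGA call uses the 10g form of ADD_POLICY, which accepts statement_types.

```sql
-- Added example: audit settings from the slides plus the review queries.
-- APP_OWNER and APP_OWNER.ACCOUNTS(BALANCE) are hypothetical.

-- Trail in the database (DB) or in OS files (OS). Both parameters are
-- static: the change takes effect at the next restart.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
-- SYS activity always goes to OS files, regardless of audit_trail.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Logons, successful and failed, for everyone.
AUDIT CREATE SESSION;

-- User, role and system-privilege administration, whoever does it.
AUDIT USER, ROLE, SYSTEM GRANT;
AUDIT ALTER SYSTEM, ALTER DATABASE;

-- DDL and object grants issued by the application schema.
AUDIT TABLE, ALTER TABLE, PROCEDURE, TRIGGER BY app_owner;
AUDIT GRANT TABLE, GRANT PROCEDURE BY app_owner;

-- DML failures on the sensitive table (errors, not the normal traffic).
AUDIT INSERT, UPDATE, DELETE ON app_owner.accounts
  BY ACCESS WHENEVER NOT SUCCESSFUL;

-- Row level auditing of reads of one column (fine-grained auditing).
BEGIN
  dbms_fga.add_policy(
    object_schema   => 'APP_OWNER',
    object_name     => 'ACCOUNTS',
    policy_name     => 'ACCOUNTS_BALANCE_READ',
    audit_column    => 'BALANCE',
    statement_types => 'SELECT');
END;
/

-- Review 1: failed logons in the last 24 hours, grouped by account and
-- source (1017 = invalid username/password, 28000 = account locked).
SELECT username, userhost, os_username, returncode, COUNT(*) AS failures
FROM   dba_audit_session
WHERE  returncode IN (1017, 28000)
AND    timestamp > SYSDATE - 1
GROUP  BY username, userhost, os_username, returncode
HAVING COUNT(*) >= 3
ORDER  BY failures DESC;

-- Review 2: every GRANT (object, role or system) since yesterday.
SELECT timestamp, username, action_name, obj_name, grantee, priv_used
FROM   dba_audit_trail
WHERE  action_name LIKE '%GRANT%'
AND    timestamp > SYSDATE - 1
ORDER  BY timestamp;
```

The first review query is the one to wire to the SMS/e-mail process from the slide: a burst of 1017 return codes from one host against several accounts is a brute-force attempt, and the listener.log will show the same source.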
Securing the Network – 1/2
• Secure the listener
• Create separate listeners for clients and for administration
• Configure Oracle to use your firewall (Windows)
• Use a personal firewall on all database administration computers
• Accept connections only from a short list of IP addresses (valid node checking in sqlnet.ora)
• Search for sqlnet.log files on the server and client machines
• Set log_directory_client in sqlnet.ora
45 of 58
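As an added example, not part of the original slides, the sqlnet.ora and listener.ora fragments below implement the points above: a whitelist of client addresses through valid node checking, explicit log directories instead of stray sqlnet.log files, and a separate administration listener bound to a management address. Host names, addresses, ports and paths are hypothetical.

```text
# sqlnet.ora on the database server (added example; all addresses hypothetical)
# Valid node checking is read by the listener at start-up: restart it after changes.
TCP.VALIDNODE_CHECKING = YES
# Only these clients may open a TCP connection to a listener on this host.
# If both INVITED_NODES and EXCLUDED_NODES are set, INVITED_NODES takes
# precedence, so keep a whitelist and do not rely on a blacklist.
TCP.INVITED_NODES = (10.10.1.20, 10.10.1.21, appsrv01.corp.example)
# Known log locations instead of sqlnet.log files scattered over the machine
LOG_DIRECTORY_SERVER = /u01/app/oracle/network/log
LOG_DIRECTORY_CLIENT = /u01/app/oracle/network/log
# Probe idle connections every 10 minutes so dead clients do not hold sessions
SQLNET.EXPIRE_TIME = 10

# listener.ora: one listener for applications, one for administration
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbsrv01.corp.example)(PORT = 1521)))

# Administration listener on the management network address only
LISTENER_ADMIN =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.10.9.5)(PORT = 1529)))

# The administration listener is registered statically, so it does not
# depend on the instance registering with it.
SID_LIST_LISTENER_ADMIN =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = ORCL)
      (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)))

# Refuse runtime SET commands from lsnrctl; changes must be made in this file
ADMIN_RESTRICTIONS_LISTENER = ON
ADMIN_RESTRICTIONS_LISTENER_ADMIN = ON
LOGGING_LISTENER = ON
LOG_DIRECTORY_LISTENER = /u01/app/oracle/network/log
LOG_FILE_LISTENER = listener.log
LOGGING_LISTENER_ADMIN = ON
LOG_DIRECTORY_LISTENER_ADMIN = /u01/app/oracle/network/log
LOG_FILE_LISTENER_ADMIN = listener_admin.log
```

With the two listeners separated, the firewall rule on port 1529 can be limited to the administration workstations from the slide, while application servers never see the administration endpoint at all.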
Securing the Network – 2/2
46 of 58
Availability
• Review backup and restore procedures
• Check the integrity of the backup media periodically
• Backups should be stored off-site
• Write procedures for backup tape retrieval to prevent social engineering
• Wipe all old and no longer used disks: tools such as DUL and BBED can read data straight from datafiles without a running instance
• Secure the fallback (standby) databases as strictly as the production one
• Write and test disaster recovery procedures
48 of 58
Regular Checks
• Check for unauthorized changes
• Monitor the audited information
• Review members of the ORA_DBA/OSDBA groups
• Review the recorded database configuration
• Monitor listener.log for brute force attacks
• Test the disaster recovery procedures
• Test the recovery procedures
• Install the latest Oracle security patches
• Stay up-to-date with latest known Oracle
vulnerabilities (mailing lists and sites)
50 of 58
Recommended Readings - Papers
• Oracle Database Security Benchmark - http://www.cisecurity.org/bench_oracle.html
• SANS Oracle Database Checklist - http://www.sans.org/score/checklists/Oracle_Database_Checklist.pdf
• Oracle Security Papers - http://www.petefinnigan.com/orasec.htm
• Oracle 10G – Security Guide
• Protecting Oracle Databases – white paper
52 of 58
Recommended Readings - Sites
• http://www.petefinnigan.com/
• http://www.cisecurity.org/
• http://www.protegrity.com/
• http://www.nextgenss.com/
• http://www.appsecinc.com/
• http://www.sans.org/
• http://www.iss.net/
• http://www.securityfocus.com/
• http://otn.oracle.com/deploy/security
• http://www.computerworld.com/securitytopics/security
53 of 58
Recommended Readings - Books
• http://www.amazon.com/exec/obidos/tg/detail/-/0974372749/qid=1111427975
• http://www.amazon.com/exec/obidos/tg/detail/-/0072231300/qid=1091002374
54 of 58
Conclusion
• Do not wait to be hacked
• Implement a security policy
• Stay up-to-date
• Improve the policy repeatedly
• The steps mentioned are not rules – they are information
• Do not implement everything – balance security, performance and usability
57 of 58
Questions or Comments
Radoslav Rusinov
Radoslav.Rusinov@dir.bg
Radoslav.Rusinov@gmail.com
58 of 58