Transcript of: Introducing Oracle Database Security Assessment Tool 2.0 (Oracle Database Security Assessment Tool)
Pedro Lopes, Product Manager, Database Security, Oracle
Learn how secure your databases are with DBSAT
Oracle Database Security Assessment Tool
Copyright © 2020 Oracle and/or its affiliates.
Security Zones of Control for Oracle Databases
Assess: Security Assessment (DBSAT), Data Discovery, Privilege Analysis
Detect: Activity Auditing/Monitoring, Audit Vault, Database Firewall
Prevent: Encryption & Key Vault, Data Masking, Data Redaction, Database Vault
Data: Crypto Toolkit, Virtual Private Database, Label Security, Real Application Security
Users: Password, PKI, Kerberos, Radius, Proxy Users, Password Profiles, Oracle & Active Directory
(Controls arranged around Data & Users; * marks controls unique to Oracle)
Safe Harbor
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.
Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and prospects are “forward-looking statements” and are subject to material risks and uncertainties. A detailed discussion of these factors and other risks that affect our business is contained in Oracle’s Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and Form 10-Q under the heading “Risk Factors.” These filings are available on the SEC’s website or on Oracle’s website at http://www.oracle.com/investor. All information in this presentation is current as of September 2019 and Oracle undertakes no duty to update any statement in light of new information or future events.
Data is today’s capital
“The world’s most valuable resource is no longer oil, but data”
Data drives everything
• Analytics and automation
• Advertising and marketing budgets
• Personalization and improved experience
• Business analytics and decisions
• Government policies and plans
Overall, data helps improve products and services, provide a better user experience, and support and grow businesses.
Examples: PII Data, Financial Data, Trade Secrets, Competitive Data, Employment Data, Healthcare Data, IT Security Data, Transaction Data, Browsing Data, …
Data can be a liability: the scary side of the data economy
Data breaches are exploding worldwide
• The database is the most common asset involved in breaches
Data losses can be catastrophic for businesses, impacting
• Finances, due to compensation, penalties, legal, PR and recovery costs
• Brand reputation, customer trust, intellectual property, competitiveness
• Overall business and revenue
Fast evolving, stringent regulatory landscape
• Across industries and regions
• Laws that aim to protect data and citizen privacy
Evolving Attack Tools and Techniques
Buffer Overflow
Phishing
App Exploits
Unpatched Systems
SQL Injection
Stolen Credentials
Privilege Escalation
XSS Attacks
Think Like a Hacker
Diagram items: Known Users, Common Passwords, Privileged Users, Open Ports, Database, Encrypted Data, Auditing On, Database Version, Known Vulnerabilities, Known Packaged Apps, Insider / Outsider, Data Owner
Start Here
• Is the database configured according to best practices?
• What security controls are already in place?
• What users are in the database?
• What access do users have?
• What sensitive data is in this database?
Top 10 Findings From Database Security Assessments
• No Database Security policies/strategy in place
• No patching/patch management policy in place
• No personalized accounts; No separation of duties; Over-privileged accounts
• No encryption of sensitive/regulated data
• No monitoring/auditing in place
• No password policies; Weak password management
• Non-Production (DEV/TEST/TRAINING) systems with production data
• No cleanup of test/sample accounts
• No anonymization of data sent to third parties
• No OS hardening
Introducing Database Security Assessment Tool
Celebrating 35,000+ Downloads since the introduction of DBSAT 2.0.1, January 2018
Assess Your Database Security Before Hackers Come Knocking
Assessment Reports
• Summary and detailed information.
• Prioritized & actionable recommendations.
• Mapping to EU GDPR, STIG and CIS Benchmark.
• Runs on 10g to 19c Oracle Databases.
Discover Sensitive Data
• What type, where, and how much?
• Sample pattern files for Greek, German, Dutch, French, Spanish, Italian, and Portuguese based data models as well.
Identify Risky Users
• Database accounts
• User privileges
• User roles
Assess Configuration
• Patches
• Data Encryption
• Auditing policies
• OS file permissions
• Database configuration
• Listener configuration
• Fine-grained access control
New Features in DBSAT 2.2.1 (May 2020)
New Finding:
• USER.SESSIONS: Checks if there is a limit on the number of user sessions that are allowed to be open concurrently.
Enhanced Finding:
• AUDIT.UNIFIED: Now lists if audit policies are enabled on role(s). Object Actions are now listed.
Updated Severity for:
• USER.AUTHVERS, USER.VERIFIERS, USER.NOLOCK, PRIV.CBAC, PRIV.USER, PRIV.EXFIL, AUTH.PRIV, ACCESS.REDACT, ACCESS.VPD, ACCESS.TSDP, CONF.BKUP, CONF.DIR.
• NET and AUDIT (all findings).
Improved Autonomous Database checks
Improved checks for PUBLIC grants
Updated remarks and recommendations
Performance improvement in Sensitive Data Discovery
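An added example (not from the deck and not DBSAT's own check) of what a USER.SESSIONS-style finding has to look at: each account's effective SESSIONS_PER_USER limit, resolving a profile value of DEFAULT through the DEFAULT profile, and whether RESOURCE_LIMIT is set so the limit is actually enforced. Assumes a 12c or later database (for DBA_USERS.ORACLE_MAINTAINED); the profile and user names in the remediation statements are placeholders.

```sql
-- Constructed example: which non-Oracle accounts have no concurrent-session ceiling?
-- A profile value of DEFAULT means "inherit from the DEFAULT profile", so it must be
-- resolved before it can be compared with UNLIMITED.
WITH eff_limit AS (
  SELECT p.profile,
         CASE p.limit
           WHEN 'DEFAULT' THEN d.limit      -- fall back to the DEFAULT profile's value
           ELSE p.limit
         END AS sessions_per_user
    FROM dba_profiles p
    JOIN dba_profiles d
      ON d.profile = 'DEFAULT'
     AND d.resource_name = 'SESSIONS_PER_USER'
   WHERE p.resource_name = 'SESSIONS_PER_USER'
)
SELECT u.username,
       u.profile,
       e.sessions_per_user,
       u.account_status
  FROM dba_users u
  JOIN eff_limit e ON e.profile = u.profile
 WHERE u.oracle_maintained = 'N'           -- skip Oracle-supplied accounts (12c+)
   AND e.sessions_per_user = 'UNLIMITED'
 ORDER BY u.username;

-- Kernel resource limits such as SESSIONS_PER_USER are only enforced when
-- RESOURCE_LIMIT is TRUE (the default since 12c); a finding should verify this too.
SELECT name, value FROM v$parameter WHERE name = 'resource_limit';

-- Remediation shape: give application accounts a profile with a concrete ceiling.
-- app_profile, app_user and the value 10 are placeholders, not recommendations.
CREATE PROFILE app_profile LIMIT SESSIONS_PER_USER 10;
ALTER USER app_user PROFILE app_profile;
```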
How can DBSAT Help?
Assess Your Database Security Before Hackers Come Knocking
• Know Your Overall Database Security Posture
• Know Your Sensitive Data
• Know Your Users, Roles, and Privileges
Know Your Overall Database Security Posture
[report screenshot slides]
Know Your Users, Roles, and Privileges
[report screenshot slides]
Know Your Users, Roles, and Privileges: Direct and Indirect grants
Legend: (*) With Admin Option, (D) Direct Grant, (C) Common Grant
SQL> grant advisor to C##DBA_DEBRA container=all;
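An added example (not from the deck and not DBSAT's own collector query) that resolves, for the user on the slide, every system privilege held directly or through a chain of roles, and tags each row the way the report legend does: * for ADMIN OPTION, D for a direct grant, C for a common grant. Assumes a 12c or later database (for the COMMON column) and that it runs in the container where C##DBA_DEBRA is defined; DBA_ROLE_PRIVS and DBA_SYS_PRIVS are the standard data dictionary views.

```sql
-- Constructed example: effective system privileges of C##DBA_DEBRA with the grant path.
-- The recursive member walks role-to-role grants; Oracle rejects circular role grants,
-- so the walk terminates without a CYCLE clause.
WITH role_path (role_name, path) AS (
  SELECT granted_role, CAST(granted_role AS VARCHAR2(4000))
    FROM dba_role_privs
   WHERE grantee = 'C##DBA_DEBRA'              -- the user from the slide
  UNION ALL
  SELECT rp.granted_role, p.path || ' -> ' || rp.granted_role
    FROM dba_role_privs rp
    JOIN role_path p ON rp.grantee = p.role_name
),
effective AS (
  -- direct grants to the user
  SELECT sp.privilege, 'D' AS how, CAST(NULL AS VARCHAR2(4000)) AS via,
         sp.admin_option, sp.common
    FROM dba_sys_privs sp
   WHERE sp.grantee = 'C##DBA_DEBRA'
  UNION ALL
  -- indirect grants reached through one or more roles (one row per path)
  SELECT sp.privilege, 'I', p.path, sp.admin_option, sp.common
    FROM dba_sys_privs sp
    JOIN role_path p ON sp.grantee = p.role_name
)
SELECT privilege,
       how,                                          -- D = direct, I = indirect
       NVL(via, '(direct)')                      AS granted_via,
       CASE admin_option WHEN 'YES' THEN '*' END AS admin,
       CASE common       WHEN 'YES' THEN 'C' END AS common_grant  -- e.g. container=all
  FROM effective
 ORDER BY privilege, how, granted_via;
```

Run in CDB$ROOT to see what a `container=all` grant looks like (COMMON = YES); in a PDB the same views show only that container's grants.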
Know Your Sensitive Data
[report screenshot slides]
• Sensitive Data Summary
• Recommended Security Controls
• Summary per Risk Level and Category
• Table level details
• Column level details
Assess Your Database Security Before Hackers Come Knocking
DBSAT
• Know Your Overall Database Security Posture
• Know Your Sensitive Data
• Know Your Users, Roles, and Privileges
Stand-alone lightweight tool: quick and easy. FREE to current Oracle customers.
How to Get Started? Quick & Simple!
3-Step Flow
1. Run ./dbsat collect
2. Run ./dbsat report
3. Run ./dbsat discover
Collector & Reporter
Collector: Collects metadata information on users, roles, privileges, security configuration, and policies in place
Reporter: Generates summary output with prioritized findings
• Over 80 detailed findings with remarks
• References to CIS Benchmark, STIG Rules and GDPR articles/recitals
Output formats: HTML, Spreadsheet, Text
Discoverer
• Get summary and details on Sensitive Data Categories and Types (125+), tables, columns, rows, and risk levels
• Get recommendations on which security controls to put in place to protect your sensitive data
Output formats: HTML, Spreadsheet
Easy to Install and Run
• Download DBSAT 2.2.1 today from http://www.oracle.com/technetwork/database/security/dbsat.html
• Collect security config data by running ‘dbsat collect’ on the target
• Run ‘dbsat report’ to generate the security assessment report
• Run ‘dbsat discover’ to generate the sensitive data report
• Available to all Oracle database customers with an active support contract
Action Plan
Monday Morning: Run DBSAT to assess the current security state.
Next 30 days: Fix obvious mistakes and high risk findings.
Next 90 days: Update the Data Security strategy to include database security best practices.
Thank You
Pedro Lopes, Product Manager, Database Security