8/12/2019 Oracle Secuirty Configuration
1/25
CPE SessionMarch 02, 2014ISACA-Dhaka Chapter
Md. Mushfiqur RahmanMember ID: 839745
8/12/2019 Oracle Secuirty Configuration
2/25
Consolidate Oracle DatabaseSecurity
8/12/2019 Oracle Secuirty Configuration
3/25
Get to know
DATABASE Security
8/12/2019 Oracle Secuirty Configuration
4/25
8/12/2019 Oracle Secuirty Configuration
5/25
8/12/2019 Oracle Secuirty Configuration
6/25
8/12/2019 Oracle Secuirty Configuration
7/25
8/12/2019 Oracle Secuirty Configuration
8/25
8/12/2019 Oracle Secuirty Configuration
9/259
8/12/2019 Oracle Secuirty Configuration
10/25
8/12/2019 Oracle Secuirty Configuration
11/25
8/12/2019 Oracle Secuirty Configuration
12/25
8/12/2019 Oracle Secuirty Configuration
13/25
8/12/2019 Oracle Secuirty Configuration
14/25
8/12/2019 Oracle Secuirty Configuration
15/25
8/12/2019 Oracle Secuirty Configuration
16/25
8/12/2019 Oracle Secuirty Configuration
17/25
8/12/2019 Oracle Secuirty Configuration
18/25
Steps to a Secure Oracle Database
ServerWhy do we continue to encounter Oracle servers with misconfigurations and
other vulnerabilities that can easily avoided by just a little effort by DBAs?
There are many reasons:
Understaffed Security Teams - Simply a lack of internal or third-party security
professionals to bring visibility to the importance of database security. If there are no
security professionals in the organization, or ones that lack the skills or resources toperform periodic security assessments of databases, database misconfigurations will
often go undetected.
DBA's "don't do" security - The reality in many organizations is that DBAs are
administrators that are focused on database availability and performance and not
security. DBAs might be reluctant to implement secure configurations due to a lack offull understanding of the security risks- the vulnerability and exposure of not
implementing the secure configuration, or due to fear that the secure configuration
will unintentionally break some functionality. To boil it down, DBAs might have some
fear, uncertainty, and doubt (FUD) about implementing secure database
configurations.
8/12/2019 Oracle Secuirty Configuration
19/25
Steps to a Secure Oracle Database
Server
1. Lock Down Default Accounts!
2. Require all database connections to use a strong
SID
3. Apply Oracle Critical Patch Updates ASAP4. Remove all unnecessary privileges from the
PUBLIC role
5. Enable Database Auditing
Audit SYS OperationsEnable Database Auditing
Enable Auditing on Important Database Objects
8/12/2019 Oracle Secuirty Configuration
20/25
6. Setup Database Triggers for Schema
Auditing and Logon/Logoff EventsLogon Trigger
DDL_Trigger
Error Trigger
7. Implement a Database Activity Monitoring(DAM) Solution
Steps to a Secure Oracle Database
Server
S S O
8/12/2019 Oracle Secuirty Configuration
21/25
8. Enable Password Management for all Oracle Logins
A. Creating Profiles
B. Account Lockout
C. Password Expiration
D. Password History
E. Password Complexity Verification
In general, the password verification function should ensure users passwords
incorporate the following criteria:
Differs from their username
Not a dictionary wordAt least 10 characters in length
Include at least 1 alpha, 1 numeric, and 1 special character
9. Perform Regular Database Security Assessments
Steps to a Secure Oracle Database
Server
S S O l D b
8/12/2019 Oracle Secuirty Configuration
22/25
10. Encrypt Database Traffic
Security Threats and Countermeasures
Security threats can be addressed with different types of measures:
A. Procedural, such as requiring data center employees to display security badges
B. Physical, such as securing computers in restricted-access facilities
C. Technical, such as implementing strong authentication requirements for critical business
systems
D. Personnel-related, such as performing background checks or "vetting" key personnel
E. Consider whether the appropriate response to a threat is procedural, physical, technical,
personnel-related, or a combination of the such measures.
Steps to a Secure Oracle Database
Server
St t S O l D t b
8/12/2019 Oracle Secuirty Configuration
23/25
Issues and Actions for Policies to Address
A. Establish & maintain application-level security
B. Manage privileges & attributes (system/object/user)
C. Create, manage, and control roles (database, enterprise)
D. Establish the granularity of access control desired
E. Establish & manage the use of encryption
F. Establish & maintain security in 3-tier applications
G. Control query access, data misuse, and intrusions
Steps to a Secure Oracle Database
Server
8/12/2019 Oracle Secuirty Configuration
24/2524
Skill-sets needed for Oracle DBA?
Conceptual
System Analysis & Design skills Database Design skills
Physical Disk Storage skills
Data Security skills
Backup and Recovery skills Change Control Management
skills
8/12/2019 Oracle Secuirty Configuration
25/25
Thank you
Top Related