Oracle Database Security Myths

Similar documents
Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation

mission critical applications mission critical security Internal Auditor Primer: Oracle E-Business Suite Security Risks Primer

How to Audit the Top Ten E-Business Suite Security Risks

Detecting and Stopping Cyber Attacks Against Oracle Databases June 25, 2015

Top Ten Fraud Risks in the Oracle E Business Suite

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Obtaining Value from Your Database Activity Monitoring (DAM) Solution

Security Implications of Oracle Product Desupport April 23, 2015

Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals

Detecting and Stopping Cyber Attacks against Oracle Databases

Guide to Auditing and Logging in the Oracle E-Business Suite

Securing Oracle E-Business Suite in the Cloud

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

AppSentry Application and Database Security Auditing

Real Life Database Security Mistakes. Stephen Kost Integrigy Corporation Session #715

New Security Features in Oracle E-Business Suite 12.2

Integrigy Corporate Overview

All Things Oracle Database Encryption

PCI Compliance in Oracle E-Business Suite

New Oracle 12c Security Features Oracle E-Business Suite Perspective

Oracle Security Auditing

Oracle Security Auditing

Top 10 Database. Misconfigurations.

MySQL Security: Best Practices

PCI Compliance in Oracle E-Business Suite

Best Practices for Oracle Databases Hardening Oracle /

Security Analysis. Spoofing Oracle Session Information

Oracle Security Tools

Encrypting Sensitive Data in Oracle E-Business Suite

How To Secure The Org Database

Thick Client Application Security

Database Security & Auditing

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations

Auditing Data Access Without Bringing Your Database To Its Knees

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

WHITEPAPER. Nessus Exploit Integration

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions

AppDefend Application Firewall Overview

D50323GC20 Oracle Database 11g: Security Release 2

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Implementing Database Security and Auditing

NYOUG Spring 2015 Its Only Auditing - Don t Be Afraid

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak CR V4.1

Oracle Database 11g: Security Release 2

Passing PCI Compliance How to Address the Application Security Mandates

Oracle Audit Vault and Database Firewall

<Insert Picture Here> Oracle Database Security Overview

Database Assessment. Vulnerability Assessment Course

Database Security and Auditing: Leading Practices. Rob Barnes Director, Enterprise Auditing Solutions Application Security, Inc.

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Introduction. PCI DSS Overview

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Making Database Security an IT Security Priority

Client Security Risk Assessment Questionnaire

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

A Decision Maker s Guide to Securing an IT Infrastructure

McAfee Database Security. Dan Sarel, VP Database Security Products

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Secret Server Qualys Integration Guide

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

Payment Card Industry Self-Assessment Questionnaire

<Insert Picture Here> Oracle Database Vault

INCIDENT RESPONSE CHECKLIST

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Oracle Security on Windows

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

locuz.com Professional Services Security Audit Services

Network Security Audit. Vulnerability Assessment (VA)

IBM Managed Security Services Vulnerability Scanning:

Oracle Database 11g: Security. What you will learn:

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security

MatriXay Database Vulnerability Scanner V3.0

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

Tenable for CyberArk

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Network Test Labs (NTL) Software Testing Services for igaming

GFI White Paper PCI-DSS compliance and GFI Software products

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite

Need for Database Security. Whitepaper

Database Security Guide

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Patch and Vulnerability Management Program

How To Secure A Database From A Leaky, Unsecured, And Unpatched Server

FREQUENTLY ASKED QUESTIONS

Hack Your SQL Server Database Before the Hackers Do

Securing SharePoint 101. Rob Rachwald Imperva

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

MySQL Security: What s New & Best Practices. Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Proposed Security Framework for ERP Systems

Transcription:

Oracle Database Security Myths December 13, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation

About Integrigy ERP Applications Oracle E-Business Suite Databases Oracle, Microsoft SQL Server Products Services AppSentry ERP Application and Database Security Auditing Tool AppDefend Enterprise Application Firewall for the Oracle E-Business Suite Validates Security Protects Oracle EBS Verify Security Ensure Compliance Build Security Security Assessments ERP, Database, Sensitive Data, Penetration Testing Compliance Assistance SOX, PCI, HIPAA Security Design Services Auditing, Encryption, DMZ You

Integrigy Published Security Alerts Security Alert Versions Security Vulnerabilities Critical Patch Update July 2011 11.5.10 12.1.x Oracle E-Business Suite security configuration issue Critical Patch Update October 2010 11.5.10 12.1.x 2 Oracle E-Business Suite security weaknesses Critical Patch Update July 2008 Critical Patch Update April 2008 Critical Patch Update July 2007 Oracle 11g 11.5.8 12.0.x 12.0.x 11.5.7 11.5.10 12.0.x 11.5.1 11.5.10 2 Issues in Oracle RDBMS Authentication 2 Oracle E-Business Suite vulnerabilities 8 vulnerabilities, SQL injection, XSS, information disclosure, etc. 11 vulnerabilities, SQL injection, XSS, information disclosure, etc. Critical Patch Update October 2005 11.0.x, 11.5.1 11.5.10 Default configuration issues Critical Patch Update July 2005 Critical Patch Update April 2005 Critical Patch Update Jan 2005 Oracle Security Alert #68 11.5.1 11.5.10 11.0.x 11.5.1 11.5.10 11.0.x 11.5.1 11.5.10 11.0.x Oracle 8i, 9i, 10g SQL injection vulnerabilities Information disclosure SQL injection vulnerabilities Information disclosure SQL injection vulnerabilities Buffer overflows Listener information leakage Oracle Security Alert #67 11.0.x, 11.5.1 11.5.8 10 SQL injection vulnerabilities Oracle Security Alert #56 11.0.x, 11.5.1 11.5.8 Buffer overflow in FNDWRR.exe Oracle Security Alert #55 11.5.1 11.5.8 Oracle Security Alert #53 10.7, 11.0.x 11.5.1 11.5.8 Multiple vulnerabilities in AOL/J Setup Test Obtain sensitive information (valid session) No authentication in FNDFS program Retrieve any file from O/S

Myth: The Oracle Database is secure out of the box Started as Project Oracle at the CIA, Unbreakable marketing campaign,

Reality: The Oracle Database requires significant effort to make it secure and compliant Oracle has significantly improved in 11g the default installation by setting passwords, locking accounts, including better password profiles, and enabling default auditing, but

Myth: An Oracle Database is secure if you implement most items in a security checklist Oracle s Database Security Checklist, Department of Defense STIG, Center for Internet Security Oracle Benchmark, SANS Oracle Database Security Checklist, etc.

Reality: All items in the security checklists are a base minimum and additional steps are required A good starting point but must be tailored to the organization and application and expanded to be effective.

Database Security Checklists Database security checklists are used to secure databases one at a time. Excellent baseline and starting point Often in conflict with application configuration Too many exceptions required to handle application limitations Need to validate compliance with checklist

Oracle Database Security Checklists Security Checklist Versions Last Updated Installation Configuration Administration 1. Oracle s Database Security Checklist 2. DOD DISA STIG Oracle 9i Oracle 10g Oracle 11g Oracle 9i Oracle 10g Oracle 11g Oct 2011 Aug 2010 3. Center for Internet Security (CIS) Oracle Benchmarks Oracle 9i Oracle 10g Oracle 11g Dec 2011 4. SANS Database Security Checklist Oracle 9i Oracle 10g Nov 2006

DB Security Standards - Content What Why How Verification Mitigation What needs to be secured in the database? Why is this a security issue? What s the impact? What are the exact steps required to secure this? Step by step How is this setting verified precisely? A single SQL statement Besides an exception, what else can be done? Auditing?

High percentage of exceptions or variances = FAILURE Database security standards must anticipate common exceptions

Myth: We harden all our Oracle databases at go-live so we are secure today

Reality: Oracle Database security decays over time and steps must be taken routinely to validate security

Database Security Decay Database and application security decays over time due to complexity, usage, application changes, upgrades, published security exploits, etc. Security Database Install Application Install Application & Database Hardening Go Live Security Patch Applied Exploits Published Application Upgrade Application Customization Time

Default Oracle Password Statistics Database Account Default Password Exists in Database % Default Password % SYS CHANGE_ON_INSTALL 100% 3% SYSTEM MANAGER 100% 4% DBSNMP DBSNMP 99% 52% OUTLN OUTLN 98% 43% MDSYS MDSYS 77% 18% ORDPLUGINS ORDPLUGINS 77% 16% ORDSYS ORDSYS 77% 16% XDB CHANGE_ON_INSTALL 75% 15% DIP DIP 63% 19% WMSYS WMSYS 63% 12% CTXSYS CTXSYS 54% 32% * Sample of 120 production databases

How to Check Database Passwords Use Oracle s DBA_USERS_WITH_DEFPWD - Limited set of accounts - Single password for each account Command line tools (orabf, etc.) - Difficult to run command line only AppSentry - Checks all database accounts - Uses passwords lists - > 1 million passwords - Allows custom passwords

Myth: (i) Your IT Security team is protecting Oracle Databases (ii) Your DBAs are protecting your Oracle Databases

Reality: Securing Oracle Databases is hard and requires a focused effort from a multidisciplinary team Oracle DBAs, application teams, IT Security, and Internal Audit must work together to make Oracle Databases secure and compliant

Organizational Misalignment Oracle Database technical security often not effectively handled in most organizations and falls between the cracks. Database and Application Administrators Priority is performance, maintenance, and uptime IT Security No understanding of Oracle Database security Internal Audit Focused on application controls, segregation of duties

What should you do? Ensure the database is securely configured Work with DBAs to understand what has been done and not done Understand how data is accessed and protected Learn what sensitive data is in each Oracle database, who accesses it, and what is done to protect it Periodically validate security and configuration Security and configuration is changing over time

Quiz Database CPU ACTION_TIME ACTION VERSION COMMENTS 18-JUN-08 03.13.45.093449 PM UPGRADE 10.2.0.3.0 Upgraded from 9.2.0.8.0 18-JAN-09 06.51.32.425375 AM APPLY 10.2.0.4 CPUJan2009 09-APR-09 04.48.14.903718 PM UPGRADE 10.2.0.4.0 Upgraded from 10.2.0.3.0 18-JUL-09 08.50.30.021401 AM APPLY 10.2.0.4 CPUJul2009 16-OCT-10 07.18.57.042620 AM APPLY 10.2.0.4 CPUOct2010 30-OCT-10 06.42.55.108783 AM UPGRADE 11.1.0.7.0 Upgraded from 10.2.0.4.0 What CPU Level is this database patched to? A. January 2007 B. January 2009 C. January 2010 D. October 2010

Quiz Database CPU ACTION_TIME ACTION VERSION COMMENTS 18-JUN-08 03.13.45.093449 PM UPGRADE 10.2.0.3.0 Upgraded from 9.2.0.8.0 18-JAN-09 06.51.32.425375 AM APPLY 10.2.0.4 CPUJan2009 09-APR-09 04.48.14.903718 PM UPGRADE 10.2.0.4.0 Upgraded from 10.2.0.3.0 18-JUL-09 08.50.30.021401 AM APPLY 10.2.0.4 CPUJul2009 16-OCT-10 07.18.57.042620 AM APPLY 10.2.0.4 CPUOct2010 30-OCT-10 06.42.55.108783 AM UPGRADE 11.1.0.7.0 Upgraded from 10.2.0.4.0 What CPU Level is this database patched to? A. January 2007 B. January 2009 C. January 2010 D. October 2010

Myth: When installing or upgrading, the latest Oracle Critical Patch Updates (CPU) are already included

Reality: For the Oracle Database, only the latest CPU at time of release is included Almost always have to install the latest CPU when doing a fresh installation or upgrade to the database

Critical Patch Updates Baselines Database Version Upgrade Patch Included CPU 10.2.0.4 April 2008 10.2.0.5 October 2010 11.1.0.6 October 2007 11.1.0.7 January 2009 11.2.0.1 January 2010 11.2.0.2 January 2011 11.2.0.3 July 2011 At time of release, usually the latest available CPU is included

Myth: A database security tool will address our database security issues

Reality: No silver bullet exists to address all necessary aspects for database security Significant security impact as Oracle EBS has a massive footprint

Traditional Database Security Approaches The database security tool is purchased to solve the database security problem. Database monitoring and auditing tools are only part of the solution Expensive and time consuming to implement Complex applications cause deployment problems

Database Security Program Components Inventory Configuration Access Auditing Monitoring Vulnerability Encryption Review existing database inventories Define scope of database discovery Perform hybrid database discovery Review existing database configuration standards Define database security and compliance requirements Develop measureable database security standards Define database access management definition Select and implement access solutions or policies for privileged and end-user accounts Development auditing requirements for DAM Define baseline auditing for all databases Define auditing for key applications and databases based on compliance and data Development monitoring requirements for DAM Define and implement database IDS Define and implement log monitoring integration Development vulnerability assessment requirements for DAM Implement monitoring and compliance of configuration standard Implement periodic scanning Define encryption requirements Select and implement encryption solution for initial databases Develop on-going encryption implementation Outputs Database inventory Data inventory for key databases Database security and compliance requirements Database security standards Database access management Policies for database account management Database auditing definition for (1) all databases and (2) key databases Database monitoring and alerting definition Log monitoring integration Rules for measuring compliance with database security standards Encryption requirements with policies Encryption implementation process

Program Implementation Inventory DB Discovery Data Discovery Update Change Mgmt Living DB Inventory Living Data Inventory Configuration Configuration Standards Configuration Standard Auditing Access DB Access Management Definition Implement Access Solution Access Controls/Policies Access Profiling Auditing Baseline Database Auditing Key Application Auditing Monitoring Vulnerability DAM Definition and Architecture DAM Selection and Implement Database IDS Log Monitoring Integration Implement Configuration Std Periodic Vulnerability Scans Encryption Encryption Requirements Solution Selection and Implement Data Encryption Process Planning Implementation On-going

Myth: Oracle Database passwords are safe and secure

Reality: Oracle Database password hashes can be brute forced

Brute Forcing Database Passwords A number of efficient password brute forcing programs exist for Oracle Speed is at least 1 million passwords per second for desktop/laptop Speed is around 100 million passwords per second for specialized hardware (FGPA/GPU) Only the username and hash are required Estimated time to brute force a password of x length Length Permutations Time (desktop) Time (GPU) 1 26 (26) 0 seconds 0 seconds 2 1,040 (26 x 39) 0 seconds 0 seconds 3 40,586 (26 x 39 x 39) 0 seconds 0 seconds 4 1,582,880 1.5 seconds 0 seconds 5 61,732,346 2 minute 6 seconds 6 2,407,561,520 40 minutes 24 seconds 7 93,894,899,306 1 day 15 minutes 8 3,661,901,072,960 42 days 10 hours 9 142,814,141,845,466 1,600 days 16 days

Oracle Database Passwords Oracle Database password algorithm published Oracle 11g hash changed to SHA-1 old DES hash also stored Hash is unique to the username, but common across all versions and platforms of the Oracle database SYSTEM/MANAGER is always D4DF7931AB130E37 in every database in the world Database password hashes cloned to development Security and configuration is changing over time

Myth: Oracle Database audit data is always accurate and reliable

Reality: Most Oracle Database audit data fields can be spoofed

Audit Trails Destinations and Values Session Value V$SESSION SYS_CONTEXT SYS.AUD$ FGA_LOG$ Audit View Function DBA_AUDIT_* AUDIT_TRAIL Vault DB User Name Schema Name OS User Name Machine Terminal Program IP Address Client Process ID Module Action Client Info Client ID

Auditing Session Data Database User Name IP Address OS User Name Machine/ User host Schema Name Terminal Program Client Process ID Module Action Client Info Client ID

Auditing Session Data Spoofable Database User Name IP Address OS User Name Machine/ User host Schema Name Terminal Program Client Process ID Module Action Client Info Client ID

Contact Information Stephen Kost Chief Technology Officer Integrigy Corporation web: www.integrigy.com e-mail: info@integrigy.com blog: integrigy.com/oracle-security-blog youtube: youtube.com/integrigy

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information