Pete Finnigan's Oracle Security Weblog

I have been quiet on here for a while due to a large workload and also in the last weeks writing a new book - Oracle Incident Response and Forensics" to be published by Apress. The book is complete as first draft and now in the editing phase. Apress tell me that it will be published in December; but I don't have a link to the book yet on the Apress website.

The book is around 110 pages long and covers how to deal with a potential incident in an Oracle database and covers in Chapter 1 the background of what is a breach, whats an incident, whats incident response and also a brief look at how Oracle works at a high level to understand where evidence of a a breach may be found with inside and outside of the database. This chapter also covers dealing with incident data - the so caller chain-of-custody.

Chapter 2 covers the different types of artifacts that are available inside and out of the database to assist an investigation with examples. We also cover deleted data and the importance of time.

Chapter 3 lays out an approach to building an incident response process for the Oracle database and building a team and also suitable tools to use in an incident.

Chapter 4 starts with a brief description of an attack on a database that supports two applications; a public facing website and an an internal customer and product data processing system. This application is hacked and I created a Youtube video of the hacks which will be available as a link in the book so that you can see what the hacks actually looked like at the end of chapter 5 when the incident response process has been worked through and the forensic analysis has looked at what the attacker did and how he did it. Chapter 4 focuses on the collection of the evidence

Chapter 5 looks at the forensic analysis using the sample attack described earlier as a basis for the investigation. This starts with establishing that the attack is real and proving where the data was stolen from and then goes on to use other evidence to answer some basic questions; what was the time scale of the attack - when did it start and when did it end; how did the attacker gain entry to the database; what user did the attacker use; what did he do in the database, including what did he see in terms of data and what the actions did he do - DDL or DML; what could he have done if he had more skill or time? and more. The chapter closes with a brief look at whats wrong with the system.

Chapter 6 looks at what to do next; this recaps the main thoughts of the book and also looks at what you should do to prevent an attack in the first place including Oracle security controls and of course a comprehensive audit trail.

The book is based on my existing one day training class around Oracle incident response and forensics and there will be some free scripts for download from my website to assist in data gathering in a potential incident.

I will post again when i have more details and a link to the book from Apress.