I will be at the Amis conference next Friday in Leiden, not far from Amsterdam in Holland. The conference is held over two days, June 2nd and 3rd, but I will be there just on the Friday due to other commitments. I will be doing a one hour and forty minute master class on Database Vault and also on what you can do to get similar protections if you do not have Database Vault. I don't mean simply trying to replicate the functionality of Database Vault BUT what we can do with standard controls and good design to achieve similar effects. I will also cover the simple fact that you must decide and design what to do with Database Vault, as it is just another application in the database and it must be deployed securely, and you must also secure your database first with good design, data access controls, user designs and more. The Amis conference is next week and details are in this link.
I spoke yesterday about compartmentalising Oracle security, and one element that comes out of this is the need to consider what you are trying to achieve: securing the actual data, and securing the platform. In general, applying security patches will not secure specific data from attack by someone who gains access via a logged-on account or by abusing an application's source code (SQL injection, for instance). Hardening a database will not make specific data any more secure from the same vectors either. Hardening and patching are important, but in general they will not secure data any more than it is already secured, because that is controlled by object permissions, object ownership and system ANY-type privileges. Also factor into this the account used to connect end users via an application.
I subscribe to Bruce Schneier's mailing list, and in the most recent newsletter he replays an article that he wrote on xconomy.com about the fact that credential stealing is a more important attack vector than a zero-day exploit or finding un-patched systems. The article is called Credential Stealing as Attack Vector. I teach the same idea in my two-day class, How to Perform a security audit of an Oracle database, as I cover simple ways that people attack databases, and for me it is obvious that if you can steal credentials, find credentials or even guess credentials because of weak passwords, then that is a simpler and more effective way to steal data than a pure, skilled exploit-based attack. Also, because it is simpler, you need fewer skills in some senses to carry out the attack. Clearly we must focus on credentials, password management, storage of hashes, context-based access to the database (network restrictions at the network level or at the database level) and more. A two-page flyer for my class is also available to download.
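The checks a practitioner would run to cover the credential points above (default passwords, unthrottled guessing, who can read the stored hashes) and the profile that closes them, as an added example that is not from the original post. It assumes Oracle 12c or later and a DBA connection; the profile name APP_USERS and the account APP_BATCH are illustrative.

```sql
-- Added example (not from the original post): credential checks and controls.
-- Assumes Oracle 12c+ and a DBA session; APP_USERS / APP_BATCH are illustrative names.

-- 1. Open accounts still using a default or well-known password.
--    DBA_USERS_WITH_DEFPWD exists from 11g onwards.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status NOT LIKE '%LOCKED%'
ORDER  BY d.username;

-- 2. Non-Oracle accounts whose profile allows unlimited guessing or no
--    complexity check. UNLIMITED / NULL are weak outright; DEFAULT defers to
--    the DEFAULT profile, so inspect that profile as well.
SELECT u.username, u.profile, p.resource_name, p.limit
FROM   dba_users u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_VERIFY_FUNCTION',
                           'PASSWORD_LIFE_TIME', 'PASSWORD_REUSE_MAX')
AND    p.limit IN ('UNLIMITED', 'NULL', 'DEFAULT')
AND    u.oracle_maintained = 'N'          -- 12c column; drop this line on 11g
ORDER  BY u.username, p.resource_name;

-- 3. Who can read the password hashes in SYS.USER$ and so take them offline to
--    crack: SELECT ANY DICTIONARY always reaches SYS objects, SELECT ANY TABLE
--    does too when O7_DICTIONARY_ACCESSIBILITY=TRUE, plus any direct grant.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
UNION ALL
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS' AND table_name = 'USER$'
ORDER  BY 1;

-- 4. A profile that throttles guessing and rejects weak passwords.
--    ORA12C_VERIFY_FUNCTION ships with 12c; create it once by running
--    ?/rdbms/admin/utlpwdmg.sql as SYS if it is not already present.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24        -- lock for one hour after 5 failures
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

ALTER USER app_batch PROFILE app_users;

-- Re-run query 2 afterwards: APP_BATCH should no longer appear.
```

Query 1 only catches passwords Oracle knows to be defaults; guessable application passwords need a dictionary check against the hashes, which is exactly why query 3 matters. The lockout in step 4 also needs monitoring, since an attacker who knows the policy can lock out the application account on purpose.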
If you would like training then please email me at pete at petefinnigan dot com for more details.
I have been teaching classes about Oracle security for many years. They are very popular and I teach many classes per year around the world; mostly in the UK and EEC, but I also venture to the Middle East and as far as Mexico and Singapore, and upcoming probably also to Australia and India - basically anywhere I can get to hassle free (no lengthy visa process in advance, or no visa at all). I also teach regularly on-line to customers, particularly in the USA (remember the visa process!). One of the key messages I use in my classes is that securing Oracle is a complex task and we must understand that there are two things to be done:
The first is that we must secure the data. That is, we identify the data to be secured and we ensure it is secure within the Oracle database using standard database controls and also context-based security controls as necessary. This means we are securing data and not Oracle. It is not Oracle security and it is not Oracle's responsibility to secure your data; it is your responsibility. In the same way that you design tables, views, screens and whatever else, you must also design security, BUT people do not take the security of data held in an Oracle database as seriously as it should be taken.
The second is that we must also secure the Oracle platform (the database, and the OS and network specifically related to Oracle) so that the platform is not used as a jumping-off point to attack the rest of the company network, simply because the Oracle platform is large and often default in nature.
So we tend to have two main areas to think about; hardening against platform risks and security of the data specifically. In considering these main areas we can compartmentalise Oracle security into three areas:
1) Patching - covers 1-10% of the task of securing the database; in auditor terms, i.e. it is patched or it is not patched
2) Hardening - covers 30% of the task of securing the database. In general hardening will not secure the actual data itself but will help with platform-level risks, BUT some hardening can contribute to the security of the data itself, such as adding context-based network access controls
3) Design work - covers 60% of the task of securing the database. This covers data design around access controls for data access, least-privilege design of users and context-based security, as well as audit trail design, secure coding and much more.
What has become clear to me over the years is the fascination and obsession with applying Oracle CPU and similar security patches, and the obsession with testing whether a complete patch has been installed by creating checksums of each individual PL/SQL package and more and then testing against these. Patches for me have always been more about whether there is a proper policy, whether it is adhered to and whether patches are applied regularly. Don't get me wrong, security patches are important, but in general the attack vectors that access data when you should not, steal weak credentials, take advantage of excessive rights and much more are not fixed by applying a patch. The patch is important but it would not fix these other issues.
We must have a holistic approach to securing data and also to securing the platform.
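A worked illustration of the design point made above and in the earlier compartmentalisation post: the grants, ANY privileges and roles that reach a table are what decide who can read it, a patch changes none of them, and the fix is least-privilege design plus a context check. This is an added example, not the author's code; it assumes Oracle 12c or later, a DBA session, and the illustrative schema HR_APP with a SALARIES table (columns EMPLOYEE_ID, GRADE, SALARY, BANK_ACCOUNT) and application account HR_APP_CONN, and the application-tier IP addresses are placeholders.

```sql
-- Added example (not from the original post). Assumes Oracle 12c+, a DBA session,
-- and the illustrative objects HR_APP.SALARIES / HR_APP_CONN / HR_READ_ROLE.

-- 1. Every path to the data. Any row for PUBLIC or for a general-purpose
--    account means the data is exposed whatever the CPU level of the database.
SELECT 'OBJECT' AS path, grantee, privilege AS what
FROM   dba_tab_privs
WHERE  owner = 'HR_APP' AND table_name = 'SALARIES'
UNION ALL
SELECT 'ANY', grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE', 'INSERT ANY TABLE',
                     'UPDATE ANY TABLE', 'DELETE ANY TABLE')
UNION ALL
SELECT 'ROLE', grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE')
ORDER  BY 1, 2;

-- 2. Design fix: least privilege. The application connects as its own user,
--    holds no direct table grant, and reads through a view that omits the
--    column it does not need. PUBLIC never holds the grant.
REVOKE SELECT ON hr_app.salaries FROM PUBLIC;

CREATE OR REPLACE VIEW hr_app.salaries_v AS
  SELECT employee_id, grade, salary          -- BANK_ACCOUNT deliberately left out
  FROM   hr_app.salaries;

CREATE ROLE hr_read_role;
GRANT SELECT ON hr_app.salaries_v TO hr_read_role;

-- &app_password is a SQL*Plus substitution variable: supply a strong value at run time.
CREATE USER hr_app_conn IDENTIFIED BY "&app_password";
GRANT CREATE SESSION, hr_read_role TO hr_app_conn;

-- 3. Context-based control at the database level (the hardening that does help
--    the data): HR_APP_CONN may only connect from the application tier.
--    IP_ADDRESS is NULL for local bequeath connections, so NVL() is needed or
--    a NOT IN against NULL would silently allow them.
CREATE OR REPLACE TRIGGER sys.restrict_hr_app_conn
AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_APP_CONN'
     AND NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'LOCAL')
         NOT IN ('10.1.2.10', '10.1.2.11')          -- placeholder app-server IPs
  THEN
    RAISE_APPLICATION_ERROR(-20001,
      'HR_APP_CONN may only connect from the application servers');
  END IF;
END;
/

-- Re-run query 1: the only OBJECT row for SALARIES should now be the owner's own access.
```

Two caveats a practitioner would want: a logon trigger does not stop anyone holding ADMINISTER DATABASE TRIGGER (the DBA role includes it), so it is a control on the application account, not on administrators, and it is a database-level check that should sit behind a network-level one such as a host firewall or listener node validation, never replace it.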
If you would like to learn more and to book a private training class or ask for details about my training courses then please email pete at petefinnigan dot com. Also, if you would like to perform a security audit of one or more Oracle databases then have a look at our database security scanner PFCLScan and ask me for details, again by emailing pete at petefinnigan dot com. Our engagement license for PFCLScan is fantastic value, as you can scan as many databases as you wish from one installation of PFCLScan for 30 days and it is just £110 GBP (plus VAT if applicable). Talk to us!
I was asked by Delphix earlier this year to review their product, with a particular focus on Oracle security of course. I wrote two papers; the first about Data Masking and Delphix and the second about securing data in non-production databases by taking the already secured production (assuming that it is secured, of course) and then using Delphix to clone it to non-production. If production already has a template of security then this is a great method, as we get non-production already secured with just a small number of additional tasks that may need to be done in each clone database. In my experience most non-production databases are not secured to the same level as production and also often lack controls such as audit trails, so taking a clone is a good way to replicate not only a database but also its security.
I have added a link to the new Oracle Security in non-production paper to my Oracle security white papers page and I have also updated the text for the masking paper and also the link as what I had originally from Delphix was a temporary link. Please have a look at both papers (Note: Delphix require you to do a simple registration to get the pdf papers)
I did a webinar with Delphix on 30th March 2016 on USA time. This was a very good session with some great questions at the end from the attendees. I did a talk on Oracle security in general, securing non-production by virtualising from production with Delphix, and also discussed data masking and why people do not mask, and the Delphix data masking solution. I will also be doing the talk again next week on the UK/EU time zone at 10am UK time on the 7th April 2016. If you would like to hear me speak live then details to register are in this blog post.
If you would like to watch the USA webinar then please go to this link, and to download the new white paper I have written on Data Masking with Delphix please download from this link.
I have updated my Oracle Security white papers page to reflect the new paper and I have also created a new Oracle Security Videos page - more on this soon.
We are currently having the whole of this website redesigned and as soon as that is complete we plan to release three new pages on this site; Oracle Security videos about Oracle security in general and also about using our database security scanner PFCLScan, a new Oracle security articles page with some in depth articles on Oracle security and a page with shorter notes/articles around areas to concentrate on to secure your Oracle databases.
I have just updated the public Oracle Security training dates on our Oracle Security training page to remove the public trainings that have already taken place this year and to add a new training in York for 2016. After the success of the Oracle security training event that I held last year in York, we have decided to run a new public training for three days, from May 17th to May 19th 2016. This will include our most popular 2-day class, How to perform a security audit of an Oracle database, and our 1-day class, Secure and lock down Oracle. These two classes are a great combination to see the whole process, from cradle to grave, of auditing, securing and locking down your valuable data in your Oracle databases.
There are more details on the Oracle security in York training page and if you would like to secure your place then please email email@example.com with your details.
I look forward to meeting you on my class in York!
My daily work is helping my customers secure their Oracle databases. I do this in many ways, from performing detailed security audits of key databases, to helping in the design of secure lock-down policies, to creating audit trails, to teaching people how to secure their own databases through attendance on my Oracle security classes, and much more. Talking to customers, either generally or as part of an audit, often reveals the same common Oracle database security issues over and over again.
My efforts in helping to secure Oracle are not led by the goal of securing Oracle itself. My focus is to help secure data. We must locate the data that is critical to the business and understand where that data is held across the organization. The goal is to ensure all copies of that data are secure. Obviously we must use the features of the Oracle database to secure the data in the database, BUT the emphasis is not on securing Oracle but on securing data.
My motivation is aimed generally at the production database and its data. Therefore one major issue I come across often is that I can help advise the customer to lock down their data in the production database, but they regularly advise me that the data is also copied to test, development and UAT, and sometimes to external suppliers as well, so that the applications and database can be developed and tested. Almost always companies are happy to lock down and secure production but do not secure the data in these other databases. This is a problem, as the potential risk or threat moves from production to test and development.
Customers are willing to spend money and assign budget to secure and lock down the production database, with less effort targeted at securing a test or development system. The same is true of creating and building audit trail solutions: the client is happy to spend money on audit trails for production but usually not for test and development systems.
My aim is to secure data across all databases, BUT often money is spent on production only. What if we could secure production and add audit trails to production, and then copy all of that Oracle database security to all test and development systems? More importantly, what if we could set up and mask the data once but copy just the masked data to all test and development systems, without the clear data ever leaving production? Securing and setting up audit trails once, and having those configurations copied to every cloned database, could be a great benefit to most companies; masking once and copying only masked data to all cloned databases is a marked improvement over the lack of Oracle data masking often seen in the real world across all databases. Data masking in Delphix is a very flexible tool and, combined with the virtualisation facilities, it becomes very powerful.
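What "mask once, then hand out only masked copies" looks like at the SQL level, as an added example that is not from the original post and is not the Delphix masking engine: a deterministic masking pass run against a staging clone before any test or development copy is taken from it. It assumes Oracle 12c or later (STANDARD_HASH), the illustrative tables HR_APP.EMPLOYEES (EMPLOYEE_ID, LAST_NAME, EMAIL, NATIONAL_ID) and HR_APP.PAYMENTS (PAYMENT_ID, NATIONAL_ID, AMOUNT), a placeholder foreign key name, and SQL*Plus for the DEFINE.

```sql
-- Added example (not from the original post, not Delphix code). Run against a
-- staging clone, never production. Assumes Oracle 12c+ and the illustrative
-- tables HR_APP.EMPLOYEES and HR_APP.PAYMENTS; FK_PAYMENTS_EMPLOYEE is a placeholder.

-- A secret salt known only to the masking job. The same real NATIONAL_ID then
-- masks to the same token in every table, so joins in test still work, but the
-- token cannot be reversed from the clone without the salt.
DEFINE mask_salt = 'replace-with-a-long-random-value-kept-outside-the-clone'

-- The child table references EMPLOYEES.NATIONAL_ID, so the constraint must be
-- off while both sides are rewritten, then re-validated.
ALTER TABLE hr_app.payments DISABLE CONSTRAINT fk_payments_employee;

UPDATE hr_app.employees
SET    last_name   = 'EMP' || TO_CHAR(employee_id),
       email       = 'emp' || TO_CHAR(employee_id) || '@test.invalid',
       national_id = SUBSTR(RAWTOHEX(STANDARD_HASH('&mask_salt' || national_id, 'SHA256')), 1, 12);

UPDATE hr_app.payments
SET    national_id = SUBSTR(RAWTOHEX(STANDARD_HASH('&mask_salt' || national_id, 'SHA256')), 1, 12);

COMMIT;

ALTER TABLE hr_app.payments ENABLE VALIDATE CONSTRAINT fk_payments_employee;

-- Check 1: masking kept the join intact (expect 0).
SELECT COUNT(*) AS orphan_payments
FROM   hr_app.payments p
WHERE  NOT EXISTS (SELECT 1 FROM hr_app.employees e
                   WHERE  e.national_id = p.national_id);

-- Check 2: no value in the masked columns still has the real format (expect 0).
SELECT COUNT(*) AS unmasked_rows
FROM   hr_app.employees
WHERE  NOT REGEXP_LIKE(national_id, '^[0-9A-F]{12}$')
OR     email NOT LIKE '%@test.invalid';
```

The caveat that makes the "mask once" model matter: after the UPDATEs the real values still exist in the staging clone's undo, redo and archive logs and any flashback data, and the salt has been through its shared pool. So the staging clone itself is never distributed; the test and development copies are taken from it after masking, and the staging clone is destroyed when they have been cut.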
I am going to be delivering a webinar with Delphix on the 30th March at 10am PST (USA time) and also on the 7th April at 10am UK time, where I am going to explore these Oracle security issues and more, and also look at what Delphix can offer to help solve some of them, with a detailed look at the problems often voiced as to why customers do not mask data in cloned databases. Please join me for the USA webinar by registering on the Delphix registration page, or if you would prefer to join me for the UK/EU webinar then please register on the Delphix registration page for that event.
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.