I am happy to announce that I will be teaching a five day Oracle Security expert seminar class with Oracle University at Oracle offices in Reading, UK from September 26th to September 30th 2016.
This is a five-day expert class where I teach all five days of my Oracle security classes back to back. This is a rare opportunity to attend all my classes in one session in the UK.
The training on days 1 and 2 starts from the premise of reviewing your Oracle database to understand its security posture and then walks through a complete sample audit. On day 3 we discuss secure coding in PL/SQL and on day 4 how to design audit trails for your Oracle database. Finally, on day 5 we pull everything together: we attack a sample database to understand its weaknesses, spend most of the day locking down and protecting the data and the database, and at the end of the day attack the database again to show whether the lockdown has worked or not.
This is in-depth training and each attendee gets to take away hundreds of free scripts and tools developed by me over many years of performing security work for my clients.
I hope to see you there. You can book your place by visiting this link and clicking the fourth tab.
I will be teaching five days of my Oracle security classes in Paris from 20th June to 24th June with Oracle University at their offices and training suite.
Details of the Oracle Security Event and how to register are on Oracle's website.
The whole week is expert classroom based training taught by myself and including a large number of live demos. This is a rare chance to sit down and have 5 days training in one go. I do not do these whole week blocks often so please take the opportunity to register with Oracle and come along. The five days include:
2 days - How to perform a security audit of an Oracle database
1 day - secure coding in PL/SQL
1 day - designing practical audit trails in the database
1 day - locking down and protecting Oracle.
The whole week is structured. We start off by looking at why your databases may have been designed and implemented insecurely. We use the vehicle of a security audit to walk us through the how and why, and because it is a security audit we also cover data access issues, least privilege, user designs, hardening and patching and more.

We then have one day on secure coding. Even if you do not code, this day is very valuable as it shows why and how PL/SQL can become insecure, so you can use this information as part of an audit, as a manager to advise others or as a developer to code better.

The fourth day is all about audit trails, firewalls and intrusion detection. We cover the whole process of designing and exploring audit trails in the database and, as with coding, these ideas and designs have benefits no matter what your specific job role is.

The final day is the most exciting as we take all of the knowledge learned over the previous four days and use my sample database with two applications as a target to secure. We start by hacking the applications and database and show how and why they are insecure. We then lock down and secure the database, including all elements of hardening of the OS, the network and the database. We also look in depth at securing all accounts in the database and strive towards least privilege, change the design of the database applications, and explore context based security and breakglass. As part of the lock down we also bring in audit trail design, implement a comprehensive audit trail and look at simple ways to solve secure coding issues. At the end of the day we look at the now severely locked down database, try to hack it again and assess the results.
As part of the class attendance you will get from me hundreds of free tools and scripts that includes thousands of lines of code.
To register and get more details please click this link
I will be at the Amis conference next Friday in Leiden, not far from Amsterdam in Holland. The conference is held over two days, June 2nd and 3rd, but I will be there just on the Friday due to other commitments. I will be doing a one hour and forty minute master class on Database Vault and also on what you can do to get similar protections if you do not have Database Vault. I don't mean simply trying to replicate the functionality of Database Vault, BUT what we can do with standard controls and good design to achieve similar effects. I will also cover the simple fact that you must decide and design what to do with Database Vault, as it is just another application in the database: it must be deployed securely, and you must secure your database first with good design, data access controls, user designs and more. The Amis conference is next week and details are in this link.
I spoke yesterday about compartmentalising Oracle security, and one element that comes out of this is the need to consider what you are trying to achieve: securing the actual data and also securing the platform. In general, applying security patches will not secure specific data from attack by someone who gains access via a logged on account or by abusing an application's source code (SQL injection, for instance). Hardening a database also will not make specific data any more secure against the same vectors. Hardening and patching are important, but in general they will not secure data any more than it already is secured, because that is controlled by object permissions, object ownership and system ANY type privileges. Also factor into this the account used to connect end users via an application: whatever that account can read, an injection through the application can read too.
I subscribe to Bruce Schneier's mailing list and in the most recent newsletter he replays an article that he wrote on xconomy.com about the fact that credential stealing is a more important attack vector than a zero day exploit or finding un-patched systems. The article is called Credential Stealing as Attack Vector. I teach the same idea in my two day class, How to Perform a Security Audit of an Oracle Database, as I cover simple ways that people attack databases, and for me it's obvious that if you can steal credentials, find credentials or even guess credentials because of weak passwords then that is a simpler and more effective way to steal data than a pure skilled exploit. Also, because it is simpler, you need fewer skills in some senses to carry out the attack. Clearly we must focus on credentials, password management, storage of hashes, context based access to the database (network restrictions at the network level or the database level) and more. A two page flyer for my class is also available to download.
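The two posts above make the same point from two directions: patch level says nothing about who can reach a given table, and a stolen or guessed password is only worth what the account behind it can see. The following added SQL example (my own illustration, not code from the original posts or from the class materials) ties them together. It assumes HR.EMPLOYEES as the sensitive table, APP_USER as the account an application connects with, 10.1.2.0/24 as the application tier's address range, and that it runs in SQL*Plus as a DBA; all of those are placeholders.

```sql
-- Added example, not from the original posts. Run in SQL*Plus as a DBA.
-- HR.EMPLOYEES, APP_USER and 10.1.2.x are assumed values; change the DEFINEs.
DEFINE tab_owner = 'HR'
DEFINE tab_name  = 'EMPLOYEES'

-- 1. Who can read the table today, regardless of patch level?
--    Object grants, grants to PUBLIC, grants via (nested) roles,
--    SELECT/READ ANY TABLE holders and the owner all count.
WITH role_tree (grantee, granted_role) AS (
  SELECT grantee, granted_role FROM dba_role_privs          -- direct role grants
  UNION ALL
  SELECT rt.grantee, rp.granted_role                        -- roles granted to roles
    FROM role_tree rt
    JOIN dba_role_privs rp ON rp.grantee = rt.granted_role  -- Oracle forbids cycles
),
holders (username, principal) AS (
  -- a user exercises privileges held by itself, by PUBLIC, and by
  -- every role reachable from either of those
  SELECT username, username FROM dba_users
  UNION
  SELECT username, 'PUBLIC' FROM dba_users
  UNION
  SELECT u.username, rt.granted_role
    FROM dba_users u
    JOIN role_tree rt ON rt.grantee IN (u.username, 'PUBLIC')
)
SELECT DISTINCT h.username,
       'object privilege ' || tp.privilege || ' via ' || h.principal AS how
  FROM holders h
  JOIN dba_tab_privs tp ON tp.grantee = h.principal
 WHERE tp.owner = '&tab_owner' AND tp.table_name = '&tab_name'
   AND tp.privilege IN ('SELECT', 'READ')
UNION
-- system ANY privileges bypass object grants for every non-SYS schema
-- (and SYS too when O7_DICTIONARY_ACCESSIBILITY is TRUE)
SELECT DISTINCT h.username,
       'system privilege ' || sp.privilege || ' via ' || h.principal
  FROM holders h
  JOIN dba_sys_privs sp ON sp.grantee = h.principal
 WHERE sp.privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE')
UNION
SELECT username, 'owner of the table' FROM dba_users
 WHERE username = '&tab_owner'
ORDER BY 1, 2;

-- 2. Credentials: accounts still on a known Oracle default password
--    (DBA_USERS_WITH_DEFPWD exists from 11g onward) ...
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY u.account_status, d.username;

--    ... and open accounts whose profile never locks after failed logins
--    or never runs a complexity function, so guessing is free.
SELECT u.username, u.profile, p.resource_name, p.limit
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND p.resource_type = 'PASSWORD'
   AND (   (p.resource_name = 'FAILED_LOGIN_ATTEMPTS'     AND p.limit = 'UNLIMITED')
        OR (p.resource_name = 'PASSWORD_VERIFY_FUNCTION'  AND p.limit = 'NULL'))
 ORDER BY u.username, p.resource_name;

-- 3. Context based access at the database level: a stolen APP_USER
--    password is useless unless the attacker is also on the app tier.
CREATE OR REPLACE TRIGGER sec_app_user_source
AFTER LOGON ON DATABASE
DECLARE
  l_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  -- IP_ADDRESS is NULL for local (bequeath) connections; treat as unknown
  l_ip   VARCHAR2(64)  := NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'local');
BEGIN
  IF l_user = 'APP_USER'
     AND NOT REGEXP_LIKE(l_ip, '^10\.1\.2\.[0-9]{1,3}$') THEN
    RAISE_APPLICATION_ERROR(-20001,
      'APP_USER may only connect from the application tier (' || l_ip || ')');
  END IF;
END;
/
```

Two caveats a practitioner will want. First, the access query lists database users only: an OS-authenticated SYSDBA login does not appear in it, and neither does access obtained indirectly through definer-rights PL/SQL owned by the table owner, so treat the result as a lower bound. Second, an error raised in a logon trigger does not stop a session that holds ADMINISTER DATABASE TRIGGER (the DBA role includes it), and IP_ADDRESS is the immediate client, so connections arriving through a connection pool or proxy show the pool's address; pair the trigger with TCP.VALIDNODE_CHECKING in sqlnet.ora rather than relying on either alone.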
If you would like training then please email me at pete at petefinnigan dot com for more details.
I have been teaching security classes about Oracle Security for many years and they are very popular. I teach many classes per year around the world, mostly in the UK and EEC, but I also venture to the Middle East and as far as Mexico and Singapore, and upcoming also probably to Australia and India; basically anywhere I can get to hassle free (no lengthy visa process in advance, or no visa at all). I also teach regularly on-line to customers, particularly in the USA (remember the visa process!). One of the key messages I use in my classes is that securing Oracle is a complex task and we must understand that there are two things to be done:
The first is that we must secure the data. That is, we identify the data to be secured and we ensure it is secure within the Oracle database using standard database controls and also context based security controls as necessary. This means we are securing data and not Oracle. It is not Oracle security and it is not Oracle's responsibility to secure your data; it is your responsibility. In the same way that you design tables, views, screens and whatever, you must also design security, BUT people do not take the security of data held in an Oracle database as seriously as it should be taken.
The second is that we must also secure the Oracle platform (database, OS and network, specifically as related to Oracle) so that the platform is not used as a jump off point to attack the rest of the company network simply because the Oracle platform is large and often default in nature.
So we tend to have two main areas to think about; hardening against platform risks and security of the data specifically. In considering these main areas we can compartmentalise Oracle security into three areas:
1) Patching - covers 1-10% of the task of securing the database - in auditor terms, i.e. it's patched or it's not patched
2) Hardening - covers 30% of the task of securing the database - in general hardening will not secure the actual data itself but will help with platform level risks BUT some hardening can contribute to the security of the data itself such as adding context based network access
3) Design work - covers 60% of the task of securing the database - This covers data design around access controls for data access, least privilege design of users and context based security as well as audit trail design, secure coding and much more.
What has become clear to me over the years has been the fascination and obsession with applying Oracle CPU and similar security patches, and the obsession with testing whether a complete patch has been installed by creating checksums of each individual PL/SQL package and more and then testing against these. Patches for me have always been more about whether there is a proper policy, whether it is adhered to and whether patches are applied regularly. Don't get me wrong, security patches are important, but in general the attack vectors that access data when you should not, steal weak credentials, take advantage of excessive rights and much more are not fixed by applying a patch. The patch is important, but it will not fix the other issues.
We must have a holistic approach to securing data and also to securing the platform.
If you would like to learn more and to book a private training class, or ask for details about my training courses, then please email pete at petefinnigan dot com. Also, if you would like to perform a security audit of one or more Oracle databases then have a look at our database security scanner PFCLScan and ask me for details, again by emailing pete at petefinnigan dot com. Our engagement license for PFCLScan is fantastic value as you can scan as many databases as you wish from one installation of PFCLScan for 30 days and it's just £110 GBP (plus VAT if applicable). Talk to us!
I was asked by Delphix earlier this year to review their product with a particular focus on Oracle security of course. I wrote two papers; the first about Data Masking and Delphix and the second about securing data in non-production databases by taking the already secured production (assuming that it is secured of course) and then using Delphix to clone to non-production. If production already has a template of security then this is a great method as we get non-production already secured with just a small number of additional tasks that may need to be done in each clone database. In my experience most non-production databases are not secured to the same level as production and also often lack controls such as audit trails so taking a clone is a good way to not only replicate a database but also to replicate security.
I have added a link to the new Oracle Security in non-production paper to my Oracle security white papers page and I have also updated the text for the masking paper and also the link as what I had originally from Delphix was a temporary link. Please have a look at both papers (Note: Delphix require you to do a simple registration to get the pdf papers)
I did a webinar with Delphix on 30th March 2016 on USA time. This was a very good session with some great questions at the end from the attendees. I did a talk on Oracle security in general, securing non-production by virtualising from production with Delphix, and also discussed data masking, why people do not mask, and the Delphix data masking solution. I will also be doing the talk again next week on the UK/EU time zone at 10am UK time on the 7th April 2016. If you would like to hear me speak live then details to register are in this blog post.
If you would like to watch the USA webinar then please go to this link, and to download the new white paper I have written on Data Masking with Delphix please download from this link.
I have updated my Oracle Security white papers page to reflect the new paper and I have also created a new Oracle Security Videos page - more on this soon.
We are currently having the whole of this website redesigned and as soon as that is complete we plan to release three new pages on this site; Oracle Security videos about Oracle security in general and also about using our database security scanner PFCLScan, a new Oracle security articles page with some in depth articles on Oracle security and a page with shorter notes/articles around areas to concentrate on to secure your Oracle databases.
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.