Secure your data

This is my presentation to the UKOUG last December on securing your data.

Slide 1 - Secure Your Data Or Bust
Secure Your Data Or Bust

Brexit, GDPR, Guy Fawkes, Anonymous, Eric Bloodaxe

Slide 2 - Legal notice
Legal notice

Secure Your Data Or Bust

Published by
PeteFinnigan.com Limited
Tower Court
3 Oakdale Road
York
England, YO30 4XL

Copyright © 2025 by PeteFinnigan.com Limited

No part of this publication may be stored in a retrieval system, reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, scanning, recording, or otherwise except as permitted by local statutory law, without the prior written permission of the publisher. In particular this material may not be used to provide training of any type or method. This material may not be translated into any other language or used in any translated form to provide training. Requests for permission should be addressed to the above registered address of PeteFinnigan.com Limited in writing.

Limit of Liability / Disclaimer of Warranty. The information contained in this course and this material is distributed on an “as-is” basis without warranty. Whilst every precaution has been taken in the preparation of this material, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions or guidance contained within this course.

Trademarks. Many of the designations used by manufacturers and resellers to distinguish their products are claimed as trademarks. Linux is a trademark of Linus Torvalds; Oracle is a trademark of Oracle Corporation. All other trademarks are the property of their respective owners. All other product names or services identified throughout the course material are used in an editorial fashion only and for the benefit of such companies, with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement of or other affiliation with this course.

Slide 3 - Background
Background

Pete Finnigan – Background, Who Am I?

  • Oracle Security specialist and researcher
  • CEO and founder of PeteFinnigan.com Limited in February 2003
  • Writer of the longest running Oracle security blog
  • Author of the Oracle Security step-by-step guide and the “Oracle Expert Practices” and “Oracle Incident Response and Forensics” books
  • Oracle ACE for security
  • Member of the OakTable, SYM 42
  • Speaker at various conferences: UKOUG, PSOUG, BlackHat and more
  • Published many times, see http://www.petefinnigan.com for links
Slide 4 - Agenda
Agenda
  • Data Security landscape
  • Major fines
  • The rise of hacking
  • The data gold rush
  • Pure crime
  • The rise of the empire
  • The main threats to Oracle databases
  • Current data and Oracle Security landscape
  • The main focus in fixing database security
  • Secure your data or BUST
Slide 5 - Data Security Landscape
Data Security Landscape

Slide 6 - Hacking And Data Theft
Hacking And Data Theft
  • Data security is not a niche subject anymore
  • The BBC even has a dedicated breach page
  • Experts no longer wheeled in to discuss a breach
  • It is main stream

I had a conversation with a taxi driver recently and he didn’t know what a data breach was, BUT proceeded to tell me how he was scammed out of a loan payment. His identity was stolen and he paid a loan repayment but never got any money.

Slide 7 - Major Fines
Major Fines

Slide 8 - The biggest GDPR Fine so far – UK ICO
The biggest GDPR Fine so far – UK ICO

There is no indication that this is related to Oracle databases or applications in any way, but it is relevant for the size of the fines for data loss.

Slide 9 - 2nd Largest Fine by ICO - Marriott
2nd Largest Fine by ICO - Marriott

What about the other 27 EU states plus the rest of the world whose citizens lost their data (339 million records lost) – more fines?

Slide 10 - Marriott is an Oracle Database Story
Marriott is an Oracle Database Story

Oracle customer story!

Slide 11 - The Rise of Hacking
The Rise of Hacking

Slide 12 - In The Beginning We have Bragging Rights
In The Beginning We have Bragging Rights
  • Phiber Optik – Mark Abene – Masters of Deception – Legion of Doom - https://en.wikipedia.org/wiki/Mark_Abene
  • Erik Bloodaxe – Chris Goggans – Legion of Doom – editor of Phrack - https://en.wikipedia.org/wiki/Erik_Bloodaxe_(hacker)
  • The Great Hacker War – 1990/91 - https://en.wikipedia.org/wiki/Great_Hacker_War - Phiber Optik stated it was a fabrication by the US Government
  • 2600 – Emmanuel Goldstein (editor), Captain Crunch, Hackerdom, DEF CON…
  • Kevin Mitnick – The Darkside, The Condor… the most wanted man - https://en.wikipedia.org/wiki/Kevin_Mitnick - A judge thought he could start a nuclear war by whistling into a pay phone!
  • Solo – Gary McKinnon – accused of the biggest military hack of all time - https://en.wikipedia.org/wiki/Gary_McKinnon - looking for free-energy suppression and UFO cover-ups! – used a Perl script to find blank/default passwords
Slide 13 - Snowden and NSA Tools – Government Hacking
Snowden and NSA Tools – Government Hacking
  • Edward Snowden – copied and leaked highly classified CIA and NSA data in 2013 - https://en.wikipedia.org/wiki/Edward_Snowden - and fled to Hong Kong and then Russia
  • Leaked details of government-level hacking, global surveillance, cyber attacks, tools and much more
  • The key point for us is that he had “virtually unlimited access to data” and was able to exfiltrate 50,000 to 200,000 files / records
  • He had created the NSA backup system!
  • Julian Assange - in the Ecuadorian embassy from 2012 to 2019 – WikiLeaks – but also a hacker from 1987 under the handle Mendax - https://en.wikipedia.org/wiki/Julian_Assange - hacking US government and Pentagon systems
  • NSA hacking tools hacked - http://thehackernews.com/2016/12/nsa-hack-shadow-brokers.html - can be downloaded for free
Slide 14 - Hacking Team – Hacking tools for Sale
Hacking Team – Hacking tools for Sale
  • Hacked in July 2015
  • Phineas Fisher – a pseudonym – hacked Hacking Team with over 100 hours of effort; never identified
  • 400GB of emails, documents, embarrassing information and, most importantly, the Remote Control System (RCS) hacking toolkit they sell to governments was stolen
  • Posted to Pastebin with details of how the hack happened - http://pastebin.com/raw/0SNSvyjJ
  • 0-days were used; a BlackBerry password was found, and access to a domain server then allowed all the other users' passwords to be found in email. Fisher then found a sysadmin's email to get a GitHub password for the source code and a bridge into the internal dev network

Hacking Team was purchased by InTheCyber in April 2019 to become Memento Labs

Slide 15 - Ashley Madison – Embarrassing Hacking
Ashley Madison – Embarrassing Hacking
  • Hacked in July 2015 by “Impact Team”
  • Details - https://en.wikipedia.org/wiki/Ashley_Madison_data_breach
  • 25GB of personal data leaked
  • Company policy was not to delete personal data – real names, home addresses, search history, credit card details
  • The attackers said it was an attack on owner Avid Life Media and blamed so-called “deceptive practices” by them
  • It was alleged that Ashley Madison required innocent people to pay money to have fake profiles deleted
  • Avid Life Media called the attackers terrorists
  • Thousands of .mil and .gov addresses were registered, as well as 1,200 .sa addresses (punishable by death in Saudi Arabia)
  • 4,000 passwords were 123456; 11 million passwords were cracked
Slide 16 - The Data Gold Rush
The Data Gold Rush

Slide 17 - Data Gold Rush
Data Gold Rush
  • Data is the new gold – think of the 1896 to 1899 Klondike gold rush in the Yukon
  • Usage patterns
  • User and customer behaviour
  • Company data
  • Tracking data – all GDPR
  • Companies are starting to realise the importance of data
  • Social media is massive
  • Data driven advertising
  • Facebook, Google, Snowden and the NSA!
  • Cultivated data is the way forwards
  • Not necessarily massive computing power and big data
  • Not always volume and velocity of data
Slide 18 - The Data Gold Rush - 2
The Data Gold Rush - 2
  • Companies produce inordinate amounts of data every day
  • Companies' main product may not be data (initially?)
  • Lack of AI specialists out there to help this growth
Slide 19 - Pure Data Crime
Pure Data Crime

Slide 20 - Criminals Steal Data – It is Easier Than Violence
Criminals Steal Data – It is Easier Than Violence
  • There is a major upsurge in data theft now
  • It is safer for criminals to steal data than to walk into a bank with a sawn-off shotgun
  • It is not about bragging rights anymore
  • Hard to know if Oracle is involved in each data theft case
  • There is a ready market for stolen data on the dark web
  • Breaches listed (some) at http://www.breachlevelindex.com
  • ICO summary of data breaches - https://ico.org.uk/action-weve-taken/data-security-incident-trends/ - e.g. Bounty UK fined £400,000 – not extensive list
  • I personally have been involved in post breach investigations against quite a few Oracle based systems
Slide 21 - Data Hacks are Now Commonplace
Data Hacks are Now Commonplace
  • http://www.petefinnigan.com/weblog/archives/00001129.htm - 25 million child benefit identities lost on two discs (not stolen but lost)
  • Data breaches in:
  • April 2018 – 76,611,721 records; May 2018 – 17,273,571 records breached; June 2018 – 145,942,680 records breached
  • Some examples of data breaches; (source: https://www.wired.co.uk/article/hacks-data-breaches-in-2018 ):
  • July 2018 - TimeHop - https://www.timehop.com/security
  • 21 Million emails; 3.5 Million name, Dob, email, address
  • 2004 – University of Greenwich - 19,500 students' details lost – fined in 2018
  • Feb to June – MyHeritage - 92 million people's details lost
  • 2017 – Equifax - 147 million people's details lost

https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-june-2018-145942680-records-leaked/

Slide 22 - The Rise of The Empire
The Rise of The Empire

Slide 23 - GDPR
GDPR
  • General Data Protection Regulation (GDPR) (Regulation EU 2016/679)
  • Replaces the Data Protection Directive 95/46/EC of 1995
  • Adopted by the EU on 27 April 2016
  • In force from 25 May 2018
  • Does not require national governments to pass any enabling legislation, so it was binding straight away in May 2018
  • Each member state establishes a Supervisory Authority (SA)
  • The authority in the UK is the ICO (Information Commissioner's Office)

See https://gdpr-info.eu for details

Also US data breach notification laws (California SB 1386), SOX, GLBA, HIPAA

Slide 24 - The Scary Parts of GDPR
The Scary Parts of GDPR
  • Fines of up to €20M or 4% of global annual turnover (whichever is higher) for a breach
  • It is incredibly complex – over 100 pages, 11 chapters, 99 articles, plus notes (Recitals)…
  • Did the law makers understand how much time and money this will cost companies to investigate and implement?
  • Brexit will not stop GDPR for UK companies
  • Will affect non-EU companies who process EU persons' data
  • Most companies will need to do something technical!!
  • The SME exemption in the Data Protection Act has been removed
  • Have you started to secure your data for GDPR?

My experience is that GDPR is regarded as a legal problem and not a technical one – a legal disclaimer will not prevent a fine if you have wilfully lost data.

Slide 25 - Current Data and Oracle Security Landscape
Current Data and Oracle Security Landscape

Slide 26 - My Current Security State of Oracle Databases
My Current Security State of Oracle Databases

My current experience of the state of Oracle database security can be summed up below.

Slide 27 - Oracle Security in 2019
Oracle Security in 2019
  • I see a reliance on traditional security ideas
  • Network security, firewalls, desktop, AD, anti-virus
  • I also see too big a focus on things like the CIS benchmark
  • This is focused on patch and harden
  • It is missing many things, 12c, 18c, 19c, CDB/PDB, ASM, newer…
  • It is a consensus but the consensus is too small
  • It's 10-15 years out of date
  • I see a push to tick boxes
  • Buy TDE but don’t otherwise secure the data in motion
  • Buy Database Vault but still have one admin with root, Oracle, SYSDBA and DV realm owner, DV admin etc
Slide 28 - Oracle Security is Free and Cost Option
Oracle Security is Free and Cost Option
  • Oracle has added lots of database security products, but they are not free
  • BUT there are many free features that you can use to secure your data
  • The problem; Even basics you have to do yourself:
  • Design permissions – it is not automatic
  • Identity is difficult and not there by default
  • Audit trails are simplistic since 10g and not adequate
  • Encryption is possible BUT you have to do key management…
  • Most sites have open network routing still with no segmentation and no data security, no data firewalls, I even see databases in the DMZ
Slide 29 - Main Threats to Oracle Databases
Main Threats to Oracle Databases

Slide 30 - Oracle Database Security Threats
Oracle Database Security Threats
  • I see and perform audits of a lot of Oracle databases and I see a similar level of lack of security across all verticals
  • One of the biggest threats is that security is not the default in Oracle
  • Oracle provide lots of security options BUT you have to configure them; so they are not usually implemented
Slide 31 - Some Of The Core Threats That I See
Some Of The Core Threats That I See
  • Lack of patching, or of regular patching
  • Legacy applications, bad designs, no separation, no security
  • Lack of data security in applications
  • Reliance on the application to “do security”
  • Too much reliance on physical and network security but the database is open
  • Your biggest threat is your staff; they know the data and have the tools – you gave them the tools
  • No budget to do “data security”
Slide 32 - Often I See
Often I See
  • Weak passwords – SYS, SYSTEM not changed for 14 years
  • Lack of decent audit trails at the database level
  • Applications and features installed that you don’t need – APEX
  • Around 44k grants to PUBLIC in 12c/18c/19c
  • Lack of security of data
  • No schema separation
  • No grants
  • Applications have DBA, all grants, grants WITH GRANT OPTION…
  • Most applications that I see have MOST PRIVILEGES not LEAST PRIVILEGES
  • Absolute lack of focus still on data security design
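Every finding in the list above can be pulled straight from the data dictionary. The queries below are an added example written for this page, not part of the presentation or of any PeteFinnigan.com tool; they assume a 12c or later database (the ORACLE_MAINTAINED column used to leave out Oracle's own accounts does not exist earlier) and are run as SYS or another account with SELECT ANY DICTIONARY.

```sql
-- Added example: dictionary queries for the findings on the "Often I See" slide.
-- Assumes 12c+ (ORACLE_MAINTAINED) and a SYS / SELECT ANY DICTIONARY session.

-- 1. Accounts still on a known default password (Oracle ships the hashes to compare)
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY d.username;

-- 2. When SYS and SYSTEM last changed their passwords
--    (PTIME in SYS.USER$ is the password change timestamp)
SELECT name, ptime AS password_last_changed, ROUND(SYSDATE - ptime) AS days_old
FROM   sys.user$
WHERE  name IN ('SYS', 'SYSTEM');

-- 3. How much PUBLIC can do: object grants, system privileges and roles
--    (compare the total with the ~44k figure on the slide)
SELECT 'object' AS kind, COUNT(*) AS grants FROM dba_tab_privs  WHERE grantee = 'PUBLIC'
UNION ALL
SELECT 'system',         COUNT(*)           FROM dba_sys_privs  WHERE grantee = 'PUBLIC'
UNION ALL
SELECT 'role',           COUNT(*)           FROM dba_role_privs WHERE grantee = 'PUBLIC';

-- 4. Every non-Oracle account that ends up with DBA, directly or via a chain of roles.
--    The hierarchy is walked in a subquery: Oracle evaluates joins before CONNECT BY,
--    so joining to DBA_USERS in the same query would cut the role chain.
SELECT username
FROM   dba_users
WHERE  oracle_maintained = 'N'
AND    username IN (SELECT grantee
                    FROM   dba_role_privs
                    START  WITH granted_role = 'DBA'
                    CONNECT BY NOCYCLE PRIOR grantee = granted_role)
ORDER  BY username;

-- 5. Grants that can be passed on (WITH ADMIN OPTION / WITH GRANT OPTION)
--    held by non-Oracle accounts
SELECT 'sys priv' AS kind, grantee, privilege AS granted
FROM   dba_sys_privs
WHERE  admin_option = 'YES'
AND    grantee IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N')
UNION ALL
SELECT 'role', grantee, granted_role
FROM   dba_role_privs
WHERE  admin_option = 'YES'
AND    grantee IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N')
UNION ALL
SELECT 'object', grantee, owner || '.' || table_name || ' (' || privilege || ')'
FROM   dba_tab_privs
WHERE  grantable = 'YES'
AND    grantee IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N')
ORDER  BY 1, 2, 3;

-- 6. Application accounts holding ANY privileges ("DBA by another name")
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%'
AND    grantee IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N')
ORDER  BY grantee, privilege;

-- 7. Installed components the application may not need (APEX shows up here)
SELECT comp_id, comp_name, version, status
FROM   dba_registry
ORDER  BY comp_id;

-- 8. Is anything audited at all? Traditional parameters and enabled unified policies
SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_sys_operations');

SELECT policy_name, user_name, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name;
```

Query 4 is the one most sites get wrong: a role granted DBA, then granted to a second role, then granted to an application account still makes that account a DBA, and a simple `WHERE granted_role = 'DBA'` never shows it.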
Slide 33 - The Focus
The Focus
  • Most sites have a focus on
  • Functionality
  • Service Level Agreements
  • Performance
  • Retrofitting data security to COTS or legacy is hard
  • Security cannot be measured in advance
  • It is insurance; try selling insurance…
  • GDPR should change that; I hope
Slide 34 - The Move to Cloud
The Move to Cloud
  • Oracle and others have a big push to cloud?
  • People see Oracle security as a legal issue only? – Cloud and GDPR
  • But data security must be first
  • A database with data insecurities on premise is not magically secure in the cloud
Slide 35 - Main Focus When Fixing Database Security
Main Focus When Fixing Database Security

Slide 36 - Compartmentalise Data Security?
Compartmentalise Data Security?

Slide 37 - Platform Security / Data Security
Platform Security / Data Security
  • 10/30/60
  • Platform security / data security
  • Applications layer security
  • Insistence that the application “does security” whilst most staff have (or can get) direct data access
  • Cloud push? – if you have good data security on site then it maps to the Cloud – if not then it's worse
  • Do data obfuscation – it's hard to do!
Slide 38 - Build Onion Layers
Build Onion Layers
  • Focus on the data security
  • Don’t forget hardening and patching but the most value is in actual data security
  • Stop people connecting (network, triggers…)
  • Limit people, IP, tools
  • Build strong password controls
  • Build a strong audit trail
  • Build least rights
  • Separate data and users – i.e. don’t connect users direct to the data
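The layers above map onto concrete database controls. What follows is an added example, not from the presentation: one control for each of the password, connection and audit layers, for a hypothetical application account APP_USER on 12c or later. The account name, the application server IP addresses and the HR_DATA.EMPLOYEES table are assumptions for the example; the statements are run as SYS.

```sql
-- Added example: onion-layer controls for an assumed application account APP_USER.
-- Assumes 12c+ (12.2+ for INACTIVE_ACCOUNT_TIME) and an existing HR_DATA.EMPLOYEES table.

-- Layer: strong password controls.
-- ORA12C_STRONG_VERIFY_FUNCTION is created by ?/rdbms/admin/catpvf.sql if missing.
CREATE PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24      -- one hour, expressed in days
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  INACTIVE_ACCOUNT_TIME    30
  PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function;

ALTER USER app_user PROFILE app_profile;

-- Layer: stop people connecting / limit IP and tools.
-- IP_ADDRESS comes from the TCP connection and is the control that matters; it is
-- NULL for local bequeath connections, which are refused here too. The program
-- name is set by the client and can be faked, so it only raises the bar.
-- Accounts holding ADMINISTER DATABASE TRIGGER (e.g. SYS) are never blocked
-- by an error raised in a logon trigger.
CREATE OR REPLACE TRIGGER sys.restrict_app_user_logon
AFTER LOGON ON DATABASE
DECLARE
  l_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  l_ip   VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  l_prog VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'CLIENT_PROGRAM_NAME');
BEGIN
  IF l_user = 'APP_USER' THEN
    -- assumed application tier addresses
    IF l_ip IS NULL OR l_ip NOT IN ('10.0.5.21', '10.0.5.22') THEN
      RAISE_APPLICATION_ERROR(-20001, 'APP_USER may only connect from the application tier');
    END IF;
    -- the application connects through JDBC; SQL*Plus, SQL Developer etc. are refused
    IF l_prog IS NULL OR l_prog NOT LIKE 'JDBC%' THEN
      RAISE_APPLICATION_ERROR(-20002, 'APP_USER may only connect through the application');
    END IF;
  END IF;
END;
/

-- Layer: strong audit trail (unified auditing; effective in the default mixed mode).
-- Failed logons, using Oracle's predefined policy:
AUDIT POLICY ora_logon_failures WHENEVER NOT SUCCESSFUL;

-- Account and privilege administration by anyone:
CREATE AUDIT POLICY admin_actions
  ACTIONS GRANT, REVOKE, CREATE USER, ALTER USER, DROP USER, ALTER SYSTEM;
AUDIT POLICY admin_actions;

-- Every direct touch of the sensitive table by anyone except the schema that
-- is supposed to reach it through the application code:
CREATE AUDIT POLICY hr_direct_access
  ACTIONS SELECT ON hr_data.employees, INSERT ON hr_data.employees,
          UPDATE ON hr_data.employees, DELETE ON hr_data.employees;
AUDIT POLICY hr_direct_access EXCEPT hr_code;

-- Read the result
SELECT event_timestamp, dbusername, action_name, object_schema, object_name, return_code
FROM   unified_audit_trail
WHERE  unified_audit_policies IN ('ADMIN_ACTIONS', 'HR_DIRECT_ACCESS', 'ORA_LOGON_FAILURES')
ORDER  BY event_timestamp DESC;
```

Two caveats a practitioner will hit: a logon trigger is a control on the application account, not on DBAs, so the IP allow-list is no substitute for network segmentation; and `EXCEPT hr_code` is there so the audit trail records only access that bypasses the application layer, which is the access worth reading.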
Slide 39 - Secure Data or Bust
Secure Data or Bust

Slide 40 - Secure Data Or Go Bust!!
Secure Data Or Go Bust!!
  • You must secure your data or go bust
  • A legal contract does not stop someone stealing your data
  • A pentest will not identify data security issues in your database
  • They may find 5 or 6 issues; I find 200
  • If you have 1000 databases that’s 200,000 fixes
  • Build a realistic and achievable security for data
Slide 41 - More!!
More!!
  • I have been doing Oracle security for almost 20 years but there is no rush to follow me; why?
  • No budget?
  • Lack of roles available?
  • It is hard to learn Oracle for security people but easier for Oracle people to learn security
  • If you can really crack your Oracle security then move on to thinking about:
  • Adaptive security
  • Adaptive audit
  • Cloud:
  • There is nothing inherently wrong with cloud – if your servers are not in your building already then it's just a remote server already
  • The risk is producer / consumer responsibilities and who you are sharing with
  • It is the risk that data security is not adequately done in legacy already; adding TDE or DV does not correct inherent design issues and moving legacy bad data doesn’t make security.
Slide 42 - Conclusions
Conclusions
  • Understand the big picture
  • Learn as much as you can about all security issues of a key strategic database
  • Do not try and fix 200 issues in each database
  • Build a policy
  • Aim to separate data / code / connected users – then you can do security
  • Focus on data first
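The separation called for on the Build Onion Layers slide and again here (data, code and connected users in different schemas) looks like this in practice. This is an added example, not from the presentation: the schema names, the EMPLOYEES table, the sample row and the password are assumptions, and it needs 18c or later for the NO AUTHENTICATION schema-only accounts (on 12c create them with a password and ACCOUNT LOCK instead). Run as SYS.

```sql
-- Added example: data / code / connected-user separation. Assumes 18c+ and a USERS tablespace.

-- 1. Data schema: owns the tables and cannot log in at all.
CREATE USER hr_data NO AUTHENTICATION
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;

CREATE TABLE hr_data.employees (
  emp_id NUMBER        PRIMARY KEY,
  name   VARCHAR2(100) NOT NULL,
  salary NUMBER(10,2)  NOT NULL
);
INSERT INTO hr_data.employees VALUES (1, 'A. Example', 50000);  -- constructed sample row
COMMIT;

-- 2. Code schema: owns the PL/SQL API and holds only the table privileges the API
--    needs. They are granted directly, not through a role: privileges received via
--    roles are not visible to definer's-rights code at compile time.
CREATE USER hr_code NO AUTHENTICATION;
GRANT SELECT, UPDATE ON hr_data.employees TO hr_code;

CREATE OR REPLACE PACKAGE hr_code.emp_api AUTHID DEFINER AS
  FUNCTION  get_salary(p_emp_id IN NUMBER) RETURN NUMBER;
  PROCEDURE give_raise(p_emp_id IN NUMBER, p_pct IN NUMBER);
END emp_api;
/
CREATE OR REPLACE PACKAGE BODY hr_code.emp_api AS
  FUNCTION get_salary(p_emp_id IN NUMBER) RETURN NUMBER IS
    l_salary NUMBER;
  BEGIN
    -- static SQL with bind variables: nothing for an injection to land on
    SELECT salary INTO l_salary FROM hr_data.employees WHERE emp_id = p_emp_id;
    RETURN l_salary;
  END get_salary;

  PROCEDURE give_raise(p_emp_id IN NUMBER, p_pct IN NUMBER) IS
  BEGIN
    -- the business rule lives in the database, not only in the application
    IF p_pct IS NULL OR p_pct NOT BETWEEN 0 AND 10 THEN
      RAISE_APPLICATION_ERROR(-20002, 'raise must be between 0 and 10 percent');
    END IF;
    UPDATE hr_data.employees
    SET    salary = salary * (1 + p_pct / 100)
    WHERE  emp_id = p_emp_id;
    IF SQL%ROWCOUNT = 0 THEN
      RAISE_APPLICATION_ERROR(-20003, 'no such employee');
    END IF;
  END give_raise;
END emp_api;
/

-- 3. Connected user: can log in and call the API, and nothing else.
--    No SELECT on any table, no DBA, no ANY privileges.
CREATE USER hr_app IDENTIFIED BY "Ch4nge-Me-Before-Use!";   -- assumed password
GRANT CREATE SESSION TO hr_app;
GRANT EXECUTE ON hr_code.emp_api TO hr_app;

-- 4. Verify from a session connected as HR_APP:
--    SELECT * FROM hr_data.employees;
--    SELECT hr_code.emp_api.get_salary(1) FROM dual;
--    BEGIN hr_code.emp_api.give_raise(1, 50); END;
--    /
```

Connected as HR_APP, the direct SELECT fails with ORA-00942 because the user has no privilege on the table, the function call succeeds because the package runs with HR_CODE's rights, and the 50% raise is rejected with ORA-20002 by the rule in the API. With the data behind a definer's-rights API like this, the connected account can be audited, profiled and IP-restricted as a single object, and a stolen application password yields only what the API allows rather than the whole schema.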
Slide 43 - Questions
Questions
  • Brexit – had to be mentioned; it does not cancel GDPR
  • GDPR = The Empire Strikes Back!!
  • 5 November 1605 - Guy Fawkes captured – I live in York and he was born and educated in York; his face is the Anonymous mask
  • Eric Bloodaxe – the hacker is Chris Goggans from Dallas, Texas; the Viking was the last Viking king of Northumbria, ruling from York (Jorvik)
Slide 44 - Secure Your Data Or Bust
Secure Your Data Or Bust