Data is a treasure. And in my last 20 years of working in security, I’ve found that hackers have understood this better than many of the organizations that own and process the data.
Attackers are relentless in their pursuit of data, but many organizations ignore database security, focusing only on network and endpoint security. When I ask the leaders responsible for securing their data why this is so, the most frequent answers I hear are:
And yet, when they see the results from our field-driven security assessment, the same organizations backtrack. They admit that their databases do, in fact, have sensitive data, and while there may be firewalls, there are very limited security measures in place to directly protect the databases. They are even unsure how secure their databases are, or if they have ever been hacked. Given the high volume of breaches, they realize that they must get ready to face attacks, but don’t know where to start.
Assessing database security is a good first step but it can be quite an arduous task. It involves finding holes from various angles including different points of entry, analyzing the data found, and then prioritizing next steps. With DBAs focused on database availability and performance, spending the time to run security assessments or to develop database security expertise is often not a priority.
Hackers, on the other hand, are motivated to attack and find the fastest way in, and then the fastest way out. They map out the target databases, looking for vulnerabilities in database configuration and over privileged users, run automated tools to quickly penetrate systems, and then exfiltrate sensitive data without leaving behind much of a trail.
If this were a war between organizations and hackers, it would be an asymmetric one. In such situations, assessing your own weaknesses and determining vulnerable points of attack becomes very critical.
I am pleased to announce the availability of the Oracle Database Security Assessment Tool (DBSAT). DBSAT helps organizations assess the security configuration of their databases, identify sensitive data, and evaluate database users for risk exposure. Hackers take similar steps during their reconnaissance, but now organizations can do the same—and do it first.
DBSAT is a simple, lightweight, and free tool that helps Oracle customers quickly assess their databases. Designed to be used by all Oracle Database customers in small or large organizations, DBSAT has no dependency on other tools or infrastructure and needs no special expertise. DBAs can download DBSAT and get actionable reports in as little as 10 minutes.
What can you expect DBSAT to find? Based upon decades of Oracle’s field experience in securing databases against common threats, DBSAT looks at various configuration parameters, identifies gaps, discovers missing security patches, and suggests remediation. It checks whether security measures such as encryption, auditing, and access control are deployed, and how they compare against best practices. It evaluates user accounts, roles, and associated security policies, determining who can access the database, whether they have highly sensitive privileges, and how those users should be secured.
Finally, DBSAT searches your database metadata for more than 50 types of sensitive data including personally identifiable information, job data, health data, financial data, and information technology data. You can also customize the search patterns to look for sensitive data specific to your organization or industry. DBSAT helps you not only discover how much sensitive data you have, but also which schemas and tables have them.
With easy-to-understand summary tables and detailed findings, organizations can quickly assess their risk exposure and plan mitigation steps. And all of this can be accomplished in a few minutes, without overloading valuable DBAs or requiring them to take special training.
Reviewing your DBSAT assessment report may be surprising—and in some cases, shocking—but the suggested remediation steps can improve your security dramatically.
Privacy Regulations and Compliance
DBSAT also helps provide recommendations to assist you with regulatory compliance. This includes the European Union General Data Protection Regulation (EU GDPR) that calls for impact assessments and other enhanced privacy protections. Additionally, DBSAT highlights findings that are applicable to EU GDPR and the Center for Internet Security (CIS) benchmark.
Oracle is a leader in preventive and detective controls for databases, and now with the introduction of DBSAT, security assessment is available to all Oracle Database customers. I urge you to download and try DBSAT—after all, it’s better that you assess your database’s security before the hackers do it for you!