Data breaches are common nowadays, and data-privacy regulations are becoming stricter: they now legally require organizations to protect their employees' and customers' personal data. Organizations therefore need to implement basic countermeasures to limit their exposure to internal and external attacks. In this article we explain, based on real-life examples, why and how it has become mandatory for our key customers to protect the sensitive data stored in their databases.
To simplify, one can say there are two ways of getting at sensitive data: attack the system from the outside by exploiting vulnerabilities in the network or in web applications, for example SQL injection (submitting, through a web form field, input that the application concatenates into a SQL statement, so that the attacker's own query, such as SELECT * FROM customer, is executed), or attack from the inside by using privileged access such as DBA accounts to read the data and send it out. The latter kind of attack can be carried out not only by rogue users but also by malware (Trojan horses) downloaded from the Web and running with a legitimate user's privileges.
Oracle's approach is to recommend securing systems from the inside, rather than securing only the perimeter of an IT system. It is therefore key to identify the vulnerabilities in the databases, applications and systems that are exposed to external and internal users, DBAs included. Oracle Consulting can provide a detailed questionnaire with more than 300 check points, including database scripts, to identify those vulnerabilities quickly. For example, we can assess whether database password policies are enforced, whether unused network services such as FTP are still listening (a channel that could one day be used to extract sensitive data), or whether the database PUBLIC role, whose grants every user inherits, carries excessive privileges such as reading or writing any table.
When running assessments to analyze vulnerabilities and risks in a subset of databases, it is also important to analyze the overall security strategy and the existing processes for auditing how security policies are implemented in the IT organization and its systems. We often discover, for example, that data-privacy policies are not yet defined in the security strategy, so that no process or tool exists to enforce data privacy in IT systems. We also find that access to the database machines may be well protected and traced, but that once connected to the machine, the DBA can access every database hosted on it without any proper control or audit of database access and transactions.
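To make the SQL injection case above concrete, here is an added example (not code from the original article or from any Oracle product) that builds a small customer table and runs the same lookup two ways: once with the form input concatenated into the statement, once with a bind variable. It uses Python's built-in sqlite3 rather than an Oracle database so that it runs offline; the table, rows and payload are constructed for the example, but the behaviour is the same on any SQL engine.

```python
import sqlite3

# Constructed sample data for the example; not from any real system.
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# Typical injection payload: closes the quoted literal and appends an
# always-true condition, so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """In-memory database standing in for the customer table of the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation: the form input becomes SQL."""
    sql = "SELECT id, name, email FROM customer WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Bind variable: the input is only ever treated as data, never parsed as SQL."""
    sql = "SELECT id, name, email FROM customer WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Row counts returned for the payload and for a legitimate lookup."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),  # whole table leaks
        "safe_rows": len(lookup_safe(conn, PAYLOAD)),              # no customer is literally named that
        "legit_rows": len(lookup_safe(conn, "bob")),               # normal use still works
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version turns the payload into `WHERE name = 'x' OR '1'='1'` and returns all three customers; the bound version looks for a customer whose name is literally `x' OR '1'='1` and returns nothing. On Oracle the equivalent is to use bind variables (`:name`) in OCI, JDBC or PL/SQL rather than building the statement text from user input.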
What are the basic countermeasures to implement?
The first thing customers should do is address accountability: being able to know "who did what" in their systems. The "who" must be a physical person who can be identified without ambiguity. If a DBA uses a shared system account such as SYS, the database logs alone cannot tell you who was behind the keyboard. But if the access logs of the desktop, the database machine and the database itself are correlated by timestamp (desktop login, then host login from that workstation, then the database session), it becomes possible to establish who was behind a given access at a given time.
This is one of the first use cases organizations can implement with the Oracle Audit Vault and Database Firewall (AVDF) product. It collects audit and access logs from critical databases, consolidates them, and forwards them to an enterprise SIEM tool, which correlates this information with desktop and server access logs. The SIEM answers the "who?" question. For the "what", Oracle AVDF logs the key database operations, such as DROP TABLE or SELECT * FROM table, and provides reports and alerts where needed. In addition, Oracle AVDF protects the collected audit data itself, since it may contain sensitive information as well.
Once you know "who is doing what", the second thing to do is protect the sensitive data itself. Several technologies can be deployed here: encryption, data redaction, segregation of duties within the database (Database Vault), or data masking. Each of them, however, addresses a specific vulnerability and use case; as stated above, assessing the risks first helps prioritize which features to implement and optimizes the cost.
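The correlation described in the two paragraphs above (a shared SYS session traced back through the host login to a desktop login) is the kind of rule a SIEM runs once AVDF has delivered the database audit records. As an added example, not part of the original article and not AVDF or any Oracle product code, the Python below performs that correlation over constructed log records. The three log layouts, the host and user names, and the ten-minute correlation window are assumptions made for the example; real desktop, SSH and database audit formats differ, but the walk-backwards logic is the same.

```python
from datetime import datetime, timedelta

# Constructed sample logs (invented for this example). Each list is a simplified
# stand-in for one log source the SIEM would receive.
DESKTOP_LOGINS = [
    # (timestamp, person, workstation)
    ("2024-03-04T08:58:10", "jdoe", "wks-17"),
    ("2024-03-04T09:30:00", "msmith", "wks-22"),
]
HOST_LOGINS = [
    # (timestamp, OS account, source workstation, database host)
    ("2024-03-04T09:01:42", "oracle", "wks-17", "dbhost01"),
    ("2024-03-04T09:31:05", "oracle", "wks-22", "dbhost01"),
]
DB_AUDIT = [
    # (timestamp, database user, database host, statement) as AVDF would collect it
    ("2024-03-04T09:02:15", "SYS", "dbhost01", "SELECT * FROM hr.employees"),
    ("2024-03-04T09:32:00", "SYS", "dbhost01", "DROP TABLE hr.salary_history"),
    ("2024-03-04T11:45:00", "SYS", "dbhost01", "SELECT * FROM hr.employees"),
]

# Assumed maximum gap between one hop and the next in the login chain.
WINDOW = timedelta(minutes=10)


def within_window(later, earlier):
    """True if `earlier` happened at most WINDOW before `later`."""
    gap = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return timedelta(0) <= gap <= WINDOW


def attribute(db_event):
    """Map a shared-account database event back to the people who could be behind it.

    Walks backwards: database event -> host login onto that database host from some
    workstation shortly before -> desktop login on that workstation shortly before that.
    """
    db_ts, _db_user, db_host, _stmt = db_event
    people = []
    for host_ts, _os_user, workstation, host in HOST_LOGINS:
        if host != db_host or not within_window(db_ts, host_ts):
            continue
        for desk_ts, person, wks in DESKTOP_LOGINS:
            if wks == workstation and within_window(host_ts, desk_ts):
                people.append(person)
    return sorted(set(people))


def report():
    """Timestamp -> attributed person, or None when the chain cannot be closed.

    An unattributed SYS event is exactly the case that should raise a SIEM alert:
    privileged activity with no identifiable human behind it.
    """
    result = {}
    for event in DB_AUDIT:
        people = attribute(event)
        result[event[0]] = people[0] if len(people) == 1 else None
    return result


if __name__ == "__main__":
    for ts, person in report().items():
        print(ts, person or "UNATTRIBUTED")
```

The first two SYS events resolve to jdoe and msmith respectively; the 11:45 event has no host login within the window and is reported as unattributed, which is the condition a practitioner would alert on. Ambiguous chains (two people who could both have been behind the session) are deliberately reported as None rather than guessed.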
What can Oracle Consulting do?
Oracle Consulting can assess the vulnerabilities and risks of critical databases, review the data-security policies and existing countermeasures, and recommend a security roadmap with priorities and total cost of ownership.
We can then help implement each of the database security products, either with quick-start packages or by deploying them at enterprise level using the architecture frameworks and patterns we have built in previous engagements.
We can also help customers build specific solutions for regulatory compliance requirements such as PCI DSS and the EU General Data Protection Regulation (GDPR), by identifying the gaps in the existing strategy, processes and tools, and then implementing the key features needed to improve compliance.
Please contact Oracle Consulting for more information.