Wednesday Mar 19, 2014

Oracle Open World 2014 Call for Proposals (Papers)

Oracle Database Security Experts Wanted!

The 2014 Call for Proposals for Oracle OpenWorld is open. It’s worth the time to share your expertise with thousands of Oracle users.

If you’re an Oracle Database security expert, conference attendees want to hear it straight from you. So don’t wait-proposals must be submitted by April 15.

Share if you are planning to attend and/or present.  We look forward to meeting you.

Monday Mar 10, 2014

Part 4: Controlling Data Access and Restricting Privileged Data in Oracle Database

This is the fourth and final excerpt from Chapter 1 of Securing Oracle Database 12c: A Technical Primer ebook, Oracle Press. You can read the complete chapter on controlling data access and restricting privileged data by downloading your own copy. Thanks for reading.

Controlling Privileged Users

System privileges and powerful roles give significant control of the database, including the ability to view all data and make changes to the data. Some administrative users need these powerful privileges for maintenance, tuning, and backups, but they don’t need access to all of the data. Even though the administrative users are trusted, it is important to secure company data assets and personal information even from these privileged accounts in order to prevent unauthorized use by insiders or attackers.

Oracle Database Vault provides several kinds of operational controls within the database including realms, which enforce limits on access to specified objects such as tables and views. After creating a Database Vault realm, objects are added to the realm and database users can be designated as realm participants. This provides access only to the realm participants, and excludes other users, even if they have powerful system privileges like SELECT ANY TABLE that would otherwise allow them to access the objects in the realm.

The following illustration shows an example of two realms, protecting database schemas containing human resources (HR) and finance (FIN) data. Once enabled, the realms prevent privileged administrative users or other application owners from using their elevated privileges to access data. The privileged application owner HR is prevented from accessing data inside the FIN realm, and even an administrator with the DBA role is unable to access data in the HR and FIN realms.

Oracle Database Vault Realms

In addition to regular realms, Oracle Database 12c adds the ability to create mandatory realms. A regular realm will block the use of system privileges such as SELECT ANY TABLE if the user is not a realm participant, but it doesn’t block the schema owner or other users who gain access to the data using object privileges. Mandatory realms prevent access by anyone who is not a realm participant. One popular use for a mandatory realm is to continue to protect sensitive data during patching and upgrades, when an administrator needs to make changes to the application schema but should not have access to the data tables in that schema.

When Oracle Database Vault is configured, a couple of additional users are created. The first of these is the Database Vault owner, who can create and manage realms to control access to sensitive data. The second user is the Database Vault account manager, who has the responsibility for creating users in the database. While a single user could perform both functions, the ability to divide these duties among multiple users allows for separation of duty as described earlier. Furthermore, there is a DVOWNER role that can be granted to other users to delegate the ability to manage Database Vault realms. This role should be granted to administrators who are responsible for the security configuration of the database, rather than the general database administrator.

The following illustration shows the use of the Database Configuration Assistant for enabling Oracle Database Vault. Management of Database Vault requires the use of these specialized users and roles. The SYSDBA administrative privilege cannot be used for realm or user management when Database Vault is enabled.

Oracle Database Vault and Label Security

From the free ebook, Oracle Database 12c: A Technical Primer by Michelle Malcher, Paul Needham, and Scott Rotondo.

Friday Feb 28, 2014

February Edition of Security Inside Out Newsletter, Now Available

Get the latest edition of our bi-monthly (that's every other month) Security Inside Out newsletter featuring both database security and identity management news. This month's articles:

SANS Study Explores Maturity of Security Strategies Among Healthcare Organizations

A new report from the SANS Institute, a leading security education and research organization, surveys real-world organizations to discover how the healthcare industry is adapting to this new security landscape. Find out how organizations like yours are responding to the new challenges of more-stringent regulations and new mobile and cloud technologies.

New Report Puts Oracle Audit Vault and Database Firewall to the Test

A new report from leading security organization SANS Institute finds that Oracle Audit Vault and Database Firewall successfully achieves three key security objectives: audit collection, SQL traffic monitoring, and security event reporting.

Key Cloud Security Paradigms and Oracle’s Identity Management Roadmap

Find out the most common approaches to achieving security in the cloud and whether using a third-party identity management solution is a good strategy. 

Read more here

Bitcoin Exchange Files Bankruptcy in Wake of Cyber Attack

There are a lot of interesting nuggets to pull from the downfall of Mt. Gox, but the Christian Science Monitor sums it up under "What it All Means":

Mt. Gox serves as a reminder that you're not just buying Bitcoins; you're also involved in the company performing the exchange. There are no watchmen to answer to, and things can go downhill quickly if a breach happens. It's not an isolated incident, either: In 2012, the exchange site Bitcoinica was hacked for over $460,000 worth of Bitcoins, according to The Verge.

If you're not familiar with the story, Mt Gox (Picture Source: The building that houses the Mt. Gox offices in Tokyo. Photo: Ariel Zambelich/WIRED) was targeted by hackers who stole around $350 million in Bitcoins over a two year period and they have stopped exchanging bitcoins as of Tuesday.

The building that houses the Mt. Gox offices in Tokyo. Photo: Ariel Zambelich/WIRED

Wired has a great write-up here on the exploit and alleged repercussions and predictions of the attack, some of which have already come true: bankruptcy. The hackers exploited a bug in Mt. Gox's website, but it's not clear exactly what they did at this point:

Now, according to the alleged leaked document, it looks like hackers had been exploiting that bug for two years, and even removing bitcoins from supposedly secure “cold” wallets that the company had stored offline. Typically, cold wallets are disconnected from the internet and cannot be emptied by online attackers. However, the “cold storage has been wiped out due to a leak in the hot wallet,” the document states.

Wired is referring to this leaked document.  Analysis at the end of the document says "Expertise to find: Analysts, top class developers (crypto), IT security expert..." I'll say they need an IT security expert. 

There's more to learn on this one. 

Thursday Feb 27, 2014

Part 3: Controlling Data Access and Restricting Privileged Data in Oracle Database

This is the third post on controlling data access and restricting privileged data in Oracle Database, pulled from the free ebook, Securing Oracle Database 12c: A Technical Primer. Here are the first and second posts. The book highlights new security features found in Oracle Database 12c; however, the majority of the solutions are applicable to earlier Oracle Database releases as well.

Users with Administrative Privileges

Certain users can connect with special administrative privileges, such as SYSDBA and SYSOPER, to allow maintenance operations even when the database is not open. These users can authenticate using a network-based authentication service such as Oracle Internet Directory or based on membership of the connecting user in a particular operating system group.

If a user must connect with administrative privilege using a password for authentication, the password is stored outside the database in a password file, which is administered using the orapwd command. User management functions such as locking an account after multiple failed login attempts are not available for users in the password file, although each failed attempt will cause an exponentially increasing delay to limit password guessing when the database is running.

Proxy Authentication and Authorization

Sometimes administrators need to connect to an application schema to perform maintenance. Sharing the application schema password among several administrators would provide no accountability. Instead, proxy authentication allows the administrators to authenticate with their own credentials first and then proxy to the application schema. In such cases, the audit records show the actual user who performed the maintenance activities. This form of proxy authentication is supported in Oracle Call Interface (OCI), JDBC, and on the SQL*PLUS command line. Here is an example where the user app_dba is allowed to connect to the database and act as hrapp.

ALTER USER hrapp GRANT CONNECT THROUGH app_dba;

Now the user app_dba can connect using his own password and assume the identity of the hrapp user by proxy as follows:

CONNECT app_dba[hrapp]
Enter password: <app_dba_password>

Stay tuned for more. Or, you can read ahead by downloading the complimentary ebook here. Also, let me know if you are enjoying these posts by adding comments below.  

Friday Feb 21, 2014

Part 2: Controlling Data Access and Restricting Privileged Data in Oracle Database

This is the second post on controlling data access and restricting privileged data in Oracle Database, pulled from the ebook, Securing Oracle Database 12c: A Technical Primer. The first post can be found here. The book highlights new features found in Oracle Database 12c; however, the majority of the solutions are applicable to earlier Oracle Database releases as well.

Storing Passwords

Users are expected to provide the password when they connect to the database, but applications, middle-tier systems, and batch jobs cannot depend on a human to type the password. Earlier, a common way to provide passwords was to embed user names and passwords in the code or in scripts. This increased the attack surface and people had to make sure that their scripts were not exposed to anyone else. Also, if passwords were ever changed, changes to the scripts were required. Now you can store password credentials by using a client-side Oracle wallet. This reduces risks because the passwords are no longer exposed on command-line history, and password management policies are more easily enforced without changing application code whenever user names or passwords change.

To configure password storage using an Oracle wallet, set the WALLET_LOCATION parameter in the sqlnet.ora file. The applications can then connect to the database without providing login credentials, as follows:

CONNECT /@hr_db.example.com

Stay tuned for more. Or, you can read ahead by downloading the complimentary ebook here.

Thursday Feb 20, 2014

New Blog Focused on Oracle Advanced Security

I wanted to let folks know that Todd Bottger, Oracle's product manager for ASO, has a new blog on Oracle Advanced Security. He'll be taking the conversation a lot more technical, so go subscribe to learn more.

Wednesday Feb 19, 2014

Controlling Data Access and Restricting Privileged Data in Oracle Database

In a series of blog posts I will be pulling excerpts directly from the ebook Securing Oracle Database 12c: A Technical Primer by Michelle Malcher, Paul Needham, and Scott Rotondo. Previously, I posted the introduction of the book and now I will continue with the first chapter: Controlling Data Access and Restricting Privileged Users. If you don't want to wait for each post, I encourage you to download your own free copy of the book.

Controlling Data Access and Restricting Privileged Users

The most fundamental step in securing a database system is determining who should be able to access which data. This chapter describes the management of user accounts and the mechanisms for determining the access that each user has. It continues with a discussion of the types of privileged access that a user may have and available tools for removing any additional access they do not need.

User Management

All access to the database is through users, whether these are administrative users, application accounts, or regular users. As the users have direct connection to the database, it is important that they are properly authenticated and have appropriate roles, and that their accounts cannot easily be compromised. It is also important to ensure that there are proper resource constraints on their usage, or else the rest of the database may be indirectly affected.

The CREATE USER statement is used to create a database user and its associated schema. In the following example, the user is identified by a password, and the account follows the policy specified by org_profile.

CREATE USER jsmith IDENTIFIED BY NoOne!Knows PROFILE org_profile DEFAULT TABLESPACE data_ts TEMPORARY TABLESPACE temp_ts;

A profile specifies a named set of resource limits and password parameters that restricts excessive consumption of system resources and enforces constraints on the passwords. The password-specific parameters provide password management including account locking, password aging, password history, and password complexity verification. The password verification function is perhaps the most important control to ensure that users pick complex passwords, making it difficult for intruders to guess them. The FAILED_LOGIN_ATTEMPTS parameter limits brute-force password-guessing attacks by locking the account after a specified number of incorrect logins.

CREATE PROFILE org_profile LIMIT
 FAILED_LOGIN_ATTEMPTS 6 -- attempts allowed before locking
 PASSWORD_LIFE_TIME 180 -- max life-time for the password 
 PASSWORD_VERIFY_FUNCTION ora12c_verify_function; -- Password complexity check

The dictionary views DBA_USERS and DBA_PROFILES describe the users and profiles, respectively. The privilege to create users must be limited to the DBA or the security administrator. Each user should have an assigned tablespace; otherwise, any objects they create would go into the SYSTEM tablespace, thus creating contention between the data dictionary objects and the user objects.

Oracle Multitenant Database Users

Oracle Multitenant, an Oracle Database 12c option, includes both common and local users. A common user is created in the container database and has the same user name and password in all of the pluggable databases that are part of the container database. The common user can have privileges that are granted at the container level, and other privileges that are granted in each pluggable database. The privileges can be different in each of the pluggable databases, but the user doesn’t need to be created in each pluggable database.

To create a common user for the container database and all of the pluggable databases, log in to the container database as SYSTEM and create a user with CONTAINER=ALL. Note that all common user names begin with the prefix C##.

SQLPLUS> CONNECT SYSTEM@root
Enter password: **********
Connected.
SQLPLUS> CREATE USER C##DB_ADMIN
IDENTIFIED BY IronMan4
CONTAINER = ALL;

A local user, on the other hand, is created in the pluggable database, and does not have access to the container. This is good for the administrator who manages a pluggable database but does not manage the overall system. To create a local user, connect to the pluggable database as SYSTEM, create the user, and grant the needed roles and privileges as before, but specify CONTAINER=CURRENT instead of CONTAINER=ALL.

SQLPLUS> CONNECT SYSTEM@pdb1
Enter password: *********
Connected.
SQLPLUS> CREATE USER pdb1_admin
IDENTIFIED BY SpiderMan3
CONTAINER = CURRENT;

 Stay tuned for more...

Tuesday Feb 11, 2014

Webcast with ISACA - Want Better Data Security?

Insecure database silos make protecting data challenging and costly. Increasingly, organizations find that database consolidation and private cloud initiatives reduce complexity, risk, and drive down the cost of protecting data and meeting regulatory compliance. 

In this webcast, you will learn how to:

  • Consolidate databases securely
  • Address database security at the infrastructure level
  • Adopt a defense in depth strategy 
Watch Now and learn the controls needed to safeguard your mission critical enterprise data.  

Sunday Feb 09, 2014

Oracle Data Redaction Article in Oracle Magazine

Another nice article on Oracle Data Redaction (part of Oracle Advanced Security). This one by Arup Nanda, Oracle ACE Director. Hide from Prying Eyes is found in the latest edition of Oracle Magazine. 

Wednesday Feb 05, 2014

Recent Breaches Prove Risks to Retail Industry Higher than Ever

Recent retail data breaches serve as a sobering reminder that the retail industry continues to be a key target of cybercriminals in 2014.

In fact, according to the recent Verizon Data Breach Investigations Report, nearly a quarter of all data breaches occurred in retail environments and restaurants.

What can retailers do to lower their risk?

Know Who Wants Your Data

The Verizon report demonstrates that there exists a relationship between industry, attack motive, and threat actor. Payment card data is often stolen from retailers by organized criminals from many different geographies. They are going for volume and so should you. Protect your biggest targeted assets first – your databases.

Know Where Your Data Resides and Who Has Access

Common attacks leverage legitimate user credentials to access sensitive databases and steal sensitive payment card data. Implement controls around what users have access to and enforce least privilege, especially in consolidated environments. Also, audit database activity to detect and stop unauthorized activity as well as collect critical forensic data that might be needed.

Develop a Security Inside Out Strategy

Despite following PCI DSS requirements, data breaches are a constant reminder that compliance is not enough to thwart a motivated attacker. Assess your existing controls to identify your company-specific vulnerabilities that put your organization's data at risk.

Oracle suggests retailers adopt a defense-in-depth approach to protect sensitive data from the inside out and future-proof against evolving regulatory requirements such as the new Payment Card Industry Data Security Standards.

To learn more about Oracle’s Security Inside Out approach and assess your data security posture for potentially disastrous vulnerabilities in your environment, please contact your Oracle Security account team to setup a complementary consultation. 

Nice Article on Oracle Data Redaction

Gavin Soorma provides a nice article on the new Data Redaction feature in Oracle Database 12c (and backported to 11g R2). Very nice blog-demo, complete with explanations and screenshots.

Wednesday Jan 22, 2014

SANS Analyst Reviews Oracle Audit Vault and Database Firewall

New SANS Institute Report Puts Oracle Audit Vault and Database Firewall to the Test

A new report from leading security organization SANS Institute finds that Oracle Audit Vault and Database Firewall successfully achieves three key security objectives:

  • audit collection,
  • SQL traffic monitoring, 
  • security event reporting.  
SANS Analyst Review of Oracle Audit Vault and Database Firewall

With Oracle Audit Vault and Database Firewall, organizations can monitor both Oracle and non-Oracle database traffic, and detect and block threats. It also enhances compliance by consolidating audit data from disparate sources—including databases, operating systems, directories, custom applications, and more—into a secure data warehouse for reporting and alerting.

"Our review concluded that AVDF did what it claimed to do and is a valuable solution for organizations looking for a first line of defense that protects their data and databases, says SANS Analyst, Tanya Baccam. "The functionality of AVDF became apparent through the review as we looked at audit trails and reports and tested SQL injections. AVDF comes with a variety of useful audit reports based on multiple regulations and standards, and it can monitor for malicious activity out of the box."

Register for the report here

Watch the webcast here

Oracle at RSA Conference 2014, Meet the Authors and Experts

Amidst the increasing frequency and growing onslaught of security attacks, data breaches and mobile threats, it's critical to have access to the latest in security insights, solutions, products and a network of peers facing the same issues you do. Attend RSA Conference, February 24 - 28 and prepare for five intensive days of knowledge gathering and information sharing.

Join Oracle (Booth #1509) as we demonstrate how our complete, best-of-breed security solutions enable you to secure critical applications and sensitive data, lower operational costs, and comply with regulatory requirements. Learn more about:

  • Oracle's Security Inside Out approach
  • Comprehensive defense in depth database security
  • The platform approach to identity management for cloud, mobile and social

To secure your complimentary RSA Conference 2014 Exhibit Hall Pass, click here and enter Oracle Code EC4ORACL by Friday, February 21.

Meet the Authors
Plan to meet the authors of the new book Securing Oracle Database 12c: A Technical Primer, as they give out autographed copies of their new book, while supplies last.

Book-signing hours:
Monday, February 24, 2014
6:30 p.m. – 7:30 p.m.

Tuesday, February 25, 2014
1:00 p.m. – 2:00 p.m.

Wednesday, February 26, 2014
5:00 p.m. – 6:00 p.m. (During Pub Crawl)

Event Exhibition: Meet the Experts
Visit with our security experts, see live product demonstrations, and more:

Monday, February 24, 2014
6:00 p.m. – 8:00 p.m. (Welcome Reception – Delegates & Expo Plus Only)

Tuesday, February 25, 2014
11:00 a.m. – 6:00 p.m.

Wednesday, February 26, 2014
11:00 a.m. – 6:00 p.m. (South Expo – Pub Crawl from 5:00 – 6:00 pm)
10:00 a.m. – 5:00 p.m. (North Expo)

Thursday, February 27, 2014
11:00 a.m. – 3:00 p.m.

OASIS Security Standards Showcase
Oracle will be demonstrating products that support OASIS KMIP and PKCS11 standards at the OASIS XACML Interop in booth #1909. The showcase hours are the same as the exhibit hours.

Thursday Jan 09, 2014

Now Available, Securing Oracle Database 12c: A Technical Primer eBook

Get your complimentary copy of the new database security ebook: Securing Oracle Database 12c: A Technical Primer.

The book is for database administrators who want to learn more about Oracle Database security and for security professionals who want to learn more about how to secure Oracle Databases in an overall IT environment. While the title references Oracle Database 12c, most of the content is applicable to Oracle Database 9i and above.

Add this to your electronic book shelf and keep readily available as your new go-to book for Oracle Database 12security. 

The book was written by two members of our database security team: Paul Needham, Senior Director of Product Management, and Scott Rotondo, Consulting Member of Technical Staff; as well as Michelle Malcher, IOUG President and DBA Team Lead, DRW Holdings. What they've compiled is a great technical primer of the security capabilities available for Oracle Database 12c and how you can take advantage of them now.

And a big thanks to Tom Kyte (and here) for writing the forward to the book.  

Also, please submit your comments about the ebook below, we'd love to hear what you think!

About

Who are we?

Follow us on

  • TwitterFacebookLinkedIn

Search

Archives
« September 2015
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today