oracle secuirty configuration

8/12/2019 Oracle Secuirty Configuration

1/25

CPE SessionMarch 02, 2014ISACA-Dhaka Chapter

Md. Mushfiqur RahmanMember ID: 839745


2/25

Consolidate Oracle DatabaseSecurity


3/25

Get to know

DATABASE Security


4/25


5/25


6/25


7/25


8/25


9/259


10/25


11/25


12/25


13/25


14/25


15/25


16/25


17/25


18/25

Steps to a Secure Oracle Database

ServerWhy do we continue to encounter Oracle servers with misconfigurations and

other vulnerabilities that can easily avoided by just a little effort by DBAs?

There are many reasons:

Understaffed Security Teams - Simply a lack of internal or third-party security

professionals to bring visibility to the importance of database security. If there are no

security professionals in the organization, or ones that lack the skills or resources toperform periodic security assessments of databases, database misconfigurations will

often go undetected.

DBA's "don't do" security - The reality in many organizations is that DBAs are

administrators that are focused on database availability and performance and not

security. DBAs might be reluctant to implement secure configurations due to a lack offull understanding of the security risks- the vulnerability and exposure of not

implementing the secure configuration, or due to fear that the secure configuration

will unintentionally break some functionality. To boil it down, DBAs might have some

fear, uncertainty, and doubt (FUD) about implementing secure database

configurations.


19/25


Server

1. Lock Down Default Accounts!

2. Require all database connections to use a strong

SID

3. Apply Oracle Critical Patch Updates ASAP4. Remove all unnecessary privileges from the

PUBLIC role

5. Enable Database Auditing

Audit SYS OperationsEnable Database Auditing

Enable Auditing on Important Database Objects


20/25

6. Setup Database Triggers for Schema

Auditing and Logon/Logoff EventsLogon Trigger

DDL_Trigger

Error Trigger

7. Implement a Database Activity Monitoring(DAM) Solution


Server

S S O


21/25

8. Enable Password Management for all Oracle Logins

A. Creating Profiles

B. Account Lockout

C. Password Expiration

D. Password History

E. Password Complexity Verification

In general, the password verification function should ensure users passwords

incorporate the following criteria:

Differs from their username

Not a dictionary wordAt least 10 characters in length

Include at least 1 alpha, 1 numeric, and 1 special character

9. Perform Regular Database Security Assessments


Server

S S O l D b


22/25

10. Encrypt Database Traffic

Security Threats and Countermeasures

Security threats can be addressed with different types of measures:

A. Procedural, such as requiring data center employees to display security badges

B. Physical, such as securing computers in restricted-access facilities

C. Technical, such as implementing strong authentication requirements for critical business

systems

D. Personnel-related, such as performing background checks or "vetting" key personnel

E. Consider whether the appropriate response to a threat is procedural, physical, technical,

personnel-related, or a combination of the such measures.


Server

St t S O l D t b


23/25

Issues and Actions for Policies to Address

A. Establish & maintain application-level security

B. Manage privileges & attributes (system/object/user)

C. Create, manage, and control roles (database, enterprise)

D. Establish the granularity of access control desired

E. Establish & manage the use of encryption

F. Establish & maintain security in 3-tier applications

G. Control query access, data misuse, and intrusions


Server


24/2524

Skill-sets needed for Oracle DBA?

Conceptual

System Analysis & Design skills Database Design skills

Physical Disk Storage skills

Data Security skills

Backup and Recovery skills Change Control Management

skills


25/25

Thank you

oracle secuirty configuration

Documents