The truth about database security


The truth about database security!

Most attacks on databases are difficult to detect.
75% of attacks are internal.
80% of enterprises dont have a database security plan.
20% of enterprises take advanced security measures.
70% behind in security patches.
DBAs spend less than 5% on database security
Most dont implement data security policies.

Hardening checklists:
Databases are complex
You need to be a database expert to understand all the parameters to confiure.
100s of tedious configuration checks to secure the database infrastructure.
Industry standards are available.

Hardening the database — Overview
Choose a hardening checklist that’s based on industry best pratices
Remove privileges you dont need.
Ensure you users are using strong passwords.
Use an automated vulnerablity assessment tool to check for:
 -Software vulnerabilities such as missing patches.
 -Misconfigurations such as Oracle directory and file permissions.
 -Misuse of the database such as the sharing of priviledge Credentials.
Create and maintain a secure configuration baseline.
Implement defense-in-depth of your database infrastructure.
Understand Oracle Critical Patch Update. CPU
Sanitize test data.

Ensure Users Are Using Strong Passwords.

“Many experts consider default passwords to be one of the major reasons why attacks occur”

Oracle 11g has a view that shows all accounts with default passwords – make sure to use it periodically”

Syntax:  select * from dba_users_withdefpwd;

Ensure password profile is enabled.

Any system Privileges:
 – There are over 99 system privileges
    .But the ANY system privileges are the most dangerous.
. Need to be very controlled(and validate)
. This means you will be the equivalent of the “ROOT” user in Unix or Adminstrator for WINDOWS.

Nearly every ANY system privilege can be used by an attacker to assume DBA privileges:

-GRANT ANY PRIVILEGE
.obvious – I can now give anybody any privilege, such as i give to Eva

Grant DBA to Eva

If you cant patch immediately, use virtual patching to protect against known.

Från Khan SQL DBA – MCITP

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s