There are three components of security: confidentiality, availability and integrity. Each one of them has its own description and must be considered when you are securing your application. The first threat in a system or database is the ignorant user, so you must learn and put a small fortune into educating users, to teach them how to deal with the internal network.
I wrote once about database threats and you can find this article on my blog https://osamamustafa.blogspot.com. There are lots of threats that could be considered critical:
1 - Escalation of privileges: why should I give users more privileges than they need?
2 - Unnecessary services that are enabled on any operating system: Linux, Unix, or Windows.
3 - Weak passwords: any company should provide strong password authentication, and this can be done in multiple ways in 10g, 11g.
4 - Buffer overflow: this way of hacking is very effective if you have an application, and if you do you must try to avoid this kind of attack.
5 - SQL injection, which is considered one of the top 10 vulnerabilities for any database.
6 - Ignoring encryption for data.
There's a lot more, but this is what came to my mind. A secure system starts from the basic steps like passwords and privileges, and let us not forget that auditing is necessary to monitor users and what they do. There's no 100% secure system. The rule for securing any system is "If the attackers want to hack my system, they will; all I can do is make it harder for them." A simple rule, but true.
Just as a note, you always need to check the connecting user on the database by enabling audit or triggers. Oracle provides a lot of security tools such as
Also it's a good idea to check the below document by Oracle:
Data Encryption, Virtual Private Database, Database Auditing, Backup Encryption, Export File Encryption, Proxy Authentication, Enterprise User Security, Secure Application Roles, Fine Grained Auditing
Thanks so far. But people have only listed security controls, which I mentioned was not the only thing I wanted to cover. I am pretty sure security is far from the only risk attribute for a business-critical database. What other controls outside of security need to be looked at? I was hoping for some expert input here, but even I know backup/restore procedures must be pretty vital controls and definitely in a top 15, yet people haven't even mentioned those.
Edited by: user599292 on Jan 17, 2013 5:39 AM
Edited by: user599292 on Jan 17, 2013 5:45 AM
Osama_mustafa wrote: any control that isn't related to security
What other controls outside of security need to be looked at? Could you please define and explain what you mean by "controls outside of security"?
Changing a default password - security control
Having an effective backup/restore process - continuity control
It's more about risks and subsequent controls. Not every risk to an Oracle database can be protected by a security control, I would assume.
The best database security tips that I've read have been on Pete Finnigan's blog (http://www.petefinnigan.com/weblog/entries/).
I'm not entirely sure what you're asking, but I'll make some random guesses as if I were an auditor. These are the first few things that come off the top of my head...
Power roles: make sure no one has powerful roles, such as DBA, without a justified reason.
CREATE/SELECT/ALTER ANY privileges: make sure all users/roles who have these privileges need them. The same goes for other powerful privileges: ALTER SYSTEM, ALTER DATABASE, etc.
WITH ADMIN OPTION: check that anyone with this privilege, especially on important tables, really deserves it.
User profiles: ensure that individual user accounts have password rules to follow (expiration, etc.).
User accounts: ensure that anyone who no longer works at the company does not have a user account in any database.
Database links: do you really need public links, and do the linked users really need all that access?
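As an added example (not code from any poster in this thread), the queries below pull the evidence for each of the checks above from Oracle's data dictionary views. They assume DBA-level read access and the column names documented for 11g; they only read, and change nothing.

```sql
-- 1. Power roles: who holds DBA (or the full export/import roles),
--    and who can pass any role on (WITH ADMIN OPTION)?
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
    OR admin_option = 'YES'
 ORDER BY grantee, granted_role;

-- 2. "ANY" system privileges and other high-impact privileges, per grantee.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
    OR privilege IN ('ALTER SYSTEM', 'ALTER DATABASE', 'BECOME USER')
 ORDER BY grantee, privilege;

-- 2b. SYSDBA/SYSOPER are not in dba_sys_privs; they live in the password file.
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- 3. Object grants that the grantee may re-grant (WITH GRANT OPTION)
--    on application schemas, i.e. privileges that can spread on their own.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantable = 'YES'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name, grantee;

-- 4. Profiles: open accounts whose profile never expires the password,
--    never locks on failed logins, or has no password verify function.
--    A limit of DEFAULT inherits from the DEFAULT profile, so check that too.
SELECT u.username, u.profile, p.resource_name, p.limit
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND p.resource_name IN ('PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS',
                           'PASSWORD_VERIFY_FUNCTION')
   AND p.limit IN ('UNLIMITED', 'NULL', 'DEFAULT')
 ORDER BY u.username, p.resource_name;

-- 5. User accounts: every open account, to reconcile against the HR leavers
--    list, plus accounts still on a well-known default password (11g view).
SELECT username, account_status, profile, created
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY created;
SELECT username FROM dba_users_with_defpwd;

-- 6. Database links: PUBLIC links are usable by every account; a non-null
--    USERNAME means fixed credentials are stored in the link itself.
SELECT owner, db_link, username, host
  FROM dba_db_links
 ORDER BY CASE WHEN owner = 'PUBLIC' THEN 0 ELSE 1 END, owner, db_link;
```

Run them as SYS or a user with SELECT ANY DICTIONARY and keep the output with the audit working papers; each row in the first three result sets should map to a written justification.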
The bigger audit firms generally have their own lists of database and change management controls that they look for. These have evolved over the years, particularly since the introduction of SOX.
Some tool vendors also have built-in SOX control checks in their security tools.
A Google search for "Oracle Database SOX Auditing" would also throw up a number of documents.
SOX controls are a good starting point. You can then "negotiate down" some of the controls if SOX doesn't apply to your organisation.
As for database security guidelines specifically, you could start with Chapter 10 of the Security Guide.
Hemant K Chitale