Objectives
• The Basics of IT Auditing
• Analyzing an IT environment
• Auditing Data Security
• Class Exercises
Case Scenario – Singapore DMV
• Objectives of the Audit:
1. Analyze the DMV IT environment for data
2. Identify known threats and vulnerabilities to the databases
3. Recommend controls to strengthen the DMV’s data security
Definition of IT Auditing
• What is Information Systems Auditing or IT Audit?
• An examination of the IT controls
• Obtaining evidence to assure the:
• Safeguarding of assets
• Maintenance of data integrity, and
• IT is operating effectively
• IT controls should mitigate IT risks
• Planning & Gain an Understanding
• Obtain an understanding of the organization’s internal controls within its control environment
The Basics of IT Auditing
Analyze the DMV IT environment for Data
Scope the Audit
Windows Server Hosts
Oracle Database Server 11g
Registration Data
Unix Server Hosts:
Oracle Database Server 11g
Driver’s License and Credit Card Data
The Basics of IT Auditing
• Risk Assessment
• Identify risks that could prevent the business from achieving its objectives
Risk Assessment
RISK is the PROBABILITY that a THREAT will exploit a VULNERABILITY to cause harm to an ASSET
The Risk formula is often displayed in the following two formats:
Threat Landscape x Vulnerability x Asset
R = f(T, V, A)
The Threat Landscape Update
• ONE: “Hacktivism”
• Political idealists or common criminals?
• Weaknesses exploited in 2012, according to Verizon Business Study
1. Default or guessable passwords
2. Backdoor malware
3. Stolen log-in credentials
4. Backdoor command control channels
5. Key loggers and spyware
6. SQL injection
[Chart: Weakness Exploited by Hacktivists. Vertical axis: 0% to 35%. Categories: Default or guessable passwords; Backdoor malware; Stolen log-in credentials; Backdoor or command control channels; Key loggers and spyware; SQL injection.]
Source: Leo Howell & NotebookReview.com: RSA’s Five Top Internet Security Threats in 2012
Internal Control Identification & Testing
DMV Management:
• Considered the “Hacktivism” risks
• Responded to the risks by adopting Center for Internet Security (CIS) standards
Evaluate the organization’s response to those risks
Did the organization implement controls?
Audit Areas
1. Data Dictionary
2. Privileges
3. Parameters
4. Accounts & Passwords
5. Profiles
6. Roles
7. Links
8. Audit Logs
9. Encryption
10. Server and Application Level Configuration Settings
Data Dictionary Risks
• Hackers can gain valuable information about the database, including all of the accounts and encrypted passwords, and could destroy the database by deleting key tables.
Data Dictionary Controls
• Access to the data dictionary should be limited to only those accounts that need access to fulfill their job duties.
• Normally, only the database administrators should have access.
Audit Procedure
Check Configuration:
O7_DICTIONARY_ACCESSIBILITY is set to the approved settings as defined within the approved standards.
CIS recommends O7_DICTIONARY_ACCESSIBILITY=FALSE;
Privileges Risks
• Excessive access granted to system tables and critical application tables may lead to:
• Unauthorized changes to data
• Denial of services
Privileges Controls
• Privileges should be granted based on the principle of least access
• Policies, procedures, and standards should support privilege granting decisions
• Privileges on system and database objects should be carefully assessed, documented, and granted to the proper accounts and roles
• Typically end-user accounts should not be granted system privileges except create session
• Insert, Update, Delete on critical tables should be limited to required users
System Privileges - Audit Procedures
Control: Restrict system privileges
Rationale: All system privileges except for CREATE SESSION must be restricted to DBAs, application object owner accounts/schemas (locked accounts) and default Oracle accounts. Developers may be granted limited system privileges as required on development databases.
Check Conf. Item: REVOKE ALL <PRIVS> FROM <USER>;

Control: Prevent granting of privileges that contain the keyword ANY
Rationale: The ANY keyword grants the ability for the user to set privileges for the entire catalogue of objects in the database.
Check Conf. Item: Check for any user or role that has the ANY keyword and revoke this role where possible.

Control: Prevent granting of all privileges
Rationale: The GRANT ALL PRIVILEGES must not be used; it gives full access to all tables, views and objects to the user or role it is granted to.
Check Conf. Item: REVOKE ALL PRIVILEGES FROM <USER/ROLE>; GRANT <SPECIFIC PRIVILEGES> TO <USER/ROLE>;

Control: Prevent granting of EXEMPT ACCESS POLICY (EAP)
Rationale: Revoke this privilege if not necessary. The EAP privilege provides access to all rows regardless of Row Level Security assigned to specific rows.
Check Conf. Item: REVOKE EXEMPT ACCESS POLICY FROM <USER>;

Control: Prevent granting of privileges that have WITH ADMIN
Rationale: Check for any user or role that has been granted privileges WITH ADMIN and revoke where possible. The WITH ADMIN privilege allows a user to grant the same privileges they possess.
Check Conf. Item: REVOKE <ROLE> FROM <USER>; GRANT <ROLE> TO <USER>;

Control: Prevent granting of privileges that have WITH GRANT
Rationale: Check for any user or role that has been granted privileges WITH GRANT and revoke where possible. The WITH GRANT privilege allows a user to grant the same privilege to other users.
Check Conf. Item: REVOKE GRANT OPTION FOR <PRIV> ON <TABLE> FROM <USER>;

Control: Prevent granting of privileges that have CREATE
Rationale: Check for any user that has object creation privileges and revoke where possible. Excessive create privileges can allow an attacker to create arbitrary objects, tables, and views.
Check Conf. Item: REVOKE CREATE <PRIV> FROM <USER/ROLE>;

Control: Prevent granting of CREATE LIBRARY
Rationale: Check for any user or role that has this privilege and revoke where possible. The CREATE LIBRARY privilege allows a user to create an object associated with a shared library. Allowing arbitrary library creation can compromise the integrity and security of the Oracle database.
Check Conf. Item: REVOKE CREATE LIBRARY FROM <USER/ROLE>;

Control: Prevent granting of ALTER SYSTEM
Rationale: Check for any user or role that has this privilege and revoke where possible. The ALTER SYSTEM privilege allows a user to dynamically alter the Oracle instance.
Check Conf. Item: REVOKE ALTER SYSTEM FROM <USER/ROLE>;

Control: Prevent granting of CREATE PROCEDURE
Rationale: CREATE PROCEDURE allows a user to create a stored procedure in the database and should be restricted to administrative or development users. Check for any user or role that has this privilege and revoke where possible.
Check Conf. Item: REVOKE CREATE PROCEDURE FROM <USER/ROLE>;

Control: Prevent granting of BECOME USER
Rationale: BECOME USER allows a user to inherit the rights of another Oracle system user and should not be used if possible.
Check Conf. Item: REVOKE BECOME USER FROM <USER/ROLE>;

Control: Prevent granting of SELECT ANY TABLE
Rationale: Check for any user that has access and revoke where possible. If application data is sensitive, and it is possible, revoke this privilege from the DBA accounts as well.
Check Conf. Item: REVOKE SELECT ANY <OBJECT> FROM <USER>;

Control: Prevent granting of AUDIT SYSTEM
Rationale: Review which users have audit system privileges and limit as much as possible to ensure audit commands are not revoked.
Check Conf. Item: REVOKE <PRIVILEGE> FROM <USER>;

Control: Grant privileges only to roles
Rationale: Grant privileges only to roles. Do not grant privileges to individual users.
Check Conf. Item: Revoke all individual privileges from users. Create a role defining the needed privileges. Grant the role to the users.

Control: Review privileges granted to PUBLIC
Rationale: Review all privileges granted to PUBLIC. Limit or revoke unnecessary PUBLIC privileges.
Check Conf. Item: REVOKE <PRIVILEGE> FROM PUBLIC;
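The system privilege checks above can be collected with a few dictionary queries. This is an added example, not part of the original slides or the CIS benchmark; the exclusion list ('SYS', 'SYSTEM', 'DBA') is an assumption and should be replaced with the site's approved DBA and schema-owner accounts.

```sql
-- 1. System privileges other than CREATE SESSION held outside the
--    administrative accounts, flagged against the controls on this page.
SELECT sp.grantee,
       CASE
         WHEN sp.grantee = 'PUBLIC' THEN 'PUBLIC'
         WHEN r.role IS NOT NULL    THEN 'ROLE'
         ELSE 'USER'                -- direct grant to a user, not via a role
       END                                            AS grantee_type,
       sp.privilege,
       sp.admin_option                                AS with_admin,
       CASE WHEN sp.privilege LIKE '% ANY %'
            THEN 'YES' ELSE 'NO' END                  AS any_keyword,
       CASE WHEN sp.privilege IN ('EXEMPT ACCESS POLICY', 'CREATE LIBRARY',
                                  'ALTER SYSTEM', 'CREATE PROCEDURE',
                                  'BECOME USER', 'AUDIT SYSTEM')
            THEN 'YES' ELSE 'NO' END                  AS named_on_page
FROM   dba_sys_privs sp
LEFT JOIN dba_roles r ON r.role = sp.grantee
WHERE  sp.privilege <> 'CREATE SESSION'
AND    sp.grantee NOT IN ('SYS', 'SYSTEM', 'DBA')     -- assumed exclusions
ORDER  BY sp.grantee, sp.privilege;

-- 2. Roles granted WITH ADMIN OPTION (grantee can pass the role on).
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  admin_option = 'YES'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')        -- assumed exclusions
ORDER  BY grantee, granted_role;

-- 3. Object privileges granted WITH GRANT OPTION.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantable = 'YES'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')        -- assumed exclusions
ORDER  BY grantee, owner, table_name;

-- 4. Volume of object privileges granted to PUBLIC, by owning schema,
--    as a starting point for the PUBLIC review.
SELECT owner, privilege, COUNT(*) AS grants_to_public
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
GROUP  BY owner, privilege
ORDER  BY grants_to_public DESC;
```

Rows from query 1 with grantee_type = 'USER' are the direct grants that the "grant privileges only to roles" control asks to be moved into a role.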
Schema
• A schema is a collection of database objects.
• A schema is owned by a database user and has the same name as that user.
• Schema objects are logical structures created by users to contain, or reference, their data.
• Schema objects include structures like tables, views, and indexes.
Examples of Schema Database Objects
• tables
• views
• sequences
• synonyms
• indexes
• clusters
• database links
• snapshots
• procedures
• functions
• packages
Schema Object Privileges
• Privileges on tables, views, and stored procedures within a particular schema
• Typically used to control access to production application data
• Key Audit Step is to determine the schemas that own the critical application data
Schema Object Privileges Audit Procedures
Schema Object Privileges:
Revoke access to the following tables from all users and roles except for SYS and DBA accounts:
• 'AUD$'
• 'USER_HISTORY$'
• 'LINK$'
• 'USER$'
• 'SOURCE$'
• Allowing users to alter the AUD$ table can compromise the audit trail or integrity of the Oracle database. This is only applicable if the audit trail parameter is set to db or db_extended.
• Allowing users to alter the USER_HISTORY$ table can compromise the audit trail or integrity of the Oracle database.
• Sensitive user and password data is stored in the LINK$ and USER$ tables. Non-administrative or system users should be prevented from accessing these tables.
• Allowing users to alter code in the SOURCE$ table can compromise the security and integrity of the Oracle database.
• REVOKE ALL ON <table_name> FROM <USER>;
• SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME IN ('AUD$', 'USER_HISTORY$', 'LINK$', 'USER$', 'SOURCE$');
• SELECT * FROM DBA_TAB_PRIVS WHERE TABLE_NAME IN ('AUD$', 'USER_HISTORY$', 'LINK$', 'USER$', 'SOURCE$');
Parameter Risks
• Improperly configured parameters could allow:
• unauthorized access to sensitive data
• unauthorized control of the database
• Parameter files should be restricted
• Check the permissions of parameter files.
Parameter Controls
• All default configuration parameters should be modified
• Files or tables with configuration parameters should be restricted
Parameters to Audit
At a minimum, the following parameters should be reviewed:
• Set _trace_files_public=FALSE (default: FALSE)
• SELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE '%TRACE_FILES_PUBLIC%';
• Set global_names=TRUE (default is TRUE)
• SELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE '%GLOBAL_NAMES%';
• Set REMOTE_OS_AUTHENT=FALSE
• SELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE '%REMOTE_OS_AUTHENT%';
• Set REMOTE_OS_ROLES=FALSE (default is FALSE)
• SELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE '%REMOTE_OS_ROLES%';
• Set REMOTE_LISTENER=' '
• SELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE '%REMOTE_LISTENER%';
• Set AUDIT_TRAIL to OS
• SELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE '%AUDIT_TRAIL%';
• Set OS_AUTHENT_PREFIX=' '
• SELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE '%OS_AUTHENT_PREFIX%';
• Set OS_ROLES=FALSE
• SELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE '%OS_ROLES%';
• Set SQL92_SECURITY=TRUE
• SELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE '%SQL92_SECURITY%';
• Set REMOTE_LOGIN_PASSWORDFILE=NONE
• SELECT * FROM V$PARAMETER WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';
• Set DB_SECUREFILE=ALWAYS
• SELECT * FROM V$PARAMETER WHERE UPPER(NAME)='DB_SECUREFILE';
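The individual parameter checks can be run as one pass/fail report. This is an added example, not part of the original slides or the CIS benchmark; the expected values are the ones listed on this page (including O7_DICTIONARY_ACCESSIBILITY from the data dictionary section), and '(empty)' is a label introduced here for a blank or NULL value.

```sql
-- Compare the instance parameters with the settings listed on this page.
-- A parameter that has no row in V$PARAMETER is reported as NOT LISTED so
-- the auditor can confirm it by other means; hidden (underscore) parameters
-- normally appear in V$PARAMETER only when they have been set explicitly.
WITH baseline AS (
  SELECT 'o7_dictionary_accessibility' AS name, 'FALSE' AS expected FROM dual UNION ALL
  SELECT '_trace_files_public',       'FALSE'   FROM dual UNION ALL
  SELECT 'global_names',              'TRUE'    FROM dual UNION ALL
  SELECT 'remote_os_authent',         'FALSE'   FROM dual UNION ALL
  SELECT 'remote_os_roles',           'FALSE'   FROM dual UNION ALL
  SELECT 'remote_listener',           '(empty)' FROM dual UNION ALL
  SELECT 'audit_trail',               'OS'      FROM dual UNION ALL
  SELECT 'os_authent_prefix',         '(empty)' FROM dual UNION ALL
  SELECT 'os_roles',                  'FALSE'   FROM dual UNION ALL
  SELECT 'sql92_security',            'TRUE'    FROM dual UNION ALL
  SELECT 'remote_login_passwordfile', 'NONE'    FROM dual UNION ALL
  SELECT 'db_securefile',             'ALWAYS'  FROM dual
)
SELECT b.name,
       b.expected,
       -- TRIM turns a blank value into NULL, so '' and ' ' both show as (empty)
       CASE WHEN p.name IS NOT NULL
            THEN NVL(UPPER(TRIM(p.value)), '(empty)')
       END                                         AS actual,
       CASE
         WHEN p.name IS NULL THEN 'NOT LISTED'
         WHEN NVL(UPPER(TRIM(p.value)), '(empty)') = b.expected THEN 'PASS'
         ELSE 'FAIL'
       END                                         AS status,
       p.isdefault                                 -- TRUE if never changed from the default
FROM   baseline b
LEFT JOIN v$parameter p ON LOWER(p.name) = b.name
ORDER  BY status, b.name;
```

Matching on the exact parameter name avoids the overlap in the LIKE patterns, where '%OS_ROLES%' also returns REMOTE_OS_ROLES.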
Default Account & Passwords Risks
• Initial passwords should be changed after database installation
• Default accounts and passwords are well known and could be used to allow unauthorized access to the database.
Default Account & Passwords Controls
• All initial passwords should be changed
• Some default user accounts should be removed or locked as appropriate.
Default Accounts & Passwords Audit Procedures
Determine if the following actions were taken with default accounts. The order of preference is as follows:
• Drop the user account
• Lock the user account, or
• Change the default password
Change Default Accounts & Password
• SELECT * FROM DBA_USERS_WITH_DEFPWD; (DBA_USERS_WITH_DEFPWD)
• SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS;
• SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS WHERE USERNAME in (list of default accounts);
Profile Risk
• Profiles may not properly restrict users from performing operations that exceed reasonable resource utilization.
• Examples of resources that need to be managed:
• Disk storage space.
• Connect time.
• How user passwords are reused
Profile Audit Procedures
SELECT * FROM DBA_PROFILES;
Determine if values have been set to meet standards, and reset them as follows:
• failed_login_attempts must be set to 3 (default 10 counts)
• password_life_time must be set to 90 (default 180 days)
• password_lock_time must be set to 1 (default ? days)
• password_reuse_max must be set to 20 (default unlimited counts)
• password_reuse_time must be set to 365 (default unlimited days)
• password_grace_time must be set to 3 (default ? days)
• idle_time must be set to a number (default unlimited minutes)
• connect_time must be set to a number (default unlimited minutes)
• password_verify_function must contain a password verification function name.
• The password verification function can be obtained from the DBA_SOURCE table:
• SELECT * FROM DBA_SOURCE WHERE TYPE='FUNCTION';
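The profile standards above can be checked for every profile in one query. This is an added example, not part of the original slides or the CIS benchmark; the required values are the ones listed on this page, and 'NUMERIC' and 'FUNCTION' are markers introduced here for "any number" and "any function name".

```sql
-- Compare each profile's limits with the standards listed on this page.
WITH std_limits AS (
  SELECT 'FAILED_LOGIN_ATTEMPTS' AS resource_name, '3' AS required FROM dual UNION ALL
  SELECT 'PASSWORD_LIFE_TIME',       '90'       FROM dual UNION ALL
  SELECT 'PASSWORD_LOCK_TIME',       '1'        FROM dual UNION ALL
  SELECT 'PASSWORD_REUSE_MAX',       '20'       FROM dual UNION ALL
  SELECT 'PASSWORD_REUSE_TIME',      '365'      FROM dual UNION ALL
  SELECT 'PASSWORD_GRACE_TIME',      '3'        FROM dual UNION ALL
  SELECT 'IDLE_TIME',                'NUMERIC'  FROM dual UNION ALL
  SELECT 'CONNECT_TIME',             'NUMERIC'  FROM dual UNION ALL
  SELECT 'PASSWORD_VERIFY_FUNCTION', 'FUNCTION' FROM dual
),
resolved AS (
  -- A LIMIT of 'DEFAULT' means the value is inherited from the DEFAULT
  -- profile, so substitute that profile's limit before comparing.
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON d.profile = 'DEFAULT' AND d.resource_name = p.resource_name
)
SELECT r.profile,
       (SELECT COUNT(*) FROM dba_users u WHERE u.profile = r.profile) AS users_assigned,
       r.resource_name,
       s.required,
       r.effective_limit,
       CASE
         WHEN s.required = 'NUMERIC' THEN
           CASE WHEN REGEXP_LIKE(r.effective_limit, '^[0-9.]+$')
                THEN 'PASS' ELSE 'FAIL' END      -- UNLIMITED fails
         WHEN s.required = 'FUNCTION' THEN
           CASE WHEN r.effective_limit IN ('NULL', 'UNLIMITED')
                THEN 'FAIL' ELSE 'PASS' END      -- no verify function set
         WHEN r.effective_limit = s.required THEN 'PASS'
         ELSE 'FAIL'                             -- exact match, as the page states
       END                                       AS status
FROM   resolved r
JOIN   std_limits s ON s.resource_name = r.resource_name
ORDER  BY r.profile, r.resource_name;
```

A failing profile with users_assigned = 0 is lower priority than one that accounts are actually attached to.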
Roles Risks
• Default roles can give privileges not needed
• The ability to assume a role with elevated privileges exists
• Employee changes require continuing maintenance
Roles Controls
• Passwords should be assigned to roles with important privileges
• Maintenance procedures should exist
• Evidence should exist that maintenance procedures are followed
• Default roles should not be used
Links Risks
• Unknown user in the remote database
• Clear text password in the data dictionary
• Multiple databases could be exposed
• Public links are not uncommon
Links Controls
• Public links are not used
• No links to the data dictionary table
• The use of links should be restricted
• No Links between test, development, or production databases
Auditing Risks
• If auditing is disabled:
• No accountability for actions will be tracked
• Data could be stolen without the knowledge of the database owners
• The database can be damaged or misconfigured without knowledge of the database owners until something goes wrong
Auditing Controls
• Policies and procedures should exist defining what auditing is to be done within the agency
• Auditing should be enabled
• Audit logs should be monitored
• Audit logs should be secured within the database or the operating system
Encryption Risks
• Without encryption, hackers and unauthorized personnel can read confidential and sensitive data.
Encryption Controls
• REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;
• SELECT * FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND UPPER(TABLE_NAME)='DBMS_OBFUSCATION_TOOLKIT';
Encryption - Audit Procedures
Control: Where possible, use a procedure that employs a content data element as the encryption key that is unique for each record.
Rationale: By employing a procedure that uses data elements that change for each record, the resulting ciphertext will be unique. As an example, if the same value, key, and encryption are used for a value in a record, the resulting ciphertext will be identical. Someone knowing the value of one of the records independent of the ciphertext can by inference know the value of other records that display the same ciphertext.

Control: Use RAW or BLOB for the storage of encrypted data.
Rationale: Storing data in CLOB may result in a failure in decryption if the same number letter symbol set is not used. The use of RAW or BLOBs prevents this error and preserves the data.

Control: Revoke the PUBLIC execute privileges from the DBMS_OBFUSCATION_TOOLKIT.
Rationale: The DBMS_OBFUSCATION_TOOLKIT has been replaced with the DBMS_CRYPTO package, but the DBMS_OBFUSCATION_TOOLKIT is still needed for some tasks that are not available in the DBMS_CRYPTO package. As an example, the generation of a pseudorandom string requires the DBMS_OBFUSCATION_TOOLKIT. By removing public access to the DBMS_OBFUSCATION_TOOLKIT, the means to decrypt the data is not available for malicious use.
Remediation: REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;
Audit: SELECT TABLE_NAME FROM DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC' AND PRIVILEGE='EXECUTE' AND TABLE_NAME='DBMS_OBFUSCATION_TOOLKIT';

Control: Use HSM for storage of master key.
Rationale: Where possible use an HSM to store the master keys for Transparent Data Encryption. All encryption and decryption operations that use the master encryption key are performed inside the HSM. This means that the master encryption key is never exposed in insecure memory.

Control: Tablespace Encryption
Rationale: When a table contains a large number of columns of PII it can be beneficial to encrypt an entire tablespace rather than columns.
Password & Account Management
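Ensure appropriately strong passwords that are adequately managed to reduce the risk of compromise

Control: Enforce password history
Rationale for Recommendation: Protects against past compromised password
Default Setting: 24 remembered
CIS Standard Setting: >= 24

Control: Max password age
Rationale for Recommendation: Shorten attack time window
Default Setting: 42 days
CIS Standard Setting: <= 90 days

Control: Min password age
Rationale for Recommendation: Prevent quick cycle through to favorite old password
Default Setting: 0 days
CIS Standard Setting: >= 1 day

Control: Min password length
Rationale for Recommendation: Protect against dictionary and brute force attacks
Default Setting: 0 characters
CIS Standard Setting: 8 to 12 chars

Control: Passwords must meet Complexity
Rationale for Recommendation: Lower likelihood of compromise
Default Setting: Disabled
CIS Standard Setting: Enabled

Control: Password reversible encryption
Rationale for Recommendation: Much easier to compromise system, and applications
Default Setting: Disabled
CIS Standard Setting: Disabled

Control: Account lockout duration
Rationale for Recommendation: Prevents intentional DoS; frustrates attackers to move to next target
Default Setting: Not Defined
CIS Standard Setting: 15+ mins

Control: Account lockout threshold
Rationale for Recommendation: Protects against brute force password attacks
Default Setting: 0 invalid attempts
CIS Standard Setting: SSLF – 10; ENT - 15

Control: Reset account lockout counter after
Rationale for Recommendation: Reduces helpdesk calls and prevent extended self-inflicted DoS
Default Setting: 0
CIS Standard Setting: 15+ mins

Control: Enforce user logon restrictions
Rationale for Recommendation: Prevents bypass attacks for Kerberos-related attributes, e.g. max lifetime for user ticket
Default Setting: Enabled
CIS Standard Setting: Enabled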
Patch Management
Control: Configure automatic updates
Rationale: Help to ensure the system has the most recent critical operating system updates and service packs installed
Default Setting: Not configured
CIS Recommended Setting: Enabled: 3 - Auto download and notify for install

Control: Reschedule automatic updates scheduled installations
Rationale: Help to ensure that the system updates do not fail to install or impact system startup by avoiding system conflict with startup procedures
Default Setting: Not configured
CIS Recommended Setting: Enabled
Security Hardening
Reduce the surface of vulnerability as much as possible to reduce the risk of successful attacks

Control: Accounts: Rename administrator account
Rationale for Recommendation: Reduce unauthorized access via password-guessing
Default Setting: Administrator
CIS Recommended Setting: Not contain “admin”. Disable anonymous SID/name translation too

Control: Accounts: Rename guest account
Rationale for Recommendation: Reduce unauthorized access via the guest
Default Setting: Guest
CIS Recommended Setting: Not contain “guest”

Control: Accounts: Guest account status
Rationale for Recommendation: Reduce remote unauthenticated attack surface
Default Setting: Disabled
CIS Recommended Setting: Disable

Control: Network access: Do not allow storage of credentials or .NET Passports for network authentication
Rationale for Recommendation: Reduce confidentiality risks for credentials and unauthorized access to systems and data
Default Setting: Disabled
CIS Recommended Setting: Enabled

Control: Network access: Let Everyone permissions apply to anonymous users
Rationale for Recommendation: Protect against anonymous enumeration of usernames and shared resources – limit attack surface for DoS, password guessing, etc.
Default Setting: Disabled
CIS Recommended Setting: Disabled

Control: Network access: Named Pipes that can be accessed anonymously
Rationale for Recommendation: Reduce system remote attack surface
Default Setting: Browser
CIS Recommended Setting: SSLF MS – browser; SSLF DC – netlogon, lsarpc, samr, browser; ENT MS & DC – Not Defined

Control: Network access: Remotely accessible registry paths
Rationale for Recommendation: Reduce system remote attack surface
Default Setting: System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion
CIS Recommended Setting: ENT MS & DC – not defined; SSLF MS & DC – [default]

Control: Network access: Restrict anonymous access to Named Pipes and Shares
Rationale for Recommendation: Ensures only explicitly defined individuals have access to these resources
Default Setting: The registry key does not exist
CIS Recommended Setting: Enabled

Control: Network access: Shares that can be accessed anonymously
Rationale for Recommendation: Ensures only explicitly defined individuals have access to these resources
Default Setting: None
CIS Recommended Setting: None

Control: Network access: Sharing and security model for local accounts
Rationale for Recommendation: Ensures individual identification and facilitate individualized access control
Default Setting: Classic – local users authenticate as themselves
CIS Recommended Setting: [default]

Control: Network security: Do not store LAN Manager hash value on next password change
Rationale for Recommendation: Protects against attackers deriving credentials via attacks on the Security Accounts Manager (SAM) file
Default Setting: Enabled
CIS Recommended Setting: Enabled

Control: Disable Remote Desktop Sharing
Rationale for Recommendation: Reduce remote attack surface (can’t do NetMeeting!)
Default Setting: Not Configured
CIS Recommended Setting: Enabled
User Management (User Account Control & User Rights)
Limit application privilege to standard user until authorized, and to reinforce the principle of least privilege

Control: UAC: Behavior of the elevation prompt for standard user
Rationale for Recommendation: Standard users will not have credentials required
Default Setting: Prompt for credentials
CIS Recommended Setting: Automatically deny elevation requests

Control: Access this computer from the network
Rationale for Recommendation: Protects against unauthorized user network access
Default Setting: Everyone, Admins, Users, Backup Operators
CIS Recommended Setting: SSLF - Admins & AuthN Users; ENT & SSLF DCs – Admins, AuthN users, Enterprise Domain Admins

Control: Act as part of the operating system
Rationale for Recommendation: Prevents circumventing of local system access controls
Default Setting: No one
CIS Recommended Setting: All Profiles – No one

Control: Back up files and directories
Rationale for Recommendation: Prevent unauthorized disclosure or cover-up of sensitive data
Default Setting: Admins, Backup Ops
CIS Recommended Setting: SSLF MS & SSLF DC – Admins; ENT MS & DCs – Not Defined

Control: Bypass traverse checking
Rationale for Recommendation: Protects against unauthorized access to sensitive data
Default Setting: Everyone, Admin, AuthNted Users, Backup Ops, Local & Network Service
CIS Recommended Setting: ENT MS – Admins, AuthN users, Backup ops, Local & Net. service; ENT DCs – Not Defined; SSLF MS – Admins, AuthN users, Local & Net. service

Control: Deny access to this computer from the network
Rationale for Recommendation: Protects against unauthorized account access
Default Setting: Guests
CIS Recommended Setting: All Profiles - Guests

Control: Force shutdown from a remote system
Rationale for Recommendation: Limit the potential for DoS attacks
Default Setting: Admins
CIS Recommended Setting: SSLF MS & DC – Administrators; ENT MS & DCs – Not Defined

Control: Shut down the system
Rationale for Recommendation: Limit potential for DoS and unauthorized shutdown
Default Setting: Admins, Backup Ops
CIS Recommended Setting: All Profiles – Administrators

Control: Generate security audits
Rationale for Recommendation: Log flooding or overwrite to hide malicious activities
Default Setting: Local service, Network Service
CIS Recommended Setting: ENT MS, SSLF MS, SSLF DC – Local service, Network service; ENT DC – Not Defined

Control: Log on as a batch job
Rationale for Recommendation: Low risk, but seldom used. IIS, ASP.NET, etc. needs it…
Default Setting: Admins, Backup Ops, Perf Log User
CIS Recommended Setting: SSLF MS & DC – Administrators; ENT MS & DCs – Administrators, Backup Ops

Control: Take ownership of files or other objects
Rationale for Recommendation: Bypass system ACLs, putting data CIA at risk
Default Setting: Administrator
CIS Recommended Setting: All Profiles - Administrators
Re-Assess Risk
• Based on your testing, are controls mitigating the risks?
• What is the potential impact of unmitigated risks (if any) identified?
Evaluation & Reporting
• Assess your results, issue findings and draft your audit report
• Include practical and meaningful recommendations that you propose to the DMV to strengthen data security
• Any Questions????
References
The Center for Internet Security: Security Configuration Benchmark for Oracle Database Server 11g, Version 1.1.1, January 2009 - http://www.cisecurity.org/
NotebookReview.com: RSA’s Five Top Internet Security Threats in 2012 – www.notebookreview.com
Wikipedia, the free encyclopedia - http://www.wikipedia.org/
Money Minute & Kron4.com: