Embed Size (px)
Citation preview
Want To Secure Your Database ?Ask Me How!
Presented by:
Nitesh Chiba, Principal Consultant, RDC
Casper Wolmarans, Service Delivery Manager, RDC
Introduction• The exploits found in this presentation can be easily found on the Internet
and numerous research papers.• With the rise in data theft and the introduction of various compliance laws
in South Africa to protect data (POPI), database security can no longer be ignored.
• To avoid reputational and financial risks the DBA has to ensure that the companies databases are secure.
Agenda
• Man In The Middle Attack• Data Redaction• Privilege Escalation• Oradebug Utility• Project Alcatraz• Recommendations• Summary
Man In The Middle Attack
• A man in the middle attack is where a hacker intercepts communication between two parties.
• Example: TNS Listener Poison Attack.• Can be exploited remotely without a
username or password.
TNS Listener Poison Attack
SAOUG_CLIENTTESTBOX
(Database)
SAOUG_ATTACKER
TNS Listener Poison Attack
DEMO
TNS Listener Poison Attack
Protection:• RAC – use SECURE_REGISTER_listener_name to
restrict instance registration - Doc ID 1340831.1• By default 12c won’t allow remote servers to
register their database instances. In Oracle 11.2.0.4 and Oracle 12c use the “Valid Node Checking for Registration” feature if remote registration is required.
• Disable dynamic registration on single instance databases.
Data Redaction
• Oracle Data Redaction enables you to mask (redact) data that is returned from queries.
Before RedactionEMPLOYEE SALARY
Larry 89000Bill 10000
Data Redaction
• Apply a redaction policy to the column that you want to mask.
RedactionEMPLOYEE SALARY
Larry 0Bill 0
Data RedactionDEMO
Data Redaction
According to the Oracle Documentation:• Not designed to prevent data exposure to
database users who run ad hoc queries directly on the database.
• Need to keep in mind that a malicious user can bypass Data Redaction policies in certain circumstances.
Privilege Escalation
• Privilege Escalation is the act of exploiting a bug or design flaw to gain elevated access.
Privilege EscalationDEMO
Privilege Escalation
• Does Privilege Escalation work on a 12c database ?
Privilege Escalation
• Create any procedure/Execute any procedure works on 12.1.0.1.0
• Create any index – insufficient INHERIT PRIVILEGES in 12.1.0.1.0 and 12.1.0.2.0
• 12c database more secure because of inherit privileges.
• Using DBMS_ADVISOR for privilege escalation is a known issue for 12.1.0.1.0
Privilege Escalation 12cDEMO
Privilege Escalation
Protection:• Work on the principle of least privileges.• Review privileges given to users.• Revoke unnecessary privileges from public.
Oradebug
• Oradebug is an undocumented debugging utility provided with the Oracle database.
• How can we use Oradebug to bypass auditing ?
Oradebug
DEMO
Oradebug
• 11.2.03 apply patch and use _fifteenth_spare_parameter
• _disable_oradebug_commands – available in 11.2.0.4 and 12.1
• none-default• all – disable oradebug (support+online
patching) ,• Restricted – disable certain commands
Project Alcatraz
Project Alcatraz
Project Alcatraz
Project Alcatraz
Project Alcatraz
Recommendations
• Research and review all database security standards and best practices for Oracle.
• Choose a hardening guideline.• Define a security policy for your environment.• Proactively monitor your security policy
(Alctraz or other available tools).• Choose tools to secure your environment.
Summary
• Gone are the days when the DBA only focuses on administration and performance tuning.
• The role of the DBA in securing the database is now more critical.
• Proactive monitoring is key.• Applying the latest CPU/PSU patch is compulsory.• Database security is no longer an option. The DBA
needs to constantly keep up to date with the latest security exploits to ensure that the database is protected.
