Introducing Oracle Database Security Assessment Tool 2.0 (slide deck transcript, 36 pages)

Page 1: Introducing Oracle Database Security Assessment Tool 2.0...Oracle Database Security Assessment Tool (DBSAT) •Understand how (in)secure your database is –Report on overall security

Pedro Lopes
Product Manager, Database Security, Oracle

Learn how secure your databases are with DBSAT
Oracle Database Security Assessment Tool

Page 2: Security Zones of Control for Oracle Databases

Copyright © 2020 Oracle and/or its affiliates.

Assess: Security Assessment (DBSAT), Data Discovery, Privilege Analysis
Detect: Activity Auditing/Monitoring, Audit Vault, Database Firewall
Prevent: Encryption & Key Vault, Data Masking, Data Redaction, Database Vault

Data & Users
Data: Crypto Toolkit, Virtual Private Database, Label Security, Real Application Security
Users: Password, PKI, Kerberos, Radius; Proxy Users, Password Profiles; Oracle & Active Directory

* unique to Oracle

Page 3: Safe Harbor

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.

Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and prospects are “forward-looking statements” and are subject to material risks and uncertainties. A detailed discussion of these factors and other risks that affect our business is contained in Oracle’s Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and Form 10-Q under the heading “Risk Factors.” These filings are available on the SEC’s website or on Oracle’s website at http://www.oracle.com/investor. All information in this presentation is current as of September 2019 and Oracle undertakes no duty to update any statement in light of new information or future events.

Page 4: Data is today’s capital

“The world’s most valuable resource is no longer oil, but data”

Data drives everything:

• Analytics and automation

• Advertising and marketing budgets

• Personalization and improved experience

• Business analytics and decisions

• Government policies and plans

Overall, data helps improve products and services, provide a better user experience, and support and grow businesses.

Examples of such data: PII Data, Financial Data, Trade Secrets, Competitive Data, Employment Data, Healthcare Data, IT Security Data, Transaction Data, Browsing Data…

Page 5: Data can be a liability: The scary side of the data economy

Data breaches are exploding worldwide

• The database is the most common asset involved in breaches

Data losses can be catastrophic for businesses, impacting:

• Finances, due to compensation, penalties, legal, PR and recovery costs

• Brand reputation, customer trust, intellectual property, competitiveness

• Overall business and revenue

Fast-evolving, stringent regulatory landscape

• Across industries and regions

• Laws that aim to protect data and citizen privacy

Page 6: Evolving Attack Tools and Techniques

• Buffer Overflow

• Phishing

• App Exploits

• Unpatched Systems

• SQL Injection

• Stolen Credentials

• Privilege Escalation

• XSS Attacks

Page 7: Think Like a Hacker

What an attacker looks at, inside or outside: Known Users, Common Passwords, Privileged Users, Open Ports, Database, Encrypted Data, Auditing On, Database Version, Known Vulnerabilities, Known Packaged Apps, Insider / Outsider, Data Owner

Page 8: Start Here

Is the database configured according to best practices?

What security controls are already in place?

What users are in the database?

What access do users have?

What sensitive data is in this database?

Page 9: Top 10 Findings From Database Security Assessments

• No Database Security policies/strategy in place

• No patching/patch management policy in place

• No personalized accounts; No separation of duties; Over-privileged accounts

• No encryption of sensitive/regulated data

• No monitoring/auditing in place

• No password policies; Weak password management

• Non-Production (DEV/TEST/TRAINING) systems with production data

• No cleanup of test/sample accounts

• No anonymization of data sent to third parties

• No OS hardening

Page 10: Introducing Database Security Assessment Tool

Page 11: Celebrating 35,000+ Downloads since the introduction of DBSAT 2.0.1, January 2018

Page 12: Assess Your Database Security Before Hackers Come Knocking

Assessment Reports
• Summary and detailed information.
• Prioritized & actionable recommendations.
• Mapping to EU GDPR, STIG and CIS Benchmark.
• Runs on 10g to 19c Oracle Databases.

Discover Sensitive Data
• What type, where, and how much?
• Sample pattern files for Greek, German, Dutch, French, Spanish, Italian, and Portuguese based data models as well.

Identify Risky Users
• Database accounts
• User privileges
• User roles

Assess Configuration
• Patches
• Data Encryption
• Auditing policies
• OS file permissions
• Database configuration
• Listener configuration
• Fine-grained access control

Page 13: New Features in DBSAT 2.2.1 (May 2020)

Enhanced Finding:

• AUDIT.UNIFIED: Now lists whether audit policies are enabled on role(s). Object Actions are now listed.

Updated Severity for:

• USER.AUTHVERS, USER.VERIFIERS, USER.NOLOCK, PRIV.CBAC, PRIV.USER, PRIV.EXFIL, AUTH.PRIV, ACCESS.REDACT, ACCESS.VPD, ACCESS.TSDP, CONF.BKUP, CONF.DIR.

• All NET and AUDIT findings.

Improved Autonomous Database checks

Improved checks for PUBLIC grants

Updated remarks and recommendations

Performance improvement in Sensitive Data Discovery

New Finding:

• USER.SESSIONS: Checks if there is a limit on the number of user sessions that are allowed to be open concurrently.
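The USER.SESSIONS finding asks whether a concurrent-session limit exists; in Oracle that limit is the SESSIONS_PER_USER resource of the profile each account is assigned. The query below is an added example, not DBSAT's own check, of how a DBA can answer the same question by hand. It assumes Oracle 12c or later (the ORACLE_MAINTAINED column of DBA_USERS) and resolves the profile value DEFAULT to the DEFAULT profile's own value, which is the case a naive "LIMIT = 'UNLIMITED'" filter misses; the profile name app_users and the limit of 10 in the remediation comment are constructed.

```sql
-- Added example (not DBSAT's own query): list non-Oracle-maintained accounts
-- whose effective SESSIONS_PER_USER limit is UNLIMITED.
-- Assumes Oracle 12c or later (DBA_USERS.ORACLE_MAINTAINED).
WITH effective_limit AS (
  SELECT p.profile,
         -- a profile value of DEFAULT inherits the DEFAULT profile's value,
         -- which is UNLIMITED unless someone has changed it
         CASE WHEN p.limit = 'DEFAULT'
              THEN (SELECT d.limit
                    FROM   dba_profiles d
                    WHERE  d.profile = 'DEFAULT'
                    AND    d.resource_name = 'SESSIONS_PER_USER')
              ELSE p.limit
         END AS sessions_per_user
  FROM   dba_profiles p
  WHERE  p.resource_name = 'SESSIONS_PER_USER'
)
SELECT u.username,
       u.account_status,
       u.profile,
       e.sessions_per_user
FROM   dba_users u
JOIN   effective_limit e ON e.profile = u.profile
WHERE  u.oracle_maintained = 'N'          -- skip Oracle-supplied schemas
AND    e.sessions_per_user = 'UNLIMITED'
ORDER  BY u.username;

-- Remediation is applied to the profile, not to individual users; pick a limit
-- that matches the application's real concurrency (app_users and 10 are
-- constructed values for illustration):
-- ALTER PROFILE app_users LIMIT SESSIONS_PER_USER 10;
```

Locked accounts still appear in the output (ACCOUNT_STATUS is selected so they can be told apart); they deserve the same profile fix, since an unlock would otherwise reinstate the unlimited setting.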

Page 14: How can DBSAT Help?

Page 15: Assess Your Database Security Before Hackers Come Knocking

Know Your Overall Database Security Posture

Know Your Sensitive Data

Know Your Users, Roles, and Privileges

Page 16: Assess Your Database Security Before Hackers Come Knocking

Know Your Overall Database Security Posture

Page 17: Know Your Overall Database Security Posture

Page 18: Assess Your Database Security Before Hackers Come Knocking

Know Your Users, Roles, and Privileges

Page 19: Know Your Users, Roles, and Privileges

Page 20: Know Your Users, Roles, and Privileges

Page 21: Know Your Users, Roles, and Privileges

Legend used in the report: (*) With Admin Option, (D) Direct Grant, (C) Common Grant

Example of a common grant:

SQL> grant advisor to C##DBA_DEBRA container=all;

Page 22: Know Your Users, Roles, and Privileges

Direct and Indirect grants
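Pages 21 and 22 show the report marking each privilege as direct or indirect and flagging admin-option and common grants. The query below is an added example, not DBSAT's own code, of how to derive the same view for one account from the data dictionary: direct system privileges from DBA_SYS_PRIVS, plus every privilege reached through the account's roles and the roles granted to those roles, to any depth, via a recursive subquery over DBA_ROLE_PRIVS. It assumes a DBA connection in SQL*Plus and Oracle 12c or later (the COMMON column); the account name C##DBA_DEBRA is taken from the grant on page 21, and object privileges (DBA_TAB_PRIVS) are left out to keep the example to system privileges.

```sql
-- Added example (not DBSAT's own query): system privileges held by one account,
-- directly (D) or indirectly (I) through nested roles, with the report's markers
-- (*) with admin option and (C) common grant. Assumes Oracle 12c or later.
DEFINE target_user = 'C##DBA_DEBRA'   -- account from the page-21 grant example

WITH role_tree (granted_role, path) AS (
  -- roles granted directly to the account
  SELECT granted_role,
         grantee || ' -> ' || granted_role
  FROM   dba_role_privs
  WHERE  grantee = '&target_user'
  UNION ALL
  -- roles granted to those roles, recursively; Oracle rejects circular role
  -- grants (ORA-01934), so the recursion always terminates
  SELECT rp.granted_role,
         rt.path || ' -> ' || rp.granted_role
  FROM   dba_role_privs rp
  JOIN   role_tree rt ON rp.grantee = rt.granted_role
)
SELECT sp.privilege,
       'D' AS how,                                          -- direct grant
       CASE sp.admin_option WHEN 'YES' THEN '*' END AS admin_opt,
       CASE sp.common       WHEN 'YES' THEN 'C' END AS common_grant,
       '&target_user' AS granted_via
FROM   dba_sys_privs sp
WHERE  sp.grantee = '&target_user'
UNION ALL
SELECT sp.privilege,
       'I',                                                 -- via a role
       CASE sp.admin_option WHEN 'YES' THEN '*' END,
       CASE sp.common       WHEN 'YES' THEN 'C' END,
       rt.path                                              -- the role chain
FROM   role_tree rt
JOIN   dba_sys_privs sp ON sp.grantee = rt.granted_role
ORDER  BY 1, 2;

UNDEFINE target_user
```

For the page-21 grant, the ADVISOR privilege comes back as a direct grant with the C marker, because CONTAINER=ALL makes it a common grant. A privilege that appears only with how = I and a long role path is the kind of indirect, easily overlooked access the report is designed to surface; reviewing whether each role in that path is still needed is the natural follow-up.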

Page 23: Assess Your Database Security Before Hackers Come Knocking

Know Your Sensitive Data

Page 24: Know Your Sensitive Data

Sensitive Data Summary

Page 25: Know Your Sensitive Data

Recommended Security Controls

Page 26: Know Your Sensitive Data

Summary per Risk Level and Category

Page 27: Know Your Sensitive Data

Table level details

Page 28: Know Your Sensitive Data

Column level details

Page 29: DBSAT: Assess Your Database Security Before Hackers Come Knocking

Know Your Overall Database Security Posture

Know Your Sensitive Data

Know Your Users, Roles, and Privileges

Stand-alone lightweight tool: quick and easy. FREE to current Oracle customers.

Page 30: How to Get Started? Quick & Simple!

Page 31: 3-Step Flow

1. Run ./dbsat collect

2. Run ./dbsat report

3. Run ./dbsat discover

Page 32: Collector & Reporter

Collector: collects metadata information on users, roles, privileges, security configuration, and policies in place.

Reporter: generates summary output with prioritized findings; over 80 detailed findings with remarks; references to CIS Benchmark, STIG Rules and GDPR articles/recitals.

Report output formats: HTML, Spreadsheet, Text

Page 33: Discoverer

Get summary and details on Sensitive Data Categories and Types (125+), tables, columns, rows, and risk levels.

Get recommendations on which security controls to put in place to protect your sensitive data.

Report output formats: HTML, Spreadsheet

Page 34: Easy to Install and Run

Download DBSAT 2.2.1 today from http://www.oracle.com/technetwork/database/security/dbsat.html

• Collect security configuration data by running ‘dbsat collect’ on the target

• Run ‘dbsat report’ to generate the security assessment report

• Run ‘dbsat discover’ to generate the sensitive data report

Available to all Oracle database customers with an active support contract

Page 35: Action Plan

Monday Morning: Run DBSAT to assess current security state.

Next 30 days: Fix obvious mistakes and high risk findings.

Next 90 days: Update Data Security strategy to include database security best practices.

Page 36: Thank You

Pedro Lopes
Product Manager, Database Security