![Page 1: Want To Secure Your Database ? Ask Me How! Presented by: Nitesh Chiba, Principal Consultant, RDC Casper Wolmarans, Service Delivery Manager, RDC](https://reader033.vdocument.in/reader033/viewer/2022052414/56649d0b5503460f949dee6d/html5/thumbnails/1.jpg)
Want To Secure Your Database ?Ask Me How!
Presented by:
Nitesh Chiba, Principal Consultant, RDC
Casper Wolmarans, Service Delivery Manager, RDC
Introduction
• The exploits shown in this presentation can easily be found on the Internet and in numerous research papers.
• With the rise in data theft and the introduction of various compliance laws in South Africa to protect data (POPI), database security can no longer be ignored.
• To avoid reputational and financial risks, the DBA has to ensure that the company's databases are secure.
Agenda
• Man In The Middle Attack
• Data Redaction
• Privilege Escalation
• Oradebug Utility
• Project Alcatraz
• Recommendations
• Summary
Man In The Middle Attack
• A man in the middle attack is where a hacker intercepts communication between two parties.
• Example: TNS Listener Poison Attack.
• Can be exploited remotely without a username or password.
TNS Listener Poison Attack
(Diagram: SAOUG_CLIENTTESTBOX (Database) and SAOUG_ATTACKER)
TNS Listener Poison Attack
DEMO
TNS Listener Poison Attack
Protection:
• RAC – use SECURE_REGISTER_listener_name to restrict instance registration (Doc ID 1340831.1).
• By default 12c won't allow remote servers to register their database instances. In Oracle 11.2.0.4 and Oracle 12c use the "Valid Node Checking for Registration" feature if remote registration is required.
• Disable dynamic registration on single instance databases.
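The three protection bullets above, written out as a listener.ora for a single-instance database. This is an added example, not configuration from the slides: the listener name LISTENER, the host names, the ORACLE_HOME path, the SID orcl and the IPC key REGISTER are all assumed.

```text
# listener.ora (constructed example): TCP endpoint for clients plus a local IPC
# endpoint that is the only place instance registration is accepted.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
    )
  )

# Static registration of the local instance, so the listener does not depend on
# dynamic registration at all ("disable dynamic registration" bullet). Statically
# registered services show status UNKNOWN in lsnrctl status; that is expected.
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = orcl.example.com)
      (ORACLE_HOME = /u01/app/oracle/product/12.1.0/dbhome_1)
      (SID_NAME = orcl)
    )
  )

# Doc ID 1340831.1: accept registration requests only over IPC, i.e. only from a
# process on this host. A registration attempt arriving over TCP from another
# machine is rejected and written to the listener log.
SECURE_REGISTER_LISTENER = (IPC)

# The instance must then register through the IPC endpoint; set this in the
# database (SYSDBA):
#   ALTER SYSTEM SET LOCAL_LISTENER = '(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER))';
#   ALTER SYSTEM REGISTER;

# Alternative for 11.2.0.4 / 12c when remote registration really is required
# (RAC, Data Guard): keep TCP registration but restrict it to named hosts.
# Use instead of SECURE_REGISTER_LISTENER = (IPC), not together with it.
# VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
# REGISTRATION_INVITED_NODES_LISTENER = (dbhost.example.com, dbhost2.example.com)
```

After `lsnrctl reload`, `lsnrctl services` should list the instance once, with the handler registered via the IPC endpoint; a second, unexpected instance or service name for the same database is the sign to look for.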
Data Redaction
• Oracle Data Redaction enables you to mask (redact) data that is returned from queries.
Before Redaction
EMPLOYEE   SALARY
Larry      89000
Bill       10000
Data Redaction
• Apply a redaction policy to the column that you want to mask.
Redaction
EMPLOYEE   SALARY
Larry      0
Bill       0
Data Redaction
DEMO
Data Redaction
According to the Oracle Documentation:
• Not designed to prevent data exposure to database users who run ad hoc queries directly on the database.
• Need to keep in mind that a malicious user can bypass Data Redaction policies in certain circumstances.
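The policy that turns the "Before Redaction" table into the redacted one, plus the check that shows the documented limitation. This is an added example, not the presenters' demo: it assumes a schema HR owning a table EMPLOYEES with columns EMPLOYEE and SALARY, and a reporting account REPORT_USER.

```sql
-- Constructed example: FULL redaction of HR.EMPLOYEES.SALARY. Run as a user
-- holding EXECUTE on DBMS_REDACT (e.g. a DBA).
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    column_name   => 'SALARY',
    policy_name   => 'redact_employee_salary',
    function_type => DBMS_REDACT.FULL,  -- NUMBER columns come back as 0
    -- Policy expression evaluated per query: redact for everyone except the
    -- owning schema itself.
    expression    => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR''');
END;
/

-- Confirm the policy exists and is enabled.
SELECT object_owner, object_name, policy_name, enable
  FROM redaction_policies
 WHERE object_owner = 'HR' AND object_name = 'EMPLOYEES';

-- Connected as REPORT_USER this now returns Larry 0 / Bill 0, as on the slide.
SELECT employee, salary FROM hr.employees;

-- The limitation from the Oracle documentation, made visible: the owning
-- schema, and any account granted EXEMPT REDACTION POLICY, still sees the
-- real values. Review who holds that privilege as part of the policy roll-out.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT REDACTION POLICY';
```

Redaction only changes what a query returns, so an account that can run ad hoc SQL with enough privilege, or that owns the table, is not protected by it; access control on the table itself still has to be right.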
Privilege Escalation
• Privilege Escalation is the act of exploiting a bug or design flaw to gain elevated access.
Privilege Escalation
DEMO
Privilege Escalation
• Does Privilege Escalation work on a 12c database ?
Privilege Escalation
• CREATE ANY PROCEDURE / EXECUTE ANY PROCEDURE escalation works on 12.1.0.1.0.
• CREATE ANY INDEX escalation fails with "insufficient INHERIT PRIVILEGES" in 12.1.0.1.0 and 12.1.0.2.0.
• The 12c database is more secure because of INHERIT PRIVILEGES.
• Using DBMS_ADVISOR for privilege escalation is a known issue for 12.1.0.1.0.
Privilege Escalation 12c
DEMO
Privilege Escalation
Protection:
• Work on the principle of least privileges.
• Review privileges given to users.
• Revoke unnecessary privileges from public.
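The three protection bullets as a review script, covering the privileges named on the 12c slides above. This is an added example, not the presenters' material; the role TUNING_ADMIN and the account APP_ADMIN are assumed names. Run as a DBA.

```sql
-- Constructed example: privilege review for the escalation paths discussed.

-- 1. Who holds the ANY privileges the demos rely on, outside the obvious owners?
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE',
                     'CREATE ANY INDEX', 'CREATE ANY TRIGGER')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY privilege, grantee;

-- 2. Which SYS packages can every account execute because PUBLIC holds EXECUTE?
--    DBMS_ADVISOR, the 12.1.0.1.0 issue on the slide, is the first to look for.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('DBMS_ADVISOR', 'DBMS_SCHEDULER', 'UTL_FILE', 'DBMS_JAVA')
 ORDER BY table_name;

-- 3. Revoke from PUBLIC and grant back only to the role that needs it.
REVOKE EXECUTE ON sys.dbms_advisor FROM PUBLIC;
GRANT EXECUTE ON sys.dbms_advisor TO tuning_admin;

-- 4. 12c: INHERIT PRIVILEGES ON USER x is what lets an invoker's-rights
--    procedure owned by someone else run with x's privileges. Oracle grants it
--    to PUBLIC on each user by default, so list where PUBLIC still holds it
--    and take it away for the powerful accounts.
SELECT table_name AS on_user
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND privilege = 'INHERIT PRIVILEGES'
 ORDER BY table_name;

REVOKE INHERIT PRIVILEGES ON USER app_admin FROM PUBLIC;
```

Re-run queries 1, 2 and 4 after each CPU/PSU and after application upgrades, since installers frequently grant back what was revoked.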
Oradebug
• Oradebug is an undocumented debugging utility provided with the Oracle database.
• How can we use Oradebug to bypass auditing ?
Oradebug
DEMO
Oradebug
• 11.2.0.3: apply the patch and use _fifteenth_spare_parameter.
• _disable_oradebug_commands – available in 11.2.0.4 and 12.1:
  • none – default
  • all – disable oradebug (affects support and online patching)
  • restricted – disable certain commands
Project Alcatraz
Recommendations
• Research and review all database security standards and best practices for Oracle.
• Choose a hardening guideline.
• Define a security policy for your environment.
• Proactively monitor your security policy (Alcatraz or other available tools).
• Choose tools to secure your environment.
Summary
• Gone are the days when the DBA only focuses on administration and performance tuning.
• The role of the DBA in securing the database is now more critical.
• Proactive monitoring is key.
• Applying the latest CPU/PSU patch is compulsory.
• Database security is no longer an option. The DBA needs to constantly keep up to date with the latest security exploits to ensure that the database is protected.