Pete Finnigan's Oracle Security Weblog

I spoke yesterday about compartmentalising Oracle Security and one element that comes out of this is the need to consider what you are trying to achieve; secure actual data and also secure the platform. In general applying security patches will not secure specific data from attack by someone who gains access via a logged on account or by abusing an applications source code (SQL Injection for instance). Hardening a database also will not make specific data any more secure from the same vectors. Hardening and patching are important but in general they will not secure data anymore that it already is secured because that is controlled by object permissions, object owner and system ANY type privileges. Also factor into this the account used to connect end users via an application.

I subscribe to Bruce Schneier's mailing list and in the most recent newsletter he replays an article that he wrote on xconomy.com about the fact that credential stealing is a more important attack vector than a zero day exploit or finding un-patched systems. The article is called http://www.xconomy.com/boston/2016/04/20/credential-stealing-as-attack-vector/# - (broken link) Credential Stealing as Attack Vector. I teach the same idea in my two day class - How to Perform a security audit of an Oracle database as I cover simple ways that people attack databases and for me its obvious that if you can steal credentials or find credentials or even guess credentials because of weak passwords then that's a simpler and more effective way to steal data than a pure skilled exploited attack. Also because its simpler you need less skills in some senses to carry out the attack. Clearly we must focus on credentials, password management, storage of hashes, context based access to the database (network restrictions at the net level or database level) and more. A two page flyer for my class is also available to download.

If you would like training then please email me at pete at petefinnigan dot com for more details.