Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle Security Training"] [Next entry: "Oracle Security And Merry Xmas And A Happy New Year"]

Data Loss

Quite obviously (well its obvious to me!) one of the areas I am very interested in is data loss / data theft / data security and of course specifically Oracle security. We spend a lot of time looking at customers Oracle databases, designs and policies and code and help them resolve issues that would make it easy for someone to breach their databases or worse steal or damage data.

Data is pervasive; I always like the example that you are trying to protect data not Oracle; of course you must use Oracle to protect your data but the goal is to protect your data. In order to protect that data you must understand where that data is (in motion and at rest) so the whole process must include protecting data everywhere and not just in the database. If data is loaded by end users and stored in the database but also reports are produced or parts of the data are exposed in reports / papers/ websites / documents then they also must be protected. It may be necessary to involve network security, server security, desktop security and even physical security (i.e. where is that printer and who has access to it; where are the paper reports kept and who sees them...). I would always still start with the Oracle database; what data should be secured and protected; where is it stored; how is it accessed; basically create a flow of that data from user to storage and back out again. Track the data both at rest and also in flow. We need to understand how the data leaves the database and to where - backups, reports, paper or what ever. The core idea is to assess whether it should leave the database and how secure it is when it does; can it be obfuscated or masked, is it necessary anyway to remove the data?

Once we know where the data is and how it works then we can assess and design the best controls and solutions to secure the data both in the database and also outside of it. We use various tools in these assignments including PFCLScan our Security scanner for Oracle databases. This is a very cost effective tool and very useful for securing data.

What if the data is given away or made public? This is a problem if the data is exposed internally to a small group or larger group or worse to the public (Internet) as anyone can read it and copy it and more. This data can then be replicated anywhere. Once its copied it is no longer under your security controls. The only way to protect this copied data is to not let it be copied in the first place.

Once data has been read it cannot be "unread"!!

I had a good example of this public data loss last week. Someone emailed me and asked me a question about one of the many Oracle Security presentations I have made available on my site over the years. This question stood out because of the URL he sent me which was to my MS PPT (saved as a pdf) on and not on my site. This was not the question askers problem and he was not to blame. I publish my MS PPTs and other papers and I expect people to read them on my site and download and read on their PC / device. I do not expect (or indeed want) anyone to re-publish my papers to anywhere else. The account on that had this particular paper also published literally hundreds of papers from others as well; I cannot say for sure now but I would say almost all of what this person posted he did not own the copyright. My MS PPTs do include a page with legalese that states in simple terms that these PDFs cannot be re-hosted/published or whatever anywhere else - so this was ignored. I did a quick search and found 6 of my papers and even a screen dump of one page of my website published to - This was a simple search and indeed there could be more if I searched with more keywords. Each person with an account on scribd who published mine had also published other peoples work as well in contradiction to copyright or individual licenses such as the one I have included on my paper. Scribd took down my papers within a few hours but that's not the point. I am not allowed to complain to scribd by a DMCA request that I found other papers I wrote that have copyright owned by someone else (i.e. others paid me to write them). They will not take down anything unless you are the copyright owner. I have not searched elsewhere as I am sure this is not just an issue with scribd as I simply do not have the time to do detailed searches (not a good excuse!).

Data once put out there is hard to control. This is a fact. To control and protect data you MUST know where it is and control all access to all of the data and understand the risks of it leaving the database in the first place. My papers of course were not in an Oracle database but were about Oracle Security.