Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)

Data Leak Prevention Win-Win

Initially a DLP implementation can be labour intensive especially if it requires the categorisation of data into appropriate sensitivity levels. Most security measures have a corresponding cost. This was borne out in Tom Kyte’s presentation on Encryption at UKOUG this year where the encryption routines were measured to show the performance hit of encrypting data within PL.

However, there are some security measures that have double benefits e.g. bind variables also giving quicker performance. It is important in security to emphasise these Win-Wins.

An example of a DLP precaution that also has performance benefits is the enforcement of a custom profile on low privileged DB users. It is usually the case that DB users do not need to select more than 100 rows in a single statement. By using an Oracle profile with a limit on CPU/IO per session and per call, access to Oracle can be regulated like a tap regulates water flow.

For example (the profile has to be created before it can be altered, and the resource limits are only enforced once RESOURCE_LIMIT is TRUE):

-- create the profile, then tighten it one limit at a time
CREATE PROFILE DLP_PROTECTED_USER LIMIT FAILED_LOGIN_ATTEMPTS 3;
ALTER PROFILE DLP_PROTECTED_USER LIMIT connect_time 500;                 -- minutes
ALTER PROFILE DLP_PROTECTED_USER LIMIT cpu_per_call 2000;                -- hundredths of a second
ALTER PROFILE DLP_PROTECTED_USER LIMIT cpu_per_session 20000;            -- hundredths of a second
ALTER PROFILE DLP_PROTECTED_USER LIMIT logical_reads_per_call 500;       -- data blocks per statement
ALTER PROFILE DLP_PROTECTED_USER LIMIT logical_reads_per_session 100000; -- data blocks per session
-- resource limits are ignored unless this is set (password limits always apply)
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;
-- assign the profile to the low privileged account(s)
ALTER USER low_priv_users PROFILE DLP_PROTECTED_USER;

Rationing resources via profiles has normally been the preserve of the performance folks, but it is also an easy DLP measure. Resource metering in security has been used for many years, and a web related presentation that springs to mind is by Gunter Ollmann whilst at the newly acquired NGSSoftware.

Back to the DB example of Oracle Profiles: once an attacker is sharply limited in the amount of data they can select out of the DB, they have to be cleverer about finding exactly the right data in the DB to select out. Oracle’s built-in RegEx support is superb but should be monitored to make sure it is not being used to locate sensitive data. This book is a handy reference for Oracle RegEx: http://oreilly.com/catalog/9780596006013/. POSIX compliance makes learning Oracle RegEx reasonably painless, and here are some example RegExs already written.

A simple Sentrigo Hedgehog rule to alert on searches using Oracle RegEx for credit card numbers would look something like this.

statement CONTAINS '(([0-9]{4})([[:space:]])){3}[0-9]{4}'
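As an added example (not from the original post, and not Sentrigo's own code), the same alert logic written in Python and run over a few constructed statement lines of the kind a DB activity monitor would see. Python's re module has no [[:space:]], so the POSIX class is written as \s; the REGEXP_* check is a second signal for the point made above about watching for Oracle RegEx being used to hunt for sensitive data, and the statements themselves are made up for the example.

```python
import re

# Constructed sample statements, as a database activity monitor would see them.
# Not real captured traffic; the card number is the usual test value.
SAMPLE_STATEMENTS = [
    "SELECT name FROM customers WHERE id = 42",
    "SELECT card_no FROM payments WHERE card_no = '4111 1111 1111 1111'",
    "SELECT * FROM payments WHERE REGEXP_LIKE(card_no, '[0-9]{16}')",
    "SELECT REGEXP_SUBSTR(notes, '(([0-9]{4})([[:space:]])){3}[0-9]{4}') FROM tickets",
    "UPDATE orders SET status = 'shipped' WHERE id = 7",
]

# The blog's Hedgehog rule pattern: four groups of four digits separated by
# whitespace. [[:space:]] becomes \s because Python's re lacks POSIX classes.
CARD_LITERAL = re.compile(r"(?:[0-9]{4}\s){3}[0-9]{4}")

# Second signal: an Oracle regex function whose pattern starts matching digit
# runs ([0-9], [[:digit:]] or \d), i.e. RegEx being used to locate numeric PII.
REGEX_HUNT = re.compile(
    r"REGEXP_(?:LIKE|SUBSTR|INSTR|COUNT|REPLACE)\s*\(.*?\[(?:0-9|\[:digit:\]|\\d)",
    re.IGNORECASE,
)


def classify(statement):
    """Return the alert tags that apply to one statement (empty list if clean)."""
    tags = []
    if CARD_LITERAL.search(statement):
        tags.append("card-number-literal")
    if REGEX_HUNT.search(statement):
        tags.append("regex-digit-search")
    return tags


def scan(statements):
    """Map each flagged statement to its alert tags, dropping clean ones."""
    return {s: classify(s) for s in statements if classify(s)}


if __name__ == "__main__":
    for stmt, tags in scan(SAMPLE_STATEMENTS).items():
        print(f"{', '.join(tags)}: {stmt}")
```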

Of course CCs should be encrypted but even then the length of the encrypted value can give away its contents or the encryption algorithm used. On this forensic slant I note David is giving a presentation on Oracle Forensics http://www.securityfocus.com/archive/1/499120 on Thursday using his new CADFILE toolkit. I like to get a lot of my new forensics information from this URL http://sansforensics.wordpress.com/

Anyhow.. congratulations to Chris Hoy for winning Sports Personality of the Year. He had my support given the 3 medals and unlucky Lewis ~ there will be another time.

Cheers,
Paul
