Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


SANS-RSA and Three Tier Oracle Security

Just landed at San Francisco and preparing for the SANS and RSA conferences where I am due to speak. I have a few minutes to spare, so let's catch up on what has been happening in the world of Three Tier Oracle Security:

This article from Alexandr is interesting: http://www.dsecrg.com/files/pub/pdf/Penetration_from_application_down_to_OS_(Oracle%20database).pdf. It shows how to make a Windows 2003 server attempt NTLM authentication from its Oracle DB. This is creative thinking and well written, though my main thought is that Oracle on Windows has had a lot of problems generally, so this is probably best avoided altogether if you have the choice.

April 2009 CPU exploits are out, with RDS showing good form with this 11g SQL injection: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html, among others.

Just finished reading http://www.amazon.com/HOWTO-Secure-Audit-Oracle-10g/dp/1420084127.
I enjoyed the read, and of interest was the relatively high performance hit of OAV described on p281. OAV logs as normal via native audit, with its associated performance hit, and then adds an additional performance hit from the collectors. This is good news for Sentrigo AND Guardium, though it would be good to see the actual figures for this, as my contacts at Oracle have reported differing results. This emphasises the need for public data that is verifiably correct. The notion of Information Security skills being used more to protect the integrity and availability of widely available data, rather than primarily to keep secrets, is one that I am attracted to and I think will have increasing importance.
In this vein I like Ron’s descriptions of the Oracle Total Recall feature with Flashback Data Archive (p252), which I will be writing about in detail in the near future. This feature provides an “immutable” record of the past states of a tuple, which avoids tampering and adds a time dimension to the relational model. It does not, to my knowledge, involve any Arnold Schwarzenegger films, directly.
There is some 9i-specific material included in the book for backward compatibility, but for me the most interesting contribution is the practical HOWTO material describing the actual usage of OAS features.

I have been busy as well and have a new paper that is with Oracle, entitled “Database Malware using Namespace Attacks”. This is due for release soon and has two new elements to it that I know are going to be of interest, but I have to follow the ethical reporting process first. Of key interest is the fact that only host-based DB monitoring systems that can identify the true schema name of an object, even when it is not given in the query, will be immune to this new type of attack and others that are related. Sentrigo HH is one of these systems that is immune and can identify an attempt to carry out this attack. I am happy to talk in general about the concepts behind this vulnerability at RSA, how I have tested that Sentrigo HH defends against it, and how to forensically respond to a related incident. Most importantly, my experiences of keeping availability and integrity of the business function whilst simultaneously deploying the security solution should make the talk worth attending.
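
To make the monitoring point concrete, here is an added Python illustration (not code from the post, from Oracle, or from Sentrigo) of the name-resolution step a host-based monitor must perform: the same unqualified name can resolve to objects in different schemas depending on the current schema, so the monitor should log and compare the resolved owner, not the name as typed. The catalog, synonyms, schema names and the expected-owner policy below are all constructed for the example.

```python
# Toy model of Oracle-style resolution of an unqualified object name.
# Order modelled: explicit OWNER.NAME > object in the current schema
# > private synonym in the current schema > public synonym.
# All entries are constructed sample data, not a real data dictionary.

CATALOG = {                      # (owner, object_name) -> object type
    ("HR", "EMPLOYEES"): "TABLE",
    ("APP", "EMPLOYEES"): "VIEW",  # constructed: APP has its own EMPLOYEES
}
PRIVATE_SYNONYMS = {             # (owner, synonym) -> (target_owner, target)
    ("SALES", "EMP"): ("HR", "EMPLOYEES"),
}
PUBLIC_SYNONYMS = {              # synonym -> (target_owner, target)
    "EMPLOYEES": ("HR", "EMPLOYEES"),
}


def resolve(name, current_schema):
    """Return (owner, object) that `name` denotes from `current_schema`,
    or None if it does not resolve."""
    name, schema = name.upper(), current_schema.upper()
    if "." in name:                       # fully qualified: trust the owner given
        owner, obj = name.split(".", 1)
        return (owner, obj) if (owner, obj) in CATALOG else None
    if (schema, name) in CATALOG:         # object in current schema wins
        return (schema, name)
    if (schema, name) in PRIVATE_SYNONYMS:
        return PRIVATE_SYNONYMS[(schema, name)]
    return PUBLIC_SYNONYMS.get(name)      # last resort: public synonym


def check_resolution(typed_name, current_schema, expected_owner):
    """What a monitor should record for each statement: the name as typed,
    the true owner it resolved to, and an alert when that owner is not the
    one the DBA expects for this name (constructed policy input)."""
    resolved = resolve(typed_name, current_schema)
    owner = resolved[0] if resolved else None
    return {
        "typed": typed_name,
        "schema": current_schema.upper(),
        "resolved": resolved,
        "alert": owner != expected_owner.upper(),
    }


if __name__ == "__main__":
    for schema in ("SALES", "APP"):       # same text, different true owner
        print(check_resolution("employees", schema, expected_owner="HR"))
```

Inside a real database the lookup itself can be delegated to DBMS_UTILITY.NAME_RESOLVE; the point of the toy is that an alerting rule keyed on the typed name alone cannot see the difference between the two rows it prints.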

Session Detail
Session Code: HOST-302
Session Title: Protecting Your Enterprise Database: Challenges, Approaches and Best Practices
Scheduled Date/Time: Thursday, April 23, 09:10 AM
Room: Purple 304
Session Abstract: With growing incidence of attacks across industries and strong regulatory requirements to secure private data, enterprises need to make database security a top priority. Today, database attacks are more sophisticated than ever, requiring enterprises to take stronger security measures. This panel, comprising customers, will discuss database security strategies and give practical advice on what organizations should be doing to protect their critical databases.
Panelists:
- Jason Perkins, Senior Application Security Lead, First Advantage
- Paul Wright, VP Database Application Security Development, Markit Corporation
- Ayad Shammout, Lead Technical DBA, Caregroup Healthcare System
- Patrick Buie, Information Security Analyst, Carlson Wagonlit Travel
Moderator: Noel Yuhanna, Principal Analyst, Forrester Research

San Francisco is a great place to be and the Golden Gate is a positive symbol of American technology, plus sun is forecast, so it should be a good week.

RSA summary and the new paper to come shortly.

Best regards,
Paul
