Network Security 2013

Topics

Securing Oracle

• Oracle architecture
• Leveraging SQL scripts
• Developing an Oracle security policy
• Using commercial and open-source third party tools

Foundations

• Oracle CPUs
• Configuration Management Pack
• Physical and logical configuration and architecture
• Documenting software revisions and database configuration
• Resources for Oracle Security, including exploits and new vulnerabilities
• Using Google to find Oracle components and vulnerabilities
• Using My Oracle Support to identify vulnerabilities
• Using tools such as OScanner and Scuba to find vulnerabilities

Oracle attack vectors and security features

• Inherent issues from a default install
• Insecure configurations caused by the organization
• Third party application configuration issues
• Local and remote attacks
• Internal and external threats
• SQL injection attacks
• Cross-site scripting attacks
• Attacking vulnerable software: buffer overflows
• Escalation of privileges and Oracle stored procedures
• SQL buffer overflows
• Oracle security features to combat attack vectors

Host operating system security

• Hardening the host OS
• Auditing file permissions on Windows and Unix
• Important files of interest - control, redo, data, archive, trace, export...
• Understanding and exploiting external tables
• Deploying host IDS systems
• Leveraging network IDS systems

Identifying passwords in the environment

• Running batch processes and tools silently
• Auditing and securing process lists
• Secure methods to stop password exposure
• Auditing for password and username leakage
• Auditing and understanding clear text authentication

Exercises for day one include

• Writing Oracle scripts
• Exploiting vulnerabilities to obtain DBA access
• Developing a questionnaire to track system configuration
• Conducting SQL injection attacks
• Identifying and protecting operating system files
• Locating exposed passwords on the file system

Topics

Authentication methods

• Understanding proprietary database authentication
• Identify weaknesses in the Oracle authentication process
• Oracle pass-through OS authentication for Unix and Windows
• Configuring and deploying single sign
• Oracle Advanced Security and SSL
• Third party authentication
• Managing SYSDBA, SYSOPER, and INTERNAL
• Understand the 11g authentication process

Default users and password audits

• The easiest way in - examples
• Testing common user accounts
• Finding default accounts and passwords
• Auditing default roles
• Auditing user accounts for weak passwords
• Exploring home-grown and commercial password crackers
• Using tools such as Hash Attack, CheckPwd, OrakelCrackert, and orabrute
• Connection throttling

Schema and application owners

• Third party authentication mechanisms
• Passwords in the database, access, and encryption
• Sharing user accounts
• Proxy users
• Row level security

Implementing password management

• Developing password change and management procedures
• Coding password functions and change history management
• Auditing database connections - when, where, and by whom

Exercises for day two include

• Identifying default username and password accounts
• Utilizing network trace capacities to observe database internals
• Spoofing operating system authentication
• Password cracking for Oracle databases
• Auditing stored passwords
• Implementing password verification functions
• Implementing user profiles

Topics

Access and output

• Controlling user access to the operating system
• Critical packages, configuration settings, and software functionality
• Auditing and securing external procedures
• Restricting access to critical data
• Managing the SYSTEM tablespace
• Object ownership in default tablespaces
• Leveraging triggers to protect and audit objects
• Critical database tables and objects

Roles and users

• Oracle Database Vault
• Audit users and roles for critical privileges
• Designing roles, packages, and triggers for secure data access
• Restricting access to roles
• Protecting administrative roles
• Managing and auditing external users
• Consistently deploying the least privilege principle

Configuration

• Oracle Data Masking to protect confidential data
• Vital documented and undocumented database initialization parameters
• Review and secure key parameters
• Confirming running parameters match the configuration
• Tools to identify and review system configuration
• Using bootable CDs, such as Backtrack3, to pen test and review Oracle security configuration

PUBLIC privileges, profiles, packages, and objects

• Key public packages
• Review public privileges
• Access and use of critical packages
• Invoker and definer rights issues and risks
• Risks associated with dynamic SQL

Exercises for day three include

• Analyzing object ownership
• Analyzing roles
• Implementing a DBA role based on organizational requirements
• Analyzing critical system privileges
• Undocumented configuration parameters
• Auditing configuration parameters
• Definer versus invoker rights
• Creating Trojanized PL/SQL

Topics

Oracle auditing - myths and facts

• Storage and maintenance of audit records
• Configuring audit
• Choosing what to audit
• Privileged auditing
• Basic audit setup - connections, privileges, failures
• Auditing to the OS or to the database
• Alternative audit options - timestamps, triggers, FGA

Reviewing the audit trail

• Develop business procedures for management of the audit trail
• Develop process and reports
• Identifying suspicious activity
• Auditing and reviewing other audit information sources
• Oracle Audit Vault

Forensics

• Forensics without auditing
• Using Oracle LogMiner
• Using alert log, trace, listener log, SQL*Net log
• Forensic analysis of incidents
• Detecting if the audit trail has been altered
• Protecting the audit trails

Fine Grained Audit

• Introduction to Fine Grained Audit (FGA)
• When and how FGA should be used
• Implementing FGA
• Deploying FGA with examples
• Flashback
• Total recall

Securing Exposed Services

• Bind and Microsoft DNS compared
• Running split DNS
• The problems with recursion and how to avoid them
• Proper Web server permissions and access
• Web Application vulnerabilities and how to protect
• Logging extended properties with IIS
• How to avoid becoming a spam relay
• Tools to test your DNS and SMTP setup
• Tools to test your web applications
• The importance of scrubbing banners

Exercises for day four include

• Implementing basic auditing
• Conducting and detecting brute force attacks
• Developing an audit policy
• Developing audit reports
• Conducting a forensic assessment
• Implementing Fine Grained Auditing

Topics

Auditing the Oracle listener

• Listener configuration
• Listener password restrictions
• Attacking the listener
• Using listener logging and trace functions

Network Access to Oracle

• Restricting client access
• Firewalls
• Web Application Firewalls
• Oracle Database Firewall
• IDS/IPS
• Oracle proxy agents
• Protecting administrative clients
• Database links
• Securing Apache
• 11g network access controls and parameters
• Backup and recovery considerations
• Tunneling TNS traffic with SSH
• Using sniffers to capture data
• Wireshark, tcpdump, windump

Encryption

• Properly encrypting data stored in the database
• Symmetric versus asymmetric encryption
• Key storage and management issues
• Circumventing encryption controls
• Using dbms_crypto
• Transparent data encryption
• Encrypting data, columns, and tablespaces

Restricting developer and access tools

• Restricting developer tools that can connect
• Using Product User Profile (PUP)
• Login.sql and glogin.sql files
• Leveraging login triggers
• Securing iSQL*Plus

Exercises for day five include

• Auditing the listener
• Securing the listener
• Auditing Internet accessibility
• Developing a backup procedure
• Auditing database links
• Sniffing cleartext communications with wireshark
• Encrypting data in the database
• Encrypting communications with SSH
• Restricting developer tools

Topics

Oracle programming issues

• Managing Java and PL/SQL
• Wrapping code
• Checksums and data integrity
• Resource limits
• Using public synonyms
• Application-based security

Web application vulnerabilities

• Common Web application vulnerabilities that affect the Oracle database
• Information leakage and improper error handling
• Broken authentication and session management
• Accessing unauthorized files
• Exploiting SQL injection vulnerabilities
• Blind SQL injection
• Exploiting cross-site scripting vulnerabilities
• Cross-site request forgery
• Controlling applications
• Reviewing what accesses the database

Controlling applications and tools

• Decommissioning applications and products
• Adding new applications
• Movers, leavers, and joiners
• Reporting tool interfaces
• Secure application roles
• Virtual private databases

Controlling application internals

• Application file permissions and object privileges
• Application authentication mechanisms
• Backdoors - viruses and malignant code
• Preventing development on production databases
• Auditing and preventing ad-hoc queries
• Managing development and test databases
• Implementing change control management
• Reviewing tools for stored passwords
• Database information disclosure through public sources

Oracle security future

• 11g and future databases
• Additional resources for database security
• Viruses and worms
• Oracle rootkit concepts

Exercises for day six include

• Wrapping PL/SQL
• Exploiting Web application vulnerabilities that affect the database
• Implementing a process to track users in the environment
• Developing a script to audit for altered PL/SQL code
• Create an Oracle rootkit
• Identifying sensitive Oracle configuration and vulnerabilities via the Internet