Network Security 2013

Las Vegas, NV | Sat Sep 14 - Mon Sep 23, 2013

SEC509: Securing Oracle Databases

Experts agree that Oracle is one of the most complex software packages available today. Unfortunately, complexity often introduces an increased risk for vulnerabilities. These vulnerabilities are being increasingly targeted by attackers. It is not uncommon for the SANS Internet Storm Center to see hundreds of thousands of hack attempts against Oracle databases each month.

SANS recognizes the need for comprehensive Oracle security training to help organizations protect their most critical information resources. In this course, the student is led through the process of auditing and securing Oracle by defining the risks to data, using techniques for detecting unauthorized access attempts, using Oracle access controls and user management functions, and developing reliable processes to secure the Oracle database, as well as applications.

Throughout the course the student will be exposed to the database as seen through the eyes of an attacker, including public and unreleased techniques that are used to compromise the integrity of the database or escalate a user's privileges. In this fashion, the student gains a better understanding of how an attacker sees a database as a target and how we can configure the database to be resistant to known and unknown attacks.

This course has been updated for versions of Oracle up to and including 11g on Unix and Windows operating systems.

Course Syllabus
SEC509.1: Securing Oracle Foundations
Instructor: Tanya Baccam | Mon Sep 16th, 2013, 9:00 AM - 5:00 PM
Overview

The student is introduced to various techniques used by an attacker to compromise the database, including buffer overflows, SQL injection attacks, exploiting Oracle stored procedures, and cross-site scripting attacks. We look at the process of installing the database in a secure fashion after hardening the host operating system with strong file system permissions. An overview of the security features Oracle offers is also covered.

CPE/CMU Credits: 6

Topics

Securing Oracle

  • Oracle architecture
  • Leveraging SQL scripts
  • Developing an Oracle security policy
  • Using commercial and open-source third party tools

Foundations

  • Oracle CPUs
  • Configuration Management Pack
  • Physical and logical configuration and architecture
  • Documenting software revisions and database configuration
  • Resources for Oracle Security, including exploits and new vulnerabilities
  • Using Google to find Oracle components and vulnerabilities
  • Using My Oracle Support to identify vulnerabilities
  • Using tools such as OScanner and Scuba to find vulnerabilities

Oracle attack vectors and security features

  • Inherent issues from a default install
  • Insecure configurations caused by the organization
  • Third party application configuration issues
  • Local and remote attacks
  • Internal and external threats
  • SQL injection attacks
  • Cross-site scripting attacks
  • Attacking vulnerable software: buffer overflows
  • Escalation of privileges and Oracle stored procedures
  • SQL buffer overflows
  • Oracle security features to combat attack vectors

Host operating system security

  • Hardening the host OS
  • Auditing file permissions on Windows and Unix
  • Important files of interest - control, redo, data, archive, trace, export...
  • Understanding and exploiting external tables
  • Deploying host IDS systems
  • Leveraging network IDS systems

Identifying passwords in the environment

  • Running batch processes and tools silently
  • Auditing and securing process lists
  • Secure methods to stop password exposure
  • Auditing for password and username leakage
  • Auditing and understanding clear text authentication

Exercises for day one include

  • Writing Oracle scripts
  • Exploiting vulnerabilities to obtain DBA access
  • Developing a questionnaire to track system configuration
  • Conducting SQL injection attacks
  • Identifying and protecting operating system files
  • Locating exposed passwords on the file system
 
SEC509.2: Securing Oracle's Authentication Process
Instructor: Tanya Baccam | Tue Sep 17th, 2013, 9:00 AM - 5:00 PM
Overview

Oracle's authentication process has some significant weaknesses that need to be understood to secure the environment. Additionally, 11g made some significant changes to the authentication process. We review the authentication process in detail. Oracle default user accounts, roles, and grants will be reviewed, including audit techniques to identify user accounts with weak passwords. Multiple password cracking techniques and tools will be analyzed. Auditing user accounts and application schema accounts is discussed in detail covering third party authentication, shared accounts, and proxy authentication implemented in third party applications. The day concludes with a complete discussion of password management, including enforcing and creating a password management policy and utilizing profiles to control access to database resources.

CPE/CMU Credits: 6

Topics

Authentication methods

  • Understanding proprietary database authentication
  • Identifying weaknesses in the Oracle authentication process
  • Oracle pass-through OS authentication for Unix and Windows
  • Configuring and deploying single sign-on
  • Oracle Advanced Security and SSL
  • Third party authentication
  • Managing SYSDBA, SYSOPER, and INTERNAL
  • Understanding the 11g authentication process

Default users and password audits

  • The easiest way in - examples
  • Testing common user accounts
  • Finding default accounts and passwords
  • Auditing default roles
  • Auditing user accounts for weak passwords
  • Exploring home-grown and commercial password crackers
  • Using tools such as Hash Attack, CheckPwd, OrakelCrackert, and orabrute
  • Connection throttling

Schema and application owners

  • Third party authentication mechanisms
  • Passwords in the database, access, and encryption
  • Sharing user accounts
  • Proxy users
  • Row level security

Implementing password management

  • Developing password change and management procedures
  • Coding password functions and change history management
  • Auditing database connections - when, where, and by whom

Exercises for day two include

  • Identifying default username and password accounts
  • Utilizing network trace capacities to observe database internals
  • Spoofing operating system authentication
  • Password cracking for Oracle databases
  • Auditing stored passwords
  • Implementing password verification functions
  • Implementing user profiles
 
SEC509.3: Oracle Access Controls - Configuration
Instructor: Tanya Baccam | Wed Sep 18th, 2013, 9:00 AM - 5:00 PM
Overview

Access control techniques are used to protect database objects. We cover many of the countless database configuration options with recommendations that make the database more resistant to common attacks, including both intentional and accidental incidents. We also dedicate time to the problems associated with the growing number of PUBLIC privileges including the techniques authenticated users can use to escalate their privilege levels. Tools such as Database Vault and Data Masking are also explored.

CPE/CMU Credits: 6

Topics

Access and output

  • Controlling user access to the operating system
  • Critical packages, configuration settings, and software functionality
  • Auditing and securing external procedures
  • Restricting access to critical data
  • Managing the SYSTEM tablespace
  • Object ownership in default tablespaces
  • Leveraging triggers to protect and audit objects
  • Critical database tables and objects

Roles and users

  • Oracle Database Vault
  • Audit users and roles for critical privileges
  • Designing roles, packages, and triggers for secure data access
  • Restricting access to roles
  • Protecting administrative roles
  • Managing and auditing external users
  • Consistently deploying the least privilege principle

Configuration

  • Oracle Data Masking to protect confidential data
  • Vital documented and undocumented database initialization parameters
  • Review and secure key parameters
  • Confirming running parameters match the configuration
  • Tools to identify and review system configuration
  • Using bootable CDs, such as BackTrack 3, to pen test and review Oracle security configuration

PUBLIC privileges, profiles, packages, and objects

  • Key public packages
  • Review public privileges
  • Access and use of critical packages
  • Invoker and definer rights issues and risks
  • Risks associated with dynamic SQL

Exercises for day three include

  • Analyzing object ownership
  • Analyzing roles
  • Implementing a DBA role based on organizational requirements
  • Analyzing critical system privileges
  • Undocumented configuration parameters
  • Auditing configuration parameters
  • Definer versus invoker rights
  • Creating Trojanized PL/SQL
 
SEC509.4: Auditing Oracle
Instructor: Tanya Baccam | Thu Sep 19th, 2013, 9:00 AM - 5:00 PM
Overview

Some organizations think auditing within Oracle's environment is difficult, if not impossible. This day delves into auditing the Oracle environment in a manageable and simple way. We examine the built-in Oracle auditing features, including Fine-Grained Auditing, and review Audit Vault. Forensic assessment of Oracle databases is also covered, including data recovery and retracing the steps of an attacker. If your organization is encumbered by federal restrictions and legal requirements in information management, this day provides vital information that you can deploy immediately after completing this course.

CPE/CMU Credits: 6

Topics

Oracle auditing - myths and facts

  • Storage and maintenance of audit records
  • Configuring audit
  • Choosing what to audit
  • Privileged auditing
  • Basic audit setup - connections, privileges, failures
  • Auditing to the OS or to the database
  • Alternative audit options - timestamps, triggers, FGA

Reviewing the audit trail

  • Develop business procedures for management of the audit trail
  • Develop process and reports
  • Identifying suspicious activity
  • Auditing and reviewing other audit information sources
  • Oracle Audit Vault

Forensics

  • Forensics without auditing
  • Using Oracle LogMiner
  • Using alert log, trace, listener log, SQL*Net log
  • Forensic analysis of incidents
  • Detecting if the audit trail has been altered
  • Protecting the audit trails

Fine Grained Audit

  • Introduction to Fine Grained Audit (FGA)
  • When and how FGA should be used
  • Implementing FGA
  • Deploying FGA with examples
  • Flashback
  • Total recall

Securing Exposed Services

  • Bind and Microsoft DNS compared
  • Running split DNS
  • The problems with recursion and how to avoid them
  • Proper Web server permissions and access
  • Web Application vulnerabilities and how to protect
  • Logging extended properties with IIS
  • How to avoid becoming a spam relay
  • Tools to test your DNS and SMTP setup
  • Tools to test your web applications
  • The importance of scrubbing banners

Exercises for day four include

  • Implementing basic auditing
  • Conducting and detecting brute force attacks
  • Developing an audit policy
  • Developing audit reports
  • Conducting a forensic assessment
  • Implementing Fine Grained Auditing
 
SEC509.5: Networking, Encryption, and Developer Tools
Instructor: Tanya Baccam | Fri Sep 20th, 2013, 9:00 AM - 5:00 PM
Overview

Since the Oracle listener is often the first component to receive attacks from adversaries seeking to compromise the database, we cover topics related to securing the listener. Network design recommendations for the database and administrative workstations are also addressed, including Oracle's Database Firewall. The day continues by discussing the challenges of encryption both within and outside of the database, for data at rest and data in transit. Finally, we conclude the day by looking at techniques to secure the SQL*Plus and iSQL*Plus tools, including techniques to enforce and restrict which applications are allowed to connect to the database.

CPE/CMU Credits: 6

Topics

Auditing the Oracle listener

  • Listener configuration
  • Listener password restrictions
  • Attacking the listener
  • Using listener logging and trace functions

Network Access to Oracle

  • Restricting client access
  • Firewalls
  • Web Application Firewalls
  • Oracle Database Firewall
  • IDS/IPS
  • Oracle proxy agents
  • Protecting administrative clients
  • Database links
  • Securing Apache
  • 11g network access controls and parameters
  • Backup and recovery considerations
  • Tunneling TNS traffic with SSH
  • Using sniffers to capture data
  • Wireshark, tcpdump, windump

Encryption

  • Properly encrypting data stored in the database
  • Symmetric versus asymmetric encryption
  • Key storage and management issues
  • Circumventing encryption controls
  • Using dbms_crypto
  • Transparent data encryption
  • Encrypting data, columns, and tablespaces

Restricting developer and access tools

  • Restricting developer tools that can connect
  • Using Product User Profile (PUP)
  • Login.sql and glogin.sql files
  • Leveraging login triggers
  • Securing iSQL*Plus

Exercises for day five include

  • Auditing the listener
  • Securing the listener
  • Auditing Internet accessibility
  • Developing a backup procedure
  • Auditing database links
  • Sniffing cleartext communications with Wireshark
  • Encrypting data in the database
  • Encrypting communications with SSH
  • Restricting developer tools
 
SEC509.6: Development and Securing Applications
Instructor: Tanya Baccam | Sat Sep 21st, 2013, 9:00 AM - 5:00 PM
Overview

End-user tools created with PL/SQL and Java can introduce their own security risks. This day covers secure programming for the database, including protecting source code confidentiality and integrity and setting resource limits to prevent attacks. Secure application roles and other techniques are explored as options for protecting data. We also look at some of the common Web application vulnerabilities and the effect they can have on the Oracle database. The final module of this intense day covers where we think Oracle security is going, exploring early techniques in the design of viruses and worms specific to Oracle.

CPE/CMU Credits: 6

Topics

Oracle programming issues

  • Managing Java and PL/SQL
  • Wrapping code
  • Checksums and data integrity
  • Resource limits
  • Using public synonyms
  • Application-based security

Web application vulnerabilities

  • Common Web application vulnerabilities that affect the Oracle database
  • Information leakage and improper error handling
  • Broken authentication and session management
  • Accessing unauthorized files
  • Exploiting SQL injection vulnerabilities
  • Blind SQL injection
  • Exploiting cross-site scripting vulnerabilities
  • Cross-site request forgery
  • Controlling applications
  • Reviewing what accesses the database

Controlling applications and tools

  • Decommissioning applications and products
  • Adding new applications
  • Movers, leavers, and joiners
  • Reporting tool interfaces
  • Secure application roles
  • Virtual private databases

Controlling application internals

  • Application file permissions and object privileges
  • Application authentication mechanisms
  • Backdoors - viruses and malignant code
  • Preventing development on production databases
  • Auditing and preventing ad-hoc queries
  • Managing development and test databases
  • Implementing change control management
  • Reviewing tools for stored passwords
  • Database information disclosure through public sources

Oracle security future

  • 11g and future databases
  • Additional resources for database security
  • Viruses and worms
  • Oracle rootkit concepts

Exercises for day six include

  • Wrapping PL/SQL
  • Exploiting Web application vulnerabilities that affect the database
  • Implementing a process to track users in the environment
  • Developing a script to audit for altered PL/SQL code
  • Create an Oracle rootkit
  • Identifying sensitive Oracle configuration and vulnerabilities via the Internet
 
Additional Information

Laptop Required

Students need to bring a laptop computer with an Ethernet network card and a CD-ROM. Students should use Windows and have a functional Oracle 11gR2 or later client installed with SQL*Plus. The Oracle client software can be downloaded from Oracle's Web site. Students will also need the capability to set an IP address and install tools on the system. Additional tools such as Oracle Enterprise Manager are not required.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 

Author Statement

Database compromises are a significant risk faced by organizations today. Data compromises seem to be constantly occurring, and many of the huge breaches that we know about today resulted because database security was improperly addressed. Databases are key targets because they store one of our most valuable resources - our data. The data needs to be protected. Oracle is one of the most exciting and challenging databases that exist. When it comes to securing an Oracle database, there are many challenges that administrators and security professionals will face. This course is designed to be a fully comprehensive and intense introduction to planning, auditing, and securing an Oracle database. The course doesn't just mention the vulnerabilities, but it explains why the issues may exist and how an attacker could leverage them. Multiple hands-on exercises reinforce the content we learn in class. This aids the student in thinking like an attacker, which needs to be done to protect the databases. Students are often amazed at the many different ways an attacker might compromise an Oracle database! Ultimately, the goal is to teach how to protect one of the most important organizational assets - the data. This course is an exciting and interesting journey in protecting this critical organizational asset!

- Tanya Baccam