SANS 2013

Orlando, FL | Fri Mar 8 - Fri Mar 15, 2013

AUD445: Auditing Security and Controls of Oracle Databases

* Updated and includes Oracle 12c!

Over the past few years we have seen attackers target data since there is a financial incentive to being able to compromise valuable data. The media seems to be reporting new data compromises constantly. That means auditors need to be effectively auditing the controls that should exist to protect this valuable organizational asset.

Oracle Databases often store the data that's being targeted. Oracle Databases are very complex and challenging to audit! Auditors need to be able to effectively audit the processes and controls in place around the database to ensure the asset is being properly protected and the risks properly managed.

This course provides all of the details, including the IT process, procedural and technical controls, that you as an auditor should look for when conducting an Oracle database audit. Even better, you have the opportunity to get firsthand experience extracting and interpreting data from a live Oracle Database, so that you can return to your organization and immediately conduct an Oracle Database audit. By getting hands-on experience, you gain a better understanding of exactly how an Oracle Database operates and what data is available for audit purposes. The course is also structured so that you can add value to the business by providing further security recommendations and benefits for the database being audited.

Course Syllabus
AUD445.1: Day 1 | Tanya Baccam | Wed Mar 13th, 2013, 9:00 AM - 5:00 PM
Overview

In order to properly audit Oracle databases, auditors have to understand what an Oracle database consists of and how it operates. These foundations, and more, are covered on the first day to provide a solid base to build on throughout the course.

CPE/CMU Credits: 6

Topics

Foundations

  • Reasons for database auditing
  • Governance controls
  • Risk evaluation, identification and assessments
  • Audit scripts used to successfully audit an Oracle database
  • Oracle security solutions and resources available for Oracle databases

Oracle Database Concepts

  • Oracle's physical and logical structure
  • Schemas, databases, instances and their relationship
  • SQL, DML and DDL
  • Foundational database terms such as data types, primary keys, stored procedures, views, etc.
  • Using SQL*Plus effectively in an audit
  • Oracle's data dictionary
  • Key v$ views for auditors

Physical and Environmental Controls

  • Data center controls
  • Physical access to data

Architectural and Inventory Controls

  • Physical and logical diagrams
  • Data flows
  • Obtaining an inventory of databases
  • Tools to assist in verifying the inventory

Change Control, Patch Management and Vulnerabilities

  • Processes for identifying vulnerabilities
  • Dev, test, staging and prod environments
  • Change control procedures
  • Oracle CPUs/PSUs
  • Using opatch to determine patching history
  • Vulnerability testing tools

OS, Network and Application Controls

  • Key OS accounts to audit
  • OS permissions
  • Oracle database files to review at the operating system level, including how to find their locations
  • External Tables
  • Methods to control network access
  • Database Firewalls
  • Common application risks
 
AUD445.2: Day 2 | Tanya Baccam | Thu Mar 14th, 2013, 9:00 AM - 5:00 PM
Overview

There are many authentication and access control options available for Oracle databases. Auditors must understand what the options are and how they can be implemented so they are properly audited. This day begins by looking at the risks related to the listener, and then moves into the controls around authentication and access control.

CPE/CMU Credits: 6

Topics

Listener Security

  • What the listener does and how it operates
  • Key files related to the listener
  • Types of listener entries
  • Listener logging
  • Checklist for auditing the listener

Authentication Process and Methods

  • Authentication architecture
  • O3LOGON and O5LOGON process
  • Controls for authentication methods including:
    • Database
    • Operating system
    • Password file
    • Single sign-on

Oracle Advanced Security

  • Auditing to protect against sniffing and spoofing attacks
  • Auditing for brute force attacks
  • Methods for securing authentication weaknesses

Access Controls including User Accounts, Roles and Passwords

  • Administrative access controls
  • Auditing vendor, contractor and consultant access
  • Auditing user accounts, including auditing for dormant accounts and shared accounts
  • Password controls:
    • Password complexity
    • Password storage
    • Password history
  • Session limits
  • Profiles
  • Auditing roles
  • Virtual Private Databases (VPDs)
  • Transparent Data Encryption (TDE)
  • Data Redaction
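As an added example (not a script from the course CD or from Oracle), the SQL*Plus queries below show how an auditor could check the account and password controls listed above directly from the data dictionary. They assume an audit account with SELECT on the DBA_* views and, for the login history, that the standard audit trail is written to the database (AUDIT_TRAIL=DB) with session logons audited; the 90-day dormancy threshold is an assumed policy value, not one the course specifies.

```sql
-- Added example for reviewing account and password controls.
-- Assumes: SELECT on DBA_USERS, DBA_PROFILES and DBA_AUDIT_TRAIL,
-- AUDIT_TRAIL=DB with session auditing enabled, and a 90-day
-- dormancy policy (assumed value).
SET LINESIZE 200 PAGESIZE 100
SPOOL account_controls_review.txt

-- 1. Open accounts with no successful logon in 90 days (or ever).
--    DBA_USERS has no last-login column before 12c (12c adds LAST_LOGIN),
--    so the last successful LOGON is taken from the audit trail.
SELECT u.username,
       u.account_status,
       u.profile,
       u.created,
       MAX(a.timestamp) AS last_logon
FROM   dba_users u
       LEFT JOIN dba_audit_trail a
              ON  a.username    = u.username
              AND a.action_name = 'LOGON'
              AND a.returncode  = 0
WHERE  u.account_status = 'OPEN'
GROUP  BY u.username, u.account_status, u.profile, u.created
HAVING MAX(a.timestamp) IS NULL
    OR MAX(a.timestamp) < SYSDATE - 90
ORDER  BY last_logon NULLS FIRST;

-- 2. Shared-account indicator: one database user logging on from several
--    distinct OS user/host combinations in the review window.
SELECT username,
       COUNT(DISTINCT os_username || '@' || userhost) AS distinct_sources,
       COUNT(*)                                        AS logons
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode  = 0
AND    timestamp   > SYSDATE - 90
GROUP  BY username
HAVING COUNT(DISTINCT os_username || '@' || userhost) > 1
ORDER  BY distinct_sources DESC;

-- 3. Password limits per profile. UNLIMITED and NULL (no verify function)
--    are findings; DEFAULT means the profile inherits from the DEFAULT
--    profile, so that profile's value must be reviewed instead.
SELECT profile,
       resource_name,
       limit,
       CASE
         WHEN limit IN ('UNLIMITED', 'NULL') THEN 'REVIEW'
         WHEN limit = 'DEFAULT'              THEN 'INHERITS - CHECK DEFAULT'
         ELSE 'OK'
       END AS finding
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
ORDER  BY profile, resource_name;

-- 4. Which profile each open account is actually subject to, so that a
--    weak profile can be tied back to the accounts it governs.
SELECT profile, COUNT(*) AS open_accounts
FROM   dba_users
WHERE  account_status = 'OPEN'
GROUP  BY profile
ORDER  BY open_accounts DESC;

SPOOL OFF
```

Run the file from SQL*Plus with `@account_controls_review.sql`; the spooled output becomes the audit evidence. Query 1 only sees logons that happened while auditing was enabled, so an empty `last_logon` on a recently created database is not by itself proof of dormancy.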

 
AUD445.3: Day 3 | Tanya Baccam | Fri Mar 15th, 2013, 9:00 AM - 5:00 PM
Overview

Continuing to build the audit program, this day covers Oracle-specific risks such as database links, parameters, data integrity controls and auditing. Links provide database-to-database communication and can therefore be a risk to the database. Students learn which privileges and parameters are important to examine, as well as the controls that should be in place for backups and auditing.

CPE/CMU Credits: 6

Topics

Links

  • Types of database links
  • Connection types for links
  • Controls that should exist related to links
  • Auditing for links being used

Privileges

  • Views used to audit privileges
  • dba_sys_privs, dba_tab_privs, dba_col_privs and dba_role_privs
  • Privilege Analysis in 12c

Triggers

  • Object ownership
  • System privileges
  • Packages, including the higher risk packages that must be audited
  • PUBLIC privileges
  • Synonyms
  • Database vault
  • Data Masking
  • Encryption controls for data at rest and data in transit
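The privilege views named under Privileges above (dba_sys_privs, dba_tab_privs, dba_col_privs and dba_role_privs) and the PUBLIC and high-risk package items in this section can be reviewed with the queries below. This is an added example, not a course or Oracle script; it assumes SELECT on the DBA_* views, an 11gR2 or later database (the recursive WITH clause), and uses the SQL*Plus substitution variable `&audited_user` to name the account under review. The package list is a commonly reviewed subset, not the course's full list.

```sql
-- Added example for auditing privileges, roles and PUBLIC grants.
-- Assumes: SELECT on the DBA_* views, Oracle 11gR2 or later, and that
-- &audited_user is supplied at the SQL*Plus prompt.
SET LINESIZE 200 PAGESIZE 100

-- 1. Powerful system privileges granted directly to users (roles excluded).
--    '%ANY%' privileges cross schema boundaries and should each be justified.
SELECT sp.grantee, sp.privilege, sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.grantee NOT IN (SELECT role FROM dba_roles)
AND    (sp.privilege LIKE '%ANY%'
        OR sp.privilege IN ('ALTER SYSTEM', 'ALTER USER', 'BECOME USER',
                            'EXEMPT ACCESS POLICY', 'GRANT ANY PRIVILEGE'))
ORDER  BY sp.grantee, sp.privilege;

-- 2. Administrative roles and any role granted WITH ADMIN OPTION.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
OR     admin_option = 'YES'
ORDER  BY granted_role, grantee;

-- 3. Effective system privileges of one user, resolved through nested roles.
--    Oracle rejects circular role grants, so the recursion terminates.
WITH role_tree (grantee, granted_role, path) AS (
  SELECT grantee, granted_role, grantee || '>' || granted_role
  FROM   dba_role_privs
  WHERE  grantee = UPPER('&audited_user')
  UNION ALL
  SELECT rp.grantee, rp.granted_role, rt.path || '>' || rp.granted_role
  FROM   dba_role_privs rp
         JOIN role_tree rt ON rp.grantee = rt.granted_role
)
SELECT sp.privilege,
       sp.grantee            AS granted_to,
       NVL(rt.path, 'DIRECT') AS grant_path
FROM   dba_sys_privs sp
       LEFT JOIN role_tree rt ON rt.granted_role = sp.grantee
WHERE  sp.grantee = UPPER('&audited_user')
OR     sp.grantee IN (SELECT granted_role FROM role_tree)
ORDER  BY sp.privilege, grant_path;

-- 4. Object and column grants to the user on schemas other than its own.
SELECT 'OBJECT' AS grant_type, owner, table_name, NULL AS column_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = UPPER('&audited_user')
AND    owner  <> UPPER('&audited_user')
UNION ALL
SELECT 'COLUMN', owner, table_name, column_name, privilege, grantable
FROM   dba_col_privs
WHERE  grantee = UPPER('&audited_user')
ORDER  BY 1, 2, 3, 4;

-- 5. Higher-risk SYS packages executable by PUBLIC (every account inherits
--    these). File, network and job-scheduling packages are the usual review set.
SELECT table_name AS package_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner   = 'SYS'
AND    privilege = 'EXECUTE'
AND    table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP',
                      'UTL_INADDR', 'DBMS_JAVA', 'DBMS_SCHEDULER',
                      'DBMS_LOB', 'DBMS_XMLGEN', 'DBMS_ADVISOR')
ORDER  BY table_name;
```

Query 3 is the one that answers "what can this account actually do": a user with no direct system privileges can still hold ALTER ANY TABLE three roles deep, and the `grant_path` column shows exactly which chain of role grants delivers it, which is what the remediation ticket needs to cite.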

Parameters

  • What parameters are and how they are used in Oracle Databases
  • Listing of all parameters that should be audited and their recommended values

Backups, DRP and BCP

  • Backup controls
  • Reducing single points of failure
  • Standby databases

Restricting Tools and Data Integrity Controls

  • Methods to restrict access to data
  • Data integrity controls

Auditing

  • Oracle database methods for auditing
  • Oracle audit vault and best practices
  • Standard auditing
  • Fine-grained auditing
  • Triggers
  • LogMiner
  • Flashback
  • Total Recall
  • Unified Auditing in Oracle 12c

 
Additional Information
 
  Laptop Required

Students need to bring a laptop computer with an Ethernet network card and a CD-ROM drive. Students should use Windows and have a functional Oracle 11gR2 or later client installed with SQL*Plus. The Oracle client software can be downloaded from Oracle's Web site. Students will also need the capability to set an IP address and install tools on the system. Additional tools such as Oracle Enterprise Manager are not required.

Please download the install instructions for this class here.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Internal Auditors
  • IT Specialist Auditors
  • IT Auditors
  • IT Audit Managers
  • Information System Auditors
  • Information Technology Auditors
  • Information Security Officers

 
  Other Courses People Have Taken

  • Any of the other audit courses.
  • After taking this course, the student will also be prepared to take the Security 509 course.

 
  What You Will Receive

The course CD includes audit queries, scripts and tools that will assist in conducting an Oracle Database audit.

 

Author Statement

Oracle Databases are foundational to many organizations and their operations today. Data is what differentiates many companies, and databases are where the data is obtained. Unfortunately, many times the business risks that an Oracle database poses to an organization are not identified and mitigated due to a lack of knowledge around the controls that should exist. Oracle databases are very complex, and it is not enough to just follow a checklist if you do not have a comprehensive understanding of the security features available within Oracle. This course focuses on understanding, identifying and mitigating business risks presented by Oracle databases. The course starts by covering foundational information, including an introduction to SQL and an architectural understanding of Oracle. Once the foundation is built, students explore the Oracle environment and how to identify weaknesses. Hands-on exercises give students the opportunity to not only hear about the vulnerabilities, but also identify the vulnerabilities themselves. Oracle-specific security solutions will also be discussed, including database auditing, TDE encryption, virtual private databases, label security, database vault, audit vault, FGA, total recall, configuration scanning, ASO and data masking, and how they can be incorporated into current business processes, or what it means for the business process if these tools are missing. Multiple tools, queries and techniques will be explored in order to obtain a comprehensive understanding of how to audit Oracle databases. Auditors will walk away with a new understanding of how Oracle databases operate and the controls that should be present. -Tanya Baccam