SECURITY 509

Securing Oracle

Tuesday, May 5, 2009 - Sunday, May 10, 2009
Tanya Baccam, SANS Senior Instructor
6 CPE Credits per day

Laptop RequiredFree

Experts agree that Oracle is one of the most complex software packages available today. Unfortunately, complexity often introduces an increased risk for vulnerabilities. These vulnerabilities are being increasingly targeted by attackers. It is not uncommon for the SANS Internet Storm Center to see hundreds of thousands of hack attempts against Oracle databases each month.

SANS recognizes the need for comprehensive Oracle security training to help organizations protect their most critical information resources. In this course, the student is lead through the process of auditing and securing Oracle by defining the risks to data, using auditing techniques for detecting unauthorized access attempts, using Oracle access controls and user management functions, developing reliable backup and restore processes and techniques to secure the Oracle database, as well as applications.

Throughout the course the student will be exposed to the database as seen through the eyes of an attacker, including public and unreleased techniques that are used to compromise the integrity of the database or escalate a user's privileges. In this fashion, the student gains a better understanding of how an attacker sees a database as a target, and how we can configure the database to be resistant to known and unknown attacks.

This course has been updated for versions of Oracle up to and including 11g on Unix and Windows operating systems.

Prerequisite

The course assumes students have basic SQL and PL/SQL skills, as well as an understanding of the Oracle database architecture and features. Students should be familiar with configuring software such as the Oracle client. Students are also encouraged to be able to read and understand simple shell scripts for Unix or Windows systems.

Special Characteristics

There are a number of other SANS tracks that would be useful to the students. These include the operating system tracks for Windows and Unix, the auditing tracks and also the forensics tracks.

I have no idea how I was doing my job without this information.
-Jonathon Turner, Paycom Payroll

Author Statement

Oracle is one of the most exciting and challenging databases that exist. When it comes to securing an Oracle database, there are many challenges that Administrators and security professionals will face. This course is designed to be a fully comprehensive and intense introduction to planning, auditing and securing an Oracle database. The course doesn't just mention the vulnerabilities, but it explains why the issues may exist and how they could be leveraged by an attacker. Multiple hands-on exercises reinforce the content we learn in class. This aids the student in thinking like an attacker, which needs to be done to protect the databases. Students are often amazed at how many different ways exist that an attacker might use to compromise an Oracle database! Ultimately, the goal is to teach how to protect one of the most important organizational assets - the data. Data provides information, information leads to knowledge and knowledge is power in the business world. This course is an exciting and interesting journey on protecting this critical organizational asset!