Best Practices for Oracle Database Security
None of the database management systems is secure by default. However, you can avoid most of threats by configuring the environment properly. In this article, we summarize our knowledge of the Oracle Database security and list the measures you should consider when working with Oracle Database.
1. Get Rid of Default Passwords
The very first thing to deal with when it comes to database security. If you use passwords that can be easily hacked or brute-forced, any other security measures will be as useless as a shoe shop in the Shire. Attackers start with easy ways that cause maximum damage. We hope that after recent infamous attacks on misconfigured MongoDB and MySQL databases, the majority got the message. DO NOT leave default or weak passwords and make sure stored passwords are encrypted.
Use the following script to find user accounts that have default passwords.
sqlpus sys as sysdba Enter password: password SELECT d.username, u.account_status FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u WHERE d.username = u.username ORDER BY 2,1;
Use the Checkpwd tool to identify accounts with weak passwords. It is a dictionary-based password checker for Oracle databases. The tool reads password hashes from the dba_users view and compares local hashkeys with the hashkeys from the supplied dictionary file. It shows the list of expired accounts and weak passwords so you can change them.
>checkpwd system/oracle@//127.0.0.1:1521/orcl password_list.txt
2. Update and Patch
The next step is to install the latest version of the database management system. Once updated, you can work without bugs and other already fixed issues. Developers are constantly trying to make the Oracle Database safer, which is especially noticeable in Oracle Database 12c.
Four times a year Oracle releases the Critical Patch Update that resolves tons of critical security vulnerabilities in various platforms, including Oracle Database. With the update, Oracle trots out the general information about fixed vulnerabilities, which attackers instantaneously start to analyze and exploit. According to the latest Wallarm report, it takes 2 to 4 hours until hackers start exploiting a newly reported vulnerability. Thus, do not miss the update.
Check the timetable of Critical Patch Updates here.
3. Separate Duties
You know that pipeline architecture where each member of the system does only its job and nothing more? Sounds boring but yet you should consider implementing the likewise architecture in the corporate environment. Think twice before starting to distribute privileges like fliers.
Generally, the best practice is to remove all privileges and start to grant them on a ‘need-to-know’ basis. Get a fresh start. It will help you avoid the scenarios when a security guy wasn’t careful enough to notice that a John from management department had an access to proprietary information and trade secrets.
4. Manage Passwords
For years administrators stored the account passwords unencrypted in a script or a configuration file. Oracle has released the Secure Password Store to address the problem. The feature allows you to create a wallet file where you can securely store database credentials.
Oracle Database has a set of tools to protect passwords. Some of them are disabled by default.
- Verification of Password Complexity
There is a simple password verification function in the PL/SQL scripts UTLPWDMG.SQL ($ORACLE_HOME/rdbms/ admin). The script is disabled by default. To enable it, log in to SQL*Plus with administrative privileges and run the script.
CONNECT SYS/AS SYSDBA Enter password: password @$ORACLE_HOME/RDBMS/ADMIN/utlpwdmg.sqlThe parameters specifying password requirements are set by default but you can change their value at your own discretion. Since the 11g version, case sensitivity for passwords is enabled by default.
- Account Lockout
Enable locking accounts after 3 invalid attempts for a certain period of time. It will greatly reduce the risk of brute-force attacks. Set the following parameters to specify account lockouts for an Oracle profile:
FAILED_LOGIN_ATEMPTS 3 PASSWORD_LOCK_TIME 10The argument of the second parameter is set to 10 days.
Use the INACTIVE_ACCOUNT_TIME parameter to set inactivity period after which the account will be locked (the value is also expressed in days).
5. Change Default Audit Settings
Oracle 12c has introduced Unified Audit Data Trail which combines SYS.AUD$ for the database audit trail, SYS.FGA_LOG$ for fine-grained auditing, DVSYS.AUDIT_TRAIL$ for Oracle Database Vault, and Oracle Label Security.
In Oracle 12c the default value of audit_sys_operations is TRUE, but if you use the older version, you need to enable the parameter so that SQL commands by user sys will be audited.
Use the following command to enable it and reboot the system.
SQL> alter system set audit_sys_operations=true scope=spfile;
Enable the audit_trail to audit SQL commands.
SQL> alter system set audit_trail=DB,EXTENDED scope=spfile;
When starting to work with Oracle Database 12c, you can use the mixed mode by creating a policy with the CREATE AUDIT POLICY command then enable it with the AUDIT command. You can also use predefined policies (refer here to learn about default audit policies).
6. Implement Strong Authentication Methods
Authentication of user identity is imperative in distributed environments. Apart from default authentication, Oracle Database supports third-party industry-standard authentication protocols and services. To utilize them, implement some configuration changes.
Authentication protocol designed primarily for a client-server model and it provides mutual authentication.
- Secure Socket Layer (SSL)
Industry standard protocol for securing network connections.
- Remote Authentication Dial-In User service (RADIUS)
Client/server security protocol that enables remote authentication and access.
- Control database access using tools like Kerberos, Oracle grant security, Oracle wallet security, Oracle virtual private databases.
- For remote database access, only secure key access will be allowed (secure shell (SSH) or VPN).
7. Manage Sensitive Data
Leaking sensitive or confidential data can lead to deteriorative consequences. Thus, personally identifiable information, protected health information, proprietary information and intellectual property should be treated with extra care.
First of all, you need to indicate where is it. There are various solutions designed to search data across multiple platforms. Oracle Database has a built-in Transparent Sensitive Data Protection utility.
DBAs must administer databases but not the data, so as the third-party developers and testers. Data masking solutions can be of a great help in this case.
8. Use Additional Security Tools
The most vulnerable object in a production environment is the database but majority of companies spend most of the money from their security fund for network security. Database protection should be given more attention.
- Database Activity Monitoring
If your company can afford DAM tools, it can be very useful. They provide full visibility of all database activity and system changes in real-time. It will notify DBAs in case any suspicious activity is detected. Integrate it with a SIEM system and you will get real-time analysis of security threats so that you will be able to take immediate actions against incipient attacks.
Oracle Advanced Security Database option includes a DAM tool. Third-party solutions can be used as well.
- Database Firewall
Functioning as a proxy, database firewall proceeds inbound and outbound database traffic and protects from SQL injection and unauthorized access attempts. You can learn how a firewall protects against SQL injection attacks on the example of our product.
- Database Traffic Encryption
Oracle Advanced Security Database option includes a data encryption tool. Third-party solutions can be used as well.
These solutions convert plaintext data into unintelligible ciphertext based on a special key so that only authorized parties can access it. Without knowledge of the encryption algorithm, it is almost impossible to retrieve the original data from the encrypted text.
9. Teach ‘em! Сybersecurity Illiteracy Liquidation
None of the mentioned above measures will work out if your colleagues stick passwords to their monitors and download attachments of malicious emails. According to the latest IBM Security report, 60% of cybersecurity threats come from the inside. It can be a malicious insider or an inadvertent actor.
Organize a security training. Explain regular workers the importance of taking precautions. It is also helpful to apprise them about security legislation and penalties laid by regulatory organs for non-compliance and cybercrimes.
10. Be Paranoid
We monitor news on information security on a regular basis; and it’s surprising how so tremendously huge corporations get hacked. The companies which can afford the best security applications. Why is this happening? Apparently, the answer to this question lies in the approach to the matter. If you think of your work procedures as a boring unnecessary routine, you will leave some of the important issues without attention and somehow get hacked. But if you realize the responsibility of your position and want to do it right, you should become paranoid. Expect attacks any minute from every direction.
Be scrupulous and don’t let anyone neglect protective measures. Go through all security recommendations by Oracle (the link can be found in the References section). It is tough work but worth the effort. People rarely talk about repelled attacks but if your company’s name doesn’t appear in security digests, we know it is you, dear security man, who has done the job the way it should be done.