Oracle Database Security Best Practices
Developers are constantly trying to make Oracle Database safer. We can see that Oracle Database 12c has made a great contribution to it. None of the database management systems is secure by default, however, most of the security threats can be avoided by configuring the environment properly. In this article, we will summarize our knowledge of Oracle Database security and provide you with the main measures you should consider when starting to use Oracle Database.
1. Get Rid of Default and Weak Passwords
This must be the very first thing to deal with when it comes to database security. If you are using passwords that can be easily hacked or brute-forced, any other security measures will be as useless as a shoe shop in the Shire. It is logical that attackers start with easy ways that can cause the maximum damage. We hope that after recent infamous attacks on misconfigured MongoDB and other databases, the majority of people got the message. Do not leave default or weak passwords and ensure stored passwords are hashed.
Find user accounts that have default passwords using the following script:
sqlpus sys as sysdba Enter password: password SELECT d.username, u.account_status FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u WHERE d.username = u.username ORDER BY 2,1;
Use the Checkpwd program to identify accounts with weak passwords. It is a dictionary based password checker for Oracle databases.
>checkpwd system/oracle@//127.0.0.1:1521/orcl password_list.txt
The program Checkpwd reads the password hashes from the dba_users view and compares the hashkeys with the hashkeys calculated from a dictionary file. It shows the list of weak passwords so you can change them.
2. Update and Patch
The next step you should do is to install the latest version of the database management system. Once updated, you can work without bugs and other already fixed issues.
Four times a year Oracle releases Critical Patch Update that resolves tons of critical security vulnerabilities in various platforms including Oracle Database. With the update, Oracle trots out the general information about fixed vulnerabilities, which attackers instantaneously start to analyze and prepare exploits for. According to the latest Wallarm report, it takes 2 to 4 hours until hackers start exploiting a newly reported vulnerability. Thus make sure you don’t miss the update so that you don’t become a victim of an attacker who prepared an exploit for the vulnerability existing on unpatched versions.
You can check for the timetable of Critical Patch Updates here.
3. Separation of Duties
Do you know the pipeline architecture where each member of the system does only its job and nothing more? It sounds boring but yet you should consider implementing the likewise architecture to your working environment. Think twice before starting to distribute privileges like fliers.
Generally, the best practice is to remove all privileges and start to grant them on a ‘need-to-know’ basis. Get a fresh start. This will help you avoid the scenarios when a security guy wasn’t careful enough to notice that a John from management department had an access to proprietary information and trade secrets.
4. Password Management
For years administrators stored the account passwords unencrypted in a script or configuration file. Oracle has Secure Password Store to address this problem. The feature allows you to create the wallet file where you can securely store database credentials.
Oracle Database has a set of tools to protect against password attacks. Some of them are disabled by default.
Verification of Password Complexity
Oracle Database has a sample password verification function in the PL/SQL scripts UTLPWDMG.SQL ($ORACLE_HOME/rdbms/ admin). The script is disabled by default. To enable it, log in to SQL*Plus with administrative privileges and run the script.
CONNECT SYS/AS SYSDBA Enter password: password @$ORACLE_HOME/RDBMS/ADMIN/utlpwdmg.sql
The parameters specifying password requirements are set by default but you can change their value at your own discretion. Since the 11g version, case sensitivity for passwords is enabled by default.
Enable locking accounts after 3 invalid attempts for a certain period of time. It will greatly reduce the risk of brute-force attacks. Set the following parameters to specify account lockouts for an Oracle profile:
FAILED_LOGIN_ATEMPTS 3 PASSWORD_LOCK_TIME 10
The argument of the second parameter is set to 10 days.
Use the INACTIVE_ACCOUNT_TIME parameter to set inactivity period after which the account will be locked (the value is also expressed in days).
5. Change Default Audit Settings
Oracle 12c has introduced Unified Audit Data Trail which combines SYS.AUD$ for the database audit trail, SYS.FGA_LOG$ for fine-grained auditing, DVSYS.AUDIT_TRAIL$ for Oracle Database Vault and Oracle Label Security.
In Oracle 12c the default value of audit_sys_operations is TRUE, but if your company uses the older version, you need to enable the parameter so that SQL commands by user sys will be audited.
Change it using the following command and reboot the database:
SQL> alter system set audit_sys_operations=true scope=spfile;
To audit SQL commands enable audit_trail.
SQL> alter system set audit_trail=DB,EXTENDED scope=spfile;
When starting to work with Oracle Database 12c, you can use the mixed mode by creating a policy with the CREATE AUDIT POLICY command then enable it with the AUDIT command. You can also use predefined policies (refer here to learn about default audit policies).
6. Strong Authentication
Authentication of user identity is imperative in distributed environments. Apart from default authentication, Oracle Database supports third-party industry-standard authentication protocols and services. To utilize them, you need to implement some configuration changes.
Authentication protocol designed primarily for a client-server model and it provides mutual authentication.
Secure Socket Layer (SSL)
Industry standard protocol for securing network connections.
Remote Authentication Dial-In User service (RADIUS)
Client/server security protocol that enables remote authentication and access.
Control database access using tools like Kerberos, Oracle grant security, Oracle wallet security, Oracle virtual private databases, Oracle grant execute security.
For remote database access, only secure key access will be allowed (secure shell (SSH) or VPN).
7. Sensitive Data Management
Leaking sensitive or confidential data can lead to deteriorative consequences. Thus personally identifiable information, protected health information, proprietary information and intellectual property should be treated with extra care.
First of all, you need to indicate where is it. There are various solutions designed to search data across multiple platforms. Oracle Database has a built-in Transparent Sensitive Data Protection utility.
DBAs must administer databases but not the data, so as the third-party developers and testers. Data masking solutions can be of a great help in this case.
8. Implement Additional Security Tools
The most vulnerable object in a production environment is the database but majority of companies spend most of the money from their security fund for network security. Database protection should be given more attention.
Database Activity Monitoring
If your company can afford DAM tools, it can be very useful. They provide full visibility of all database activity and system changes in real-time. It will notify DBAs in case any suspicious activity is detected. Integrate it with a SIEM system and you will get real-time analysis of security threats so that you will be able to take immediate actions against incipient attacks.
Oracle Advanced Security Database option includes a DAM tool. Third-party solutions can be used as well.
Functioning as a proxy, database firewall proceeds inbound and outbound database traffic and protects from SQL injection and unauthorized access attempts. You can learn how a firewall protects against SQL injection attacks on the example of our product.
Database Traffic Encryption
Oracle Advanced Security Database option includes a data encryption tool. Third-party solutions can be used as well.
These solutions convert plaintext data into unintelligible ciphertext based on a special key so that only authorized parties can access it. Without knowledge of the encryption algorithm, it is almost impossible to retrieve the original data from the encrypted text.
9. Teach ‘em. Сybersecurity Illiteracy Liquidation
None of the mentioned above measures will work out if your colleagues stick passwords to their monitors and download attachments of malicious emails. According to the latest IBM Security report, 60% of cyber security threats come from the inside. It can be a malicious insider or an inadvertent actor.
Organize a security training. Explain regular workers the importance of taking precautions. It is also helpful to apprise them about information security legislation and provide the amount of penalties laid by regulatory organs for non-compliance and committing cyber crimes.
10. Be Paranoid
On a regular basis, we monitor news on information security and the interesting point here is that so many tremendously huge corporations get hacked. The companies which can afford the best security applications. Why is this happening? Apparently, the answer to this question lies in the approach to the matter. If you think of your work procedures as a boring unnecessary routine, you will leave some of the important issues without attention and somehow get hacked. But if you will realize the responsibility of your position and want to do it right, you should become paranoid. Expect attacks any minute from every direction.
Be scrupulous and don’t let anyone neglect protective measures. Go through all security recommendations by Oracle (the link can be found in the References section). It requires major effort but it’s worth it. People rarely talk about the repelled attacks, but if your company’s name doesn’t appear in security digests, we know it is you, dear security man, who has done the job the way it should be done.