Tennessee Board of Regents DBA Collaborative. Security: It's everyone's responsibility. Presented by: Jeff Hinds, DBA; Greg Turmel, DBA.

It symposium 2008 fcf-security_is_everyones_responsibility

Presentation in 2008 on IT security.

Page 1: It symposium 2008 fcf-security_is_everyones_responsibility

Tennessee Board of Regents DBA Collaborative

Security:

It’s everyone's responsibility

Presented by:

Jeff Hinds, DBA
Greg Turmel, DBA

Page 2

UNIX Level: User Accounts

Source Database Level: User accounts

Mid-Tier Level: Application accounts

Operational Data Store: ETL

Enterprise Data Warehouse: Application Accounts

Reporting Application Level: Argos reporting

Securing all levels of Information Access

Page 3

Hardware sharing: multiple databases on a single server. Reduced security on one database exposes the others on the same box. Mitigation: a 3-tier model that separates hardware by function (source database, mid-tier, reporting).

Listener sharing: multiple databases registered with a single listener. If the listener is taken down, every service behind it is unreachable at once. Mitigation: password-protect the listener so lsnrctl stop and set commands require a credential, and set ADMIN_RESTRICTIONS_<listener_name> = ON so runtime parameter changes require editing listener.ora rather than a remote command.

INB / SSB sharing: multiple services supporting many user interfaces on one box. If one service is hacked, the attacker gains access to every application on that box. Resource limits on one application can also cause a denial of service (DOS) for all of them, which users see as network / application time-outs.

Securing all levels of Information Access

Page 4

Database Security using PROFILES:

– When to use, how to use, why you should use them.

Example:

    CREATE PROFILE TBR_DBA LIMIT
      SESSIONS_PER_USER          DEFAULT
      CPU_PER_SESSION            DEFAULT
      CPU_PER_CALL               DEFAULT
      CONNECT_TIME               DEFAULT
      IDLE_TIME                  DEFAULT
      LOGICAL_READS_PER_SESSION  DEFAULT
      LOGICAL_READS_PER_CALL     DEFAULT
      COMPOSITE_LIMIT            DEFAULT
      PRIVATE_SGA                DEFAULT
      FAILED_LOGIN_ATTEMPTS      3
      PASSWORD_LIFE_TIME         90
      PASSWORD_REUSE_TIME        UNLIMITED
      PASSWORD_REUSE_MAX         5
      PASSWORD_LOCK_TIME         .0415
      PASSWORD_GRACE_TIME        7
      PASSWORD_VERIFY_FUNCTION   VERIFY_FUNCTION;

Reading the limits: the time parameters are in days, so PASSWORD_LOCK_TIME .0415 locks an account for roughly one hour after 3 failed logins, and PASSWORD_LIFE_TIME 90 expires a password after 90 days with a 7-day grace period. Note that PASSWORD_REUSE_TIME UNLIMITED together with an integer PASSWORD_REUSE_MAX means Oracle never allows a password to be reused, which is stricter than the "5" suggests; to permit reuse after five changes, both parameters need integer values. A profile is enforced only on the accounts explicitly assigned to it; every other account stays on DEFAULT, whose limits are the ones to check next.
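The queries below are an added example, not from the slides: they show what the TBR_DBA profile actually enforces once inherited DEFAULT entries are resolved, which open accounts are still on the DEFAULT profile, and how to move one. They assume the TBR_DBA profile above exists, that you can read the DBA_ views, and that the account name JHINDS and the excluded Oracle-maintained accounts are illustrative.

```sql
-- Added example (not from the presentation). Assumes the TBR_DBA profile from the
-- slide exists and the session can read the DBA_ dictionary views.

-- 1. Effective limits: a non-DEFAULT profile shows 'DEFAULT' for any parameter it
--    inherits, so resolve each one against the DEFAULT profile.
SELECT p.resource_name,
       p.limit AS tbr_dba_limit,
       CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
  FROM dba_profiles p
  JOIN dba_profiles d
    ON d.resource_name = p.resource_name
   AND d.profile = 'DEFAULT'
 WHERE p.profile = 'TBR_DBA'
   AND p.resource_type = 'PASSWORD'
 ORDER BY p.resource_name;

-- 2. Open accounts that never got a profile and so still run under DEFAULT
--    (on 10g, DEFAULT means no lockout, no expiry, no verify function).
SELECT username, account_status, created, profile
  FROM dba_users
 WHERE profile = 'DEFAULT'
   AND account_status = 'OPEN'
   AND username NOT IN ('SYS', 'SYSTEM', 'DBSNMP', 'SYSMAN')   -- Oracle-maintained; handle separately
 ORDER BY username;

-- 3. Assign the profile. Takes effect at the next login, not mid-session.
--    JHINDS is a hypothetical account name.
ALTER USER jhinds PROFILE tbr_dba;

-- 4. Confirm the lockout is working: after 3 failed logins the status reads
--    'LOCKED(TIMED)' and LOCK_DATE is set; it clears itself after PASSWORD_LOCK_TIME.
SELECT username, account_status, lock_date, profile
  FROM dba_users
 WHERE account_status LIKE 'LOCKED%'
 ORDER BY lock_date DESC;
```

Run step 2 before every term start: application and ETL service accounts created by installers land on DEFAULT, and a 3-attempt lockout on a service account is itself a denial-of-service vector, so give those accounts their own profile with a higher FAILED_LOGIN_ATTEMPTS rather than leaving them on DEFAULT.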

Page 5

Database Security using ROLES:

– What are roles, what can I do with them, and why?

Example:

    CREATE ROLE TBR_DEV NOT IDENTIFIED;
    GRANT ALTER ANY INDEX        TO TBR_DEV;
    GRANT ALTER ANY TABLE        TO TBR_DEV;
    GRANT DELETE ANY TABLE       TO TBR_DEV;
    GRANT INSERT ANY TABLE       TO TBR_DEV;
    GRANT SELECT ANY TABLE       TO TBR_DEV;
    GRANT UPDATE ANY TABLE       TO TBR_DEV;
    GRANT ALTER ANY TRIGGER      TO TBR_DEV;
    GRANT CREATE ANY SYNONYM     TO TBR_DEV;
    GRANT SELECT ANY SEQUENCE    TO TBR_DEV;
    GRANT EXECUTE ANY PROCEDURE  TO TBR_DEV;

Caveat: every one of these ANY privileges applies to every schema in the database, not only the developer's own, so on a shared server a TBR_DEV grantee can read and change every application's data. NOT IDENTIFIED also means the role is enabled automatically at login. Prefer object-level grants on the schema the developer actually works in, and keep the ANY privileges for DBAs.
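As an added example (not from the slides) of the object-level alternative to the ANY-privilege role above: a role whose grants are generated from the data dictionary and limited to one schema, protected by a role password so it is off until the developer enables it. The schema name BANDEV, the role name TBR_DEV_BANDEV, the account DEV01 and the role password are assumptions.

```sql
-- Added example (not from the presentation): a schema-scoped developer role in place
-- of SELECT/INSERT/UPDATE/DELETE ANY TABLE. Assumes a dev schema BANDEV; the role,
-- grantee and password are placeholders. Run as a DBA.

CREATE ROLE tbr_dev_bandev IDENTIFIED BY tbrdev_role_pw;   -- password role: not active until SET ROLE

-- Generate object grants for everything currently in BANDEV. DBMS_ASSERT.ENQUOTE_NAME
-- quotes each name so the dynamic SQL cannot be steered by an odd object name.
BEGIN
  FOR t IN (SELECT table_name FROM dba_tables WHERE owner = 'BANDEV') LOOP
    EXECUTE IMMEDIATE 'GRANT SELECT, INSERT, UPDATE, DELETE ON bandev.'
      || dbms_assert.enquote_name(t.table_name, FALSE) || ' TO tbr_dev_bandev';
  END LOOP;
  FOR s IN (SELECT sequence_name FROM dba_sequences WHERE sequence_owner = 'BANDEV') LOOP
    EXECUTE IMMEDIATE 'GRANT SELECT ON bandev.'
      || dbms_assert.enquote_name(s.sequence_name, FALSE) || ' TO tbr_dev_bandev';
  END LOOP;
  FOR p IN (SELECT object_name FROM dba_objects
             WHERE owner = 'BANDEV' AND object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE')) LOOP
    EXECUTE IMMEDIATE 'GRANT EXECUTE ON bandev.'
      || dbms_assert.enquote_name(p.object_name, FALSE) || ' TO tbr_dev_bandev';
  END LOOP;
END;
/

GRANT tbr_dev_bandev TO dev01;
ALTER USER dev01 DEFAULT ROLE ALL EXCEPT tbr_dev_bandev;   -- stays disabled at login

-- In the developer's own session, when the work actually needs it:
-- SET ROLE tbr_dev_bandev IDENTIFIED BY tbrdev_role_pw;

-- Verify the role carries no system privileges at all (expect zero rows).
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'TBR_DEV_BANDEV';

-- And that its reach stops at the one schema (expect only owner = 'BANDEV').
SELECT DISTINCT owner
  FROM dba_tab_privs
 WHERE grantee = 'TBR_DEV_BANDEV';
```

Object grants cover only objects that exist when the block runs, so re-run the generator after the dev schema gains new tables; that is the price of giving up ANY privileges and it is a small one next to a role that reaches every other school's data on the same server.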

Page 6

Securing all levels of Information Access

Page 7

Securing all levels of Information Access

Page 8

Network devices
Applications
Databases
Servers
Desktops / laptops
Printers: yes, but why? (Networked printers spool the documents they print and keep job logs, and they are rarely patched or password-protected.)
Backups: yes, but why? (A backup tape or dump file is a complete copy of the database with none of the database's access controls around it.)

Securing all levels of Information Access

Page 9

Password verify function:

    ALTER PROFILE TBR_DBA LIMIT PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;

VERIFY_FUNCTION is the function created by Oracle's $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (run as SYS). It classifies the characters of the new password against three sets:

    BEGIN
      digitarray := '0123456789';
      chararray  := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
      punctarray := '!"#$%&()``*+,-/:;<=>?_';

Alternatives:

– Refrain from using a password verify function in your user profiles when another authentication process is defined outside of the Oracle database profile. Examples:

  LUMINIS authentication
  LDAP authentication
  Active Directory authentication

Securing user access with password complexity
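Because the slide shows only the opening lines of Oracle's utlpwdmg.sql function, here is a complete verify function as an added example (not the utlpwdmg.sql code and not TBR's). It must be created in the SYS schema; the profile references it unqualified. The name TBR_VERIFY_FUNCTION, the 8-character minimum, the word list and the account DEV01 are assumptions.

```sql
-- Added example (not from the presentation): a complete password verify function.
-- Create as SYS. The name, minimum length and word list are illustrative choices.
CREATE OR REPLACE FUNCTION tbr_verify_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2        -- NULL unless the user changes it with IDENTIFIED BY new REPLACE old
) RETURN BOOLEAN
IS
  n_digit PLS_INTEGER;
  n_alpha PLS_INTEGER;
  n_other PLS_INTEGER;
  differ  PLS_INTEGER := 0;
BEGIN
  IF LENGTH(password) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;

  -- The username anywhere inside the password, or the usual first-day defaults.
  IF INSTR(UPPER(password), UPPER(username)) > 0
     OR UPPER(password) IN ('WELCOME1', 'PASSWORD1', 'ORACLE123', 'CHANGE_ON_INSTALL') THEN
    raise_application_error(-20002, 'Password is too easy to guess');
  END IF;

  -- Count character classes by stripping everything else (REGEXP_REPLACE is 10g+).
  -- n_other is whatever is left: punctuation, spaces, anything non-alphanumeric.
  n_digit := NVL(LENGTH(REGEXP_REPLACE(password, '[^0-9]',    '')), 0);
  n_alpha := NVL(LENGTH(REGEXP_REPLACE(password, '[^A-Za-z]', '')), 0);
  n_other := LENGTH(password) - n_digit - n_alpha;
  IF n_digit = 0 OR n_alpha = 0 OR n_other = 0 THEN
    raise_application_error(-20003, 'Password needs letters, digits and punctuation');
  END IF;

  -- Must differ from the previous password in at least 3 positions.
  IF old_password IS NOT NULL THEN
    FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    differ := differ + ABS(LENGTH(password) - LENGTH(old_password));
    IF differ < 3 THEN
      raise_application_error(-20004, 'Password must differ from the old one in at least 3 positions');
    END IF;
  END IF;

  RETURN TRUE;
END tbr_verify_function;
/

ALTER PROFILE tbr_dba LIMIT PASSWORD_VERIFY_FUNCTION tbr_verify_function;

-- Negative check from an account on the profile (DEV01 is hypothetical). Expect
-- ORA-28003 with the ORA-20003 text above, since the value has no digit or punctuation:
-- ALTER USER dev01 IDENTIFIED BY abcdefgh;
```

A verify function runs only when a password is set or changed; passwords already in place are untouched until PASSWORD_LIFE_TIME expires them, so attaching the function to the profile is step one and forcing a rotation is step two.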

Page 10

DATA SECURITY BREACHES (REPORTED IN THE PRESS SINCE MARCH 2005)

Source: Privacy Rights Clearinghouse

Date | Name (location) | Type of breach | Individuals notified

December 2007 | Voter Registration Office (Nashville, TN) | Laptops stolen | 100,000+

Sept. 22, 2006 | Purdue University College of Science | A file on a desktop computer in the Chemistry Department may have been accessed illegitimately. The file contained names, SSNs, school, major, and e-mail addresses of people who were students in 2000. | 2,482

Jan. 23, 2006 | Univ. of Notre Dame | Hackers accessed Social Security numbers, credit card information and check images of school donors. | Unknown

March 28, 2005 | U Chicago Hospital (Chicago, IL) | Dishonest insider | Unknown

Sept. 15, 2005 | Miami Univ. | Exposed online | 21,762

Sept. 22, 2005 | City University of New York | Exposed online | 350

Dec. 16, 2005 | Colorado Tech. Univ. | Email erroneously sent containing names, phone numbers, email addresses, Social Security numbers and class schedules. | 1,200

http://www.washington.edu/president/tacs/utac/meetings/2006-07/materials/10.03.data.security.breaches.report.pdf

Page 11

TOTALS: 95 incidents

Types of incidents:
  53 external hacks
  20 stolen / lost (2) computers
  11 handling errors
   8 exposed online
   1 armed robbery
   1 stolen storage device
   1 malicious insider

Total number of individuals notified: 3,024,217 (including unknowns, possibly as high as 3.2 to 3.5 million)

Securing Access: both physical as well as virtual

Page 12

Banner Security Classes:
  Job role classes (BANSECR)
  Finance (FOMPROF)
  BAN_DEFAULT_ROLES

Oracle Default Roles:
  DBA
  RESOURCE

Oracle Grants:
  SELECT ANY (table, dictionary)
  EXECUTE ANY (procedure)

Third Party: Evisions, Argos, Appworx, etc.

Caveat: DBA and RESOURCE are Oracle-supplied roles whose contents change between releases, and on 10g/11g granting RESOURCE also grants UNLIMITED TABLESPACE directly to the account. SELECT ANY DICTIONARY opens the whole data dictionary, password hashes included, so it is a DBA-level grant however it is labelled.
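As an added example (not from the slides), the queries below answer the question this slide raises: who actually ends up holding DBA, RESOURCE, or an ANY grant once Banner security classes, BAN_DEFAULT_ROLES and third-party roles are nested inside one another. They use only the DBA_ dictionary views and assume nothing site-specific; the exclusion of SYS and SYSTEM is an illustrative choice.

```sql
-- Added example (not from the presentation): resolve nested role grants down to
-- the user that holds them. Run as a DBA; needs only DBA_ROLE_PRIVS, DBA_SYS_PRIVS
-- and DBA_USERS. CONNECT BY NOCYCLE is 10g+.

-- 1. Accounts that reach DBA or RESOURCE, directly (hops = 1) or through a chain of
--    roles such as a BANSECR class that was granted a role that was granted DBA.
SELECT DISTINCT CONNECT_BY_ROOT grantee AS username,
       granted_role,
       LEVEL                            AS hops
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'RESOURCE')
 START WITH grantee IN (SELECT username FROM dba_users)
CONNECT BY NOCYCLE PRIOR granted_role = grantee
 ORDER BY username, granted_role;

-- 2. Schema-crossing system privileges, whether granted to the user or to any role
--    in the user's chain. GRANTED_TO shows where to revoke it.
WITH chain AS (
  SELECT CONNECT_BY_ROOT grantee AS username,
         granted_role
    FROM dba_role_privs
   START WITH grantee IN (SELECT username FROM dba_users)
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
holder AS (
  SELECT username, username AS grantee FROM dba_users   -- privileges granted to the user itself
  UNION
  SELECT username, granted_role FROM chain              -- plus every role it can reach
)
SELECT DISTINCT h.username,
       s.privilege,
       s.grantee AS granted_to
  FROM holder h
  JOIN dba_sys_privs s ON s.grantee = h.grantee
 WHERE s.privilege IN ('SELECT ANY TABLE', 'SELECT ANY DICTIONARY',
                       'EXECUTE ANY PROCEDURE', 'INSERT ANY TABLE',
                       'UPDATE ANY TABLE', 'DELETE ANY TABLE', 'UNLIMITED TABLESPACE')
   AND h.username NOT IN ('SYS', 'SYSTEM')
 ORDER BY h.username, s.privilege;
```

In the second result set, UNLIMITED TABLESPACE with granted_to equal to the username is the fingerprint of a RESOURCE grant on 10g/11g: revoking the role does not revoke that privilege, which has to be removed separately.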

Security: Application Information Access

Page 13

Banner passwords: business rules / procedures

Oracle passwords: business rules / procedures

UNIX passwords: business rules / procedures

Third-party apps: business rules / procedures

Firewall access: ports, IP addresses, SSL, services

Security: Application Information Access

Page 14

Establish business rules / procedures for each kind of access:

Oracle DBA access
UNIX admin access
BANSECR security admin access
Argos reporting admin access
Finance / payroll access
Developer / programmer access
TNSNAMES net configuration information
Source system access
Target system access
ETL / data feed access

Federal / state legislation, HIPAA, SOX 404, etc.

Security: Application Information Access

Page 15

Contact Information: iDBA web site: http://idba.tbr.edu

Jeff D. Hinds, OCP
Database Administrator
Tennessee Board of Regents
1415 Murfreesboro Road, Suite 358
Nashville, TN 37217
Email: [email protected]
(Office) 615.366.4488

Greg Turmel
Database Administrator
Tennessee Board of Regents
1415 Murfreesboro Rd. Suite 358
Nashville, TN 37217
Email: [email protected]
(Office) 615.366.4467