Presentation in 2008 on IT security
Tennessee Board of Regents DBA Collaborative
Security: It’s everyone's responsibility
Presented by: Jeff Hinds, DBA, and Greg Turmel, DBA
UNIX Level: User Accounts
Source Database Level: User accounts
Mid-Tier Level: Application accounts
Operational Data Store: ETL
Enterprise Data Warehouse: Application Accounts
Reporting Application Level: Argos reporting
Securing all levels of Information Access
– Hardware sharing: multiple databases on a single server. Reduced security on one database exposes the others. Mitigation: a 3-tier model that separates the hardware.
– Listener sharing: multiple databases on a single listener. If the listener is taken down, all services are affected. Mitigation: password-protect the listener.
– INB / SSB sharing: multiple services supporting many user interfaces. If one is hacked, the attacker gains access to all applications on the box, and resource exhaustion on one causes a DOS (denial of service) for all. Mitigation: network and application time-outs.
Securing all levels of Information Access
Database Security using PROFILES:
– When to use, how to use, why you should use them.
Example:
CREATE PROFILE TBR_DBA LIMIT
  SESSIONS_PER_USER          DEFAULT
  CPU_PER_SESSION            DEFAULT
  CPU_PER_CALL               DEFAULT
  CONNECT_TIME               DEFAULT
  IDLE_TIME                  DEFAULT
  LOGICAL_READS_PER_SESSION  DEFAULT
  LOGICAL_READS_PER_CALL     DEFAULT
  COMPOSITE_LIMIT            DEFAULT
  PRIVATE_SGA                DEFAULT
  FAILED_LOGIN_ATTEMPTS      3
  PASSWORD_LIFE_TIME         90
  PASSWORD_REUSE_TIME        UNLIMITED
  PASSWORD_REUSE_MAX         5
  PASSWORD_LOCK_TIME         .0415
  PASSWORD_GRACE_TIME        7
  PASSWORD_VERIFY_FUNCTION   VERIFY_FUNCTION;
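A profile only protects the accounts that are actually assigned to it. The following data-dictionary query is an added check, not part of the presentation; it lists each profile's password limits beside the number of open accounts using it, so a profile with lax limits and many users stands out. It assumes SELECT access on DBA_PROFILES and DBA_USERS.

```sql
-- Added audit query (not from the presentation). One row per profile with
-- its password limits pivoted into columns and a count of open accounts.
-- Caveat: in a non-DEFAULT profile a limit of 'DEFAULT' means "inherit the
-- value from the DEFAULT profile", so check that profile's row too.
SELECT p.profile,
       MAX(CASE WHEN p.resource_name = 'FAILED_LOGIN_ATTEMPTS'    THEN p.limit END) AS failed_logins,
       MAX(CASE WHEN p.resource_name = 'PASSWORD_LIFE_TIME'       THEN p.limit END) AS life_days,
       MAX(CASE WHEN p.resource_name = 'PASSWORD_LOCK_TIME'       THEN p.limit END) AS lock_days,
       MAX(CASE WHEN p.resource_name = 'PASSWORD_REUSE_MAX'       THEN p.limit END) AS reuse_max,
       MAX(CASE WHEN p.resource_name = 'PASSWORD_VERIFY_FUNCTION' THEN p.limit END) AS verify_fn,
       (SELECT COUNT(*)
          FROM dba_users u
         WHERE u.profile = p.profile
           AND u.account_status = 'OPEN') AS open_users
  FROM dba_profiles p
 WHERE p.resource_type = 'PASSWORD'
 GROUP BY p.profile
 ORDER BY open_users DESC, p.profile;
```

A row showing FAILED_LOGIN_ATTEMPTS = UNLIMITED or VERIFY_FN = NULL with a large OPEN_USERS count is the first thing to fix.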
Database Security using ROLES:
– What are roles, what can I do with them, why?
Example:
CREATE ROLE TBR_DEV NOT IDENTIFIED;
GRANT ALTER ANY INDEX TO TBR_DEV;
GRANT ALTER ANY TABLE TO TBR_DEV;
GRANT DELETE ANY TABLE TO TBR_DEV;
GRANT INSERT ANY TABLE TO TBR_DEV;
GRANT SELECT ANY TABLE TO TBR_DEV;
GRANT UPDATE ANY TABLE TO TBR_DEV;
GRANT ALTER ANY TRIGGER TO TBR_DEV;
GRANT CREATE ANY SYNONYM TO TBR_DEV;
GRANT SELECT ANY SEQUENCE TO TBR_DEV;
GRANT EXECUTE ANY PROCEDURE TO TBR_DEV;
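Every privilege in TBR_DEV is an "ANY" privilege, so it reaches every schema in the database, and roles can be granted to other roles, which hides who ultimately holds them. The query below is an added example, not from the presentation: it walks the role hierarchy in DBA_ROLE_PRIVS and reports each account that ends up with an ANY system privilege, naming the role it came through. It assumes SELECT access on DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_USERS.

```sql
-- Added audit query (not from the presentation). Part 1 expands role
-- chains (user -> role -> role ...) with CONNECT BY, then joins each role
-- reached to the system privileges granted to it. Part 2 adds privileges
-- granted straight to an account. SYS/SYSTEM and DBA-role holders will
-- appear; the rows to review are the ordinary accounts.
SELECT DISTINCT h.username, h.via_role, sp.privilege
  FROM (SELECT CONNECT_BY_ROOT grantee AS username,
               granted_role            AS via_role
          FROM dba_role_privs
         START WITH grantee IN (SELECT username FROM dba_users)
       CONNECT BY NOCYCLE PRIOR granted_role = grantee) h
  JOIN dba_sys_privs sp ON sp.grantee = h.via_role
 WHERE sp.privilege LIKE '% ANY %'
UNION ALL
SELECT sp.grantee, NULL AS via_role, sp.privilege
  FROM dba_sys_privs sp
 WHERE sp.privilege LIKE '% ANY %'
   AND sp.grantee IN (SELECT username FROM dba_users)
 ORDER BY 1, 3, 2;
```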
Network Devices
Applications
Databases
Servers
Desktops / Laptops
Printers: Yes, but why?
Backups: Yes, but why?
Securing all levels of Information Access
Password Verify function:
ALTER PROFILE TBR_DBA LIMIT PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION
/
Excerpt of the verify function's character-class definitions:
BEGIN
  digitarray := '0123456789';
  chararray  := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
  punctarray := '!"#$%&()``*+,-/:;<=>?_';
Alternatives:
– Refrain from using a password verify function in your user profiles when another authentication process is defined outside of the Oracle database profile. Examples: LUMINIS authentication, LDAP authentication, Active Directory authentication.
Securing user access with password complexity
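The slide shows only the three character-class arrays. What follows is an added, complete verify function written in the same style; it is not the presentation's code and not the script Oracle ships. It assumes it is created as SYS (required for a profile to reference it) and enforces: minimum length 8, password not equal to the username, a short constructed deny-list, at least one letter, digit and punctuation mark, and at least three positions changed from the old password.

```sql
-- Added example (not from the presentation). Create as SYS, then attach
-- with: ALTER PROFILE TBR_DBA LIMIT PASSWORD_VERIFY_FUNCTION verify_function;
CREATE OR REPLACE FUNCTION verify_function (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
    digitarray VARCHAR2(20) := '0123456789';
    chararray  VARCHAR2(52) := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    punctarray VARCHAR2(25) := '!"#$%&()``*+,-/:;<=>?_';
    n_digit    INTEGER;
    n_char     INTEGER;
    n_punct    INTEGER;
    differ     INTEGER;
BEGIN
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not be the username');
    END IF;
    -- Constructed deny-list; extend it with site-specific words
    IF LOWER(password) IN ('welcome', 'password', 'oracle', 'database', 'banner') THEN
        raise_application_error(-20003, 'Password is too simple');
    END IF;
    -- TRANSLATE removes one character class; the length lost is the count of
    -- that class. The sentinel kept (a or 0) must lie outside the class.
    n_digit := LENGTH(password) - NVL(LENGTH(TRANSLATE(password, 'a' || digitarray, 'a')), 0);
    n_char  := LENGTH(password) - NVL(LENGTH(TRANSLATE(password, '0' || chararray,  '0')), 0);
    n_punct := LENGTH(password) - NVL(LENGTH(TRANSLATE(password, 'a' || punctarray, 'a')), 0);
    IF n_digit = 0 OR n_char = 0 OR n_punct = 0 THEN
        raise_application_error(-20004, 'Password needs a letter, a digit and a punctuation mark');
    END IF;
    -- old_password is only supplied when a user changes their own password
    IF old_password IS NOT NULL THEN
        differ := ABS(LENGTH(old_password) - LENGTH(password));
        FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
            IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
                differ := differ + 1;
            END IF;
        END LOOP;
        IF differ < 3 THEN
            raise_application_error(-20005, 'Password must differ from the old one in 3 or more positions');
        END IF;
    END IF;
    RETURN TRUE;
END;
/
```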
DATA SECURITY BREACHES (REPORTED IN THE PRESS SINCE MARCH 2005)
SOURCE: Privacy Rights Clearinghouse

| DATE | NAME (Location) | TYPE OF BREACH | INDIVIDUALS NOTIFIED |
|---|---|---|---|
| December 2007 | Voter Registration Office, Nashville TN | Laptops stolen | 100,000+ |
| Sept. 22, 2006 | Purdue University College of Science | A file on a desktop computer in the Chemistry Department may have been accessed illegitimately. The file contained names, SSNs, school, major, and e-mail addresses of people who were students in 2000. | 2,482 |
| Jan. 23, 2006 | Univ. of Notre Dame | Hackers accessed Social Security numbers, credit card information and check images of school donors. | Unknown |
| March 28, 2005 | U Chicago Hospital (Chicago, IL) | Dishonest insider | Unknown |
| Sept. 15, 2005 | Miami Univ. | Exposed online | 21,762 |
| Sept. 22, 2005 | City University of New York | Exposed online | 350 |
| Dec. 16, 2005 | Colorado Tech. Univ. | Email erroneously sent containing names, phone numbers, email addresses, Social Security numbers and class schedules. | 1,200 |
http://www.washington.edu/president/tacs/utac/meetings/2006-07/materials/10.03.data.security.breaches.report.pdf
TOTALS: 95 incidents
Types of incidents: 53 external hacks; 20 stolen/lost computers (2); 11 handling errors; 8 exposed online; 1 armed robbery; 1 stolen storage device; 1 malicious insider
Total number of individuals notified: 3,024,217 (including unknowns; maybe as high as 3.2 to 3.5 million)
Securing Access: both physical as well as virtual
Banner Security Classes: Job Role classes (BANSECR), Finance (FOMPROF), BAN_DEFAULT_ROLES
Oracle Default Roles: DBA, RESOURCE
Oracle Grants: SELECT ANY (table, dictionary), EXECUTE ANY (procedure)
Third Party: Evisions, Argos, Appworx, etc.
Security: Application Information Access
Banner Passwords: Business Rules / Procedures
Oracle Passwords: Business Rules / Procedures
UNIX Passwords: Business Rules / Procedures
Third Party Apps: Business Rules / Procedures
Firewall access: Ports, IP, SSL, services
Security: Application Information Access
Establish Business Rules / Procedures for each of the following:
Oracle DBA access
UNIX Admin access
BANSECR Security Admin access
Argos Reporting Admin access
Finance / Payroll access
Developer / Programmer access
TNSNAMES net configuration information
Source System access
Target System access
ETL / data feed access
Federal / State legislation (law), HIPAA, SOX 404, etc.
Security: Application Information Access
Contact Information: iDBA web site: http://idba.tbr.edu
Jeff D. Hinds, OCP, Database Administrator, Tennessee Board of Regents, 1415 Murfreesboro Road, Suite 358, Nashville, TN 37217. Email: [email protected]. Office: 615.366.4488
Greg Turmel, Database Administrator, Tennessee Board of Regents, 1415 Murfreesboro Rd., Suite 358, Nashville, TN 37217. Email: [email protected]. Office: 615.366.4467