SEARCH
Disclaimer: Authors have full rights over their works. Reproduction of any part of the content is prohibited without prior authorization.
BOOK PROTECTING ORACLE DATABASE 12C
SUMMARY
-
Items Found: 239
- Part 1: Security Overview and History 1
- Chapter 1: Oracle Security History 3
- Chapter 2: Current State of the Art 7
- Google Hacking tnsnames.ora 7
- Attacking without tnsnames.ora 8
- Attacking the Standby Database 11
- Attacking the Backups 12
- Brute Force Remotely Over the Network 12
- Attacking the SYS Account 15
- TNS Poison Proxy Attack 18
- Privilege Escalation 19
- Database Link Security 20
- Chapter 3: Extrapolating Current Trends 25
- GPU-Supported Password Cracking 25
- Strong Password Philosophy 26
- Raising the Decryption Bar 27
- Moving to the Cloud 28
- Ensuring Replication Security 28
- General Trends 29
- Into the Future 29
- Part 2: Defense Cookbook 31
- Chapter 4: Managing Users in Oracle 33
- User Management Limitations 33
- Controlling System Privilege Usage by Wrapping 33
- Wrapping Alter User 34
- Grant Schema Wide 35
- Time-based Privileges 37
- UM_STATUS 37
- Bypassing User Management Controls 39
- Access to User Password Information 40
- LAST_LOGIN 40
- Chapter 5: Oracle Vulnerability Scanning 43
- Retrospective 43
- Tools of the Trade 43
- Penetration Testing 44
- Reviewing the Results 47
- Additional Protection 50
- Permissions 53
- Chapter 6: Centralized Native Auditing and IPS 55
- The Unified Audit Trail 55
- A Centralized Syslog 56
- Management and Reporting 58
- Searching the Audit Trail 59
- Ongoing Maintenance 60
- Alerting to Syslog Content 61
- Native Intrusion Prevention 61
- Chapter 7: Pluggable Database Primer 65
- Reasons for Pluggable Databases 65
- Simple View of 12c Container Structure 65
- Understanding Users and Roles in 12c 67
- Creating Common Roles 67
- Switching Containers 68
- Cloning the Seed Database 68
- Pluggable DB Commands 68
- Upgrading to 12c Multi-tenancy 69
- Part 3: Security in the 12c Release 71
- Chapter 8: New Security Features in 12C 73
- Data Redaction 73
- Database Auditing 74
- Context of the Changes to Audit Trail in 12c 74
- Actual 12c Release Audit Trail 75
- Privilege Analysis 78
- Transparent Sensitive-Data Protection 79
- Transparent Data Encryption 79
- Database Vault 79
- Database Application Security Architecture 80
- Definer’s Roles 80
- SELECT ANY DICTIONARY Privilege 80
- Breaking Up SYSDBA Privilege 81
- 12c Miscellaneous Security Improvements 81
- Security Features Not in 12c 82
- Chapter 9: Design Flaws, Fixed and Remaining in 12C 83
- Remote SYS Brute-Force Attacks 83
- Default Account Attacks 85
- Privilege Escalation through Public Privileges 85
- Public Privileges 86
- Definer’s Roles 86
- SYSDBA Phishing 89
- Database Link Issues 90
- Passwords 90
- OS Access from the DB 91
- Privilege Escalation to SYSDBA 91
- Privilege Extension 91
- Chapter 10: Security Issues in 12c 93
- Segregated Groups of User Privilege 93
- DBMS_ADVISOR Directory Privileges 94
- GRANT ANY OBJECT PRIVILEGE Control Bypass 102
- Redaction Bypasses 105
- 12c Passwords and Cryptography 107
- DBlink Decryption in 12c 112
- Network Authentication Decryption in 12c 114
- Phishing for SYSDBA 114
- Chapter 11: Advanced Defense and Forensic Response 119
- Controlling the PUBLIC Role 119
- State-Checking Query 119
- OS Checksum Automation 121
- Securing the DB from the OS 123
- Controlling Database Link Permissions 124
- Enterprise Manager and Cloud Control Security 125
- Oracle Forensics 128
- History of Oracle Forensics 129
- Laws Pertaining to Database Forensics and Computer Security 129
- Generic Forensic Response Process 130
- External Sources of Metadata 131
- Audit Trail as a Source of Evidential Metadata 134
- Other Internal Records 136
- Integrity State-Checking of Database Objects 139
- Part 4: Security in Consolidation 143
- Chapter 12: Privileged Access Control Foundations 145
- Privileged Access Control Fundamentals 145
- Multi-Layer Security 145
- MAC and DAC 146
- Trusted Components 146
- Oracle Access Control 146
- Business Drivers for Focus on Privileged Access Control 147
- Social Engineering Attacks 148
- Human Error Vs. Malfeasance 148
- Data-breach Realities 148
- Data Vs Process 148
- Consolidation as PAC Driver 149
- Chapter 13: Privileged Access Control Methods 151
- Surveying Products in the Marketplace 151
- Accounts under Privileged Access Control 151
- SYS Account 152
- Schema-Owning Accounts 152
- Handling Compromised Checksummer 154
- Segregation of Duty (SoD) 154
- Privilege Escalation 155
- Privileged Access Control Structures 157
- Password Hub 157
- Terminal Hub Systems 159
- Generic Security Issues with Hub PAC Servers 159
- External DBA Access 160
- Pros and Cons of Terminal Hub 160
- Four-Eye “Extreme” Database Administration 161
- Non-Human Application Account Management 161
- Resistance to Passing Privilege Power to PAC Servers 161
- OPAM 162
- Break-Glass Access Control Systems 162
- Chapter 14: Securing Privileged Access Control Systems 163
- Privilege Access Control Communications 163
- OCI New Password 164
- Perl Pre-Hash Generation 165
- Oracle Network Encryption 166
- Privileged Access Control’s Achilles’ Heel 168
- Database Vault 170
- Splitting SYS at the OS in 12c 170
- Native Auditing and Security Monitoring 173
- Unix Access to Oracle 175
- Unix Access to SYS in 12c 176
- Chapter 15: Rootkit Checker and Security Monitoring 181
- Detecting First-Generation Rootkits 182
- Root Verification of Checksummer Integrity 187
- Further Work 189
- Detecting Second-Generation Rootkits 190
- Oracle Binary Integrity 190
- Third-Generation In-Memory Rootkits 192
- Pinned Backdoor Packages in the SGA 193
- Deleted User Still in the SGA 195
- Detecting Oradebug Usage 196
- Meterpreter-Style in Memory Backdoor 197
- Unix Privileged Access Control 199
- Capabilities and Root 201
- Self-replicating Rootkits 201
- .bsq Files 201
- The Seed Database 202
- Part 5: Architectural Risk Management 205
- Chapter 16: Oracle Security Architecture Foundations 207
- EM12c Architectural Control 207
- Why Do We Need Architectural Thinking? 207
- Security Architecture Theory 208
- TOGAF Architecture Development Process 208
- SABSA Security Architecture Framework 209
- Organizational Risk Reduction 211
- Organizational Risk Incentive 212
- Compliance and Audit 212
- Chapter 17: Enterprise Manager 12C as a Security Tool 215
- EM12c Introduction and General Usage 215
- Comparisons 217
- Using EM12c to Secure Your DB Estate 221
- Certified Templates 222
- Oracle-Provided Templates 223
- OS Administration in EM12c 225
- Running Host OS Commands from EM 227
- Directly Edit the Password File? 229
- Named Credentials Listed 231
- Detail of a DB-Named Credential 232
- Detail of an OS-Named Credential 233
- EXECMD Numbers 234
- Immutable EXECMD Log 235
- Historic Command Listing 236
- Immutable Log of Command 237
- Incidents 238
- Security Configurations on the Target 240
- Option-Pack Listing in EM 241
- Compliance Library 242
- Facets—State-checking within EM CC 246
- State-checking glogin.sql Using a Facet 247
- EM12c Reports 251
- Create a Job in EM 253
- Using EM to Patch the DB Estate 254
- Message from Oracle Regarding Patching 255
- Instructions for Offline Patching 256
- Chapter 18: Defending Enterprise Manager 12C 261
- Securing Availability 261
- Securing Network Communications 262
- Confirming EM Network Encryption 263
- Enterprise Manager Users, Roles, and Privileges 264
- Administrators in Cloud Control 264
- EM User Roles 265
- Super Administrators 267
- Security Issues Exposed 272
- Hacking the Repository 272
- Defending the Repository 274
- PUBLIC for EM reports 275
- Adaptive Delay Triggered by Failed Logins 278
- Applying a Corrective Action 284
- Chapter 19: “The Cloud” and Privileged Access 287
- Historical Context to the Cloud 287
- What Is the Cloud? 287
- Benefits of Cloud Computing 288
- Issues Agreeing and Implementing Cloud 288
- Latency Testing 289
- Moving to Oracle Cloud with EM12c 291
- EM12c Consolidation Planner 291
- Privileged Access Control in the Cloud with EM12c and PowerBroker 292
- Identity Management in the Cloud 295
- Chapter 20: Management and Conclusions 297
- Topics Not Covered–Future Work 297
- Cloud Identity Management 297
- Enterprise User Security (EUS) 297
- Engineered Systems 298
- Big Data 298
- BTRFS 298
- Future Learning Sources 299
- Managing Change 299
- Multi-tenant Future? 299
- Conclusions 300
- Index 303
