Tennessee Board of Regents
DBA Collaborative

Security: It's everyone's responsibility

Presented by:
Jeff Hinds, DBA
Greg Turmel, DBA

Securing all levels of Information Access

UNIX Level:                    User accounts
Source Database Level:         User accounts
Mid-Tier Level:                Application accounts
Operational Data Store:        ETL
Enterprise Data Warehouse:     Application accounts
Reporting Application Level:   Argos reporting

Securing all levels of Information Access

Hardware sharing - multiple databases on a single server
      : reduced security on one database exposes the others
      : 3-tier model for separation of hardware

Listener sharing - multiple databases on a single listener
      : if taken down, affects all services
      : password protecting

INB / SSB sharing - multiple services supporting many user interfaces
      : if hacked, gains access to all apps on the box
      : resource limitation causing DOS (denial of service)
      : network / application timeouts

Database Security using PROFILES:

      - When to use, how to use, why you should use them.

Example:
      CREATE PROFILE TBR_DBA LIMIT
         SESSIONS_PER_USER          DEFAULT
         CPU_PER_SESSION            DEFAULT
         CPU_PER_CALL               DEFAULT
         CONNECT_TIME               DEFAULT
         IDLE_TIME                  DEFAULT
         LOGICAL_READS_PER_SESSION  DEFAULT
         LOGICAL_READS_PER_CALL     DEFAULT
         COMPOSITE_LIMIT            DEFAULT
         PRIVATE_SGA                DEFAULT
         FAILED_LOGIN_ATTEMPTS      3
         PASSWORD_LIFE_TIME         90
         PASSWORD_REUSE_TIME        UNLIMITED
         PASSWORD_REUSE_MAX         5
         PASSWORD_LOCK_TIME         .0415
         PASSWORD_GRACE_TIME        7
         PASSWORD_VERIFY_FUNCTION   VERIFY_FUNCTION;

Database Security using ROLES:

      - What are roles, what can I do with them, and why?

Example:
      CREATE ROLE TBR_DEV NOT IDENTIFIED;

      GRANT ALTER ANY INDEX TO TBR_DEV;
      GRANT ALTER ANY TABLE TO TBR_DEV;

      GRANT DELETE ANY TABLE TO TBR_DEV;
      GRANT INSERT ANY TABLE TO TBR_DEV;
      GRANT SELECT ANY TABLE TO TBR_DEV;
      GRANT UPDATE ANY TABLE TO TBR_DEV;

      GRANT ALTER ANY TRIGGER TO TBR_DEV;
      GRANT CREATE ANY SYNONYM TO TBR_DEV;
      GRANT SELECT ANY SEQUENCE TO TBR_DEV;
      GRANT EXECUTE ANY PROCEDURE TO TBR_DEV;
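The role above carries ANY privileges, which reach into every schema in the database rather than only the developer's own. The following queries are an added example, not part of the presentation, showing how a DBA would review what TBR_DEV conveys and who holds it before handing it out; the user name scott is a placeholder.

```sql
-- Added example (not the presentation's code). Run as a DBA: the DBA_* views
-- need the DBA role or SELECT ANY DICTIONARY.

-- 1. Every system privilege the role carries. Anything containing ANY applies
--    database-wide, so the list shows the real blast radius of the role.
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'TBR_DEV'
 ORDER BY privilege;

-- 2. Who holds the role, and whether it is enabled by default at logon.
SELECT grantee, default_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'TBR_DEV'
 ORDER BY grantee;

-- 3. Other roles that nest TBR_DEV, i.e. indirect paths to the same privileges.
SELECT grantee AS parent_role
  FROM dba_role_privs
 WHERE granted_role = 'TBR_DEV'
   AND grantee IN (SELECT role FROM dba_roles);

-- 4. Same review across the whole database: every account or role holding
--    an ANY privilege, excluding the Oracle-owned defaults.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- 5. Keep the role NOT IDENTIFIED as on the slide, but make it non-default so a
--    developer enables it only in the sessions that need it (SET ROLE TBR_DEV).
ALTER USER scott DEFAULT ROLE ALL EXCEPT TBR_DEV;
```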

Securing all levels of Information Access

      Network devices
      Applications
      Databases
      Servers
      Desktops / laptops
      Printers: Yes, but why?
      Backups: Yes, but why?

Securing user access with password complexity

Password verify function:
      ALTER PROFILE TBR_DBA LIMIT
      PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION
      /

Excerpt from the body of VERIFY_FUNCTION (the character classes it checks for):
      BEGIN
         digitarray := '0123456789';
         chararray  := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
         punctarray := '!"#$%&()``*+,-/:;<=>?_';

Alternatives:
      - Refrain from using a password verify function in your user profiles when another
        authentication process is defined outside of the Oracle database profile.
        Examples:
              LUMINIS authentication
              LDAP authentication
              Active Directory authentication
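The slide shows only the character-class arrays of the verify function and the ALTER PROFILE that attaches it. The block below is an added example, not the presenters' code or Oracle's utlpwdmg.sql, that completes a function in the same style and ties it to the TBR_DBA profile from the PROFILES slide. It assumes the name tbr_verify_function and a placeholder user some_dba; create the function as SYS, since Oracle requires password verify functions to live in the SYS schema.

```sql
-- Added example (not the presentation's code). Assumed name: tbr_verify_function.
-- The signature (username, password, old_password) returning BOOLEAN is what
-- Oracle calls when a password is set or changed under a profile that names it.
CREATE OR REPLACE FUNCTION tbr_verify_function (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
    digitarray VARCHAR2(20) := '0123456789';
    chararray  VARCHAR2(52) := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    punctarray VARCHAR2(25) := '!"#$%&()``*+,-/:;<=>?_';
    has_digit  BOOLEAN := FALSE;
    has_char   BOOLEAN := FALSE;
    has_punct  BOOLEAN := FALSE;
    differ     PLS_INTEGER;
BEGIN
    -- Reject a password equal to the account name (compared case-insensitively).
    IF NLS_LOWER(password) = NLS_LOWER(username) THEN
        raise_application_error(-20001, 'Password same as user');
    END IF;
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20002, 'Password length less than 8');
    END IF;
    -- One pass over the password, recording each character class it contains.
    FOR i IN 1 .. LENGTH(password) LOOP
        IF INSTR(digitarray, SUBSTR(password, i, 1)) > 0 THEN has_digit := TRUE; END IF;
        IF INSTR(chararray,  SUBSTR(password, i, 1)) > 0 THEN has_char  := TRUE; END IF;
        IF INSTR(punctarray, SUBSTR(password, i, 1)) > 0 THEN has_punct := TRUE; END IF;
    END LOOP;
    IF NOT (has_digit AND has_char AND has_punct) THEN
        raise_application_error(-20003, 'Password must contain a digit, a letter and a punctuation mark');
    END IF;
    -- A changed password must differ from the old one in at least 3 positions.
    IF old_password IS NOT NULL THEN
        differ := ABS(LENGTH(old_password) - LENGTH(password));
        FOR i IN 1 .. LEAST(LENGTH(old_password), LENGTH(password)) LOOP
            IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN differ := differ + 1; END IF;
        END LOOP;
        IF differ < 3 THEN
            raise_application_error(-20004, 'Password should differ by at least 3 characters');
        END IF;
    END IF;
    RETURN TRUE;
END;
/
-- Attach the function to the TBR_DBA profile from the PROFILES slide and assign
-- that profile to an account (some_dba is a placeholder user name).
ALTER PROFILE TBR_DBA LIMIT PASSWORD_VERIFY_FUNCTION tbr_verify_function;
ALTER USER some_dba PROFILE TBR_DBA;
```

Existing passwords are not re-checked; the function runs only when a password is set or changed, so the profile's PASSWORD_LIFE_TIME is what eventually forces every account through it.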

DATA SECURITY BREACHES (reported in the press since March 2005)
Source: Privacy Rights Clearinghouse

Date             Name (location)                          Type of breach                                     Individuals notified

December 2007    Voter Registration Office, Nashville TN  Laptops stolen                                     100,000+

Sept. 22, 2006   Purdue University College of Science     A file on a desktop computer in the Chemistry
                                                          Department may have been accessed illegitimately.
                                                          The file contained names, SSNs, school, major,
                                                          and e-mail addresses of people who were
                                                          students in 2000.                                  2,482

Jan. 23, 2006    Univ. of Notre Dame                      Hackers accessed Social Security numbers,
                                                          credit card information and check images
                                                          of school donors.                                  Unknown

March 28, 2005   U Chicago Hospital (Chicago, IL)         Dishonest insider                                  Unknown

Sept. 15, 2005   Miami Univ.                              Exposed online                                     21,762

Sept. 22, 2005   City University of New York              Exposed online                                     350

Dec. 16, 2005    Colorado Tech. Univ.                     Email erroneously sent containing names,
                                                          phone numbers, email addresses, Social
                                                          Security numbers and class schedules.              1,200

http://www.washington.edu/president/tacs/utac/meetings/2006-07/materials/10.03.data.security.breaches.report.pdf

Securing Access: both physical as well as virtual

TOTALS: 95 incidents, by type of incident:
      53 external hacks
      20 stolen/lost (2) computers
      11 handling errors
       8 exposed online
       1 armed robbery
       1 stolen storage device
       1 malicious insider

Total number of individuals notified: 3,024,217
      (including unknowns, maybe as high as 3.2 - 3.5 million)

Security: Application Information Access

Banner Security Classes:      Job role classes (BANSECR)
                              Finance (FOMPROF)
                              BAN_DEFAULT_ROLES

Oracle Default Roles:         DBA
                              RESOURCE

Oracle Grants:                SELECT ANY (table, dictionary)
                              EXECUTE ANY (procedure)

Third Party:                  Evisions, Argos, Appworx, etc.

Security: Application Information Access

Banner Passwords:             Business rules / procedures
Oracle Passwords:             Business rules / procedures
UNIX Passwords:               Business rules / procedures
Third Party Apps:             Business rules / procedures
Firewall access:              Ports, IP, SSL, services

Security: Application Information Access

Oracle DBA Access:                 Establish business rules / procedures
UNIX Admin Access:                 Establish business rules / procedures
BANSECR Security Admin:            Establish business rules / procedures
Argos Reporting Admin Access:      Establish business rules / procedures
Finance / Payroll Access:          Establish business rules / procedures
Developer / Programmer Access:     Establish business rules / procedures
TNSNAMES netconfig information:    Establish business rules / procedures
Source System Access:              Establish business rules / procedures
Target System Access:              Establish business rules / procedures
ETL / data feed Access:            Establish business rules / procedures

Drivers: Federal / State legislation (law), HIPAA, SOX 404, etc.

Contact Information:   http://idba.tbr.edu
iDBA web site:         idba.tbr.edu

Jeff D. Hinds, OCP
Database Administrator
Tennessee Board of Regents
1415 Murfreesboro Road, Suite 358
Nashville, TN 37217
Email: jeff.hinds@tbr.edu
(Office) 615.366.4488

Greg Turmel
Database Administrator
Tennessee Board of Regents
1415 Murfreesboro Road, Suite 358
Nashville, TN 37217
Email: greg.turmel@tbr.edu
(Office) 615.366.4467
