Oracle Security Auditing Horror Stories
Don Burleson
Burleson is the co-author of the bestselling book "Oracle Privacy Security Auditing: Includes Federal Law Compliance with HIPAA, Sarbanes-Oxley & The Gramm-Leach-Bliley Act GLB", by Rampant TechPress.
We need not look far to see public cases of computer security violations and the liability suffered by the custodian of the data. With millions of dollars at stake, there are many resourceful people waiting for you to make a mistake and expose your confidential information. Attacks on your information take many forms, ranging from malicious hackers and dishonest employees to honest mistakes. Let's look at some specific ways that companies lose control of their information.
Security breaches, hacks (outside-in)
Threats from hackers remain a major concern, especially threats from overseas countries in Eastern Europe and Asia. Some companies report access attempts by automated hacker "bots" every few minutes, as these rogue programs constantly sweep the Internet looking for ports with access vulnerabilities.

These automated bots contain very sophisticated logic and are designed by criminals to identify and exploit weaknesses in online computer systems. Some of the common exploits include:
· Tipping the user ID - This is where a telnet or FTP access attempt tells you that you have entered a valid ID but provided an improper password.

· No password disabling - Hacker routines love systems that do not disable a user ID after repeated password attempts, and run bots to try hundreds of thousands of passwords until they gain entry.

· Man-in-the-middle attacks - Hackers can gain access to computer systems by guessing the IP address of a connected user and sending a TCP/IP packet with that user's IP information.

· Injection threats - Many database systems have vulnerabilities where access to confidential data can be gained via SQL injection, a technique where a "1=1" string is appended to a sign-on string. For example, this query might return the "real" password for a user named Jane:

    select userid, password
      from dba_users
     where userid = 'jane'
       and password = 'xxx' OR 1=1;

· Buffer Overflow attacks - In these attacks, the web cache buffer is deliberately overloaded to gain unauthorized entry to the system.
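To make the injection point concrete, here is an added example (not code from the article or its book) that puts the vulnerable sign-on query beside the bind-variable form that defeats it. It uses an in-memory SQLite table named after the article's `dba_users` example as a stand-in for Oracle; the table layout, user names and passwords are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the article's dba_users example. SQLite is used
# here instead of Oracle, and the columns follow the article's query rather
# than Oracle's real dictionary view.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table dba_users (userid text, password text)")
    con.executemany("insert into dba_users values (?, ?)",
                    [("jane", "s3cret"), ("bob", "hunter2")])
    return con

def login_concat(con, userid, password):
    """Vulnerable: the sign-on values are pasted into the SQL text, so a
    quote in the password field lets the attacker extend the WHERE clause."""
    sql = ("select userid, password from dba_users "
           f"where userid = '{userid}' and password = '{password}'")
    return con.execute(sql).fetchall()

def login_bound(con, userid, password):
    """Hardened: bind variables send the values separately from the SQL,
    so the same text is compared as a literal password and matches nothing."""
    sql = ("select userid, password from dba_users "
           "where userid = ? and password = ?")
    return con.execute(sql, (userid, password)).fetchall()

# The article's "1=1" trick, written so the quotes still balance:
# ... and password = 'xxx' OR '1'='1'
INJECTED_PASSWORD = "xxx' OR '1'='1"

def demo():
    """Returns (rows leaked by the concatenated query, rows from the bound query)."""
    con = make_db()
    leaked = login_concat(con, "jane", INJECTED_PASSWORD)   # every row, passwords included
    safe = login_bound(con, "jane", INJECTED_PASSWORD)      # empty: no such password
    return leaked, safe

if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated query returned:", leaked)
    print("bound query returned:", safe)
```

An audit trail that records the literal sign-on text of failed attempts will show the `' OR '1'='1` fragment, which is the signature a reviewer should look for in the logs.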
Hacker attempts for web-enabled systems are
constant and many companies report thousands of attempts every day.
A comprehensive auditing system will record all illegal access
attempts and include the time, referrer IP address and all other
relevant information. Let's take a look at a real-world case.
Internal fraud (inside jobs)
IT managers report that internal fraud is the most common type of threat, and special auditing mechanisms must be used to audit all access by authorized employees. Inside job threats include the following:
· Root kit attacks - In a root kit attack, the operating system is compromised. I once fixed a client site with a rootkit that had installed a daemon process that was constantly accessing confidential information and e-mailing it to a competitor. This attack went undiscovered for more than a year, and virtually all of the company's proprietary information was lost.

· Fire-me attacks - Internal IT personnel have been known to write routines that trigger a data extraction on the day their user ID is removed from the computer system. Because most IT procedures require pulling the user ID before notifying the employee, these hackers return home to find all of the confidential information waiting for them in their in-box.

· Trojan Horse - Once an employee gets the internal IP address of another employee, they can map phony sign-on screens onto their boss's display and capture a privileged password. These attacks are usually easy using tools such as X-Windows that allow screen images to be redirected onto other screens.

· PC Privacy Tools - Common tools such as PC Anywhere can be used to look over the shoulder of a co-worker, snooping into their activities and passwords.
There are many documented cases of data disclosure by disgruntled employees, especially "privileged users" who were given unaudited access privileges. Let's look at some specific real-world horror stories. These are not fictional stories. They actually happened, and they serve to show what happens when a slack IT manager entrusts their access and auditing controls to a Systems Administrator or Database Administrator.