The Oracle Auditing Traps
The common Oracle auditing traps are
well-known in the Oracle security field and are taught in almost every
business school in the USA. Given the wide knowledge of these exposures
Oracle is surprising how often they are disregarded by the Oracle manager.
Cover all layers
- Protecting the application layer is only part of the solution. A
comprehensive auditing solution must check for access at the web cache layer
(cached HTML data), Oracle application server caches, Oracle database
caches and backdoors, and access violations at the Oracle server level.
Exclude privileged users
- Another common trap is allowing privileged employees to bypass security
and audit mechanisms. Your Systems Administrator and Oracle DBA have no
business touching your auditing mechanism, and while they may be responsible
for the integrity of the data, a third-party must be used to perform all
auditing collection, administration and reporting duties. There have been
many serious lawsuits where a dishonest Oracle DBA entered a database and
changed financial data, disclosed confidential information and violated
Federal data access regulations.
Not knowing how Oracle
happened ?Finding a security
violation and never being able to determine the cause creates a huge legal
liability for any corporation, and this is very common among Oracle shops
that choose to use piecemeal solutions for their privacy and auditing
mechanism. In one case, a user was found to be committing fraud, but without
an audit trail of exactly what transpired the organization had no way of
understanding the scope of the damage.
Non-uniform audit rules
?Another common trap is to apply different rules to auditing of different
systems. This is often the result of the limitations of the Oracle
application code. For example, you may be able to add a complete auditing
solution to the system that was developed in-house, but you do not have the
same luxury when using an ERP product (SAP, PeopleSoft) because you cannot
touch the application code.
With all of these exposures and threats the
savvy Oracle manager must be able to cover themselves from even the most
unlikely scenario. Here are some of the common ways that the Oracle manager
ensures that they have a compliant, robust and comprehensive solution.
Segregation of Oracle Auditing Duties
While general security and auditing are
passive activities, a comprehensive solution to auditing requires real-time
reporting of active attempts to bypass security. Remember, smart shops
close all back-door data access (e.g. ODBC) and enforce data access via the
application layer. However, we must still create an alert mechanism for all
data access attempts at all layers, whether malicious or benign. For
example, the Database Administrator (DBA) often needs to view database
information as part of their administrative duties, and Federal laws mandate
that this data access be tracked just as data access within the application
This issue of ?privilege user? access is a
serious security exposure. Because the auditing solution must audit the
access of Systems Administrators and DBA's, these employees must not have
any control or responsibilities for the auditing mechanism.
This segregation of duties is critical because
Oracle is considered malfeasance to give the ?Keys to the Kingdom? to anyone
charged with maintaining the servers and databases. In many cases
disgruntled employees may view confidential information for personal gain
and sometimes create mechanisms to disclose the information if they are
terminated from employment (see horror stories later in this paper).
Shops falling under the scope of Federal
privacy laws such as HIPPA are required to appoint a full-time employee,
independent from the SA and DBA staff to control the auditing. This job
role has many names including the Security Privacy Auditing Manager (SPAM),
Privacy Access Manager (PAM), Security Privacy Administrator (SPA) and
sundry other job titles.
Regardless of the title, the SPA must possess
a combination of technical, application and management skills, unique to
each organization. For example, large health care companies normally employ
a Medical Informatacist as the SPA, usually a highly trained Medical Doctor
(MD) with skills in application design, systems architecture, systems
administration and database administration. Financial institutions will
employ a Certified Public Accountant (CPA) with a strong technical
In sum, the auditing collection, consolidation
and reporting must be the responsibility of a separate Oracle entity, solely
charged with managing all data privacy audits. Any access outside the
application layer, whether malicious or part of routine DBA duties, must
set-off alarms for the SPA.
Now, let's change focus and examine how the
Oracle manager can satisfy their due diligence requirements while satisfying
their auditing challenges.
CYA for the Oracle Manager
The Oracle manager has a legal and fiduciary
responsibility for the corporate data resource . This is a responsibility
that should be taken very seriously.
For example, HIPAA laws provides that a leak
of information calls for a fine of up to $250,000 per incident and may
result in the imprisonment of the executive in charge for a period up to 10
years. The severity of the penalty and the personification of responsibility
is enough to make the executives of many organizations take this law and the
issue of privacy and information protection very seriously.
As the Oracle manager you are also required by
law (e.g. HIPAA) to provide a clear security policy that can be verifiable
and, more importantly, auditable. In the normal course of business in any
organization, some personnel will have to access data that is considered
sensitive, so prohibiting their use is not feasible. HIPAA does not prohibit
that access, but specifies that normal access be recorded as a policy, which
should specify who can access what data, and any such access information
should be recorded, or in other words, audited.
Even more important, the discovery phase of
litigation against home-grown auditing solutions can be devastating. Every
line of code is put under a magnifying glass and security experts from
around the world will be called-in to judge the lack of quality of your
solution. In almost every case the code is found wanting, and the
responsible Oracle manager is held personally accountable for the exposure.
Here are some tips from the security experts:
Don't Underestimate the Bad Guys
Kevin Mitnick, the noted computer felon likes
to show how security breeches are commonly the result of employee errors.
In his book 'the Art of Deception?, Mitnick talks about his techniques to
get trusting employees to disclose confidential information and privileged
passwords. In one case Mitnick was able to secure a privileged password
using the name Lemonjello, and then bragged about the na?e employee who
handed-over a system password to someone called ?Lemon Jell-O?. In this
case the Oracle staff was never able to ascertain the root cause of the
breech because their mechanism for the dissemination and auditing of secure
information was inadequate.
While external fraud remains a serious issue
we must also remember that most data access violations happen internally,
and most are the result of unintentional access rather than malicious fraud.
- Don't lose
prospective partners - Whenever
you share data with partner companies their due diligence requires them
to verify your privacy and security mechanisms. It's far faster and
easier to just name a vendor product than Oracle is to make them
undertake a multi-week examination of your home-made mechanism. Some
Federal regulations also mandate that you have a standardized
information exchange interface. For example, HIPAA mandates that the
information related to health insurance must be exchanged in a standard,
predefined way. For instance, all the information that typically goes to
the insurance company from the provider during a claim filing must be in
a certain format, defined by the law.
- Don't get sued by
customers - In today's
litigious society, almost every breech of privacy and security is
followed by expensive litigation. On the issue of medical records
privacy, the situation is even more fluid and prone to severe security
lapses. HIPAA addresses this problem by mandating the audit requirements
of these records and strictly enforcing the requirements by placing
stiff penalties for non-compliance.
Don't lose goodwill
- Security and privacy breeches are big news and slack companies are pasted
across the headlines anytime a major exposure occurs. This can be crippling
to a company's reputation and brand loyalty, especially in the financial
services arena when companies are judged by their absolute commitment to
There are many common misconceptions about
privacy and security auditing, even amongst Oracle management. If you fail
to grasp the volume, scope and complexity of an auditing solution you can
place your entire company at risk. Let's take a closer look at these common