Top Oracle Database Security Threats Come from the InsideSep 20, 2014 / Posted By:Robert Buda
Your Oracle databases contain some of your company’s most valuable assets: financial data, customer data, intellectual property, corporate secrets and so on. That means they’ll be among the top targets of cybercriminals—both outside and inside the firewall.
The fact that they sit behind your network doesn’t mean your Oracle databases aren’t vulnerable. And with the increase in the number and usage of databases, the frequency of attacks is also on the rise.
While threats to corporate data are diverse, database security experts put one threat at the top: your own Oracle DBAs and system administrators. These employees can gain access to sensitive data as well as configure systems, modify databases and grant or alter access controls. Sometimes software developers can also see and manipulate sensitive data as it moves through development and test environments.
Insider threats come in two primary forms:
- Excessive privilege abuse—when database users are granted privileges that exceed what they need to do their jobs, and they abuse them deliberately.
- Legitimate privilege abuse—when database users use privileges they legitimately need for unauthorized reasons.
The classic example of excessive privilege abuse is the whole chain of unnecessary access permissions that enabled Edward Snowden, a sysadmin, to blow the whistle on the NSA. Another example would be a software developer who takes advantage of vulnerabilities in the code she’s working with to give herself administrative privilege and access data or even financial accounts.
An all-to-common example of legitimate privilege abuse is a harried employee who takes paper records containing personally identifiable information (PII) home in her briefcase, in flagrant violation of company policy that nobody seems to care much about, so she can get caught up. She pops into a coffee shop, the briefcase is stolen from her car, and her organization must deal with public embarrassment and fines from regulators.
To deal with both malicious and “innocent” insider threats to your Oracle data, you need to know that your Oracle DBAs and others have only the privileges they require. You also need strong security policies and reliable means to monitor, enforce and educate employees about them.
To ensure Oracle database security from the inside out, it’s highly recommended to seek support from a trusted, unbiased expert outside the organization. A database security assessment is notoriously difficult to perform with in-house resources, for a variety of reasons. For example, employees are often “too close” to how things work now to spot vulnerabilities or make the best recommendations. Employees also can sometimes be resistant to recommending and supporting effective change. Office politics can also play a negative role in “gap assessment” and enforcing security controls.
Finally and most importantly, database security assessment requires expertise and a holistic perspective, as well as automated tools. There are important steps you need to take, both inside and outside Oracle, to secure your data and the systems and processes that operate on it. Database security is critical to the health and welfare of your organization—don’t leave it to chance.
Contact Buda Consulting to start a conversation on how to cost-effectively ensure and verify your Oracle database security.