IT Symposium 2008: Security Is Everyone's Responsibility

Presentation in 2008 on IT security

Transcript

  • 1. Tennessee Board of Regents DBA Collaborative. Security: it's everyone's responsibility.
    Presented by: Jeff Hinds, DBA; Greg Turmel, DBA
  • 2. Securing all levels of information access
    - UNIX level: user accounts
    - Source database level: user accounts
    - Mid-tier level: application accounts
    - Operational data store: ETL
    - Enterprise data warehouse: application accounts
    - Reporting application level: Argos reporting
  • 3. Securing all levels of information access
    - Hardware sharing: multiple databases on a single server. Reduced security on one database exposes the others. Mitigation: a 3-tier model that separates the hardware.
    - Listener sharing: multiple databases on a single listener. If the listener is taken down, every service behind it is affected. Mitigation: password-protecting the listener. (Note: from Oracle 10g the listener accepts administrative commands only from its local OS owner by default, and Oracle deprecated listener passwords in 11g; the password mainly governs remote lsnrctl administration.)
    - INB / SSB sharing (Internet Native Banner / Self-Service Banner): multiple services supporting many user interfaces. If one is compromised, the attacker gains access to all applications on the box; resource exhaustion by one service causes a denial of service (DoS) for the rest; network and application timeouts.
  • 4. Database security using PROFILES: when to use, how to use, why you should use them.
    Example:

      CREATE PROFILE TBR_DBA LIMIT
        SESSIONS_PER_USER         DEFAULT
        CPU_PER_SESSION           DEFAULT
        CPU_PER_CALL              DEFAULT
        CONNECT_TIME              DEFAULT
        IDLE_TIME                 DEFAULT
        LOGICAL_READS_PER_SESSION DEFAULT
        LOGICAL_READS_PER_CALL    DEFAULT
        COMPOSITE_LIMIT           DEFAULT
        PRIVATE_SGA               DEFAULT
        FAILED_LOGIN_ATTEMPTS     3
        PASSWORD_LIFE_TIME        90
        PASSWORD_REUSE_TIME       UNLIMITED
        PASSWORD_REUSE_MAX        5
        PASSWORD_LOCK_TIME        .0415
        PASSWORD_GRACE_TIME       7
        PASSWORD_VERIFY_FUNCTION  VERIFY_FUNCTION;

    Points to keep in mind: the time values are in days, so PASSWORD_LOCK_TIME .0415 is about one hour. Setting PASSWORD_REUSE_TIME to UNLIMITED while PASSWORD_REUSE_MAX has a number means a password can never be reused, which is stricter than it looks. The PASSWORD_* limits are always enforced, but the resource limits (sessions, CPU, idle time) only take effect when the RESOURCE_LIMIT initialization parameter is TRUE, and no limit applies to a user until the profile is assigned with ALTER USER ... PROFILE.
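    Added example, not from the presentation: the TBR_DBA profile taken end to end, from creation through assignment to verification against the data dictionary. The account name APP_USER is a hypothetical stand-in, and the ALTER SYSTEM step assumes the instance runs on an spfile.

```sql
-- Added example, not from the presentation. APP_USER is a hypothetical account.

-- 1. Create the profile. The PASSWORD_* limits are enforced unconditionally;
--    the resource limits (SESSIONS_PER_USER, IDLE_TIME, ...) apply only while
--    the RESOURCE_LIMIT parameter is TRUE. Times are in days unless noted.
CREATE PROFILE tbr_dba LIMIT
  SESSIONS_PER_USER        DEFAULT
  IDLE_TIME                30             -- minutes, not days
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_LOCK_TIME       1/24           -- one hour; the slide's .0415 is the same value
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       5
  PASSWORD_REUSE_TIME      UNLIMITED      -- with REUSE_MAX set, a password can never be reused
  PASSWORD_VERIFY_FUNCTION verify_function;  -- from utlpwdmg.sql; must already exist in SYS

-- 2. Attach it. A profile enforces nothing until a user is assigned to it.
ALTER USER app_user PROFILE tbr_dba;

-- 3. Switch on enforcement of the non-password limits (persisted in the spfile).
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- 4. Confirm what is actually in force for the profile.
SELECT resource_type, resource_name, limit
FROM   dba_profiles
WHERE  profile = 'TBR_DBA'
ORDER  BY resource_type, resource_name;

-- 5. Accounts still on DEFAULT, plus anything currently locked by failed logins.
SELECT username, profile, account_status, lock_date, expiry_date
FROM   dba_users
WHERE  profile = 'DEFAULT'
OR     account_status LIKE '%LOCKED%'
ORDER  BY username;
```

    Run steps 4 and 5 after every profile change; the second query is the one that catches service accounts quietly left on DEFAULT, which is where most sites lose the benefit of the profile.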
  • 5. Database security using ROLES: what roles are, what you can do with them, and why.
    Example:

      CREATE ROLE TBR_DEV NOT IDENTIFIED;
      GRANT ALTER ANY INDEX      TO TBR_DEV;
      GRANT ALTER ANY TABLE      TO TBR_DEV;
      GRANT DELETE ANY TABLE     TO TBR_DEV;
      GRANT INSERT ANY TABLE     TO TBR_DEV;
      GRANT SELECT ANY TABLE     TO TBR_DEV;
      GRANT UPDATE ANY TABLE     TO TBR_DEV;
      GRANT ALTER ANY TRIGGER    TO TBR_DEV;
      GRANT CREATE ANY SYNONYM   TO TBR_DEV;
      GRANT SELECT ANY SEQUENCE  TO TBR_DEV;
      GRANT EXECUTE ANY PROCEDURE TO TBR_DEV;

    Caveat: the ANY system privileges above apply to every schema in the database, not to one application, so a holder of TBR_DEV can read and change any application's tables. Only the SYS-owned dictionary is excluded, and only while O7_DICTIONARY_ACCESSIBILITY is FALSE (the default since Oracle 9i); SELECT ANY DICTIONARY is the separate privilege that opens it.
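    Added example, not from the presentation: a least-privilege counterpart to TBR_DEV. The ANY privileges the slide grants cannot be narrowed to one application, whereas object grants can, and a password-protected role lets write access stay switched off until a session deliberately enables it. The schema APPOWNER, its objects, the account JSMITH and the role password are hypothetical stand-ins.

```sql
-- Added example, not from the presentation. APPOWNER, its objects, JSMITH and
-- the role password are hypothetical stand-ins.

-- A read-only role scoped to named objects. Object grants are recorded in
-- DBA_TAB_PRIVS and reach only what is listed, unlike SELECT ANY TABLE.
CREATE ROLE tbr_dev_ro NOT IDENTIFIED;
GRANT SELECT  ON appowner.student_master TO tbr_dev_ro;
GRANT SELECT  ON appowner.course_enroll  TO tbr_dev_ro;
GRANT EXECUTE ON appowner.pkg_lookup     TO tbr_dev_ro;

-- A write role protected by a password: it is granted to the user, but a
-- session must enable it explicitly with the password before the grants apply.
CREATE ROLE tbr_dev_dml IDENTIFIED BY Ex4mple_r0le_pw;   -- hypothetical value
GRANT INSERT, UPDATE, DELETE ON appowner.course_enroll TO tbr_dev_dml;

GRANT tbr_dev_ro, tbr_dev_dml TO jsmith;

-- Only the read-only role is enabled at logon; the write role stays off.
ALTER USER jsmith DEFAULT ROLE ALL EXCEPT tbr_dev_dml;

-- In the developer's own session, only when a change is actually needed.
-- SET ROLE replaces the whole enabled-role set, so every wanted role is listed.
SET ROLE tbr_dev_ro, tbr_dev_dml IDENTIFIED BY Ex4mple_r0le_pw;

-- What the session can do right now, as opposed to what it has been granted.
SELECT role FROM session_roles ORDER BY role;

-- Everything JSMITH can reach through one level of roles, plus direct grants.
SELECT r.granted_role AS via_role, p.privilege
FROM   dba_role_privs r
JOIN   dba_sys_privs  p ON p.grantee = r.granted_role
WHERE  r.grantee = 'JSMITH'
UNION ALL
SELECT '(direct)', privilege
FROM   dba_sys_privs
WHERE  grantee = 'JSMITH'
ORDER  BY 1, 2;
```

    The pattern splits "what the account may ever do" (GRANT) from "what this session is doing now" (SET ROLE), which is the practical meaning of least privilege for a developer account that occasionally needs to write.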
  • 6. Securing all levels of information access
  • 7. Securing all levels of information access
  • 8. Securing all levels of information access
    - Network devices
    - Applications
    - Databases
    - Servers
    - Desktops / laptops
    - Printers: yes, but why?
    - Backups: yes, but why?
  • 9. Securing user access with password complexity
    Password verify function. The excerpt matches the VERIFY_FUNCTION that Oracle's $ORACLE_HOME/rdbms/admin/utlpwdmg.sql creates in the SYS schema:

      ALTER PROFILE TBR_DBA LIMIT PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;

      -- inside VERIFY_FUNCTION: the three character classes a password must draw from
      BEGIN
        digitarray := '0123456789';
        chararray  := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        punctarray := '!"#$%&()``*+,-/:;<=>?_';

    Alternatives: refrain from using a password verify function in your user profiles when another authentication process is defined outside the Oracle database profile. Examples: Luminis authentication, LDAP authentication, Active Directory authentication.
    Caveat: a verify function runs only when a password is set or changed inside the database (CREATE USER / ALTER USER ... IDENTIFIED BY); it does not re-check passwords that already exist, and it never sees the credentials of accounts that authenticate through an external directory.
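    Added example, not the function on the slide: a complete verify function that carries the three character classes above through to working checks (minimum length, not the username, not a common word, at least one character from each class, and at least three characters changed from the previous password). Oracle requires the function named in PASSWORD_VERIFY_FUNCTION to be owned by SYS, so it is created there. The name tbr_verify_function, the error codes and the short common-word list are assumptions for the example.

```sql
-- Added example, not from the presentation. Create as SYS. The function name,
-- error codes and the common-word list are assumptions.
CREATE OR REPLACE FUNCTION tbr_verify_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  -- The same three character classes the slide quotes from utlpwdmg.sql.
  digitarray VARCHAR2(20) := '0123456789';
  chararray  VARCHAR2(52) := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
  punctarray VARCHAR2(25) := '!"#$%&()``*+,-/:;<=>?_';

  -- TRUE when at least one character of p belongs to the class string cls.
  FUNCTION has_char_from (p VARCHAR2, cls VARCHAR2) RETURN BOOLEAN IS
  BEGIN
    FOR i IN 1 .. LENGTH(p) LOOP
      IF INSTR(cls, SUBSTR(p, i, 1)) > 0 THEN
        RETURN TRUE;
      END IF;
    END LOOP;
    RETURN FALSE;
  END has_char_from;

  -- Positions at which a and b differ, plus any difference in length.
  FUNCTION differ_count (a VARCHAR2, b VARCHAR2) RETURN PLS_INTEGER IS
    n PLS_INTEGER := 0;
  BEGIN
    FOR i IN 1 .. LEAST(LENGTH(a), LENGTH(b)) LOOP
      IF SUBSTR(a, i, 1) <> SUBSTR(b, i, 1) THEN
        n := n + 1;
      END IF;
    END LOOP;
    RETURN n + ABS(LENGTH(a) - LENGTH(b));
  END differ_count;
BEGIN
  IF password IS NULL OR LENGTH(password) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20002, 'Password must not be the same as the username');
  END IF;
  IF LOWER(password) IN ('welcome1', 'password', 'oracle', 'banner', 'changeme') THEN
    raise_application_error(-20003, 'Password is too common');
  END IF;
  IF NOT has_char_from(password, digitarray)
     OR NOT has_char_from(password, chararray)
     OR NOT has_char_from(password, punctarray) THEN
    raise_application_error(-20004,
      'Password must contain at least one digit, one letter and one punctuation character');
  END IF;
  -- old_password is NULL when a DBA resets the account, so the diff is skipped then.
  IF old_password IS NOT NULL AND differ_count(password, old_password) < 3 THEN
    raise_application_error(-20005,
      'Password must differ from the previous password by at least 3 characters');
  END IF;
  RETURN TRUE;
END tbr_verify_function;
/

-- Attach it to the profile; it fires on the next CREATE USER / ALTER USER ... IDENTIFIED BY.
ALTER PROFILE tbr_dba LIMIT PASSWORD_VERIFY_FUNCTION tbr_verify_function;
```

    For accounts that authenticate through LDAP, Active Directory or Luminis, the complementary step is to create the Oracle user IDENTIFIED EXTERNALLY or IDENTIFIED GLOBALLY so the database holds no password of its own; the verify function then has nothing to check and the directory's policy is the one that counts.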
  • 10. Data security breaches (reported in the press since March 2005). Source: Privacy Rights Clearinghouse

    Date           | Name (location)                           | Type of breach                                                                                                                                                              | Individuals notified
    December 2007  | Voter Registration Office, Nashville, TN   | Laptops stolen                                                                                                                                                              | 100,000+
    Sept. 22, 2006 | Purdue University College of Science       | A file on a desktop computer in the Chemistry Department may have been accessed illegitimately. The file contained names, SSNs, school, major, and e-mail addresses of people who were students in 2000. | 2,482
    Jan. 23, 2006  | Univ. of Notre Dame                        | Hackers accessed Social Security numbers, credit card information and check images of school donors.                                                                         | Unknown
    March 28, 2005 | U Chicago Hospital (Chicago, IL)           | Dishonest insider                                                                                                                                                           | Unknown
    Sept. 15, 2005 | Miami Univ.                                | Exposed online                                                                                                                                                              | 21,762
    Sept. 22, 2005 | City University of New York                | Exposed online                                                                                                                                                              | 350
    Dec. 16, 2005  | Colorado Tech. Univ.                       | Email erroneously sent containing names, phone numbers, email addresses, Social Security numbers and class schedules.                                                       | 1,200

    http://www.washington.edu/president/tacs/utac/meetings/2006-07/materials/10.03.data.security.breaches.report.pdf
  • 11. Securing access: physical as well as virtual
    Totals: 95 incidents. Types of incidents:
    - 53 external hacks
    - 20 stolen/lost computers
    - 11 handling errors
    - 8 exposed online
    - 1 armed robbery
    - 1 stolen storage device
    - 1 malicious insider
    Total number of individuals notified: 3,024,217 (including unknowns, possibly as high as 3.2 to 3.5 million).
  • 12. Security: application information access
    - Banner security classes: job role classes (BANSECR), Finance (FOMPROF), BAN_DEFAULT_ROLES
    - Oracle default roles: DBA, RESOURCE (note that in Oracle 10g and 11g granting RESOURCE also grants the UNLIMITED TABLESPACE system privilege as a side effect)
    - Oracle grants: SELECT ANY (table, dictionary), EXECUTE ANY (procedure)
    - Third party: Evisions, Argos, AppWorx, etc.
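    Added example, not from the presentation: data-dictionary queries that find who actually holds the grants listed above, whether directly or through roles nested inside roles. Only standard Oracle views are used; the example assumes Oracle 10g or later for CONNECT_BY_ROOT and NOCYCLE.

```sql
-- Added example, not from the presentation. Standard dictionary views only;
-- assumes Oracle 10g or later.

-- 1. Direct holders of the two default roles from the slide.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'RESOURCE')
ORDER  BY granted_role, grantee;

-- 2. Every user that reaches one of the ANY privileges, however many role
--    hops away. The hierarchy is built first, in a subquery, because Oracle
--    applies a join before CONNECT BY and that would cut chains short.
SELECT DISTINCT h.holder, p.privilege, h.via_role
FROM (
  SELECT CONNECT_BY_ROOT grantee AS holder, granted_role AS via_role
  FROM   dba_role_privs
  START WITH grantee IN (SELECT username FROM dba_users)
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
) h
JOIN   dba_sys_privs p ON p.grantee = h.via_role
WHERE  p.privilege IN ('SELECT ANY TABLE', 'SELECT ANY DICTIONARY', 'EXECUTE ANY PROCEDURE')
UNION
-- the same privileges granted straight to a user, bypassing roles entirely
SELECT grantee, privilege, '(direct)'
FROM   dba_sys_privs
WHERE  grantee IN (SELECT username FROM dba_users)
AND    privilege IN ('SELECT ANY TABLE', 'SELECT ANY DICTIONARY', 'EXECUTE ANY PROCEDURE')
ORDER  BY 1, 2;

-- 3. Whether SELECT ANY TABLE also reaches the SYS-owned dictionary on this
--    instance. It should report FALSE; TRUE turns the ANY grants above into
--    dictionary access as well.
SELECT name, value
FROM   v$parameter
WHERE  name = 'O7_DICTIONARY_ACCESSIBILITY';
```

    Query 2 is the one to keep in a scheduled review: the slide's TBR_DEV-style roles are easy to grant to a second role and forget, and the direct-grant branch catches privileges handed out in a hurry with no role at all.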
  • 13. Security: application information access
    - Banner passwords: business rules / procedures
    - Oracle passwords: business rules / procedures
    - UNIX passwords: business rules / procedures
    - Third-party apps: business rules / procedures
    - Firewall access: ports, IP, SSL, services
  • 14. Security: application information access. Establish business rules / procedures for each of:
    - Oracle DBA access
    - UNIX admin access
    - BANSECR security admin
    - Argos reporting admin access
    - Finance / payroll access
    - Developer / programmer access
    - TNSNAMES net-config information
    - Source system access
    - Target system access
    - ETL / data feed access
    Governing requirements: federal and state law, HIPAA, SOX 404, etc.
  • 15. Contact information
    iDBA web site: http://idba.tbr.edu

    Jeff D. Hinds, OCP
    Database Administrator
    Tennessee Board of Regents
    1415 Murfreesboro Road, Suite 358
    Nashville, TN 37217
    Email: jeff.hinds@tbr.edu
    Office: 615.366.4488

    Greg Turmel
    Database Administrator
    Tennessee Board of Regents
    1415 Murfreesboro Road, Suite 358
    Nashville, TN 37217
    Email: greg.turmel@tbr.edu
    Office: 615.366.4467