Oracle Audit Vault Database Firewall 20.7 Adds TLS support

Here we’re just discussing Database Firewall!

Oracle AVDF 20.7 now supports TLS. Here I’m using TLS Conn 1 and TLS Conn 2 to represent two distint TLS connections. For database firewall to use this, the traffic must be decrypted at the database firewall to be analyzed. Then the database firewall acts as a client to the database and creates a new TLS connection.

https://docs.oracle.com/en/database/oracle/audit-vault-database-firewall/20/sigad/secured_targets.html#GUID-1CA268B7-B60E-46E3-A8F2-1B3D87A7480A

NOTE: To keep this simple, I did not add in Audit Vault (required) and associated high availability instances.

Posted in infosec | Tagged , , , , , , | Leave a comment

Connect #sqlcl to your cloud database. #quicktip

Dude, it’s easy!

Download the wallet.

I will rename the zip file to something that makes sense to me. In this case avdf_test_db.zip (that’s because I’m using this database to test Audit Vault Database Firewall. See, it makes sense!

startup sqlcl using the /nolog option. Set cloudconfig, then execute your connection.

C:\work\bin\sqlcl-21.2.2.223.0914\sqlcl\bin\sql /nolog

set cloudconfig C:\work\owi-database-wallets\avdf_test_db.zip

conn admin@avdf0test0db_high

Posted in infosec | Tagged , , , , , | Leave a comment

Data spillage #quicktip

Statistics data is stored in the sysaux tablespace, if you’re not using full database encryption, then you have unencrypted data. In OCI, this is encrypted by default.

Posted in infosec | Tagged , , , , | Leave a comment

Oracle datapump prevent spillage #quiktip

If you use datapump to get an export of your database, then please encrypt your exports. Even if you’re using TDE, this spillage can happen.

To fix this, use the encryption parameter on the command line. This will prevent data from inavertantly spilling.

Posted in infosec | Leave a comment

PL/SQL Granting Roles to Packages #Quicktip

--As a user with create role privileges and the ability to grant 
-- the required privileges to the role. ie: DBA
conn rob_dba@demo
create role <role>;
grant <privilege> on <object owner>.<object name> to <role>;
grant <role> to <package owner> with delegate option;
conn <package owner>@<instance>
grant <role> to package <package name>;

GRANTING THE ROLE TO THE PACKAGE OWNER WITH DELEGATE OPTION: This is the preferred method to grant a role to a package. It appears the same as #1; however we are granting the package owner the role with delegate option. Using this method, we can grant the package the required role, but the package owner can not grant the role outside of it’s schema. This is the least amount of privileges needed to execute the task.

Posted in infosec | Leave a comment

After your migration to OCI, #quicktip

After migrating your database to OCI; if you don’t need the data anymore on your local system(s), you should do a secure delete on all your local datafiles. If you are going to need the data again, then move the data to encrypted devices.

Posted in infosec | Leave a comment

Password problems.

Do you see the problem with the following code fragment?
c##sec_admin > administer key management set keystore open identified by SecretPassword;

If your network is not encrypted, your password will be sent in the clear. This is part of the huge advantage of moving to OCI, network is encrypted by default.

Posted in infosec | Leave a comment

Oracle Database Baseline Security Standards

Ya’ know, it’d be really nice if someone put together some baseline security standards for the Oracle database. Well, you can find those is a couple of places. These tools checklist are free to use. Now, I’m partial to the DISA STIGs; however, the CIS Benchmarks are really just as good.

Here are the DISA (Defence Information Systems Agency) STIGs. You can get these from a couple different sources: Here is NIST: https://ncp.nist.gov/checklist/667 and here is from cyber.mil https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security then enter Oracle in the search box.

Here is the CIS (Center for Internet Security) checklist: https://www.cisecurity.org/benchmark/oracle_database

Now, there’s a reason I say “baseline,” ya’ see, even though this is a good place to start, there are things that are not covered or not covered very well. Once you’ve gone through the checklist, and secured your database, you’ll need to do testing to make sure you did not break anything, and you’ll should also look at enhancing these check list by using other tools and techniques. Some of the tools and techniquest you can look to include are: Code Based Access Control, AVDF (Audit Vault Database Firewall), Database Vault, Fine Grained Auditing, Real Application Security, and so much more.

Posted in infosec | Leave a comment

Oracle Audit Vault / Database Firewall (AVDF) 20.7 and Sensitive data discovery.

Oracle AFDF can track the usage of sensitive data in your database, this includes, who can access, who has made changes, and access by privileged users. Improving your ability to keep an eye on what is happening with sensitive data.

How to Discover sensitive data for loading into AVDF.

  • Download the dbsat utility from Oracle support. Doc ID: 2138254.1
  • https://docs.oracle.com/en/database/oracle/oracle-database/21/satug/index.html#UGSAT-GUID-5FBC2744-18E9-49C5-BB1E-8E76A1900537
  • Gather the sensitive data. The dbsat utility has several preconfigured sensitive data types such as PII located in <your db utilities directory>/dbsat/discover/conf directory. The file sensitive_en.ini contains regular expressions for common sensitive data elements, PII, etc. make a copy of this file and edit it with regular expressions describing the sensitive data in your database system(s).
  • Running dbsat for sensitive data discovery. dbsat for sensitive data discover, will save the file as a html and csv file. Use the csv file to upload sensitive data locations into AVDF.
    • [oracle@localhost dbsat]$ ./dbsat discover -c ./Discover/conf/demo_dbsat.config test1
    • Unzip the encrypted file.

Upload sensitive data metadata into Audit Vault

Sensitive data reports

Advantages:

  • Locate sensitive information in your Oracle database systems. Sensitive data can easily propagate in your database to places that were not originally intended. This can happen for several reasons such as a new materialized view was defined to address a performance issue. By keeping track of the sensitive data, and where it resides, you are better able to keep control of the data.
  • Learn about what activity has been happening with your sensitive data by users and privileged users.
  • With the sensitive data access rights report in conjunction with database privilege analysis (dbms_privilege_capture), you can adjust privileges to help enforce least privilege.
Posted in infosec | Leave a comment

Oracle database security quick tip.

We’re going to be discussing database parameters that if not set correctly, it will allow hackers full access to the database.

Posted in infosec | Tagged , , , , , | Leave a comment

Oracle Privilege Analysis for testing, before moving to production. #LeastPrivilege #Infosec #Oracle #Privileged

In the testing phase, we normally test functionality and break the application. There is something that’s missing. Now, most developers are not experts in how privileges work in Oracle, this is not a bad thing because privileges can be complex to implement. Because of this, applications frequently are moved into production over privileged. Addressing over privileged applications is really not all that difficult to accomplish, it just takes some time.

The basics: 

  • To run dbms_privilege_capture you’ll need to grant the CAPTURE_ADMIN role to the user running dbms_privilege_capture.
  • dbms_privilege_capture can capture in four modes:
    • G_DATABASE mode: will capture all privileges used in the database. I use this one a lot to get a broad picture of what privileges are being used in the database.
    • G_ROLE mode: will capture all access to specific roles. Will capture the usage of a role.
    • G_CONTEXT: will capture the privileges used when a context test is true .
    • G_ROLE_AND_CONTEXT: will capture privileges used when a context test is true and a role is used.
  • The create_capture procedure creates a capture policy that defines the conditions when the privilege is captured, along with giving a name for the capture.
sys.dbms_privilege_capture.create_capture(
	name		in 	varchar2,
	description	in 	varchar2,
	type		in 	varchar2,
	roles		in 	varchar2,
	condition	in 	varchar2);
  • The enable_capture procedure  After you’ve created the capture policy, you’ll need to enable it to start the capture. For the first run, I normally create the capture policy, then enable the capture in the same PL/SQL block.
sys.dbms_privilege_capture.enable_capture(
name       in varchar2,
run_name   in varchar2           default null
);
  • disable_capture: After you’re done capturing privileges, you’ll need to disable the capture, so you can generate the results. The only parameter is the name parameter.
sys.dbms_privilege_capture.disable_capture(
    name     => 'check_beckys_use_of_processor_and_cashier'
);
  • generate_results: Once you’re done capturing the privileges for a run, we need to generate the results. The overhead of running privilege capture is pretty low; however, generating the results will take some CPU and may take a few seconds to finish, depending on how long the privilege capture ran.
sys.dbms_privilege_capture.generate_result(
name               in            varchar2       
run_name           in            varchar2       default null
dependency         in            pl/sql boolean default false
);
  • drop_capture: After a while, just like anything else, you’ll want to clean up old captures. To do that, you’ll need to drop them. It’s quite simple, just execute the following.
begin
  sys.dbms_privilege_capture.drop_capture(name => ‘<capture name>’);
end;
/

Oracle provides the rdms_privilege_capture package and views so you can access what privileges are actually being used by an application. I use cytoscape (open source) to visualize complex role highicarcies and see just where I can prune excess roles and privileges.

Now that we got that out of the way, let’s look at the output. Because we’re using this in testing the software, the focus is on finding out where you can adjust your privileges to achieve least privilege.

SYS.DBA_UNUSED_PRIVS to view any privileges that are unused. You’ll want to put some focus here to trim out privileges that are not being used in your testing.

DBA_USED_PRIVS to view the privileges that were used during your testing. You may find that some of the roles can be broken down to fine grained roles and use role hierarchies, or go the opposite direction and consolidate roles.

DBA_USED_SYSPRIVS to find system privileges that were used during your testing. 

DBA_USED_OBJPRIVS to find object privileges that were used during your testing.

DBA_USED_USERPRIVS to find user privileges that were used during your testing.

DBA_USED_PUBPRIVS to find user privileges that were used during your testing. Now, my practice has been to revoke public privileges whenever possible, grant those privileges to named roles, then grant those roles to users.

There are quite a few other views that you can look at to remove unused privileges these include: DBA_UNUSED_PRIVS, DBA_UNUSED_SYSPRIVS_PATH, DBA_UNUSED_SYSPRIVS, DBA_UNUSED_OBJPRIVS_PATH, DBA_UNUSED_OBJPRIVS, DBA_UNUSED_USERPRIVS_PATH, and DBA_UNUSED_USERPRIVS.

I’ll dig deeper into these in a later post.

Posted in infosec | Leave a comment

Data is the king, what to expect in 2022

More of this in 2022 🙂

May 6, 2017 the Economist published an article that data is more valuable than oil. https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data

Every year I “try” to figure out what tools I need to sharpen, what tools I need to pick up, and what tools can be put away. I’ll stay focused on database security, pick up some new tools, work on improving my writing, videos, and get consistnat with the interviews . Hey, if you can’t communicate, then you can’t help the customer.

The database is not going away anytime, so we need to get serious about protecting the crown jewels we store in our databases. With my work, I still see encryption implementations that are wrong, where data will spill out unencrypted. Y’all, you need to understand how the technology you’re working with operates and configure it securely. That said, the safest place for data seems to be in the Oracle Cloud where if you’re using autonomous databases, they will be configured securely. If you’re using Infrastructure as a Service, you’ll still need to do the secure configuration and patching.

Ransomware is here to stay. We’ve seen that the most common way to access systems is through an initial phishing attack. It’s critical that users are trained and tested on phishing attacks. I hate to say it but make the users paranoid about clicking links and opening pdf documents. Frequently if I receive a link from someone, I’ll contact them out of band to check to see if they actually sent me that link. Other times a link comes from an entity that I have some business relationship with. Here I’m careful not to click a link unless I know it’s safe. Hover you mouse of the link and see where it’s directing you to. Organizations need to get serious about their backups and testing their recovery. Oracle has a couple of products that’ll give you immutable backups and air gaped backups. I’ll be writing about them later once I’ve had a chance to test them.

I have a daily habit of figuring out what’s not working and adjusting. Seems like sometime things just slowly creep up on you and you don’t notice it. Well, I took the last two weeks off for the holidays and put my mind to what is not working, because to be honest, my focus does not seem to be as good as it’s been in the past. I’ve also noticed, that although I love working from home and enjoy the solitude, I’m craving being around people more and more. Now, working from home as cut out my commute time, saving me over three hours a day that I can use for more productive things, however; I’ve also cut way back on my travel and have not been able to spend time with friends and work associates. This isolation has impacted my ability to focus on writing and getting my thoughts down on paper. Now, every morning, I spend about thirty minutes to an hour writing. This process allows me to clear my head, get my ideas straight, and identify gaps in my knowledge. What is missing are those long conversations with people smarter than me that triggers ideas. So, in 2022, I’m going to spend a lot more time traveling to see friends. And sense I’m telecommuting, that will not be a problem. Just give me a room, fast internet, and coffee, I’ll get the work done. So, if you see me popping up in your city, don’t be surprised. That’s just me stopping my isolation.

Tech to watch in 2022:

VR Fitness Apps. Face it, gym burnout is a real thing. My exercise of choice has always been to hit the weights, and every few months I get burnt out and must force myself to exercise. Always telling myself that the hormones released are not only good for my body; however, they are also good for my brain health. For the last couple months, I’ve been using www.supernatural.com, a VR aerobic workout that places you in some of the most beautiful places in the world. This makes it more fun to exercise, and considering that my work puts me at my desk for up to ten hours a day, using my brain; that exercise is important to my ability to produce, and my health. Note: my resting heart rate using just weights was always around 75bpm, after two months using supernatural, my resting heart rate averages around 61bpm and frequently drops down to 50bpm. Now, considering I’m 61 years old, and my family has a history of stokes in their 60’s (my younger brother had a stroke the week before Christmas 2021!) This is another good reason for aerobic and weight training. Now, one thing I like about supernatural is the mix up in exercises, one of the things I don’t like is not having the ability to fine tune the intensity of the workouts. When exercising, I like being at about 104%, this way I’m always pushing. But from what I’ve found, you don’t have the ability to fine tune, what you get is what you get.

Electric flying taxis. I’m not too sure about this one, but I’m seeing more startups moving into this space. The problem is the weight and capacity of the batteries. So, if we do see these start to fly in cities around the world, they’ll likely be for very short hops.

Quantum computing. I’ve always had an interest in quantum mechanics, mostly because it’s so mind bending. IBM https://www.ibm.com/quantum-computing/ now has the 127 qubit processor. We’re making some big leaps but I’m thinking, what will be the killer app. Will it be Quantum AI? That’s where my money is.

Posted in infosec | Leave a comment

Database Security with Oracle ACE Director Jim Czuprynski

Posted in infosec | Leave a comment

Liron Amitzi – A conversation on database security

Posted in infosec | Leave a comment

My views on in person conferences, safety in the time of COVID-19

Posted in infosec | Leave a comment

Cybersecurity, culture, travel, and keeping your IT infrastructure safe.

I get to chat with Liron Amitzi and Jim (The Why Guy) Czuprynski about what interest me the most. Keeping your IT infrastructure safe and culture.

https://beyondtechskills.com/episodes/if-you-aint-paranoid-you-aint-payin-attention-rob-lockard-on-cybersecurity-culture#T

Posted in infosec | Leave a comment

Transparant Data Encryption and Oracle Key Vault with Peter Wahl.

I had the pleasure of chatting with Peter Wahl, Oracle Principle Product Manager for Encryption and Secrets. He gives a great talk on Transparent Data Encryption and Oracle Key Vault.

Posted in encryption, infosec, Security | Leave a comment

Unified Audit and Virtual Private Database

It seems not a day goes by where I’m not humbled in some way or another. Frequently this happens due to limits of my knowledge or something I’d forgotten. There is a wrinkle when you combine Unified Auditing and Virtual Private Databases (VPD).

Here’s the setup.

create or replace package HR.hr_vpd_policy as
function hr_emp_vpd_policy (p_schema varchar2,
                            p_table  varchar2)
return varchar2;
end;
/
-- keep it real simple. just return 
-- department_id = 10.
create or replace package body HR.hr_vpd_policy as 
function hr_emp_vpd_policy (p_schema varchar2,
                            p_table  varchar2)
return varchar2 is
p_ret_val varchar2(255);
    begin 
      p_ret_val := 'department_id = 10';
      return p_ret_val;
    end;
end;
/
begin 
  sys.dbms_rls.add_policy (
    object_schema   => 'HR',
	object_name     => 'EMPLOYEES_VIEW',
	policy_name     => 'HR_EMP_SEL_POL',
	function_schema => 'HR',
	policy_function => 'hr_vpd_policy.hr_emp_vpd_policy',
	statement_types	=> 'SELECT'
  );
end;
/

Here’s the question. How do I know the where clause VPD placed on a sql statement? Well it’s not in the sql_text column (like I thought is was), it is in the rls_info column. Remember, VPD was called “Row Level Security.” Oracle changed it’s name sometime back, I think 10g, but don’t quote me on the version Oracle changed the name.

Posted in Uncategorized | Leave a comment

Do you want to know where I’ll be speaking this fall?

Where am I speaking this fall? Poland and Croatia conferences have been confirmed. Waiting for Spain, and ECOUG. Let’s get back to normal and be safe about it. Looks like I’ll be busy for the next several months. Life is good.

Warsaw Poland September 10 – 11. https://poug.org/en/

Rovinj Croatia October 12 – 16 https://2021.hroug.hr/eng

Madrid Spain November 11 https://spoug.es/spoug21/

ECOUG November 1-3 https://www.eastcoastoracle.org/

Posted in Uncategorized | Leave a comment

There has been some changes. #Accenture #DatabaseSecurity #InfoSec

Life is busy and good; new Some of y’all may already know, after almost thirty years of working for myself, I accepted a position with Accenture Enkitec Group as Technology Innovation Principal Director and the Global Lead for Database Security. There are a lot of reasons I accepted this position. Primarily, I’ve known the folks from Enkitec for a number of years; they have always impressed me with their knowledge, willingness to share that knowledge, and they get s&*t done. Being part of a global team that is focused to delivering the best for the customer. The opportunity to learn new things; now that’s a big plus for me.

Now, being an employee it’s really new to me, they have these things called HR, People Leads, and policies. Who knew? My People Lead was always my bathroom mirror where I would have long discussions with myself about my future and where I needed to put my focus. Now, I have someone else who I can discuss direction, where my focus should be, and also promote me within and outside of Accenture. This is great! Yea’ even I need to get pointed in the right direction every now and then.

New talks are coming up in Poland, Croatia, North Carolina, Spain, East Coast Oracle Users Group (ECOUG). I’m waiting for acceptance from Croatia, ECOUG, and need to get my abstracts in for Spain. Stay tuned for more details on what talks I have coming up.

Posted in infosec | Tagged , , | Leave a comment

Upcoming talks UTOUG, INSYNC, and Uzbekistan INHA University.

March and April are booking up fast. Getting real busy and loving life.

Utah Oracle Users Group (UTOUG) March 17 – 18 Keynote: “Curves ahead: Emerging technology threats.”, “Holistic Database Security in the cloud.”, and “PL/SQL Secure Coding in the cloud.”

INSYNC Tuesday March 30 and April 1 “Holistic Database Security in the Cloud.”

Uzbekistan INHA University April 6. “Staying Current in a Constantly Changing IT Environment.”

Posted in infosec | Leave a comment

The Future of #AI with Sandesh Rao

In our series on the future of AI, here is the interview with Sandesh Rao, VP Autonomous Health and Machine Learning at Oracle