Presentation in 2008 on IT security

1. Tennessee Board of Regents
DBA Collaborative
Security:
It’s everyone's responsibility
Presented by:
Jeff Hinds, DBA
Greg Turmel, DBA

2. Tennessee Board of Regents
DBA Collaborative
Securing all levels of Information Access
UNIX Level: User Accounts
Source Database Level: User accounts
Mid-Tier Level: Application accounts
Operational Data Store: ETL
Enterprise Data Warehouse: Application Accounts
Reporting Application Level: Argos reporting

3. Tennessee Board of Regents
DBA Collaborative
Securing all levels of Information Access
Hardware sharing – Multiple databases on single server
: reduced security on one, exposes others
: 3 Tier Model for separation of Hardware
Listener sharing – Multiple databases on a single listener
: if taken down, affects all services
: password protecting
INB / SSB sharing – Multiple services supporting many User
interfaces
: if hacked, gains access to all apps on box
: resource limitation causing DOS
(denial of service)
: network / application time outs

4. Tennessee Board of Regents
DBA Collaborative
Database Security using PROFILES:
– When to use, How to use, Why should you use.
Example: CREATE PROFILE TBR_DBA LIMIT
SESSIONS_PER_USER DEFAULT
CPU_PER_SESSION DEFAULT
CPU_PER_CALL DEFAULT
CONNECT_TIME DEFAULT
IDLE_TIME DEFAULT
LOGICAL_READS_PER_SESSION DEFAULT
LOGICAL_READS_PER_CALL DEFAULT
COMPOSITE_LIMIT DEFAULT
PRIVATE_SGA DEFAULT
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LIFE_TIME 90
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX 5
PASSWORD_LOCK_TIME .0415
PASSWORD_GRACE_TIME 7
PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;

5. Tennessee Board of Regents
DBA Collaborative
Database Security using ROLES:
– What are roles, what can I do with them, Why?
Example:
CREATE ROLE TBR_DEV NOT IDENTIFIED;
GRANT ALTER ANY INDEX TO TBR_DEV;
GRANT ALTER ANY TABLE TO TBR_DEV;
GRANT DELETE ANY TABLE TO TBR_DEV;
GRANT INSERT ANY TABLE TO TBR_DEV;
GRANT SELECT ANY TABLE TO TBR_DEV;
GRANT UPDATE ANY TABLE TO TBR_DEV;
GRANT ALTER ANY TRIGGER TO TBR_DEV;
GRANT CREATE ANY SYNONYM TO TBR_DEV;
GRANT SELECT ANY SEQUENCE TO TBR_DEV;
GRANT EXECUTE ANY PROCEDURE TO TBR_DEV;

6. Tennessee Board of Regents
DBA Collaborative
Securing all levels of Information Access

7. Tennessee Board of Regents
DBA Collaborative
Securing all levels of Information Access

8. Tennessee Board of Regents
DBA Collaborative
Securing all levels of Information Access
Network Devices
Applications
Databases
Servers
Desktops / Laptops
Printers: Yes, but why?
Backups: Yes, but why?

9. Tennessee Board of Regents
DBA Collaborative
Securing user access with password complexity
Password Verify function:
ALTER PROFILE TBR_DBA LIMIT
PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION
/
BEGIN
digitarray:= '0123456789';
chararray:='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
punctarray:='!"#$%&()``*+,-/:;<=>?_';
Alternatives:
– Refrain from using PW verify function in your user profiles when another
authentication process is defined outside of the Oracle database profile
Examples:
LUMINIS authentication
LDAP authentication
Active Directory authentication

10. Tennessee Board of Regents
DBA Collaborative
DATA SECURITY BREACHES
(REPORTED IN THE PRESS SINCE MARCH 2005)
SOURCE: Privacy Rights Clearinghouse
DATE NAME (Location) TYPE OF BREACH INDIVIDUALS NOTIFIED
December 2007 Voter Registration Office – Nashville TN. Laptops stolen: 100,000+
Sept. 22, 2006 Purdue University College of Science A file in a desktop computer in the
Chemistry Department may have been
accessed illegitimately. The file contained
names, SSNs, school, major, and e-mail
addresses of people who were students in 2000.
2,482
Jan. 23, 2006 Univ. of Notre Dame Hackers accessed Social Security
numbers, credit card information and check
images of school donors. Unknown
March 28, 2005 U Chicago Hospital (Chicago, IL) Dishonest insider Unknown
Sept. 15, 2005 Miami Univ. Exposed online 21,762
Sept. 22, 2005 City University of New York Exposed online 350
Dec. 16, 2005 Colorado Tech. Univ. Email erroneously sent containing names,
phone numbers, email addresses, Social
Security numbers and class schedules. 1,200
http://www.washington.edu/president/tacs/utac/meetings/2006-07/materials/10.03.data.security.breaches.report.pdf

11. Tennessee Board of Regents
DBA Collaborative
Securing Access: both physical as well as virtual
TOTALS 95 Incidents: Types of Incidents:
53 external hacks
20 stolen//lost (2) computers
11 handling errors
8 exposed online
1 armed robbery
1 stolen storage device
1 malicious insider
Total Number of Individuals Notified: 3,024,217
(including unknowns…maybe as high as 3.2 - 3.5 million)

12. Tennessee Board of Regents
DBA Collaborative
Security: Application Information Access
Banner Security Classes: Job Role classes (BANSECR)
Finance (FOMPROF)
BAN_DEFAULT_ROLES
Oracle Default Roles: DBA
RESOURCE
Oracle Grants: SELECT ANY (table, dictionary)
EXECUTE ANY (procedure)
Third Party: Evisions, Argos, Appworx, etc.

13. Tennessee Board of Regents
DBA Collaborative
Security: Application Information Access
Banner Passwords: Business Rules / Procedures
Oracle Passwords: “ “
UNIX Passwords: “ “
Third Party Apps: “ “
Firewall access: Ports, IP, SSL, services

14. Tennessee Board of Regents
DBA Collaborative
Security: Application Information Access
Oracle DBA Access: Establish Business Rules / Procedures
UNIX Admin Access: “ “
BANSECR Security Admin: “ “
Argos Reporting Admin Access: “ “
Finance / Payroll Access: “ “
Developer / Programmer Access: “ “
TNSNAMES netconfig information: “ “
Source System Access: “ “
Target System Access: “ “
ETL / data feed Access: “ “
Federal / State Legislature (law), HIPPA, SOX404, etc…

15. Tennessee Board of Regents
DBA Collaborative
Contact Information: http://idba.tbr.edu
iDBA WEB Site: idba.tbr.edu
Jeff D. Hinds, ocp
Database Administrator
Tennessee Board of Regents
1415 Murfreesboro Road, Suite 358
Nashville, TN 37217
Email: jeff.hinds@tbr.edu
(Office) 615.366.4488
Greg Turmel
Database Administrator
Tennessee Board of Regents
1415 Murfreesboro Rd. Suite 358
Nashville, TN. 37217
Email: greg.turmel@tbr.edu
(Office) 615.366.4467