December 26, 2022

Authored by: Tim Boles

The third in a series of articles giving an overview of the aspects of Oracle database security that experts believe to be the most efficient to implement in terms of time, effort and cost. These are called "Quick Wins."

Perform Security Scans

There are a variety of security scanners on the market; some are free, others are vendor-provided. Spinnaker Support is a member of CIS SecureSuite, which gives us tools to measure our clients' systems against the CIS Benchmarks. By combining the results of these tools with our team's expert knowledge, we can:

  • Provide scores showing the system alignment with CIS benchmarks.
  • Work with your team to determine if the benchmarks that fail are applicable to your environment.
  • Provide a detailed report covering each benchmark, its risk level, instructions for aligning your system with it, and references that support the findings.
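To make the kind of check a CIS Benchmark scan performs concrete, here is an added example (not code from the original post, from CIS, or from Spinnaker's tooling) of a few of the configuration queries such a scan runs against an Oracle database. It assumes a SQL*Plus (or similar) session as a user with SELECT on the DBA_* and V$ views; in a multitenant database it must be run in each PDB (or rewritten against the CDB_* views). Every query is written so that a passing check returns zero rows, which is how a scanner scores it.

```sql
-- Added example: CIS-Benchmark-style checks for an Oracle database.
-- Assumes a session with SELECT on DBA_* and V$ views (SELECT_CATALOG_ROLE).
-- Each query returns zero rows when the check passes.

-- 1. Open accounts still using a known default password.
--    DBA_USERS_WITH_DEFPWD exists from 11g onward.
SELECT d.username
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';

-- 2. Instance parameters at values the benchmark flags as weak.
--    Expected: remote_os_authent = FALSE, o7_dictionary_accessibility = FALSE,
--    sql92_security = TRUE, audit_trail anything but NONE.
SELECT name, value
  FROM v$parameter
 WHERE (name = 'remote_os_authent'           AND UPPER(value) <> 'FALSE')
    OR (name = 'o7_dictionary_accessibility' AND UPPER(value) <> 'FALSE')
    OR (name = 'sql92_security'              AND UPPER(value) <> 'TRUE')
    OR (name = 'audit_trail'                 AND UPPER(value) =  'NONE');

-- 3. Network, file and job packages that PUBLIC can still execute.
--    These give any account a path to the OS, the network or the scheduler.
SELECT table_name AS package_name, grantee, privilege
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP',
                      'UTL_INADDR', 'DBMS_JOB', 'DBMS_SCHEDULER',
                      'DBMS_SQL', 'DBMS_LDAP', 'DBMS_RANDOM');

-- 4. Accounts other than SYS/SYSTEM holding the DBA role, and who can re-grant it.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM');

-- 5. Password controls left unlimited or unset in any profile.
--    A row with LIMIT = 'DEFAULT' inherits from the DEFAULT profile, so
--    check that profile's own row as well.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME',
                         'PASSWORD_LIFE_TIME', 'PASSWORD_VERIFY_FUNCTION')
   AND limit IN ('UNLIMITED', 'NULL');
```

A hit from one of these queries is a finding, not automatically a defect: a PUBLIC grant on DBMS_SQL, for example, may be something an application depends on, which is exactly why the list of failing benchmarks is reviewed with the client's team before anything is revoked or changed.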

On its support site, Oracle provides a free tool called the Database Security Assessment Tool (DBSAT). DBSAT helps identify where your database configuration, operation, or implementation has introduced risk, and for each issue it gives a description and recommended changes to mitigate it. DBSAT supports all versions from 10g onward and is available to clients with an active support contract. DBSAT has the following capabilities:

  • A quick low-impact security assessment.
  • Recommendations for meeting security benchmarks.
  • Support for regulatory compliance.
  • The ability to scan for sensitive data.

The security assessment and benchmark recommendations can be produced with two commands. The collect step runs against the database and, by default, prompts for a password that it uses to encrypt the output zip file; the report step prompts for the same password to unpack it and needs Python on the host where it runs:

./dbsat collect <username>@<connectionstring> <filename>

./dbsat report <path to filename.zip>

DBSAT reports the results of its analysis as a series of findings. Each finding is actionable: it carries a risk level, a summary of the issue, a recommendation, details of what the finding is about, and references where appropriate.
The process for scanning for sensitive data and regulatory compliance is a great deal more complicated. It requires the administrator to define the patterns to scan for and to review the setup before the scan runs. The details of this process go beyond the scope of this blog.

Summary

Performing basic database security scans is an easy, quick way to improve the security posture of your database. As with any database change, there is always some risk involved, so be sure to test the changes in non-production environments before attempting them in production. At Spinnaker Support, we encourage all organizations to take these first steps in minimizing the risk of unwanted exposure of your organization's data.

If you decide to join our client list, you will be provided with a Security Assessment that reviews your system not only against the CIS Benchmarks but also against DISA STIGs, Oracle security documentation, and other benchmarks. We will use our findings to guide you through improving your security posture and removing the attack vectors that cybercriminals use against database systems.

For more information, please visit https://www.spinnakersupport.com/third-party-support/security-vulnerability/