Protecting the Data - A Security Checklist

At the end of the day, what needs to be protected is the data. While Blue Core Research is in the business of Oracle database security, one must never lose sight of the ultimate goal – protecting the data itself.
This page does not aim to be the ultimate guide to data security, but it should raise many of the important points you should consider in your security strategy.

Find the Weak Links

An important thing to remember is that anyone attempting to breach your security will have a different perspective about it. This perspective will ultimately determine which system will be targeted, and how. The perspective comprises:
  • Goal – Is the attacker looking for an easy mark to boast about? Going after a specific type of data (e.g. credit cards)? After a specific organization? Or, perhaps, after a specific type of data in a specific organization?
  • Skill – Does the attacker have expertise in networks, Oracle databases, Unix, …?
  • Position – Does the attacker work for the organization? Does he hold credentials to certain systems?
  • Chance – Did the attacker happen to run across someone’s password? Find a bug in an application? Read an article discussing system vulnerabilities?
An attacker will choose the path of least resistance from his own perspective and break in through what he considers the weakest link. That means a network expert and a database expert will look for, and exploit, different vulnerabilities. The same applies to an employee versus an external hacker.
A good exercise is to explore your systems’ vulnerabilities from different perspectives. This can teach you a lot about what links would be considered weak by attackers.
Since you cannot be an expert in every domain, and should not pretend to have skills you do not possess, it is important to consult domain experts in your organization who have the appropriate skills. An informal personal meeting with such people is a good way to gain their perspective on your security.
There are six “tests” that should be evaluated by each expert:
  • Using their current knowledge of the systems and current privileges, what fraud or data theft could they accomplish?
  • What fraud/theft could they accomplish with additional privileges (e.g. a manager, an administrator)?
  • What fraud/theft could they accomplish with additional understanding of the system (e.g. a developer or the architect of the system)?
  • What could they accomplish without privileges or knowledge of the systems (e.g. a regular employee)?
  • What could they accomplish as a non-employee working from the outside?
  • What chance information would help them commit more fraud/theft (e.g. someone’s password, system documentation, application bug list)?
If you ask different experts in the same domain you are likely to get different answers, so the more interviews you conduct, the better understanding you will have of the vulnerabilities in your security strategy.

Final Checklist

Make sure that as part of the evaluation of your security strategy you have:
  • Evaluated the different security domains with the appropriate teams
  • Ensured all users can be properly identified and authenticated, have the right permissions on the right systems, and that there is a good process for approving new privileges and for revoking them when they are no longer needed
  • Put in place a continuous education plan for the different teams, to reduce the risk of the human element
  • Established good perimeter security and compartmentalization inside the organization
  • Isolated sensitive information behind a tight security barrier
  • Employed encryption in the appropriate places
  • Audited the activity of the systems that process sensitive information
  • Discussed with the appropriate domain experts what the weak links in your strategy are
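To make the identification, permission, revocation and auditing items of the checklist concrete for an Oracle database, here is an added example of the checks a DBA could run. It is not code from this page or from Core Audit; it assumes Oracle 12c or later with unified auditing available, a hypothetical sensitive table HR.EMPLOYEES, a hypothetical reporting account RPT_USER, and a policy name chosen for this example.

```sql
-- Added example (not Core Audit code). Assumes Oracle 12c+ with unified
-- auditing, a hypothetical sensitive table HR.EMPLOYEES and a hypothetical
-- account RPT_USER. Run as a user with SELECT on the DBA_ views and the
-- AUDIT_ADMIN role.

-- 1. Identification and authentication: open accounts that still use a
--    known default password, and open non-Oracle accounts that have not
--    logged in for 90 days (candidates for locking).
SELECT u.username, u.account_status, u.profile
FROM   dba_users u
JOIN   dba_users_with_defpwd d ON d.username = u.username
WHERE  u.account_status = 'OPEN';

SELECT username, last_login
FROM   dba_users
WHERE  account_status = 'OPEN'
AND    oracle_maintained = 'N'
AND    (last_login IS NULL
        OR last_login < SYSTIMESTAMP - INTERVAL '90' DAY);

-- 2. Right permissions on the right systems: who can read every table,
--    who holds powerful roles, and who has direct grants on the
--    sensitive table.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE',
                     'EXEMPT ACCESS POLICY')
ORDER  BY grantee;

SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'DATAPUMP_EXP_FULL_DATABASE',
                        'EXP_FULL_DATABASE');

SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'HR' AND table_name = 'EMPLOYEES';

-- 3. Revocation: a privilege surfaced above that the (hypothetical)
--    reporting account no longer needs.
REVOKE SELECT ANY TABLE FROM rpt_user;

-- 4. Audit the activity on the sensitive object: a unified audit policy
--    covering reads as well as writes, enabled for every session.
CREATE AUDIT POLICY hr_employees_access
  ACTIONS SELECT ON hr.employees,
          INSERT ON hr.employees,
          UPDATE ON hr.employees,
          DELETE ON hr.employees;

AUDIT POLICY hr_employees_access;

-- 5. Review what the policy captured: who touched the table, from which
--    OS account and host, with what statement, most recent first.
--    A non-zero RETURN_CODE is a failed attempt.
SELECT event_timestamp, dbusername, os_username, userhost,
       action_name, sql_text, return_code
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%HR_EMPLOYEES_ACCESS%'
ORDER  BY event_timestamp DESC;
```

Two caveats a practitioner will hit: a REVOKE of a broad privilege such as SELECT ANY TABLE should go through the approval process the checklist asks for, because applications sometimes depend on it silently; and on Oracle 12.1 audit records are queued by default, so they may not appear in UNIFIED_AUDIT_TRAIL until DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL is called.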

What's next?

I want to know more about Core Audit!
Great! Here are a few options:
  • Read more about Core Audit features, reports, etc.
  • Try our Online Demo and play with Core Audit right now
  • Ask for a Personal Demo from one of our experts and get all your questions answered
  • Download a Free Trial and experience Core Audit on your systems
I only want more information, not a product
Not a problem, here is a list of relevant pages, and we are always available to answer any question
  • Intelligent Auditing – Read
  • Oracle security – strengths & weaknesses – Read
  • Large security scope in Oracle databases – Read
  • How to prevent a database breach – Read
  • Oracle database security – Read