Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

oracle missing security patches

Posted on 2013-01-31
5
Medium Priority
?
432 Views
Last Modified: 2013-02-19
What is your view on the following. We have an internal application that doesnt process sensitive data, based on oracle 11g. A recent security healthcheck identified this server and oracle as woefully out of date and has endless missing security patches. The admins seem to be of the mindset if theres no sensitive data in the database, the motive of an insider to exploit a missing patch would be almost non existent.Aside from unauthorised access to, and theft of sensitive data, are there any other issues benig missed by not applying these security patches? Is there response valid?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 77

Accepted Solution

by:
slightwv (䄆 Netminder) earned 2000 total points
ID: 38840132
The answer to your question is another question:
What are the ramifications if all the data in this database is posted on the Internet?


Just one example:
Even if the data isn't 'sensitive', does your company want it's name in the headlines:
CompanyX's data compromised.

Even if the data was only the office supply database, I'm sure the company does have 'sensitive' data somewhere.  Will your customers/stockholders/??? pay attention to 'what' data was taken or just that you were vulnerable?
0
 
LVL 3

Author Comment

by:pma111
ID: 38840166
I was also thinking along the lines of data corruption and system availability
0
 
LVL 77

Expert Comment

by:slightwv (䄆 Netminder)
ID: 38840220
>>I was also thinking along the lines of data corruption and system availability

Also valid concerns.

The question to ask here:
What are the ramifications is all the data is deleted or modified or tables dropped?

Not sensitive data but the fact it is a database makes it important enough to store so it should be protected.

The counter-argument:
You can almost never stop malicious intent.  As an insider, if I wanted to tamper with your data enough to exploit an unpatched vlunerability, I will likey still be able to find a way to access the database even it the exploit is patched.

I bet I can walk into your shop and find some database password stored somewhere that would allow me to access the database directly.
0
 
LVL 3

Author Comment

by:pma111
ID: 38843048
>I bet I can walk into your shop and find some database password stored somewhere that would allow me to access the database directly.

Can you provide more specifics where youd look for these.
0
 
LVL 77

Expert Comment

by:slightwv (䄆 Netminder)
ID: 38843822
Most common places:
   App config files.
   Scripts written by people.

On unix systems, once you get to a command prompt you would be surprised how many passwords can be found with a simple: ps -ef

SOOOOOooooo many people use the username and password on the sqlplus command line like: sqlplus system/manager

A simple "ps -ef" will show that...
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes has been used since a very long time as an e-mail client and is very popular because of it's unmatched security. In this article we are going to learn about  RRV Bucket corruption and understand various methods to Fix "RRV Bucket Corrupt…
In this blog post, we’ll look at how using thread_statistics can cause high memory usage.
This video shows how to Export data from an Oracle database using the Datapump Export Utility.  The corresponding Datapump Import utility is also discussed and demonstrated.
This video shows how to Export data from an Oracle database using the Original Export Utility.  The corresponding Import utility, which works the same way is referenced, but not demonstrated.

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question