Solved

oracle missing security patches

Posted on 2013-01-31
5
383 Views
Last Modified: 2013-02-19
What is your view on the following. We have an internal application that doesnt process sensitive data, based on oracle 11g. A recent security healthcheck identified this server and oracle as woefully out of date and has endless missing security patches. The admins seem to be of the mindset if theres no sensitive data in the database, the motive of an insider to exploit a missing patch would be almost non existent.Aside from unauthorised access to, and theft of sensitive data, are there any other issues benig missed by not applying these security patches? Is there response valid?
0
Comment
Question by:pma111
  • 3
  • 2
5 Comments
 
LVL 76

Accepted Solution

by:
slightwv (䄆 Netminder) earned 500 total points
Comment Utility
The answer to your question is another question:
What are the ramifications if all the data in this database is posted on the Internet?


Just one example:
Even if the data isn't 'sensitive', does your company want it's name in the headlines:
CompanyX's data compromised.

Even if the data was only the office supply database, I'm sure the company does have 'sensitive' data somewhere.  Will your customers/stockholders/??? pay attention to 'what' data was taken or just that you were vulnerable?
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
I was also thinking along the lines of data corruption and system availability
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
Comment Utility
>>I was also thinking along the lines of data corruption and system availability

Also valid concerns.

The question to ask here:
What are the ramifications is all the data is deleted or modified or tables dropped?

Not sensitive data but the fact it is a database makes it important enough to store so it should be protected.

The counter-argument:
You can almost never stop malicious intent.  As an insider, if I wanted to tamper with your data enough to exploit an unpatched vlunerability, I will likey still be able to find a way to access the database even it the exploit is patched.

I bet I can walk into your shop and find some database password stored somewhere that would allow me to access the database directly.
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
>I bet I can walk into your shop and find some database password stored somewhere that would allow me to access the database directly.

Can you provide more specifics where youd look for these.
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
Comment Utility
Most common places:
   App config files.
   Scripts written by people.

On unix systems, once you get to a command prompt you would be surprised how many passwords can be found with a simple: ps -ef

SOOOOOooooo many people use the username and password on the sqlplus command line like: sqlplus system/manager

A simple "ps -ef" will show that...
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Entering a date in Microsoft Access can be tricky. A typo can cause month and day to be shuffled, entering the day only causes an error, as does entering, say, day 31 in June. This article shows how an inputmask supported by code can help the user a…
CCModeler offers a way to enter basic information like entities, attributes and relationships and export them as yEd or erviz diagram. It also can import existing Access or SQL Server tables with relationships.
This video explains at a high level with the mandatory Oracle Memory processes are as well as touching on some of the more common optional ones.
This video shows how to copy a database user from one database to another user DBMS_METADATA.  It also shows how to copy a user's permissions and discusses password hash differences between Oracle 10g and 11g.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now