?
Solved

oracle missing security patches

Posted on 2013-01-31
5
Medium Priority
?
429 Views
Last Modified: 2013-02-19
What is your view on the following. We have an internal application that doesnt process sensitive data, based on oracle 11g. A recent security healthcheck identified this server and oracle as woefully out of date and has endless missing security patches. The admins seem to be of the mindset if theres no sensitive data in the database, the motive of an insider to exploit a missing patch would be almost non existent.Aside from unauthorised access to, and theft of sensitive data, are there any other issues benig missed by not applying these security patches? Is there response valid?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 77

Accepted Solution

by:
slightwv (䄆 Netminder) earned 2000 total points
ID: 38840132
The answer to your question is another question:
What are the ramifications if all the data in this database is posted on the Internet?


Just one example:
Even if the data isn't 'sensitive', does your company want it's name in the headlines:
CompanyX's data compromised.

Even if the data was only the office supply database, I'm sure the company does have 'sensitive' data somewhere.  Will your customers/stockholders/??? pay attention to 'what' data was taken or just that you were vulnerable?
0
 
LVL 3

Author Comment

by:pma111
ID: 38840166
I was also thinking along the lines of data corruption and system availability
0
 
LVL 77

Expert Comment

by:slightwv (䄆 Netminder)
ID: 38840220
>>I was also thinking along the lines of data corruption and system availability

Also valid concerns.

The question to ask here:
What are the ramifications is all the data is deleted or modified or tables dropped?

Not sensitive data but the fact it is a database makes it important enough to store so it should be protected.

The counter-argument:
You can almost never stop malicious intent.  As an insider, if I wanted to tamper with your data enough to exploit an unpatched vlunerability, I will likey still be able to find a way to access the database even it the exploit is patched.

I bet I can walk into your shop and find some database password stored somewhere that would allow me to access the database directly.
0
 
LVL 3

Author Comment

by:pma111
ID: 38843048
>I bet I can walk into your shop and find some database password stored somewhere that would allow me to access the database directly.

Can you provide more specifics where youd look for these.
0
 
LVL 77

Expert Comment

by:slightwv (䄆 Netminder)
ID: 38843822
Most common places:
   App config files.
   Scripts written by people.

On unix systems, once you get to a command prompt you would be surprised how many passwords can be found with a simple: ps -ef

SOOOOOooooo many people use the username and password on the sqlplus command line like: sqlplus system/manager

A simple "ps -ef" will show that...
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Azure Functions is a solution for easily running small pieces of code, or "functions," in the cloud. This article shows how to create one of these functions to write directly to Azure Table Storage.
Recently I was talking with Tim Sharp, one of my colleagues from our Technical Account Manager team about MongoDB’s scalability. While doing some quick training with some of the Percona team, Tim brought something to my attention...
This video shows information on the Oracle Data Dictionary, starting with the Oracle documentation, explaining the different types of Data Dictionary views available by group and permissions as well as giving examples on how to retrieve data from th…
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question