Solved

oracle missing security patches

Posted on 2013-01-31
5
415 Views
Last Modified: 2013-02-19
What is your view on the following. We have an internal application that doesnt process sensitive data, based on oracle 11g. A recent security healthcheck identified this server and oracle as woefully out of date and has endless missing security patches. The admins seem to be of the mindset if theres no sensitive data in the database, the motive of an insider to exploit a missing patch would be almost non existent.Aside from unauthorised access to, and theft of sensitive data, are there any other issues benig missed by not applying these security patches? Is there response valid?
0
Comment
Question by:pma111
  • 3
  • 2
5 Comments
 
LVL 77

Accepted Solution

by:
slightwv (䄆 Netminder) earned 500 total points
ID: 38840132
The answer to your question is another question:
What are the ramifications if all the data in this database is posted on the Internet?


Just one example:
Even if the data isn't 'sensitive', does your company want it's name in the headlines:
CompanyX's data compromised.

Even if the data was only the office supply database, I'm sure the company does have 'sensitive' data somewhere.  Will your customers/stockholders/??? pay attention to 'what' data was taken or just that you were vulnerable?
0
 
LVL 3

Author Comment

by:pma111
ID: 38840166
I was also thinking along the lines of data corruption and system availability
0
 
LVL 77

Expert Comment

by:slightwv (䄆 Netminder)
ID: 38840220
>>I was also thinking along the lines of data corruption and system availability

Also valid concerns.

The question to ask here:
What are the ramifications is all the data is deleted or modified or tables dropped?

Not sensitive data but the fact it is a database makes it important enough to store so it should be protected.

The counter-argument:
You can almost never stop malicious intent.  As an insider, if I wanted to tamper with your data enough to exploit an unpatched vlunerability, I will likey still be able to find a way to access the database even it the exploit is patched.

I bet I can walk into your shop and find some database password stored somewhere that would allow me to access the database directly.
0
 
LVL 3

Author Comment

by:pma111
ID: 38843048
>I bet I can walk into your shop and find some database password stored somewhere that would allow me to access the database directly.

Can you provide more specifics where youd look for these.
0
 
LVL 77

Expert Comment

by:slightwv (䄆 Netminder)
ID: 38843822
Most common places:
   App config files.
   Scripts written by people.

On unix systems, once you get to a command prompt you would be surprised how many passwords can be found with a simple: ps -ef

SOOOOOooooo many people use the username and password on the sqlplus command line like: sqlplus system/manager

A simple "ps -ef" will show that...
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This post first appeared at Oracleinaction  (http://oracleinaction.com/undo-and-redo-in-oracle/)by Anju Garg (Myself). I  will demonstrate that undo for DML’s is stored both in undo tablespace and online redo logs. Then, we will analyze the reaso…
This article explains all about SQL Server Piecemeal Restore with examples in step by step manner.
This video explains at a high level with the mandatory Oracle Memory processes are as well as touching on some of the more common optional ones.
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question