Solved

oracle missing security patches

Posted on 2013-01-31
5
396 Views
Last Modified: 2013-02-19
What is your view on the following. We have an internal application that doesnt process sensitive data, based on oracle 11g. A recent security healthcheck identified this server and oracle as woefully out of date and has endless missing security patches. The admins seem to be of the mindset if theres no sensitive data in the database, the motive of an insider to exploit a missing patch would be almost non existent.Aside from unauthorised access to, and theft of sensitive data, are there any other issues benig missed by not applying these security patches? Is there response valid?
0
Comment
Question by:pma111
  • 3
  • 2
5 Comments
 
LVL 76

Accepted Solution

by:
slightwv (䄆 Netminder) earned 500 total points
ID: 38840132
The answer to your question is another question:
What are the ramifications if all the data in this database is posted on the Internet?


Just one example:
Even if the data isn't 'sensitive', does your company want it's name in the headlines:
CompanyX's data compromised.

Even if the data was only the office supply database, I'm sure the company does have 'sensitive' data somewhere.  Will your customers/stockholders/??? pay attention to 'what' data was taken or just that you were vulnerable?
0
 
LVL 3

Author Comment

by:pma111
ID: 38840166
I was also thinking along the lines of data corruption and system availability
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 38840220
>>I was also thinking along the lines of data corruption and system availability

Also valid concerns.

The question to ask here:
What are the ramifications is all the data is deleted or modified or tables dropped?

Not sensitive data but the fact it is a database makes it important enough to store so it should be protected.

The counter-argument:
You can almost never stop malicious intent.  As an insider, if I wanted to tamper with your data enough to exploit an unpatched vlunerability, I will likey still be able to find a way to access the database even it the exploit is patched.

I bet I can walk into your shop and find some database password stored somewhere that would allow me to access the database directly.
0
 
LVL 3

Author Comment

by:pma111
ID: 38843048
>I bet I can walk into your shop and find some database password stored somewhere that would allow me to access the database directly.

Can you provide more specifics where youd look for these.
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 38843822
Most common places:
   App config files.
   Scripts written by people.

On unix systems, once you get to a command prompt you would be surprised how many passwords can be found with a simple: ps -ef

SOOOOOooooo many people use the username and password on the sqlplus command line like: sqlplus system/manager

A simple "ps -ef" will show that...
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article explains all about SQL Server Piecemeal Restore with examples in step by step manner.
Creating and Managing Databases with phpMyAdmin in cPanel.
This video explains at a high level with the mandatory Oracle Memory processes are as well as touching on some of the more common optional ones.
This video explains at a high level about the four available data types in Oracle and how dates can be manipulated by the user to get data into and out of the database.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now