Sensitive data? Bad protection can get pricey!

12 May 2022

The theft or loss of critical data costs companies millions of euros worldwide. The longer it takes to uncover and fix an IT security incident, the more expensive it gets for everyone involved. The average damage per leak is estimated at EUR 6.32 million, not to mention the irreversible damage to the victims, the brand and the company.

Generally, databases should be configured so that they permit only the functions necessary for the operation of the applications or procedures they serve. Basic protection needs to be implemented for every database system that processes personal data. In particular, the European General Data Protection Regulation (GDPR), in effect since May 2018, places high demands on the secure processing of personal data.

Attackers frequently operate in creative ways and spend a lot of time getting to understand their target; some use illegal information-gathering tools, disregarding any laws or rules. Among other things, these tools take advantage of security gaps and misconfigurations in the target to find the most promising attack vectors. Once enough information has been gathered, the attackers, usually very discreetly, proceed with the actual attack and, in too many cases, gain access to sensitive data. As data owners, officers or processors, it is useful to adopt a similar way of thinking, but with the objective of improving the security posture so that attackers cannot achieve their ends.

The solution: a tool to recognize security and data protection risks

Oracle helps with the implementation of the necessary data protection security measures and offers a tool for detecting potential security risks in Oracle databases. The Oracle Database Security Assessment Tool (DBSAT) checks up to 71 database configurations and security recommendations in accordance with Oracle Database Security Best Practices. The potential security risks it finds are documented and can, if desired or necessary, be fixed by the database administrator.

In this way, DBSAT primarily serves the short-term detection and repair of general risks and provides support for implementing a comprehensive security strategy. For permanently secure operations, however, a corresponding process and automated monitoring should be established to control the database in terms of configuration, patching and usage, as made possible, for example, by the Oracle Enterprise Manager Lifecycle Management Pack.

The tool consists of three essential components:

  • NEW: DBSAT Discoverer (detection of sensitive data)
  • DBSAT Collector (collection of configuration information)
  • DBSAT Reporter (creation of the DBSAT report)

The DBSAT Collector performs tests in the form of SQL queries (only against the Oracle Database Dictionary) and operating system commands (for the listener configuration, SQLNET.ORA, etc.) in order to collect the necessary information from the system. This data is written into a password-encrypted JSON file, which the DBSAT Reporter then uses during the analysis phase.

With the Oracle Database Security Assessment Tool, tests are performed in the following categories:

  • User accounts, privileges and roles
  • Authorization control
  • Data encryption
  • Access control
  • Password guidelines
  • Database configuration
  • Listener configuration
  • Operating system file permissions
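As an added illustration of the collector/reporter pattern and of the check categories listed above (this is not DBSAT's own code, and the 71 checks it actually runs are not reproduced here): a collector issues read-only queries against data-dictionary views, the result is held as a JSON-like snapshot, and a reporter runs rules over that snapshot and grades the findings. The dictionary views and parameter names are real Oracle ones; the snapshot values, the rule set, the severities and all function names are constructed for this example.

```python
from dataclasses import dataclass

# What a collector would ask the data dictionary (real Oracle views; the queries are
# illustrative and are not executed here). A real run needs a privileged connection;
# the constructed SNAPSHOT below stands in for the result sets.
COLLECTOR_QUERIES = {
    "DBA_USERS": "SELECT username, account_status, profile, oracle_maintained FROM dba_users",
    "DBA_PROFILES": "SELECT profile, resource_name, limit FROM dba_profiles WHERE resource_type = 'PASSWORD'",
    "DBA_ROLE_PRIVS": "SELECT grantee, granted_role FROM dba_role_privs WHERE granted_role = 'DBA'",
    "V$PARAMETER": "SELECT name, value FROM v$parameter",
}

# Constructed sample snapshot (made-up values; column names follow the views above).
SNAPSHOT = {
    "DBA_USERS": [
        {"USERNAME": "SYS",    "ACCOUNT_STATUS": "OPEN",             "PROFILE": "DEFAULT",     "ORACLE_MAINTAINED": "Y"},
        {"USERNAME": "SCOTT",  "ACCOUNT_STATUS": "OPEN",             "PROFILE": "DEFAULT",     "ORACLE_MAINTAINED": "Y"},
        {"USERNAME": "OUTLN",  "ACCOUNT_STATUS": "EXPIRED & LOCKED", "PROFILE": "DEFAULT",     "ORACLE_MAINTAINED": "Y"},
        {"USERNAME": "HR_APP", "ACCOUNT_STATUS": "OPEN",             "PROFILE": "APP_PROFILE", "ORACLE_MAINTAINED": "N"},
    ],
    "DBA_PROFILES": [
        {"PROFILE": "DEFAULT",     "RESOURCE_NAME": "PASSWORD_LIFE_TIME",    "LIMIT": "UNLIMITED"},
        {"PROFILE": "DEFAULT",     "RESOURCE_NAME": "FAILED_LOGIN_ATTEMPTS", "LIMIT": "10"},
        {"PROFILE": "APP_PROFILE", "RESOURCE_NAME": "PASSWORD_LIFE_TIME",    "LIMIT": "90"},
        {"PROFILE": "APP_PROFILE", "RESOURCE_NAME": "FAILED_LOGIN_ATTEMPTS", "LIMIT": "UNLIMITED"},
    ],
    "DBA_ROLE_PRIVS": [
        {"GRANTEE": "SYS", "GRANTED_ROLE": "DBA"},
        {"GRANTEE": "HR_APP", "GRANTED_ROLE": "DBA"},
    ],
    "V$PARAMETER": [
        {"NAME": "remote_os_authent", "VALUE": "TRUE"},
        {"NAME": "audit_trail", "VALUE": "NONE"},
    ],
}

ADMIN_ACCOUNTS = {"SYS", "SYSTEM"}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    subject: str
    detail: str


def check_user_accounts(snap):
    """Oracle-maintained sample/demo accounts should be locked; only SYS/SYSTEM may stay open."""
    return [
        Finding("User accounts", "MEDIUM", u["USERNAME"],
                "Oracle-maintained account is OPEN; lock it unless it is required")
        for u in snap["DBA_USERS"]
        if u["ORACLE_MAINTAINED"] == "Y" and u["USERNAME"] not in ADMIN_ACCOUNTS
        and u["ACCOUNT_STATUS"] == "OPEN"
    ]


def check_privileges(snap):
    """The DBA role should not be granted to application accounts."""
    return [
        Finding("Privileges and roles", "HIGH", r["GRANTEE"],
                "DBA role granted to a non-administrative account")
        for r in snap["DBA_ROLE_PRIVS"]
        if r["GRANTED_ROLE"] == "DBA" and r["GRANTEE"] not in ADMIN_ACCOUNTS
    ]


def check_password_profiles(snap):
    """Password-policy limits set to UNLIMITED defeat expiry and lockout."""
    rules = {"PASSWORD_LIFE_TIME": "MEDIUM", "FAILED_LOGIN_ATTEMPTS": "HIGH"}
    return [
        Finding("Password guidelines", rules[p["RESOURCE_NAME"]],
                f'{p["PROFILE"]}.{p["RESOURCE_NAME"]}', "limit is UNLIMITED")
        for p in snap["DBA_PROFILES"]
        if p["RESOURCE_NAME"] in rules and p["LIMIT"] == "UNLIMITED"
    ]


def check_parameters(snap):
    """Initialization parameters with known-risky values (constructed rule set)."""
    risky = {
        "remote_os_authent": ("TRUE", "HIGH", "trusts the client OS identity over the network"),
        "audit_trail": ("NONE", "MEDIUM", "no auditing of database activity"),
    }
    out = []
    for p in snap["V$PARAMETER"]:
        bad_value, severity, why = risky.get(p["NAME"], (None, None, None))
        if bad_value is not None and p["VALUE"].upper() == bad_value:
            out.append(Finding("Database configuration", severity, p["NAME"],
                               f"{p['NAME']}={p['VALUE']}: {why}"))
    return out


CHECKS = [check_user_accounts, check_privileges, check_password_profiles, check_parameters]


def assess(snap):
    """Run every check over a snapshot and return all findings."""
    findings = []
    for check in CHECKS:
        findings.extend(check(snap))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def render_report(findings):
    """Plain-text report, most severe first."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.category, f.subject))
    return "\n".join(f"[{f.severity}] {f.category}: {f.subject} - {f.detail}" for f in ordered)


if __name__ == "__main__":
    result = assess(SNAPSHOT)
    print(render_report(result))
    print(summarize(result))
```

The snapshot is the sensitive artifact in this pattern: it lists open accounts, role grants and parameter values, which is why the real tool encrypts the collector output with a password before the reporter consumes it. Running the checks offline over a snapshot also keeps the database side to read-only dictionary queries.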

We at PROMATIS put DBSAT to the acid test and set it up with the help of a test database. The installation and configuration of the tool components was completed successfully within a few hours. The overall process is shown in Fig. 1. Only after DBSAT has carried out its analyses does the real excitement begin: identifying and implementing the necessary measures.

Fig. 1: Application of DBSAT

My conclusion on the Oracle Database Security Assessment Tool:

  • Rapidly analyzes the current security status of a database
  • Identifies sensitive data to detect risks and adequate security controls
  • Reduces risk exposure by using proven best practices
  • Accelerates compliance with the EU GDPR (EU-DSGVO) and other requirements
  • Supports Oracle Database 10g, 11g, 12c and 18c
  • Free for Oracle customers
  • Fast provision and use

Author: Michael Pergande

Image: © Vertigo3d/