Chapter 11
Advanced Defense and Forensic Response
To succeed in defending an organization against a cyber attack, the key skill is the ability to control
complexity. Protecting assets is often described as "asymmetric": the effort of controlling all of the internal
complexity is much greater than the effort an external attacker needs to find a single issue. If you have worked with
Oracle for some time you will have noticed that the software is complex, and that some administrators tend to increase
that complexity, especially when they are the only ones who know how to operate it. This does not bode well for a
controlled baseline that is provably and measurably secure to the organization's standard.
Additionally, organizational incentives are weighted so that an individual department's interests are better
served by concentrating on making money than by spending it on security. The real loss from a breach is borne by
the whole organization's reputation, but the gain from not spending on security is local profit, and local profit is
more immediately realized by the decision maker. This imbalance of incentives is why security is normally
driven by external force from compliance programs designed to satisfy auditors outside the department or
organization. External audits can suffer from a lack of hands-on involvement with the actual systems concerned, and
there is a perception that audits can be passed without necessarily fully implementing the appropriate
security measures.
Those of us who have achieved ground-level risk reductions, in addition to passing audits,
are acutely aware that technical tools which let the defender work more quickly and efficiently than the
attacker, and so reduce complexity efficiently, are the main defense against becoming front-page news for the
wrong reasons.
An example of controlling complexity in order to defend security is the PUBLIC role. We will now learn to
state-check that role on 12c, then how to state-check more holistically from the OS, and then cover some
advanced security items before moving on to a summary of Oracle forensics.
Controlling the PUBLIC Role
At the end of the previous chapter we wanted to state-check PUBLIC, but were concerned by the numerous additional
INHERIT PRIVILEGES grants made to PUBLIC (12c grants INHERIT PRIVILEGES on every newly created user to PUBLIC by
default, so their number changes every time an account is added). Let's work on reducing that complexity.
State-Checking Query
To meet our requirement of controlling the complexity of PUBLIC's privileges, we can amend our previous state-checking
query. The following version omits the varying and less critical INHERIT PRIVILEGES grants that Oracle silently makes
to PUBLIC over time. Three details matter for a hash that is stable across runs: the privilege name as recorded in
DBA_TAB_PRIVS is INHERIT PRIVILEGES, string literals inside the text passed to gethash must use doubled single
quotes (double quotes in Oracle delimit identifiers, not strings), and the inner query needs an ORDER BY so that the
row order, and therefore the hash, is deterministic. The second argument selects the digest (2 = MD5; 3 = SHA-1):
select DBMS_SQLHASH.gethash('select * from dba_tab_privs where privilege != ''INHERIT PRIVILEGES'' order by grantee, owner, table_name, grantor, privilege', 2) from dual;
Note that EXECUTE on DBMS_SQLHASH is not granted to PUBLIC, so the check runs as SYS or as an account that has been
granted it explicitly.
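The hash alone tells you that something changed, not what. The following is an added example, not code from the book: it narrows the check to the object privileges of PUBLIC (the subject of this section), stores a baseline snapshot, compares the live dictionary against it with DBMS_SQLHASH, and on drift lists the grants that were added or removed. The table name pubpriv_baseline is an assumption for illustration; it is assumed to run as a DBA with EXECUTE on DBMS_SQLHASH and SERVEROUTPUT on.

```sql
-- Added example (not from the book). Assumed table name: pubpriv_baseline.
-- Step 1: capture the baseline. INHERIT PRIVILEGES grants are excluded because
-- 12c adds one to PUBLIC for every new user, which would change the hash
-- without any real change in what PUBLIC can do.
CREATE TABLE pubpriv_baseline AS
SELECT owner, table_name, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege != 'INHERIT PRIVILEGES';

SET SERVEROUTPUT ON

-- Step 2: state-check the live dictionary against the baseline.
DECLARE
    -- Both queries use the same column list and the same ORDER BY so that
    -- identical data always produces an identical hash.
    c_live CONSTANT VARCHAR2(4000) :=
        'SELECT owner, table_name, grantor, privilege, grantable
           FROM dba_tab_privs
          WHERE grantee = ''PUBLIC''
            AND privilege != ''INHERIT PRIVILEGES''
          ORDER BY owner, table_name, grantor, privilege, grantable';
    c_base CONSTANT VARCHAR2(4000) :=
        'SELECT owner, table_name, grantor, privilege, grantable
           FROM pubpriv_baseline
          ORDER BY owner, table_name, grantor, privilege, grantable';
    v_live RAW(64);
    v_base RAW(64);
BEGIN
    -- digest_type 3 = SHA-1 (the page uses 2 = MD5; either detects change,
    -- but prefer the stronger digest when the value is kept as evidence).
    v_live := DBMS_SQLHASH.GETHASH(c_live, 3);
    v_base := DBMS_SQLHASH.GETHASH(c_base, 3);

    IF v_live = v_base THEN
        DBMS_OUTPUT.PUT_LINE('OK: PUBLIC object privileges match baseline '
                             || RAWTOHEX(v_base));
    ELSE
        DBMS_OUTPUT.PUT_LINE('DRIFT: live ' || RAWTOHEX(v_live)
                             || ' != baseline ' || RAWTOHEX(v_base));

        -- Grants PUBLIC holds now that were not in the baseline.
        FOR r IN (SELECT owner, table_name, grantor, privilege, grantable
                    FROM dba_tab_privs
                   WHERE grantee = 'PUBLIC'
                     AND privilege != 'INHERIT PRIVILEGES'
                  MINUS
                  SELECT owner, table_name, grantor, privilege, grantable
                    FROM pubpriv_baseline)
        LOOP
            DBMS_OUTPUT.PUT_LINE('  ADDED   ' || r.owner || '.' || r.table_name
                                 || ' ' || r.privilege || ' (grantor ' || r.grantor || ')');
        END LOOP;

        -- Grants that were in the baseline but have since been revoked.
        FOR r IN (SELECT owner, table_name, grantor, privilege, grantable
                    FROM pubpriv_baseline
                  MINUS
                  SELECT owner, table_name, grantor, privilege, grantable
                    FROM dba_tab_privs
                   WHERE grantee = 'PUBLIC'
                     AND privilege != 'INHERIT PRIVILEGES')
        LOOP
            DBMS_OUTPUT.PUT_LINE('  REMOVED ' || r.owner || '.' || r.table_name
                                 || ' ' || r.privilege || ' (grantor ' || r.grantor || ')');
        END LOOP;
    END IF;
END;
/
```

Run step 1 once on a known-good system and step 2 on a schedule; an ADDED line whose owner is an application schema is the case worth chasing, since it means an object has been exposed to every account in the database. Re-run step 1 only after the change has been reviewed and accepted, so the baseline remains a record of approved state rather than of whatever is currently there.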