Tennessee Board of Regents
DBA Collaborative

Security: It’s everyone's responsibility

Presented by:
Jeff Hinds, DBA
Greg Turmel, DBA
Securing all levels of Information Access

UNIX Level: User Accounts
Source Database Level: User accounts
Mid-Tier Level: Application accounts
Operational Data Store: ETL
Enterprise Data Warehouse: Application Accounts
Reporting Application Level: Argos reporting
Securing all levels of Information Access

Hardware sharing – Multiple databases on a single server
    : reduced security on one database exposes the others
    : 3-tier model for separation of hardware

Listener sharing – Multiple databases on a single listener
    : if the listener is taken down, all services are affected
    : password protecting the listener

INB / SSB sharing – Multiple services supporting many user interfaces
    : if one service is hacked, the attacker gains access to all apps on the box
    : resource limitation causing DOS (denial of service)
    : network / application timeouts
Database Security using PROFILES:

       – When to use, how to use, why you should use them.

Example:
       CREATE PROFILE TBR_DBA LIMIT
         SESSIONS_PER_USER          DEFAULT
         CPU_PER_SESSION            DEFAULT
         CPU_PER_CALL               DEFAULT
         CONNECT_TIME               DEFAULT
         IDLE_TIME                  DEFAULT
         LOGICAL_READS_PER_SESSION  DEFAULT
         LOGICAL_READS_PER_CALL     DEFAULT
         COMPOSITE_LIMIT            DEFAULT
         PRIVATE_SGA                DEFAULT
         FAILED_LOGIN_ATTEMPTS      3           -- lock the account after 3 failed logins
         PASSWORD_LIFE_TIME         90          -- days before the password expires
         PASSWORD_REUSE_TIME        UNLIMITED   -- with one of REUSE_TIME / REUSE_MAX UNLIMITED and the
         PASSWORD_REUSE_MAX         5           -- other a number, Oracle never allows a password to be reused
         PASSWORD_LOCK_TIME         .0415       -- days the account stays locked (about one hour)
         PASSWORD_GRACE_TIME        7           -- days of warnings after expiry before logins are refused
         PASSWORD_VERIFY_FUNCTION   VERIFY_FUNCTION;
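A profile only protects the accounts that are assigned to it. The following is an added example, not part of the deck: it assigns the TBR_DBA profile to a (hypothetical) user JDOE and then resolves, for every open account, the password limits that are actually in force, so accounts still on a profile that never locks, never expires or never checks complexity can be found. It reads the standard DBA_PROFILES and DBA_USERS views.

```sql
-- Added example (not from the deck): assign the profile, then audit the
-- effective password limits of every open account. JDOE is hypothetical.
ALTER USER jdoe PROFILE TBR_DBA;

-- Resolve the effective password limits per profile. In DBA_PROFILES a limit
-- of 'DEFAULT' means "inherit from the DEFAULT profile", so look that value up.
WITH pw_limits AS (
  SELECT p.profile,
         p.resource_name,
         CASE
           WHEN p.limit = 'DEFAULT'
             THEN (SELECT d.limit
                     FROM dba_profiles d
                    WHERE d.profile = 'DEFAULT'
                      AND d.resource_name = p.resource_name)
           ELSE p.limit
         END AS effective_limit
    FROM dba_profiles p
   WHERE p.resource_type = 'PASSWORD'
)
-- Open accounts whose effective policy never locks on failed logins, never
-- expires the password, or has no verify function (shown as the string 'NULL').
SELECT u.username,
       u.profile,
       l.resource_name,
       l.effective_limit
  FROM dba_users u
  JOIN pw_limits l ON l.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND (   (l.resource_name = 'FAILED_LOGIN_ATTEMPTS'    AND l.effective_limit = 'UNLIMITED')
        OR (l.resource_name = 'PASSWORD_LIFE_TIME'       AND l.effective_limit = 'UNLIMITED')
        OR (l.resource_name = 'PASSWORD_VERIFY_FUNCTION' AND l.effective_limit = 'NULL'))
 ORDER BY u.username, l.resource_name;
```

An empty result set means every open account is covered by a locking, expiring, complexity-checked policy; each row returned names an account and the specific limit that still needs a profile like TBR_DBA.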
Database Security using ROLES:

       – What are roles, what can I do with them, and why?

Example:
              CREATE ROLE TBR_DEV NOT IDENTIFIED;

              GRANT ALTER ANY INDEX TO TBR_DEV;
              GRANT ALTER ANY TABLE TO TBR_DEV;

              GRANT DELETE ANY TABLE TO TBR_DEV;
              GRANT INSERT ANY TABLE TO TBR_DEV;
              GRANT SELECT ANY TABLE TO TBR_DEV;
              GRANT UPDATE ANY TABLE TO TBR_DEV;

              GRANT ALTER ANY TRIGGER TO TBR_DEV;
              GRANT CREATE ANY SYNONYM TO TBR_DEV;
              GRANT SELECT ANY SEQUENCE TO TBR_DEV;
              GRANT EXECUTE ANY PROCEDURE TO TBR_DEV;
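Every privilege in the TBR_DEV role above is an "ANY" system privilege, which reaches objects in every schema rather than only the developer's own. The following is an added example, not part of the deck: it shows how to review who holds the role and what it carries, how to grant it so that it is enabled only on demand, and how to audit use of its broadest privileges. JDOE is a hypothetical user; the views and statements are standard Oracle.

```sql
-- Added example (not from the deck): review and tighten the TBR_DEV role.

-- 1. Who holds the role, and is it enabled automatically at logon (DEFAULT_ROLE)?
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'TBR_DEV'
 ORDER BY grantee;

-- 2. System privileges the role carries. Each "ANY" privilege applies to
--    objects in every schema, not only the developer's own.
SELECT privilege, admin_option
  FROM role_sys_privs
 WHERE role = 'TBR_DEV'
 ORDER BY privilege;

-- 3. Grant the role but keep it disabled by default, so a developer session
--    has the ANY privileges only after an explicit SET ROLE. JDOE is hypothetical.
GRANT TBR_DEV TO jdoe;
ALTER USER jdoe DEFAULT ROLE ALL EXCEPT TBR_DEV;

-- 4. Record every use of the broadest privileges in the audit trail
--    (the instance must have AUDIT_TRAIL set to DB or OS for this to be written).
AUDIT SELECT ANY TABLE, DELETE ANY TABLE, EXECUTE ANY PROCEDURE BY ACCESS;

-- In the developer's own session, only when the privileges are actually needed:
SET ROLE TBR_DEV;
```

After step 3, a query in JDOE's session against another schema fails with "table or view does not exist" until SET ROLE TBR_DEV is issued, which makes the use of the broad privileges deliberate and, with step 4, visible in DBA_AUDIT_TRAIL.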
Securing all levels of Information Access

    Network Devices
    Applications
    Databases
    Servers
    Desktops / Laptops
    Printers: Yes, but why?
    Backups: Yes, but why?
Securing user access with password complexity

Password Verify function:
      ALTER PROFILE TBR_DBA LIMIT
      PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION
      /

Character classes checked by VERIFY_FUNCTION (excerpt of the function body):
      BEGIN
         digitarray := '0123456789';
         chararray  := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
         punctarray := '!"#$%&()``*+,-/:;<=>?_';

Alternatives:
      – Do not use a password verify function in your user profiles when the
        authentication process is defined outside of the Oracle database profile.
        Examples:
            LUMINIS authentication
            LDAP authentication
            Active Directory authentication
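The slide shows only the three character-class strings of the verify function. The following is an added example, not the deck's code and not Oracle's utlpwdmg.sql, that builds a complete verify function around those same classes: minimum length, not equal to the user name, at least one character from each class, and at least three positions different from the previous password. It must be created as SYS, and the limits (8 characters, 3 differing positions) are this example's choices, not values from the deck.

```sql
-- Added example (not from the deck): a complete password verify function using
-- the digit / letter / punctuation classes shown on the slide. Create as SYS.
-- It runs only for database-authenticated users (IDENTIFIED BY); accounts
-- authenticated by LDAP, Active Directory or Luminis never reach it.
CREATE OR REPLACE FUNCTION verify_function
  (username     VARCHAR2,
   password     VARCHAR2,
   old_password VARCHAR2)
RETURN BOOLEAN IS
  digitarray VARCHAR2(20) := '0123456789';
  chararray  VARCHAR2(52) := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
  punctarray VARCHAR2(25) := '!"#$%&()``*+,-/:;<=>?_';
  differ     PLS_INTEGER;

  -- TRUE when at least one character of pw belongs to class_set
  FUNCTION has_class(pw VARCHAR2, class_set VARCHAR2) RETURN BOOLEAN IS
  BEGIN
    FOR i IN 1 .. LENGTH(pw) LOOP
      IF INSTR(class_set, SUBSTR(pw, i, 1)) > 0 THEN
        RETURN TRUE;
      END IF;
    END LOOP;
    RETURN FALSE;
  END has_class;
BEGIN
  -- Minimum length (8 is this example's choice)
  IF LENGTH(password) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;

  -- Must not be the user name
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20002, 'Password must not be the same as the user name');
  END IF;

  -- At least one digit, one letter and one punctuation character
  IF NOT has_class(password, digitarray)
     OR NOT has_class(password, chararray)
     OR NOT has_class(password, punctarray) THEN
    raise_application_error(-20003,
      'Password must contain at least one digit, one letter and one punctuation character');
  END IF;

  -- Must differ from the previous password in at least 3 positions.
  -- old_password is NULL when the change is made without the REPLACE clause.
  IF old_password IS NOT NULL THEN
    differ := ABS(LENGTH(old_password) - LENGTH(password));
    FOR i IN 1 .. LEAST(LENGTH(old_password), LENGTH(password)) LOOP
      IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    IF differ < 3 THEN
      raise_application_error(-20004,
        'Password must differ from the previous password by at least 3 characters');
    END IF;
  END IF;

  RETURN TRUE;
END verify_function;
/

-- Attach the function to the profile, as on the slide.
ALTER PROFILE TBR_DBA LIMIT PASSWORD_VERIFY_FUNCTION verify_function;
```

Once attached, any ALTER USER ... IDENTIFIED BY on a TBR_DBA account that fails a check is rejected with the ORA-20001 to ORA-20004 message raised here, so the rule that failed is visible to the user and in the error.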
DATA SECURITY BREACHES (REPORTED IN THE PRESS SINCE MARCH 2005)
SOURCE: Privacy Rights Clearinghouse

DATE            | NAME (Location)                          | TYPE OF BREACH                                                                                                                                                                    | INDIVIDUALS NOTIFIED
December 2007   | Voter Registration Office (Nashville, TN) | Laptops stolen                                                                                                                                                                    | 100,000+
Sept. 22, 2006  | Purdue University College of Science     | A file on a desktop computer in the Chemistry Department may have been accessed illegitimately. The file contained names, SSNs, school, major, and e-mail addresses of people who were students in 2000. | 2,482
Jan. 23, 2006   | Univ. of Notre Dame                      | Hackers accessed Social Security numbers, credit card information and check images of school donors.                                                                          | Unknown
March 28, 2005  | U Chicago Hospital (Chicago, IL)         | Dishonest insider                                                                                                                                                                 | Unknown
Sept. 15, 2005  | Miami Univ.                              | Exposed online                                                                                                                                                                    | 21,762
Sept. 22, 2005  | City University of New York              | Exposed online                                                                                                                                                                    | 350
Dec. 16, 2005   | Colorado Tech. Univ.                     | Email erroneously sent containing names, phone numbers, email addresses, Social Security numbers and class schedules.                                                          | 1,200

http://www.washington.edu/president/tacs/utac/meetings/2006-07/materials/10.03.data.security.breaches.report.pdf
Securing Access: both physical as well as virtual

TOTALS: 95 Incidents

Types of Incidents:
    53 external hacks
    20 stolen/lost (2) computers
    11 handling errors
    8 exposed online
    1 armed robbery
    1 stolen storage device
    1 malicious insider

Total Number of Individuals Notified: 3,024,217
    (including unknowns; maybe as high as 3.2 - 3.5 million)
Security: Application Information Access

Banner Security Classes: Job Role classes (BANSECR), Finance (FOMPROF), BAN_DEFAULT_ROLES
Oracle Default Roles: DBA, RESOURCE
Oracle Grants: SELECT ANY (table, dictionary), EXECUTE ANY (procedure)
Third Party: Evisions, Argos, Appworx, etc.
Security: Application Information Access

Banner Passwords: Business Rules / Procedures
Oracle Passwords: Business Rules / Procedures
UNIX Passwords: Business Rules / Procedures
Third Party Apps: Business Rules / Procedures
Firewall access: Ports, IP, SSL, services
Security: Application Information Access

Establish Business Rules / Procedures for each of:
    Oracle DBA Access
    UNIX Admin Access
    BANSECR Security Admin
    Argos Reporting Admin Access
    Finance / Payroll Access
    Developer / Programmer Access
    TNSNAMES netconfig information
    Source System Access
    Target System Access
    ETL / data feed Access

Federal / State Legislature (law), HIPAA, SOX 404, etc.
Contact Information: http://idba.tbr.edu
iDBA Web Site: idba.tbr.edu

Jeff D. Hinds, OCP
Database Administrator
Tennessee Board of Regents
1415 Murfreesboro Road, Suite 358
Nashville, TN 37217
Email: jeff.hinds@tbr.edu
(Office) 615.366.4488

Greg Turmel
Database Administrator
Tennessee Board of Regents
1415 Murfreesboro Rd., Suite 358
Nashville, TN 37217
Email: greg.turmel@tbr.edu
(Office) 615.366.4467

It symposium 2008 fcf-security_is_everyones_responsibility
