Re: Security audit of Oracle databases

On Apr 12, 2005 6:35 PM, MacGregor, Ian A. <ian_at_slac.stanford.edu> wrote:
> Oracle's willingness to allow potential customers to download the =
> product and take it for a test spin is great. Suppose however, someone =
> installs Oracle on his desktop. The installation will not be maintained, =
> it will not be patched. The possibiliy for compromise is signifiicant. =
> The person who only wanted to learn Oracle and discovers someone has =
> taken over his machine.

Or the person who installs Visio and finds that you get a free M$-SQL server install so being vulnerable to a number of worms. Or the person who buys a PC with M$ Windows XP pre-installed and turns on the firewall so thinks they're safe, but doesn't know that it exposes RPC services to the internet (if you install a firewall that blocks them then FTP will fail intermittantly, it can't use the secondary FTP server for some reason). Maybe they install any one of a number of personal firewall products, not realising that most of them are decidedly pourous (Zone Alarm seems to be the best). Perhaps they let their antivirus software get out of date. Or click on email attachments with filenames like funnybunny.jpg.exe. Or the person who turns on Telnet and tFTP on their Linux/Unix/FreeBSD box so they can access it from other boxes on their home wireless network not realising that they've just opened it up to anyone within 100m.

Any software setup/maintained (or even just used) by someone who doesn't know what they're doing has the chance of being a security risk. What's important is how easy it is for someone who does know what they are doing to turn off those services that aren't needed and to secure those that are.

Stephen

-- 
It's better to ask a silly question than to make a silly assumption.
--
http://www.freelists.org/webpage/oracle-l