RE: db unsolicited access

From: Newman, Christopher <cjnewman_at_uillinois.edu>
Date: Tue, 26 Jan 2016 16:47:03 +0000
Message-ID: <7C5A0D167BEADF4C984A9167609E8E0FB27F7AB1_at_chimbx3.ad.uillinois.edu>

I believe you could use logminer for this, although it can be quite onerous depending on the time frame you need to look at.

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Seth Miller Sent: Tuesday, January 26, 2016 10:44 AM To: Niall Litchfield <niall.litchfield_at_gmail.com> Cc: emjay.mody_at_gmail.com; ORACLE-L <oracle-l_at_freelists.org> Subject: Re: db unsolicited access

MJ,

Database auditing is your friend. You can audit almost anything in the database, including queries but it won't do you any good unless you have it turned on and correctly configured before the threat happens.

Database Firewall and Database Vault can also help with diagnosis and even prevention in these situations but again, they have to be in place and running before the event occurs.

Seth Miller

On Tue, Jan 26, 2016 at 3:30 AM, Niall Litchfield <niall.litchfield_at_gmail.com<mailto:niall.litchfield_at_gmail.com>> wrote: Hypotheticals don't work here. You'd need to understand the specific threat and timeframes involved and investigate accordingly. If you are concerned about object definition changes you'd look for evidence of that, for data changes a different set of specific steps would be required.

I'd expect the in-house info sec team to lead on this, potentially with external consultancy as well.

On Tue, Jan 26, 2016 at 2:42 AM, MJ Mody <emjay.mody_at_gmail.com<mailto:emjay.mody_at_gmail.com>> wrote: Oracle Experts
I have a hypothetical scenario and apologize for open-ended questions. I will not confirm or deny the following statements. Say your management just got word that some clients' pcs had malware that compromised external facing applications and database objects supporting these applications. While there are v$ and dba_ views that DBA can use to investigate the severity. Any recommendations or sql that DBA can run to do 'damage assessment' or 'damage control'. Your insight is greatly appreciated.

Best
MJ--
http://www.freelists.org/webpage/oracle-l<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.freelists.org_webpage_oracle-2Dl&d=BQMFaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=nuksxWpfCowpBg4Cp5kXjpZaU1tTDw8lEWmpll_GZcQ&m=u74OPYIxJ5X1qKMo37JHbjjmeHeSD5_LJnttjH3YdI8&s=6G7JM00lvSphHF3q0tGN5GcrbTxr8LIjV7LLBku8Tvg&e=>

--

Niall Litchfield
Oracle DBA
http://www.orawin.info<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.orawin.info&d=BQMFaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=nuksxWpfCowpBg4Cp5kXjpZaU1tTDw8lEWmpll_GZcQ&m=u74OPYIxJ5X1qKMo37JHbjjmeHeSD5_LJnttjH3YdI8&s=aJAqPLZ3jVBj_7xyisuacocewUkAq07PJPqEuQnaBZ8&e=>

--

http://www.freelists.org/webpage/oracle-l Received on Tue Jan 26 2016 - 17:47:03 CET

This message: [ Message body ]
Next message: Dennis Williams: "Re: db unsolicited access"
Previous message: Seth Miller: "Re: db unsolicited access"
In reply to: Seth Miller: "Re: db unsolicited access"
Next in thread: Dennis Williams: "Re: db unsolicited access"
Reply: Dennis Williams: "Re: db unsolicited access"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message