Oracle Release 11i Security - 2 Days
Case Study
Lessons
Lesson #1:
· The security of many important web servers can be easily subverted.
· The TRUTEK attack team was able to gain Oracle access on the eBusiness Suite web server in less than 45 minutes.
· The techniques and technologies used to subvert the security of the system are widely known.
· The technical knowledge needed to stage such an attack is minimal.
Lesson #2:
· Don't assume a specific web infrastructure is secure.
· The CEO of ABC assumed the CIO had taken appropriate measures to ensure the eBusiness Suite was properly secured.
· The CIO assumed the Unix Administrators had secured the infrastructure.
· The administrators had secured the production system, but the test system was exposed to the internet and contained a copy of production.
Lesson #3:
· Simple security measures can be very effective.
· The successful attack against ABC.com could have been slowed if the system administrators had used strong passwords.
· A seemingly trivial security control such as strong passwords can be enough to deter many hackers.
Lesson #4:
· Internet security has a return on investment: maintenance and enhancement of customer trust.
· An Internet security weakness could destroy an entire business.
· What if the ABC web site was hacked by a malicious party?
· What if the hacker abused customer information and the attack was broadcast in the popular media?
· What if, suddenly, one or all of your competitors had your entire client list and all their orders?
The following issues are explored in detail:
· User Security.
· Security Changes through Forms.
· Unauthorized Code through Forms.
· Unsecured Portal Pages.
· Code run in Oracle.
· Context Decompilation of Security Code.
· Workflow Notification Emails.
· Interception of APPS password.
· Access through Test Systems.
· Network Security.
· Securing the Infrastructure.
The primary focus will be on the infrastructure and secondarily on issues related to internal controls.
- Item #: tc1-009
