Security Methods and How They Are Applied in Oracle...

MARIA KORSAKOVA

Security Methods andHow They Are Applied in

Oracle Products

University of Eastern FinlandDepartment of Computer Science

Contents

1 INTRODUCTION 1

2 INTRODUCTION TO DATABASE SECURITY 42.1 History of Database Security . . . . . . . . . . . . . . 42.2 Relational Database Model . . . . . . . . . . . . . . . 52.3 Database Security . . . . . . . . . . . . . . . . . . . . . 8

3 DESCRIPTION OF ORACLE DATABASE VAULT PROD-UCT 163.1 Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.2 Mandatory Realms . . . . . . . . . . . . . . . . . . . . 183.3 Configuration Controls and Separation of Duties . . 183.4 Application Protection Policies . . . . . . . . . . . . . 203.5 Oracle Database Vault Command Rules and Factors . 203.6 Oracle Database Vault Reports . . . . . . . . . . . . . 213.7 Installation . . . . . . . . . . . . . . . . . . . . . . . . . 21

4 PCI-DSS STANDARD 234.1 Build and Maintain a Secure Network . . . . . . . . . 254.2 Protect Cardholder Data . . . . . . . . . . . . . . . . . 274.3 Maintain a Vulnerability Management Program . . . 274.4 Implement Strong Access Control Measures . . . . . 284.5 Regularly Monitor and Test Networks . . . . . . . . . 284.6 Maintain an Information Security Policy . . . . . . . 29

5 PCI-DSS COMPLIANCE CHECK FOR ORACLEDATABASE VAULT 305.1 Requirement 2: Password Management . . . . . . . . 335.2 Requirement 3: Stored Data . . . . . . . . . . . . . . 335.3 Requirement 6: Secure Systems and Applications . . 345.4 Requirement 7: Access Restriction . . . . . . . . . . . 34

5.5 Requirement 8: Unique Identification . . . . . . . . . 375.6 Requirement 10: Monitoring . . . . . . . . . . . . . . 375.7 Requirement A.1: Shared Hosting Providers . . . . . 385.8 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 39

6 CONCLUSION AND FUTURE WORK 41

REFERENCES 43

A ORACLE DATABASE SECURITY CHECKLIST 45

B KEY FEATURES AND BENEFITS OF ORACLEDATABASE VAULT 52

C ORACLE DATABASE VAULT PROVIDES ESSENTIALSAFEGUARDS AGAINST COMMON THREATS 53

D THE PCI-DSS REQUIREMENTS 54

ABSTRACT

The purpose of this work was to show how Oracle Database Vaultproduct implements security methods to protect sensitive data fromunauthorized access by priviledged users and show how thesesecurity methods help to comply with Payment Card Industry DataSecurity Standard (PCI DSS).

This work is meant for enterprise clients from Payment CardIndustry, who have strict requirements to comply with a large setof security standards. This work helps such clients to identify levelof Oracle Database Vault compliance with PCI DSS and plan theirsecurity strategy accordingly.

Amount of threats caused by unauthorized access from priv-iledge accounts have increased lately and became a big securityrisk for organizations who is not yet considered to protect theirdata from internal access. In this Thesis we will check what kindof methods Oracle Database Vault has for protecting organizationfrom internal threats.

Moreover, we will do a reseach to identify how Oracle DatabaseVault complies with widely known Payment Card Industry DataSecurity Standard. Organizations that handle cards from majorcard industry vendors should be compliant with PCI DSS. PCI DSSstandard was created to put more control around cardholder data.

Case Study method was used as a reseach method to investigateOracle Database Vault PCI DSS compliance. Phases approach wasused to achieve desired results. The first phase included researchof Oracle Database Vault product, it’s methods and features. Thesecond phase consisted of PCI DSS standard study and deepunderstanding of each requirement. During the third phase wereidentified and excluded all not relevant to Oracle Database Vaultrequirements of PCI DSS standard. The fourth phase consistedof more deep investigation of relevant requirements and possibleOracle Dabase Vault compliance with them, as well as deeperinvestigation on Oracle Database Vault methods and concept to

support compliance with PCI DSS standard requirements. Allrelevant requirements were supported with security methods andfeatures description of Oracle Database Vault for clear understand-ing compliance of the product with such requirements. Last phaseof the research was done to provide general analysis on OracleDatabase Vault results.

Requirement by requirement will be handled and investigatedto check Oracle Database compliance with each of the requirementspresented in PCI DSS. As a result we will get list of requirementsthat Oracle Database Vault complies with and explanations whatsecurity method helps to comply with each requirement. In aconclusion of this Thesis final results of this work and topics forfuture investigations will be presented.

Reference part of the Thesis is relatively small due to specifictopic of the Thesis. This Thesis is concentrated mainly on enterpriseproduct of one company. Oracle Database Vault is supplied withOracle Database Enterprise Edition, which means it is not publiclyavailable. Thus materails that can be used are very limited, as wellas they all are located on company’s official internet site.

5

Acknowledgements

This Thesis has taken many years of work from 2006 to 2015. It wentthrough different stages and changes, but finally has come to logicalend. During all these years many people have been participating inmoving my reseach further directly or indirectly. I would like tothank everyone who helped me on my long way to the finish.

Special thanks to University of Eastern Finland staff for supportand understanding, together with prompt help in all matters.

I would like to thank my supervisor Dr. Keijo Haataja andexaminator professor Pekka Toivanen for their cooperation, theirrapid help and their valuable comments and suggestions.

I would like to express my dearest thanks to my family forendless support, patience and believe in me. Everytime when Ifelt that I am stuck or I have no energy to proceed they motivatedme and supported. Without my family support I would never beenable to be where I am now. My biggest thanks goes to my husbandAlexey and son Petr. My husband has provided very valuablecomments and he has shown patience and understanding. My sonhas added fun to my life by being so happy.

Helsinki 2015Maria Korsakova

ABBREVIATIONS

ASV Approved Scanning Vendor.

CRSF Cross-site Request Forgery.

DAM Database Activity Monitoring.

DAMP Database Activity Monitoring and Prevention.

DBA Database Administrator.

DB Database.

DBMS Database Management System.

DDL Data Definition Language.

DMZ Demilitarized Zone.

DNS The Domain Name System.

DoS Denial of Service Attack.

GPRS General Packet Radio Service.

IDMS Integrated Database Management System.

IMS IBM Information Management System.

IDS/2 Integrated Data Store.

IP Internet Protocol.

IPS Intrusion Prevention Systems.

IT Information Technology.

LAN A Local Area Network.

LDAP The Lightweight Directory Access Protocol.

NAT Network Address Translation.

OS Operating System.

OTN Oracle Technology Network.

PAN Primary Account Number.

PCI-DSS Payment Card Industry Data Security Standard.

PCI-SSC Payment Card Industry Security Standards Council.

PIN Personal Identification Number.

RADIUS Remote Authentication and Dial-In User Service.

SDP Site Data Protection Program.

SNMP Simple Network Management Protocol.

SSH Secure Shell.

SSL/TLS Secure Sockets Layer / Transport Layer Security.

SYSDBA System Database Administrator.

TACACS Terminal Access Controller Access Control System.

URL Uniform Resource Locator.

WEP Wired Equivalent Privacy.

XSS Cross-Site Scripting.

1 IntroductionUtilization of databases in everyday life has dramatically increasedin recent years which makes database security a very importanttopic. We are using databases in our everyday life, but most ofthe services provided in Internet, in shops, or at work usually relyon databases. The increasing amount and type of data stored indatabases makes the information that they contain more sensitiveto illegal access. As IT market grows, database security will becomemore critical issue. Forms of malicious attacks and many differentways of intercepting sensitive data have changed in the recent years.New methods of security are required to protect sensitive data fromunauthorized access.

It is common to consider viruses, worms and hackers as themajor risk source for the database security. However, nowadays,the most potential threats are considered to be the outside treats likeviruses, worms, and hackers, but potential danger can come frommuch closer and unexpected place. Nowadays privileged databaseaccounts are very common way to access sensitive data stored in thedatabase. Unauthorized access by privileged users has became avery big threat for organizations owning large volumes of sensitivedata.

This Thesis will describe quite unique product in current market,which provides powerful security methods to protect access ofsensitive data by privileged accounts. It helps to implement securitysolution to prevent unauthorized access and helps to comply withdata security regulations [1].

As Oracle Database Vault is a database security product it iscrucial for it to comply with security standards including PCI-DSSstandard to protect sensitive information in database such ascardholder’s data. The purpose of this Thesis is to check if OracleDatabase Vault is compliant with PCI-DSS standard and describehow compliance in Oracle Database Vault product is implemented.

1

Case study research method is used in this Thesis to investigateOracle Database Vault product compliance with Payment CardIndustry Data Security Standard (PCI-DSS).

Case study is a research method widely used in educationstudies nowadays. Originally, it was introduced in social science,but lately it grew in popularity in other areas as well, especially ineducation and in teaching processes. There are many definitions ofCase study. They all complement each other, but the most simpleand clear from my point of view was defined by Robert K. Yin.He actually highlighted the strength of this method and therebypointed out main purpose of the case study: ”Compared to othermethods, the strength of the case study method is its ability toexamine, in-depth, a ”case” within its ”real-life” context” [11].

Case study is looking into details, into depths of the case withouttrying to generalize from it. According to Robert K. Yin there aretwo general situation when you can easily detect that case studywill help you in your research. First one is when such questionslike ”what?”,”why?”, ”how?” arise, and ”what happened, why andhow?”.

Second situation is when you want to highlight some certainsituation and understand it more deeply. Examples for thesesituations can be investigation of a person who lived especially longlife, because you would like to know how could this person live forso long. Another one can be a study about colleague who became adirector of the company and you would like to know how and why.In all these situations case study can help you.

When you do research using case study method it will not bemuch difference if you would use other methods. All researchmethods would require collecting and reviewing information dataanalysis, and final reports, but there is one thing that makes itdifferent in case study research. In some cases, it might be requiredto do data collection and data analysis together for adjustment incase of inconsistency found in research.

Good example of such situation would be if you have collected

2

some data earlier from one source and then later on another sourceprovides you a contradictory information. In this case you wouldneed to analyze data and check first source again to get correctinformation and resolve conflict.

This Thesis consists of the following sections. Section 2 describesdatabase security history, relational model, and makes an introduc-tion to database security. Section 3 describes Oracle Database Vaultproduct, its unique features, and benefits of applying such productin organizations. Throughout this Thesis focus will be on OracleDatabase Vault version 12c. Section 4 introduces the PCI-DSS stan-dard and explains in details each standard’s requirement. Section5 shows how Oracle Database Vault helps to comply with PCI-DSSstandard. Section 6 concludes the Thesis and sketches future work.

3

2 Introduction to Databasesecurity

Section 2.1 will introduce to database security history. Section 2.2.will describe briefly a relational model, that is used as a basis forall relational databases. Section 2.3 will tell about database securityand most common threats against database security.

2.1 HISTORY OF DATABASE SECURITY

IT technologies have improved in the area of the computer’sperformance, this led to a fast growth in the performance andthe abilities of databases. Several database technologies can behighlighted as most commonly used. They are based on differentdata models. Three technologies can be presented: navigational,SQL/relational, post-relational.

An example of navigational models can be taken hierarchicalmodel, which was developed by IBM and used in IBM InformationManagement System (IMS), Windows Registry by Microsoft, theCodasyl model and so on [2].

The relational model was introduced by Edgar Codd during thetime when he was working in IBM. He proposed the idea that datashould be searched by content. The relational model started tospread widely in 90s, as computer’s hardware became powerfulenough to run relational systems. SQL language is commonlyused for relational databases. Most of the modern databasesuse relational model as a database foundation including Oracledatabase [2].

The third approach is post-relational. This category had differentstages of development starting from object-relational databases,NoSQL databases, and continue with NewSQL databases. They

4

are based on relational model, but trying to achieve as highperformance as NoSQL databases [2].

In this Thesis we are going to work only with relationaldatabases, as they are taking a leading position at current marketsituation.

2.2 RELATIONAL DATABASE MODEL

Relational Database Model is a foundation for all relationaldatabases. As we are going to look at relational database, it is worthto be briefly mentioned in this Thesis.

Relational Database Model is widely used in databases, in-cluding Oracle Database. Databases implementing such modelare called relational databases. First time it was formulated andpresented by Edgar F. Codd in 1969-1970. Among others whomaintained and developed relational model were Chris Date andHugh Darwen. They wrote big amount of books and gave a lot oflectures related to relational theory.

The SQL data definition and query language is used in mostrelational databases. SQL database’s implementation can be consid-ered as an approximation to relational model. Even though SQL isinitially positioned as a standard language for relational databases,it has several deviations from classical relational model, such asDuplicate rows, NULL, Duplicate column names, Columnless tablesunrecognized and etc.

Relational model has been implemented by using mathematicaldiscipline. Main components of the original model are structure,integrity and manipulation.

The structural feature of relational model is a relation. Thisrelation is commonly represented as a table. Relations are definedover types. Types can be defined as a pool of values from whereattributes of a relation take their values. Table representing a n-aryrelation, where n is any non-negative integer value, columns refersto an attributes and rows to tuples. [3]

5

Every relationship should have at least one candidate key. Itis a unique identifier consisting of one attribute or combination ofattributes and uniquely identifying tuples in a relation. Primarykey is a candidate key, which has been selected for some specialreasons and defined for some special treatment. It doesn’t differfrom candidate key, especially when relation has only one candidatekey. In case of many candidate keys existence, usually primary keyis chosen from one of them to make candidate key to be preferred.Foreign key is a set of attributes in one relation, which should matchvalues of candidate key in other relation. [3]

The integrity feature (integrity constrain) is a boolean expressionthat must evaluate to TRUE. In relational model exists by defaulttwo generic integrity constraints. [3]

One constraint related to primary key and it says that primarykey attributes don’t permit nulls. It means that primary key can’thave unknown value, because otherwise it is impossible to identifythis tuple in relation.

Another constraint related to foreign key and it says that theremust not be any unmatched foreign key values. It means that itshould always exist an equal value of corresponding candidate keysfor every foreign key value.

The manipulative feature consist of two parts: relational algebraand a relational assignment operator. Relation algebra is a set ofoperators, which can be applied to relation. Relational assignmentoperator permits the values of some relational expression to beassigned to some relation. [3]

Relational algebra has a set of operators, which allows to takeone or more relations as an input and produce another relation asan output. Figure 4.1 is a visual representation of such operators: [3]

• Restrict returns a relation with all tuples which match specifiedcondition.

• Project returns a relation with all tuples that remains afterspecified attributes has been removed.

6

• Product returns a relation containing all possible combinationof two tuples, one from each of two specified relations.

• Intersect returns a relation with all tuples that exist in both oftwo specified relations.

• Union returns a relation with all tuples that exist in both of twospecified relations.

• Difference returns a relation with all tuples that exist in firstrelation and doesn’t exist in second specified relation.

• Join returns a relations containing all possible tuples that are acombination of two tuples, one from first relation and secondfrom second relation. These two tuples has to have a commonattributes with a common values of the two relations.

Figure 2.1: Visual representation of operators.

One should always remember that data model is a foundation.Implementation is a physical realization on machine componentsof that abstract model and it can have distinctions with this datamodel.

7

Relational Database Systems are very complex. Process man-agement, disk management, file management, multi-threading, anduser administration are common features resembling operationalsystem’s features that can be performed on current RelationalDatabase Systems. Managing of database instance, metadata, users,profiles, and schemas are features needed for relational databaseengine. Relational database vendors policy before 90s were provid-ing very strong security at core level of database and its modules.Around late 1990s vendors have changed their policy and providedmore security features at operating system level. Nowadays it isa combination of two ways and it is following multi-level securitystrategies. [4]

2.3 DATABASE SECURITY

Amount of information available through different resources areincreasing and protection of such information becomes very impor-tant topic to people, responsible for administering this data. Poten-tial threats to database security include data integrity, availability,and secrecy.

Data integrity requires that data inside database will be pro-tected against any kind of unplanned modifications. The integrityviolation happens through unauthorized changes done to data withintentional or accidental operations. Those kind of operations canbe either data modification, insertion, or deletion. [5]

Data availability refers to the requirement that data are availableto users and applications that have the legitimate right and autho-rization to access or modify the data. Loss of data availability canresult in the unavailability of services and applications that operateon the database. [5]

Data secrecy stands for sensitive data protection from beingdisclosed by unauthorized access. An inappropriate actions cancause reputation and revenue losses, in some cases even legalactions to company due to business intervention. [5]

8

Security risks may vary and depends on different conditions.Most common threats can be different at different times. Securityrisk information always needs to be up to date. Here are listed latestfound vulnerabilities.

Top 10 Database Vulnerabilities and Misconfigurations: [6]

• Default, Blank & Weak Username Password: Common practice onproduct market is to have some default users and passwordsfor different software. Product can create default passwordin a background for easy start with a software, which createspotential risk on security. Basic security steps should betaken to prevent stealing sensitive data like customization ofcredentials and creating strong password.

• SQL Injections in the DBMS: Usually happens through SQLcommands. It can be a parameter of a function in SQL com-mand or it can be a stored procedure parameter. Usually, SQLinjection is done with system or administrational priviledges.SQL injection vulnerability can be avoided by applying latestpatches to database.

• Excessive User & Group Privilege: This vulnerability refers toconcept of assignment excessive privileges to users or usergroups. Following the concept of assigning to one task morethan one user and not giving excessive privileges to users canhelp to ensure that users will not misuse their privileges.

• Unnecessary Enabled Database Features: Database ManagementSystems have grown and became quite complex softwaresystem. These systems have a big variety of analyzing andreporting features, they support many languages and differentOperating Systems access levels. As in many cases powerinstrument have two sides, one of them a good one, thatapplication developers have more features and possibilities,but there is a down side, that there are more weak points,which can potentially be used by hackers. There are various

9

features, which should be checked. Disabling of these featurescan make DBMS more secure, except the cases when there is agood business reason to have them available.

• Broken Configuration Management: At earlier days, DatabaseManagement Systems haven’t had many configurations. Theoptions available to DBA were pretty simple. Today’s picturehas changed. Database Management Systems have plentyof different options, which might have direct or indirectimpact on security. Configuration settings need to be correctlyconfigured. This makes your critical business informationprotected and secure.

• Buffer Overflows: It happens when function’s input is notchecked during the copy and it exceeds the volume that buffercan hold. This leads to cases when memory, meant for otheruses, can possibly be overwritten. In such cases behaviorcan be unpredictable and can lead to server crash. It is veryimportant to apply latest patches from database vendors andmonitor your system for known attack signs to prevent thesetypes of attacks.

• Privilege Escalation: Such attack happens when person whoattacks uses known Database Management System vulnera-bilities to execute instructions or query data using user ac-count with low privileges, when in typical cases this kindof executions would require higher privileges. Differentcommon vulnerabilities exist that makes privilege escalationattack possible. Sometimes, vulnerability is used to allowaccount with low level privileges to grant additional rightsto itself. In some cases vulnerability is used by misusing afunction that runs under system administrator (sysdba). As inmany previous attack cases, the best practice is to apply latestvendor’s patches and monitor your system for known signs ofattack.

10

• Unpatched Databases: Most big vendors of databases providepatch updates on regular basis. Usually, it happens every quar-ter. Sometimes third-party companies disclose vulnerabilitiesof databases whether vendor itself have patch to fix them ornot. If patch is released, it should be used, otherwise hackerswill find a way to use weaknesses to attack the database.Database will become more vulnerable after patch is releasedthan before. Many companies delay in applying patches withcommon excuses like difficulty in testing new patches anddowntime involved in patching process, but whatever excuseis used company should trace database activity more carefullybetween patches.

• Denial of Service Attack (DoS): Denial of Service Attack knownas DoS is when Internet traffic on site or server gets over-whelmed, so site or server cannot function properly anymoreand shuts down. Usually the main cases, when this attackis possible, are when database is left unpatched. The latestpatches from database vendors should always be applied toavoid potential security risks.

• Unencrypted sensitive data at rest and in motion: Very importantpart in security is encryption, if you want to keep yoursensitive data safe and unrevealed. Network traffic mustalways be encrypted to assure any information goes throughsecurely and cannot be seen by eavesdroppers. Some databasemanagement systems may permit for some sensitive data to betransmitted as a clear text. As a preventive method you have todownload latest software version and switch off text indexing.

Database security includes big variety of information securitycontrols to protect database from potential risks. These informa-tion security controls might protect database application, databaseserver, database data, and stored functions. The informationsecurity controls could be technical, procedural and physical.

11

Databases can have many information security layers, whichare appropriate for database control, such as: Access control,Encryption, Auditing, Integrity controls, Authentication, Backups,Application security, and Database Security applying StatisticalMethod.

Usually, each vendor has recommendations and standards tofollow to put control over their databases and increase securityprotection. These standards and guidances can provide securityrequirements, security policies, best practices, and security recom-mendations to follow. Guidelines normally specify other securityrelated activities, such as design, configuration, development, use,maintenance of databases and management.

As many other vendors, Oracle also has own general guidelinesand best practices documents to increase database security and toavoid common misconfigurations. One of such guidance documentis called Oracle Database Security Checklist. It includes recom-mendations for protecting database environment. In this Thesis,Oracle checklist will be briefly presented. Please refer for a checklistto appendix A.(Full and more accurate checklist can be found onOracle website). [7]

Hardening database is usually based on three main principles.The first principle involves locking access to important resources toprevent their misusage purposely or by mistake. Second principleinvolves disabling all unnecessary functions, which can be misused.And the third principle is a least privileges: Users, task andprocesses should be assigned with minimal required privileges fortheir normal functioning. [8] It is also good to remember that forprotection of your critical data, strengthening of database alone isnot enough. Security should be applied on all levels of your system.

Creating security layers helps to protect your critical data fromunplanned modifications and potential disclosures. There areseveral techniques to follow for preventing different kind of attacksto succeed and to strengthen database.

Security layers strategy makes it harder for attacker to perform

12

an attack on environment, because it requires to make many thingsright at the same time. Attacker should find holes in all securitylayers at once, which should match each other to be able to succeed.Each security layer protects environment from different threats.Security layers could consist of such layers like authentication,administration, firewalls, authorization, VPNs, vulnerability assess-ment and patch management, intrusion detection and prevention,security management, application security, antivirus, database se-curity, and encryption, which in fact includes aspects that belong toeach layer. [8] Authentication, authorization, administration are alsoknown as 3A. They are responsible for identifying who is trying toattempt access to the resource and ensures this person is authorizedto access such resource. Administration software is centralizingmanagement and administration of privilege and permissions.

Firewalls main principles are to keep unauthorized users off cor-porate network. They are hardening corporate network perimeterand protecting connection to Internet and extranets.

Virtual Private Networks (VPN) allow secure remote and mobileaccess to internal corporate network. VPN is nowadays presented inmost of the organizations and it allows workers to work from home,work in remote offices, and when they travel. Intrusion detectionand prevention refer to threats that happens inside internal net-work. They are based on communication stream’s deep inspectionand on patterns of attack. They trace any deviation from normalbehavior, which looks like a malicious event. One of the techniqueto evaluate database vulnerabilities is to perform vulnerabilitiesassessments against the database. Mainly it is done by testersgroup, who tries to find weak points of database by attempting tobreak into database, bypass security, and check common systemvulnerabilities. Database administrators can perform automatedvulnerability scan to find out misconfigurations, possible weak-nesses in network’s security, common system vulnerabilities and soon. The result of vulnerability scans can be used to increase ecurityof the database and get rid of found vulnerabilities.

13

Security is a complex and mandatory issue. There are manysoftware products that can help to manage the process and central-ize relevant information. They help to manage security systems,incident response systems, and reporting. Antivirus is a securitylayer that serves a protection of users from malicious code such asTrojans, viruses, and worms. Many types of antivirus software existlike antivirus in email, network antivirus, desktop antivirus, andso on. Application security in fact goes very tight with databasesecurity. Almost all application data is stored in relation databasesand protecting application data in most cases mean protectingdatabase data. Encryption is helping to create additional securitylayer to guarantee confidentiality and low risk in case when all ofyour other layers were overcome by hacker. [8]

Often, despite the need to create security layers, willingness toinvest into security is not always high because of limited budgets.For those people who couldn’t realize importance of securityinvestments, regulators created a set of regulations. The aim ofthese regulations is to enforce protection of information. Anotherimportant part of database security is database auditing. There aremany auditing categories from which you can select and implementauditing trails according to your needs. Auditing categories optionscan be a audit of logon/logoff, audit source of database usage, auditdatabase usage outside normal operating hours, audit DDL activity,audit database errors, audit changes to source of stored proceduresand triggers, audit changes to privileges, user/login definitions,other security attributes, audit creations, changes, usage of databaselinks and replication, audit changes to sensitive data, audit SELECTstatements for privacy sets, and audit any changes made to thedefinition of what to audit. [8]

Implementation of these audit categories can be done usingexisting database audit capabilities or using independent databasesecurity technology, such as DAM(Database Activity Monitoring)that does not rely on native database auditing.

Database activity monitoring (DAM) is a database security tech-

14

nology for monitoring and analyzing database activity that operatesindependently of the database management system (DBMS) anddoes not rely on any form of native (DBMS-resident) auditing ornative logs such as trace or transaction logs. DAM is typically per-formed continuously and in real-time. Database activity monitoringand prevention (DAMP) is an extension to DAM that goes beyondmonitoring and alerting to also block unauthorized activities [2].

Another important security layer is database activity monitoring,which is usually done in real-time and continuously [2].

15

3 Description of OracleDatabase Vault product

Section 3.1 will intoduce the concept of Realm and how it helps tosecure Database. Section 3.2 will introduce concept of MandatoryRealms and how they help to protect Database during maintainancetasks. Section 3.3 will describe Configuration Controls feature ofOracle Databse Vault. Additionally Section 3.3 will explain howseparation of duties concept is implemented in Oracle DatabaseVault. Section 3.4 will describe Application Protection Policiesfeature of Oracle Database Vault. Section 3.5 will introduceCommand Rules and Factors concept of Oracle Databse Vault.Section 3.6 will describe Report possibilities in Oracle DatabaseVault. Section 3.7 will describe installation process of OracleDatabase Vault.

Most of the existing database monitoring systems provide DBAability to trace database’s activity. It provides ability to follow whodid what, when, and what kind of data were accessed. Also, it ispossible to create reports and alerts, if an attempt is made to accesssensitive data or perform a prohibited action on database.

However, monitoring systems do not always allow to trace andblock prohibited activity on the fly, including activity of privilegeaccounts like DBA, even though privilege accounts are the mostcommon path to access wide area of sensitive data in database.Prohibited activity does not always mean malicious attempt, it canalso be a DBA curiosity or mistakes of junior DBA, which can createvulnerabilities in database.

Whatever reason for this activity Oracle Database Vault helps tocreate secure environment by restricting access of privilege users tosensitive data (such as financial information, credit card informationand etc.) By using Oracle DB Vault you can harder you Oracle

16

DB instance, protect your data from privilege users while stillallow them to perform their everyday duties and help to applybest practices as well as comply with regulations from multiplecountries.

ODV has a lot of features to increase database security. It canhelp to prevent priveleged users that are trying to access sensitivedata from accessing it. It has a feature that can ”freeze” databaseconfigurations. ODV can protect sensitive objects by blocking accessto them during threats or maintainance. ODV has a feature to helpidentify unused priveleges and prevent their misusage. Please, referto appendix B for more accurate list of Key Features and Benefits ofOracle Database Vault. [9]

Oracle DB Vault together with Oracle DB provides protectionagainst many common threats, such as: threats of lost credentials,inside threats, that are based on privelges misusage, threats that canhappen during database maintanance and much more. Please, referto appendix C for more accurate list of common threats that OracleDatabase Vault provides essential safeguards against. [9]

3.1 REALMS

Most common audit element is a control for unauthorized changesto database grants and creations like grants of DBA role, creationof database objects, and new accounts. Unauthorized changescan weaken database and create easy path for hacker to make amalicious attempt and they are also violating privacy and compli-ance regulations. To increase control on privilege accounts, OracleDatabase Vault is able to create inside Oracle DB very restrictedapplication environment Realm. A realm can include databaseschemas, objects, and roles that must be secured. By functionalgrouping of these schemas and roles, Realm gives you a control ofuse of system privileges to access these functional groups. OracleDatabase Vault is able to block unauthorized DBA access to ap-plication data, which helps to protect from insider’s unauthorized

17

access as well as outsider’s threats. Oracle Database Vault enablessecure consolidation. It allows to consolidate applications into onedatabase and it ensures that privileged applications can’t accesseach other’s data. Oracle Database Vault can also control who canmanage Virtual Private Database policies to achieve even higherapplication security. [9]

3.2 MANDATORY REALMS

Mandatory realms were created for the need to block access tohighly sensitive data during maintenance task performed by DBAor IT support. Production environment usually requires accessfor the patching, diagnostics, and other activities reasons. Duringsuch access, all tables and views with highly sensitive data can beblocked with Mandatory realms and even people who has directobject grants or application owners can’t access sensitive data, onlyin case if access has been granted specifically. Mandatory realmsare configured before maintenance tasks and can be enabled duringperformance of such maintenance. Mandatory realms are able tokeep unchangeable rights granted to database role and none of theprivileged users will be able to modify them, except authorizedusers. In case of violation Mandatory realm can protect data byblocking access to data to anyone even for owner and for users withdirect grants. [9]

3.3 CONFIGURATION CONTROLS AND SEPARATION OFDUTIES

One of the important Oracle Database Vault’s feature is to control ofcommands usage such as ALTER SYSTEM, ALTER USER, CREATEUSER, DROP USER, and so on. It allows customers to have astrong operational controls inside their database. It helps to preventundesirable changes to database configuration that could lead toconfiguration inconsistency, insecurity, and compliance violation.

18

[9]Additionally, Oracle Database Vault can control SQL commands

to increase availability and security of the database and applica-tions. It is achieved by applying additional checks and rules beforeexecution of any SQL command. SQL command controls providebig variation of restrictions and limitation to achieve desired resultsin security beginning from access restriction to database for somecertain subnets, programs, and application servers ending withusing some functions and factors such as session user name, OracleLabel Security factors, host name, Oracle APEX applications’ nativefunctions and factors, and IP address. [9]

Oracle Database Vault adds possibility to separate AccountManagement role from DBA account and assign it to a new role,and thereby implement separation of duties. This implementationgives more possibility to control account management operationssuch as create user and change password. If used together withadditional factors like IP address, time and etc. increases securityto even higher level. [9]

Mandatory realm can prevent drift in database roles and config-urations by freezing database roles settings. It prevents any grantsor revokes possible inside database. Realm can protect databaserole from misuse and prevent privilege grant by unauthorizedusers. Oracle Database Vault has a new feature called PrivilegeAnalysis. It serves the purpose to trace use of roles and privilegesbased on actual usage and identify privileges and roles that arenot in use. As well it helps to identify roles and privileges ofactual usage. Knowledge of roles and privileges usage helps tounderstand the minimum number of privileges application requireto perform. Implementing the least privilege strategy helps toincrease application security and reduce risks. Privilege Analysisfeature can be also used on development stage to identify privilegeduse for the new application. Later on application and user privilegescould be corrected according to the least strategy approach. [9]

Cloud environments can provide many benefits such as effi-

19

ciency, flexibility, cost reduction, and faster results, but at the sametime they bring a security risk due to bigger amount of applications,data, and users accessing the same database. Oracle DatabaseVault helps to benefit from having cloud environments while pro-tecting such environment’s sensitive data. Oracle Database Vaultimplements Separation of Duty for different administrative groups.It can prevent privileged users and applications from accessingother’s applications data. It protects database’s configuration frommodifications and restricts account management. All these incomplex are secure database, protect from internal treats, hardendatabase to prevent vulnerabilities. Oracle Database Vault can alsobe deployed to Oracle Exadata machine together with other Oracleproducts to achieve even more secure environment. Also it can beused with pluggable databases to prevent access to sensitive databy privileged users. [9]

3.4 APPLICATION PROTECTION POLICIES

Application Protection Policies are meant to protect application’ssensitive data. It is done by creating realms around application’ssensitive tables or around full schema. Oracle has a predefinedpolicies for some Oracle applications as well as for a partnersapplications. Oracle continue to work on application policies foranother applications. Policies for application can be always checkedfrom Oracle resources such as Oracle Support and OTN (OracleTechnology Network). [9]

3.5 ORACLE DATABASE VAULT COMMAND RULES ANDFACTORS

ODV command rules can be used to implement restriction of whocan execute ’ALTER SYSTEM ’, ’SELECT’, and data manipulationlanguage statements. The command rule protects its SQL statementfrom anyone who is trying to execute protected SQL statement, even

20

if object is located in different realm. For the command rule to takeeffect, you need to associate it with the rule set. A rule set is acollection of rules (could be just one or more). The rule set is aPL/SQL expressions that can take the value either true or false andfinal value of the whole rule set will be true or false based on eachsuch PL/SQL expression and evaluation type ’all true’ or ’any true’.

Oracle Database Vault has also factors, which are attributes ornamed variable. Factors can be attributes such as database IPaddress, hostname, and domain, as well as user’s session, location,and so on. Factors can be used as an additional authorizationparameter for database account connecting to database. Also,factors can be used as a filters for data access restrictions.

Oracle Database Vault Reports can be run on command rules,factors, rule set for realm violation recognition, auditing results,and for finding configuration problems [10].

3.6 ORACLE DATABASE VAULT REPORTS

ODV Reports is able to present incidents related to attempt ofgetting access to protected application tables, blocked SQL state-ments, and configuration changes made by administrator includingchanges to Oracle Database Vault itself. Oracle Database Vault willprevent access to application’s protected tables and will add auditrecord about this incident. Such audit reports can be viewed by RealAudit Report. Oracle also provides possibilities to view ready-madeviews of runtime analysis available in Oracle Audit Vault, OracleEnterprise Manager Cloud Control 12c, and Database Firewall. [9]

3.7 INSTALLATION

Oracle Database Vault doesn’t require any additional installation orreconfigurations. It is delivered together with Oracle DB 12c andcan be switched on simply from command line. After enabling itrequires only database restart, then ODV becomes active. It can be

21

used in highly available architectural solutions. Oracle DatabaseVault is providing low performance overhead and according tocustomer reports, major production applications have no changesin application’s response time [9]. Everyday DBA operations canbe done in normal way until DBA needs to do something withsensitive data. In this case DBA will need an authorization beforeany operation can be done with protected data. For additionalinformation and best practices please refer to Oracle white papers.Oracle Database Vault controls will still remain active even ifdatabase files are exported or restored to another Oracle homeenvironment [9].

ODV is a security product for protection database sensitive datafrom internal and external threats. Oracle DB controls can be usedfor high security requirements implementation. Additionally, Or-acle Database Vault supports cloud computing and consolidation.Oracle Database controls can be preconfigured and enabled whenneeded.

22

4 PCI-DSS StandardSections 4.1 to 4.13 will introduce the 12 Requirements of PCI-DSSstandard.

The Payment Card Industry Data Security Standard (PCI-DSS)is well known information security standard. It is developed andadministered by the Payment Card Industry Security StandardsCouncil (PCI-SSC) for the organizations that need to work withcredit cards and store, process, and transmit card information.

Due to the wide spread of credit payment systems, PCI-DSSstandard has become one of the most important standard in theworld. It was created to increase safety of cardholder’s data andprotect this data from threats.

Originally, it is started to form in 5 different shapes: Visa,MasterCard, American Express, Discover and JCB began each theirown security programs to create minimum amount of securityrequirements for merchants who store, process and transmit cardholder data. These 5 programs called Visa’s Cardholder InformationSecurity Program, MasterCard’s Site Data Protection, AmericanExpress’ Data Security Operating Policy, Discover’s InformationSecurity and Compliance, and the JCB’s Data Security Program.

Visa’s Cardholder Information Security Program mandated sinceJune 2001. This program intended to protect Visa cardholder’sdata and to maintain high security standards [12]. Same yearMaster Card launched its Site Data Protection program [13]. TheSDP Program provides data security requirements and compliancerequirements to protect MasterCard stored, processed and trans-mitted cardholder’s data. Soon other vendors developed their ownsecurity programs with same intention to implement and maintainefficient data security requirements to protect card holder’s datafrom exposure.

Multiple security programs have created big difficulties for themerchants and other organizations that process card data, as they

23

all would need to go through multiple validation of differentvendor’s compliance. As well all payment card brands wouldsuffer from need to validate multiple organization to check theircompliance with security programs, when in fact many of securityprogram requirements were quite similar. Arisen situation hasled to the need to create a single unified security standard andsingle way of compliance assessment and validation. In 2004,The PCI-SSC (Payment Card Industry Security Standards Council)was created and as a result of cooperative effort of Visa, MasterCard, American Express, Discoverer, and JCB the unified securitystandard, known as PCI-DSS, was published in order to createcommon industry security requirements. First version of PCI-DSSconsisted of 12 requirements forming 6 logically related groupscalled control objectives. In this Thesis we will provide informationabout requirements of version 2.0.

The PCI-DSS Requirements are the Following: [12]

• Build and Maintain a Secure Network group contains 2 re-quirements:

1. Install and maintain firewall configuration to protectcard-holder data.

2. Do not use vendor-supplied defaults for system passwordsand other security parameters

• Protect Cardholder Data group:

3. Protect stored data

4. Encrypt transmission of cardholder data and sensitiveinformation across public networks

• Maintain a Vulnerability Management Program group:

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

• Implement Strong Access Control Measures group:

24

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

• Regularly Monitor and Test Networks group:

10. Track and monitor all access to network resources andcardholder data

11. Regularly test security systems and processes

• Maintain an Information Security Policy group:

12. Maintain a policy that addresses information security.

4.1 BUILD AND MAINTAIN A SECURE NETWORK

Requirement 1: The first requirement, describes different require-ments of network security that organization need to comply withPCI-DSS. Network is a very first gateway of the organizationfor the outside world to get connection to internal organizationresources and at the same time very first protection wall to protectorganization’s information. Network security can’t be compromisedwhen we talk about privacy and protection of the cardholder’sinformation. Network security softening or compromises can leadto serious consequences both in financial losses and in loss oforganization’s reputation. Nowadays a lot of tools and methodsexist to help organization secure their enterprise network, suchas firewalls, anti-virus software, intrusion detection systems, andaccess control systems. Network security is just a part of layeredsecurity architecture approach where each layer is supporting otherlayer to achieve higher security protection and decrease possibilityfor an attack to succeed. Layered security approach is also calledDefense In Depth. Below there is a picture with example of layeredsecurity approach. [14]

Requirement 2: Default application and component passwordscan be a big threat and vulnerability for organization. Applications,

25

Figure 4.1: Defense in Depth: Layers.

devices, and other components are always supplied with defaultpasswords and default configurations. These default passwordsand configurations are available in vendors’ documentation, whichmeans they are publicly available for everyone who wants to knowthem. If these default passwords, configurations and settings arenot changed during configuration process attackers can use thisweak point in the organization and get access to cardholders’data. So this PCI-DSS requirement is created to prohibit the useof such default passwords in the PCI environment and consists ofrecommendations how default settings should be changed. [14]

26

4.2 PROTECT CARDHOLDER DATA

Requirement 3: This requirement is considered as a key requirementin PCI-DSS standard. It is related to stored cardholders’ dataprotection, which is the key goal of this standard. Requirement3 is trying to highlight the need for each organization that storescardholder data to reduce cardholder sensitive data storage placesand make sure that such sensitive data are stored only if it is reallynecessary. Also it provides guidance and requirements how tohandle encryption keys that are used to encrypt stored cardholderdata. [14]

Requirement 4: Previous requirement provides guidance on howto protect data that are static, means it is just stored somewhere.This requirement describes requirements for protection of movingdata that transfers through network including public networks byusing encryption. [14]

4.3 MAINTAIN A VULNERABILITY MANAGEMENT PRO-GRAM

Requirement 5: Antivirus software is very important part ofenvironment protection. Not in time antivirus software update canprovide a wholes in security for the attackers. Especially it is veryimportant, because nowadays malware threats are very commonand can lead to fails and compromises of applications and system.This requirement describes how to handle antivirus software. [14]

Requirement 6: Applications are the necessary part of anyorganization in payment card industry. Applications are used ine-commerce, in service providers’ organizations and in many othersthat are part of the payment card industry. This requirement detailsa secure management processes for secure software developmentlifecycle and secure practices for applications. [14]

27

4.4 IMPLEMENT STRONG ACCESS CONTROL MEASURES

Requirement 7: Information restrictions should be taken veryseriously and implemented with deep understanding of compliancescope. Individual’s access to PCI-environment should be controlledand maintained carefully with good understanding of best securitypractices and their implementation. This requirement describessuch access control best practices for organization environment. [14]

Requirement 8: This requirement continues to guide throughaccess control topic we started in previous requirement, but inthis requirement emphasis on more specific implementation re-quirements for authentication, user management and passwordsrequirements. [14]

Requirement 9: This requirement is addressing physical securitythat are also important part of any security program. The require-ment specify physical security media management requirementssuch as tapes, cd, hard drives etc. and, physical security such asmonitoring systems, video cameras, visitor badges, access cards andso on. Security media management also includes secure procedurefor destruction procedures. Improper destruction procedures canlead to attacker get access to data that has not been properlydestroyed. [14]

4.5 REGULARLY MONITOR AND TEST NETWORKS

Requirement 10: This requirement related to auditing of accessto resources of PCI environment. Audit information provideimportant information of system usage. It can help to understandhow system is used or identify unusual behavior of the system. Thisrequirement specifies log management rules, logging practices andlogging data protection. [14]

Requirement 11: This requirement mandates to perform securityassessment for of PCI environment to be made by internal andexternal resources. External vulnerability assessments should

28

be performed quarterly by Approved Scanning Vendor (ASV).It also dictates the penetration testing annually by internal andexternal resources, usage of network intrusion detection and/orintrusion prevention techniques to detect and prevent intrusionsinto network. One of the primary methods to measure theeffectiveness of security controls in an environment is to performsecurity testing against the infrastructure. [14]

4.6 MAINTAIN AN INFORMATION SECURITY POLICY

Requirement 12: All previous requirements had technical context.This requirement shows the need to have operational securityprocedure to ensure that all technical requirements are takeninto account, implemented security practices are efficient and riskassessments are performed on regular basis. [14]

The last requirement is the following: Shared hosting providersmust protect the cardholder data environment

Requirement A.1, Protect each entity’s (that is merchant, serviceprovider, or other entity) hosted environment and data, per A.1.1through A.1.4. A hosting provider must fulfill these requirementsas well as all other relevant sections of the PCI DSS. [14]

29

5 PCI-DSS ComplianceCheck for Oracle DatabaseVault

Section 5.1 to 5.7 will describe Requirements that are related toOracle Database Vault compliance with PCI-DSS standard andinformation how Oracle Database Vault comply with these Require-ments.

PCI-DSS is the most commonly known security standard and isthe most important in our everyday life. I believe almost everyonehas deal with credit cards and use them on daily basic. We cometo supermarkets and pay for our food and goods with our creditcards. We are more and more visiting websites and are orderinggoods from internet. Privacy of our sensitive information andprotection of this information directly concerns all of us. We all canbecome victim of data breach in the organization that maintainsand stores our sensitive data. That means that we all would likeorganization that handles, transfer or stores our data is takingPCI-DSS compliance very seriously.

Oracle is a huge IT company, that provides market with inno-vative and efficient software products for many years, includingproducts delivering stronger security to the organizations that areready to implement serious security programs. One of such productis an Oracle Database Vault. In previous chapter we already gotintroduced to this product and now we came to the main part of thisTheis. In this chapter we will go through PCI-DSS requirements andwill check Oracle Database Vault compliance with this standard.

First of all Oracle Database Vault is not concerned about allPCI-DSS requirements and it will be more logical, from my pointof view, if we exclude requirements that are not related to Oracle

30

Database Vault and then consider in details requirements that aredirectly related to our product.

Due to similarity validation issues all requirements descriptionwere moved to appendix. Please, refer to appendix D for require-ments specification.

Requirement 1: First requirement is related to different require-ments of network security that organization need to comply withPCI-DSS. Oracle Database Vault product is not related and does notcover such security area.

Requirement 2: Related.Requirement 3: Related.Requirement 4: This requirement is related to encryption of

transmitted data, which is not an Oracle Database Vault securityarea. It is not related to our product.

Requirement 5: This requirement is related to anti-virus softwaremaintenance. It is not related to Oracle Database Vault.

Requirement 6: Related.Applications are the necessary part of any organization in

payment card industry. Applications are used in e-commerce, inservice providers’ organizations and many others that are part ofthe payment card industry. This requirement detailing a securemanagement processes for secure software development lifecycleand secure practices for applications.

Requirement 7: Related.Information restrictions should be taken very seriously and

implemented with deep understanding of compliance scope. In-dividual’s access to PCI-environment should be controlled andmaintained carefully with good understanding of best securitypractices and their implementation. This requirements describessuch access control best practices for organization environment.

Requirement 8: Related.This requirement continue to guide through access control topic

we started in previous requirement, but in this requirement empha-sis on more specific implementation requirements for authentica-

31

Requirement Relevant or notRequirement 1 NoRequirement 2 YesRequirement 3 YesRequirement 4 NoRequirement 5 NoRequirement 6 YesRequirement 7 YesRequirement 8 YesRequirement 9 NoRequirement 10 YesRequirement 11 NoRequirement 12 NoRequirement A.1 Yes

Table 5.1: Table of PCI-DSS Requirements relevant to Oracle Database Vault

tion, user management and passwords requirements.Requirement 9: This requirement is related to physical security

and not related to Oracle Database Vault.Requirement 10: Related.This requirement related to auditing of access to resources of PCI

environment. Audit information provide important informationof system usage. It can help to understand how system is usedor identify unusual behavior of the system. This requirementspecify log management rules, logging practices and logging dataprotection.

Requirement 11: This requirement is related mandatory ofsecurity assessment for of PCI environment. It is not an OracleDatabase Vault area.

Requirement 12: This requirement is related to operationalsecurity procedures and not related to Oracle Database Vaultproduct.

Requirement A.1: Related.

32

We went through all requirements and found out that require-ments 1, 4, 5, 9, 11, 12 are not related to our product compliancearea, while requirements 2, 3, 6, 7, 8 and Appendix are related toOracle Database Vault compliance area. Let’s go through each re-quirement one by one and check Oracle Database Vault compliancewith these requirements.

5.1 REQUIREMENT 2: PASSWORD MANAGEMENT

Requirement 2.1,Oracle Database Vault: Passwords for Oracle Database Vault

administration accounts are prompted for during installation. Also,Oracle guidelines to use secure password based on Oracle DatabaseSecurity Guide. Oracle Database Vault has additional passwordrequirements that will be displayed during password creationprocess if password does not comply with these requirements.

Requirement 2.2.3,Oracle Database Vault: Oracle Database Vault implements sepa-

ration of duties concept. This concept helps to prevent unauthorizedadministrative actions in the Oracle Database. (For the separationof duties concept, please refer to chapter Description of OracleDatabase Vault product)

Requirement 2.6,Oracle Database Vault: See Appendix A.

5.2 REQUIREMENT 3: STORED DATA

Requirement 3.3,Oracle Database Vault: Oracle Database Vault has security

component called realms. It create possibility to prevent privilegedusers from accessing application data. (For the realms componentdescription, please refer to chapter Description of Oracle DatabaseVault product)

Requirement 3.5,

33

Requirement 3.5.1,Oracle Database Vault: For the encryption of data Oracle uses

Oracle Wallet. It is encrypted using the wallet password. Tobe able to open wallet from within the database requires the”alter system” privilege. Oracle Database Vault command rulescan be used to implement restriction of who can execute ”altersystem”’ command. Additionally time execution restriction andplace restriction can be implemented. (For the command rulescomponent description, please refer to chapter Description of OracleDatabase Vault product)

5.3 REQUIREMENT 6: SECURE SYSTEMS AND APPLICA-TIONS

Requirement 6.4.1,Oracle Database Vault: Oracle Database Vault can help to protect

DBA access to production data in Oracle Databases.

5.4 REQUIREMENT 7: ACCESS RESTRICTION

Oracle Database Vault: This is key feature of the Oracle DatabaseVault. It is meant to support requirement 7. Only requirement part7.1.3, 7.1.4 and 7.3 are not related to Oracle Database Vault.

Requirement 7.1.1,Oracle Database Vault:

• Oracle Database Vault has security component called realms.It creates possibility to prevent privileged users from accessingapplication data.

• Oracle Database Vault command rules and factors can beused to implement restriction on access to data, database andapplications.

34

• Oracle Database Vault implements separation of duties con-cept. This concept helps to prevents unauthorized administra-tive actions in the Oracle Database.

• Oracle Database Vault Variables can be used for dynamicaccess right determination.

• Oracle Database Vault Mandatory Realm can protect data byblocking access to data to anyone even for owner and for userswith direct grants.


• Oracle Database Vault has security component called realms.It create possibility to prevent privileged users from accessingapplication data.





Requirement 7.2.1,Oracle Database Vault:Oracle Database Vault covers only its component area.

35












36

Requirement 7.2.3,Oracle Database Vault: Oracle Database Vault will deny all

requests that are not following specific rules.






5.5 REQUIREMENT 8: UNIQUE IDENTIFICATION

Requirement 8.5.6,Oracle Database Vault: Oracle Database Vault command rules

and factors can be used to implement restriction on access to data,database and applications. Time period limitations can be alsoimplemented. Oracle Database Vault does not disable accounts, ithelps to configure access rules for such accounts.

5.6 REQUIREMENT 10: MONITORING

Requirement 10.1,

37

Oracle Database Vault: Oracle Database Vault has an audit trailsimplementation that helps to identify violation occur on protectedby Oracle Database Vault realm objects in Database.




• Oracle Database Vault Realm reports.

5.7 REQUIREMENT A.1: SHARED HOSTING PROVIDERS

Requirement A.1,Requirement A.1.1,Oracle Database Vault:




Requirement A.1.2,Oracle Database Vault:

38




5.8 ANALYSIS

Requirement 2 is supported partly by Oracle Database Vault and itis not a most significant part of product compliance. Some parts ofthe Requirement 2 is not relevant to the product. Oracle DatabaseVault has mechanisms to ensure secure password creation andseparation of duties concept to prevent misuse of administrativeactions, but other system’s users password management is out ofthis product scope.

Requirement 3 is also supported only partly due to the fact thatsome parts again are not relevant to the product. Oracle DatabaseVault puts additional control on who, when and from where canaccess stored data and cryptographic keys to support Requirement3.

Requirement 6 is mostly not relevant to Oracle Database Vault.Product only supports part that requires separation of environ-ments and it’s protection. Oracle Database Vault can help to protectmost importand production environment from priveleged user’saccess.

Requirement 7 is the most supported by Oracle Database Vault.This requirement is the main focus of the product. Only severalparts of this requirement are not relevant to Oracle Database Vault.Access restriction is the biggest feature of Oracle Database Vault.

39

It has a lot of methods and concepts to support access control forpriveleged users. Oracle Database Vault can help to define who,when and from where can access sensitive data. It can even blockaccess to data to anyone in case of violation.

Requirement 8 is supported only partly by Oracle DatabaseVault, as most of the parts are not relevant to the product. Itsupports only time access restriction for data access part of therequirement.

Requirement 10 is supported only partly by Oracle DatabaseVault, as most of the parts are not relevant to the product. OracleDatabase Vault has a focus on monitoring privileged users activityand blocking unauthorized activity.

Requirement A.1 is another requirement that is mostly sup-ported by Oracle Database Vault. This requirement states accessseparation restrictions and Oracle Database Valt has a lot of featuresto support such restrictions.

After going through PCI-DSS security standard and checkingOracle Database Vault compliance with this security standard, itbecame more obvious, that Oracle Database Vault is compliantwith PCI-DSS security standard in its sphere of influence. It ismeant to support only part of such standard with focus area onprivilege users access controls. As we saw earlier, it is Requirement7 and Appendix 1. Those are the main area of interest forOracle Database Vault product. Oracle Database Vault has a lotof instruments, concepts, and methods for privileged users accesscontrol, monitoring, and reports. All these help Oracle DatabaseVault to support very important part of any security area - internalsecurity. Additionally, it helps organization to comply with PCI-DSSstandard.

40

6 Conclusion and FutureWork

In this work the main subject was an Oracle Database Vault, it’ssecurity features and research on compliance check with PCI DSSstandard.

First, I introduced the history of database security, it’s evolutionthrough the years with current trends in database development.Then, I described foundation for the most popular and useddatabase technology - relational databases. I referenced to the mostcurrent trends in threats against databases. This part gave a goodpicture of what database security should address in current marketsituation.

Next, I listed what kind of general recommendation Oracle hasfor protecting databases and sensitive data against most commonthreats. Analysis of threats and protection techniques helped torealize that database has a gap in security layer, which addressinternal security threats.

Oracle Database Vault product was introduced to fill the gapin internal security. Oracle Database Vault security methods andfeatures were described to understand, how this product protectsdatabases from internal threats and puts control on priviledge usersaccess.

Next, was a PCI DSS description part, that gave a clear pictureon purpose of the standard and requirements that organizationshould meet to comply with PCI DSS standard. Each requirementwas describe in enough details to help in future understanding ofcompliance check research.

Section 5, demonstrates the results of the compliance checkresearch. This section lists all the requirements that Oracle DatabaseVault supports and provides details on what kind of security

41

methods and features support each requirement. The results havea significant value for the organizations that are planning theirsecurity program and need to comply with PCI DSS standard.Organization should have a good understanding on what level eachproduct supports certain security standard to plan their securitystack. The results of this work will help organizations to identifyrequirements that Oracle Database Vault supports and not leastimportand part of the PCI DSS standard that needs to be coveredby other security products.

Consider such fact that Oracle Database Vault is quite uniqueproduct on the market and address organization internal threatsprotection, it is definitely deserve a consideration, but it wouldbe more suitable for a bigger organization, as it requires biggerresources for implementation and support.

Implementation of Oracle Database Vault is another topic andit will not be considered here. However, this is a good topic forfuture research. Future work can include development of detailedimplementation plan of Oracle Database Vault product. It shouldinclude plan of resources required to do basic implementation andit could have most recommended implementation. Also, it mightinclude recommended configuration of Oracle Database Vault andstep-by-step implementation plan.

Oracle Database Vault has been created as an enhancement toOracle Database to add separation of duties. The idea behind OracleDatabase Vault is to let DBAs perform their everyday duties withoutbeing able to read or write data to database tables, but as all existingproducts Oracle Database Vault has its own vulnerabilities. Reseachof existing product vulnerabilities and possible solutions for themcould be a good topic for another research.

42

References

[1] K. Tbeileh, P. Needham, Oracle Database Vault with OracleDatabase 11g Release 2 (An Oracle White Paper, USA, 2009).

[2] Open resource, Database (Wikipedia.org).

[3] C.J. Date, An Introduction to Database Systems (Edition:8, 2003).

[4] J. Ramachandran, Designing Security Architecture Solutions (JohnWiley&Sons Inc, New York, 2002).

[5] H. Bidgoli, Handbook of Information Security: Threats, Vulner-abilities, Prevention, Detection, and Management, Volume 3 (JohnWiley & Sons, NewYork, 2006).

[6] A. Rothacker, Top 10 Database Vulnerabilities and Misconfigura-tions (www.teamshatter.com, 2010).

[7] Oracle, Oracle Database Security Checklist (An Oracle WhitePaper, USA, 2008).

[8] R. Ben-Natan, Implementing Database Security and Auditing (Edi-tion:5, Digital Press, 2005).

[9] K. Tbeileh, P. Needham, Oracle Database Vault with OracleDatabase 12c (Oracle Corporation, USA, 2013).

[10] Oracle Database Vault Administrator’s Guide, http://www.

oracle.com

[11] K. Yin Robert, CASE STUDY METHODS (COSMOS Corpora-tion, 2004).

[12] VISA, official site, http://usa.visa.com

[13] MasterCard, official site, http://www.mastercard.com/

43

[14] PCI Council, official site, https://www.pcisecuritystandards.

org

44

A Oracle Database SecurityChecklist

• INSTALL ONLY WHAT IS REQUIRED: Oracle recommendsto install minimum set of features for production systemsand in case if additional features or options needed, Oracleinstaller can be simply re-ran and features or options can beadded. Oracle recommends not to install sample schemas toproduction systems and if you have them, then lock or removeit.

• LOCK AND EXPIRE DEFAULT USER ACCOUNTS: The Oracledatabase installs with some default user accounts. Databaseconfiguration assistant automatically locks and expires most ofthe users accounts, but in case of manual database installationsthese accounts are not locked. You need to lock and expirethese user accounts. The list of all default accounts and theirstatuses can be found in original checklist paper on Oraclewebsite.

• CHANGING DEFAULT USER PASSWORDS: Creating securepassword and performing good password policies are veryimportant part in protecting you database against securitythreats. The most important password criteria is length andcomplexity. Oracle recommendations for creating secure andcomplex password’s are: [7]

– At least 10 values in length.

– A mixture of letters and numbers.

– Contain mixed case (Supported in Oracle Database 11g).

– Include symbols (Supported in Oracle Database 11g).

– Little or no relation to an actual word.

45

– Create passwords from the 1st letters of the words of aneasy-to-remember sentence.

– Combine 2 weaker passwords.

– Repeat a character at the beginning or end of the pass-word.

– Add or append a string of some sort.

– Append part of the same password.

– Double some or all of the letters.

These recommendations make it harder for the attacker tocrack the password.

• CHANGE PASSWORDS FOR ADMINISTRATIVE ACCOUNTS:Oracle recommends to use different and strong passwords foradministrative accounts such as SYSTEM, SYSMAN, DBSNMP,whenever it is production or test environment.

• CHANGE DEFAULT PASSWORDS FOR ALL USERS: If thereare unlocked accounts after installation, they have a defaultpassword which is the same as the user account. New strongpassword should be assign to such accounts.

• ENFORCE PASSWORD MANAGEMENT: Oracle recommendsenforce failed login, password expiration, password complex-ity and reuse policies using Oracle profiles, and follow bestpractices defined by Oracle Applications. Oracle recommendsthat all user’s password should be changed periodically andbasic password management rules applied to all user pass-words.

• SECURE BATCH JOBS: Oracle Database has a new feature -the Secure External Password Store, starting from databaseversion 10 g release 2. This feature helps to secure batch jobsand tasks performed without user interaction, and which usescredential identification to connect to database. The passwords

46

and user names are stored in Oracle Wallet and used forrunning batch jobs and other tasks. This technic removes theneed to hard code credentials in batch jobs, but location andpermissions to wallet should be carefully considered in favorof least-privileges.

• MANAGE ACCESS TO SYSDBA AND SYSOPER ROLES: Ora-cle recommends to avoid connecting with SYSDBA role, unlessit is absolutely necessary in such cases like patching and calledfor by an existing Oracle feature. Attention should be paidto managing access and monitoring for unsuccessful SYSDBAand SYSOPER connections. Oracle recommends for large andsmall organizations to create their own separate administrativeaccount, instead of using SYSDBA.

• ENABLE ORACLE DATA DICTIONARY PROTECTION: Ora-cle recommends that data dictionary protection should beimplemented to prevent misusing and harming data dic-tionary by users, who has ”ANY” system privileges. SetO7 DICTIONARY ACCESSIBILITY parameter to FALSE to en-able data dictionary protection. In version Oracle 9i and laterthis parameter default settings is set to FALSE. If some appli-cations need to use data dictionary, they can be granted theSELECT ANY DICTIONARY system privilege individually.

• FOLLOW THE PRINCIPLE OF LEAST PRIVILEGE: Oraclerecommends to avoid giving high privileges to new databaseusers, even if those users are privileged users. Special attentionshould be given when assigning privileges to applicationschemas. SYSDBA role should be granted with high cautionand to the people in most trusted position. All users’ activities,who connects with SYSDBA role or other administrative rolesshould be constantly monitored.

• PUBLIC PRIVILEGES: The topic of PUBLIC privileges is partof Oracle’s overall secure-by-default initiative that started with

47

Oracle Database 9i. New in the Oracle Database 11g release aregranular authorizations for numerous PL/SQL network utilitypackages granted to PUBLIC.

• RESTRICT PERMISSIONS ON RUN-TIME FACILITIES: Whengranting permissions on run-time facilities such as the OracleJava Virtual Machine (OJVM), grant permissions to the explicitor actual document root file path. This code can be changedto use the explicit file path: dbms java.grant permission(’SCOTT’, ’SYS:java.io.FilePermission’, ’<<ALL FILES>>’, ’read’); dbms java.grant permission (’SCOTT’,’SYS:java.io.FilePermission’, ’<<actual directory path >>’,’read’);

• AUTHENTICATE CLIENTS: Oracle recommends tomake sure that database initialization parameterREMOTE OS AUTHENT is set to FALSE. It is a defaultvalue for this parameter and should not be changed. Thisconfiguration is more secure. It is enforcing server-basedauthentication of clients connecting to an Oracle database.

• RESTRICT OPERATING SYSTEM ACCESS: Oracle recommen-dations to restrict amount of users, who have operating sys-tems access to Oracle Database host and to limit the ability tomodify permissions of default file, Oracle Database installationdirectory, and its content. Oracle owner and privileged systemusers should not change these permissions. They can bemodified only in case if Oracle give instructions to do so. Onlytrusted users should be able to own and modify path or fileto Oracle database, such as DBA or another trusted operatingsystem account.

• SECURE THE ORACLE LISTENER: The Oracle Listenershould be properly configured for optimal security. OracleDatabase 10g Release 1 and higher uses local OS authenticationas the default authentication mode. This mode requires the

48

Oracle Net administrator to be a member of the local DBAgroup. Setting a password for the TNS listener in OracleDatabase 10g Release 1 and higher simplifies local adminis-tration. However, setting a password requires good passwordmanagement to prevent unauthorized users from guessing thepassword and potentially gaining access to privileged listeneroperations. Customers may wish to consider not setting apassword for the TNS listener starting with Oracle Database10g Release 1. Passwords should be used for databases priorto Oracle Database 10g Release 1 or for remote administrationof listeners on Oracle Database 10g Release 1 and higherdatabases. You should also consider using a firewall. Properuse of a firewall will reduce exposure to security relatedinformation including port openings and other configurationinformation located behind the firewall. Oracle Net supports avariety of firewalls.

• SECURE EXTERNAL PROCEDURES: The default configura-tion for external procedures no longer requires a networklistener to work with Oracle Database and EXTPROC agent.The EXTPROC agent is spawned directly by Oracle Databaseand eliminates the risks that extproc might be spawned byOracle Listener, unexpectedly. This default configuration isrecommended for maximum security. Having your EXTPROCagent spawned by Oracle Listener is necessary if you use: [7]

– Multi-threaded Agent.

– Oracle Database in MTS mode on Windows.

– AGENT clause of the LIBRARY specification or AGENTIN clause of the PROCECDURE specification such thatyou can redirect external procedures to a differentEXTPROC agent. Please refer to the Oracle Net ServicesGuide for instructions on properly configuring Oracle NetServices for external procedures.

49

• PREVENT RUNTIME CHANGES TO LISTENER:Recommended and default value for AD-MIN RESTRICTIONS LISTENER is ON and runtime changesto the listener parameters are disabled. To be able to doany changes LISTENER.ORA file should be modified andmanually reloaded.

• CHECKING NETWORK IP ADDRESSES: Oracle recommendsto use Oracle Net valid note security feature to control ac-cess from specific IP addresses to Oracle server processes.Setting parameters in Oracle Net configuration file proto-col.ora allows or denies specific client IP addresses to makeconnections to Oracle listener: tcp.validnote checking = YES,tcp.excluded nodes = list of IP addresses, tcp.invited nodes =list of IP addresses.

• HARDEN THE OPERATING SYSTEM: Make sure that UserDatagram Protocol (UDP) and Transmission Control Protocol(TCP) ports are closed for unnecessary services, which UNIXand Windows systems provide. Both type of ports should beclosed for each disabled service. Disabling only one type ofport does not make operating system more secure.

• ENCRYPT NETWORK TRAFFIC: Oracle recommendation is toencrypt network traffic between application servers, databases,and clients. Oracle supports SSL certificates and networkencryption without certificates.

• APPLY ALL SECURITY PATCHES: Operating systems andOracle latest patches should be applied. Follow up OracleTechnology Network (OTN) security site for information onlatest security alerts provided by Oracle. Also, check OracleWorldwide Supports services site, Metalink, for more detailedinformation, upcoming security patches, and specific securityconfiguration information.

50

• REPORT SECURITY ISSUES TO ORACLE:Any vulnerabilitiesfounded in Oracle Database can be reported as a request toOracle Worldwide Support Services using Metalink or email:secalert [email protected]. Description of the problem, productversion, platform, scripts, and examples are necessary toprovide in a request. [7]

51

B Key Features and Benefitsof Oracle Database Vault

• Preventive controls to block privileged users and DBAs fromaccessing sensitive data in the databases.

• Enforce operational controls inside the database, lock downthe configuration, and prevent audit findings.

• Seal off highly sensitive application objects during mainte-nance periods and in response to cyber threats.

• Increase security controls for consolidation, cloud environ-ments, and outsourcing, and help to comply with regulationsfrom multiple countries.

• Identify used and unused privileges and roles with PrivilegeAnalysis.

• Application-specific protection policies for enterprise applica-tions including Fusion Applications, E-Business Suite, People-Soft, Siebel, and SAP.

52

C Oracle Database Vaultprovides essential safeguardsagainst common threats

• Threats that exploit stolen credentials obtained from socialengineering, key-loggers, and other mechanisms to get accessto privileged accounts in your database.

• Threats from insiders that misuse privileged accounts to accesssensitive data, or to create new accounts, and grant additionalroles and privileges for future exploits.

• Threats from insiders who bypass the organization’s usagepolicies (including IP address, date, and time of usage),or from unintended mistakes from junior DBAs who mightuse unauthorized SQL commands that change the databaseconfiguration and put the database in a vulnerable state.

• Threats to sensitive data during maintenance window from theapplication administrators.

• Threats that exploit weaknesses in the application to escalateprivileges and attack other applications on the same database.

53

D The PCI-DSS Require-ments

Requirement 1: Install and maintain firewall configuration toprotect card-holder data.

The first requirement, describes different requirements of net-work security that organization need to comply with PCI-DSS. [14]

Requirement 1.1, Establish and implement firewall and routerconfiguration standards formalize testing whenever configurationschange, identifies all connections between the cardholder dataenvironment and other networks (including wireless) with doc-umentation and diagrams, documents business justification andvarious technical settings for each implementation, that diagram allcardholder data flows across systems and networks, and stipulate areview of configuration rule sets at least every six months: [14]

• 1.1.1 A formal process for approving and testing all networkconnections and changes to the firewall and router configura-tions

• 1.1.2 Current network diagram with all connections to card-holder data, including any wireless networks

• 1.1.3 Requirements for a firewall at each Internet connectionand between any demilitarized zone (DMZ) and the internalnetwork zone

• 1.1.4 Description of groups, roles, and responsibilities forlogical management of network components

• 1.1.5 Documentation and business justification for use of allservices, protocols, and ports allowed, including documen-tation of security features implemented for those protocolsconsidered to be insecure

54

• 1.1.6 Requirement to review firewall and router rule sets atleast every six months

Requirement 1.2, Build firewall and router configurations thatrestrict all traffic, inbound and outbound, from untrusted networks(including wireless) and hosts, and specifically deny all other trafficexcept for protocols necessary for the cardholder data environment:[14]

• 1.2.1 Restrict inbound and outbound traffic to that which isnecessary for the cardholder data environment.

• 1.2.2 Secure and synchronize router configuration files.

• 1.2.3 Install perimeter firewalls between any wireless networksand the cardholder data environment, and configure thesefirewalls to deny or control (if such traffic is necessary forbusiness purposes) any traffic from the wireless environmentinto the cardholder data environment.

Requirement 1.3, Prohibit direct public access between the Inter-net and any system component in the cardholder data environment:[14]

• 1.3.1 Implement a DMZ to limit inbound traffic to only sys-tem components that provide authorized publicly accessibleservices, protocols, and ports.

• 1.3.2 Limit inbound Internet traffic to IP addresses within theDMZ.

• 1.3.3 Do not allow any direct connections inbound or outboundfor traffic between the Internet and the cardholder data envi-ronment.

• 1.3.4 Do not allow internal addresses to pass from the Internetinto the DMZ.

55

• 1.3.5 Do not allow unauthorized outbound traffic from thecardholder data environment to the Internet.

• 1.3.6 Implement stateful inspection, also known as dynamicpacket filtering. (That is, only established connections areallowed into the network.)

• 1.3.7 Place system components that store cardholder data (suchas a database) in an internal network zone, segregated from theDMZ and other untrusted networks.

• 1.3.8 Do not disclose private IP addresses and routing infor-mation to unauthorized parties. Note: Methods to obscure IPaddressing may include, but are not limited to:

– Network Address Translation (NAT)

– Placing servers containing cardholder data behind proxyservers/firewalls or content caches,

– Removal or filtering of route advertisements for privatenetworks that employ registered addressing,

– Internal use of RFC1918 address space instead of regis-tered addresses.

Requirement 1.4, Install personal firewall software on any mobileand/or employee-owned devices that connect to the Internet whenoutside the network, and which are also used to access the network.[14]

Requirement 1.5, Ensure that related security policies and opera-tional procedures are documented, in use, and known to all affectedparties. [14]

Requirement 2 is the following: Do not use vendor-supplied defaultsfor system passwords and other parameters. [14]

Requirement 2.1, Always change ALL vendor-supplied defaultsand remove or disable unnecessary default accounts before in-stalling a system on the network. This includes wireless devices

56

that are connected to the cardholder data environment or are usedto transmit cardholder data: [14]

• 2.1.1 For wireless environments connected to the cardholderdata environment or transmitting cardholder data, changewireless vendor defaults, including but not limited to defaultwireless encryption keys, passwords, and SNMP communitystrings.

Requirement 2.2, Develop configuration standards for all systemcomponents that address all known security vulnerabilities andare consistent with industry-accepted definitions. Update systemconfiguration standards as new vulnerability issues are identified:[14]

• 2.2.1 Implement only one primary function per server toprevent functions that require different security levels fromco-existing on the same server. (For example, web servers,database servers, and DNS should be implemented on separateservers.) Note: Where virtualization technologies are inuse, implement only one primary function per virtual systemcomponent.

• 2.2.2 Enable only necessary and secure services, protocols,daemons, etc. as required for the function of the system. Im-plement security features for any required services, protocolsor daemons that are considered to be insecure.

• 2.2.3 Configure system security parameters to prevent misuse

• 2.2.4 Remove all unnecessary functionality, such as scripts,drivers, features, ubsystems, file systems, and unnecessaryweb servers.

Requirement 2.3, Using strong cryptography, encrypt allnon-console administrative access such as browser/web-basedmanagement tools. [14]

57

Requirement 2.4, Maintain an inventory of system componentsthat are in scope for PCI DSS. [14]


Requirement 2.6, Shared hosting providers must protect eachentity’s hosted environment and cardholder data (details are in PCIDSS Appendix A: Additional PCI DSS Requirements for SharedHosting Providers.) [14]

Requirement 3 is the following: Protect stored cardholder data. [14]Requirement 3.1, Limit cardholder data storage and retention

time to that which is required for business, legal, and/or regulatorypurposes, as documented in your data retention policy. Purgeunnecessary stored data at least quarterly: [14]

• 3.1.1 Implement a data retention and disposal policy thatincludes: Limiting data storage amount and retention timeto that which is required for legal, regulatory, and businessrequirements.

– Processes for secure deletion of data when no longerneeded.

– Specific retention requirements for cardholder data.

– A quarterly automatic or manual process for identifyingand securely deleting stored cardholder data that exceedsdefined retention requirements.

Requirement 3.2, Do not store sensitive authentication data afterauthorization (even if it is encrypted). See table below. Renderall sensitive authentication data unrecoverable upon completion ofthe authorization process. Issuers and related entities may storesensitive authentication data if there is a business justification, andthe data is stored securely: [14]

• 3.2.1 Do not store the full contents of any track from themagnetic stripe (located on the back of a card, equivalent data

58

contained in a chip, or elsewhere). This data is alternativelycalled full track, track, track 1, track 2, and magnetic-stripedata.

• 3.2.2 Do not store the card-verification code or value(three-digit or four-digit number printed on the front orback of a payment card) used to verify card-not-presenttransactions

• 3.2.3 Do not store the personal identification number (PIN) orthe encrypted PIN block.

Requirement 3.3, Mask PAN when displayed (the first six andlast four digits are the maximum number of digits you may display),so that only authorized people with a legitimate business need cansee the full PAN. This does not supersede stricter requirementsthat may be in place for displays of cardholder data, such as ona point-of-sale receipt. [14]

Requirement 3.4, Render PAN unreadable anywhere it is storedincluding on portable digital media, backup media, in logs, anddata received from or stored by wireless networks. Technologysolutions for this requirement may include strong one-way hashfunctions of the entire PAN, truncation, index tokens with securelystored pads, or strong cryptography. (See PCI DSS Glossary fordefinition of strong cryptography [14].) Note: It is a relatively trivialeffort for a malicious individual to reconstruct original PAN data ifthey have access to both the truncated and hashed version of a PAN.Where hashed and truncated versions of the same PAN are presentin an entity’s environment, additional controls should be in place toensure that the hashed and truncated versions cannot be correlatedto reconstruct the original PAN. [14]

• 3.4.1 If disk encryption is used (rather than file- orcolumn-level database encryption), logical access must bemanaged independently of native operating system accesscontrol mechanisms (for example, by not using local user

59

account databases). Decryption keys must not be tied to useraccounts.

Requirement 3.5, Document and implement procedures to pro-tect any keys used for encryption of cardholder data from disclosureand misuse: [14]

• 3.5.1 Restrict access to cryptographic keys to the fewest num-ber of custodians necessary

• 3.5.2 Store cryptographic keys securely in the fewest possiblelocations and forms

Requirement 3.6, Fully document and implement key manage-ment processes and procedures for cryptographic keys used forencryption of cardholder data: [14]

• 3.6.1 Generation of strong cryptographic keys

• 3.6.2 Secure cryptographic key distribution

• 3.6.3 Secure cryptographic key storage

• 3.6.4 Cryptographic key changes for keys that have reachedthe end of their cryptoperiod (for example, after a definedperiod of time has passed and/or after a certain amount ofcipher-text has been produced by a given key), as defined bythe associated application vendor or key owner, and basedon industry best practices and guidelines (for example, NISTSpecial Publication 800-57).

• 3.6.5 Retirement or replacement (for example, archiving, de-struction, and/or revocation) of keys as deemed necessarywhen the integrity of the key has been weakened (for example,departure of an employee with knowledge of a clear-text key),or keys are suspected of being compromised. Note: If retiredor replaced cryptographic keys need to be retained, thesekeys must be securely archived (for example, by using a key

60

encryption key). Archived cryptographic keys should only beused for decryption/verification purposes.

• 3.6.6 If manual clear-text cryptographic key management op-erations are used, these operations must be managed usingsplit knowledge and dual control (for example, requiring twoor three people, each knowing only their own key component,to reconstruct the whole key). Note: Examples of manual keymanagement operations include, but are not limited to: keygeneration, transmission, loading, storage and destruction.

• 3.6.7 Prevention of unauthorized substitution of cryptographickeys

• 3.6.8 Requirement for cryptographic key custodians to for-mally acknowledge that they understand and accept theirkey-custodian responsibilities


Requirement 4 is the following: Encrypt transmission of cardholderdata across open, public networks. . [14]

Requirement 4.1, Use strong cryptography and security pro-tocols such as SSL/TLS, SSH or IPSec to safeguard sensitivecardholder data during transmission over open, public networks(e.g. Internet, wireless technologies, cellular technologies, GeneralPacket Radio Service (GPRS), and satellite communications). En-sure wireless networks transmitting cardholder data or connectedto the cardholder data environment use industry best practices (e.g.,IEEE 802.11i) to implement strong encryption for authentication andtransmission. The use of WEP as a security control is prohibited:[14]

• 4.1.1 Ensure wireless networks transmitting cardholder data orconnected to the cardholder data environment, use industry

61

best practices (e.g., IEEE 802.11i) to implement strong encryp-tion for authentication and transmission. Note: The use ofWEP as a security control was prohibited as of 30 June, 2010.

Requirement 4.2, Never send unprotected PANs by end usermessaging technologies (for example, e-mail, instant messaging,chat, etc.). [14]


Requirement 5 is the following: Use and regularly update antivirussoftware or programs. [14]

Requirement 5.1, Deploy anti-virus software on all systemscommonly affected by malicious software (particularly personalcomputers and servers). For systems not affected commonly by ma-licious software, perform periodic evaluations to evaluate evolvingmalware threats and confirm whether such systems continue to notrequire anti-virus software: [14]

• 5.1.1 Ensure that all anti-virus programs are capable of de-tecting, removing, and protecting against all known types ofmalicious software.

Requirement 5.2, Ensure that all anti-virus mechanisms are keptcurrent, perform periodic scans, generate audit logs, which areretained per PCI DSS Requirement 10.7. [14]

Requirement 5.3, Ensure that anti-virus mechanisms are activelyrunning and cannot be disabled or altered by users, unless specif-ically authorized by management on a case-by-case basis for alimited time period. [14]


Requirement 6 is the following: Develop and maintain securesystems and applications. [14]

62

Requirement 6.1, Establish a process to identify security vul-nerabilities, using reputable outside sources, and assign a riskranking (e.g. high, medium, or low) to newly discovered securityvulnerabilities. [14]

Requirement 6.2, Protect all system components andsoftware from known vulnerabilities by installing applicablevendor-supplied security patches. Install critical security patcheswithin one month of release. [14]

Requirement 6.3, Develop internal and external software appli-cations including web-based administrative access to applicationsin accordance with PCI DSS and based on industry best practices.Incorporate information security throughout the software develop-ment life cycle. This applies to all software developed internally aswell as bespoke or custom software developed by a third party: [14]

• 6.3.1 Removal of custom application accounts, user IDs, andpasswords before applications become active or are released tocustomers.

• 6.3.2 Review of custom code prior to release to production orcustomers in order to identify any potential coding vulnera-bility. Note: This requirement for code reviews applies to allcustom code (both internal and public-facing), as part of thesystem development lifecycle. Code reviews can be conductedby knowledgeable internal personnel or third parties. Webapplications are also subject to additional controls, if they arepublic facing, to address ongoing threats and vulnerabilitiesafter implementation, as defined at PCI DSS Requirement 6.6.

Requirement 6.4, Follow change control processes and proce-dures for all changes to system components: [14]

• 6.4.1 Separate development/test and production environments

• 6.4.2 Separation of duties between development/test and pro-duction environments

63

• 6.4.3 Production data (live PANs) are not used for testing ordevelopment

• 6.4.4 Removal of test data and accounts before productionsystems become active

• 6.4.5 Change control procedures for the implementation ofsecurity patches and software modifications. Procedures mustinclude the following: [14]

– 6.4.5.1 Documentation of impact.

– 6.4.5.2 Documented change approval by authorized par-ties.

– 6.4.5.3 Functionality testing to verify that the change doesnot adversely impact the security of the system.

– 6.4.5.4 Back-out procedures.

Requirement 6.5, Prevent common coding vulnerabilities insoftware development processes by training developers in securecoding techniques and developing applications based on securecoding guidelines including how sensitive data is handled inmemory: [14]

• 6.5.1 Injection flaws, particularly SQL injection. Also considerOS Command Injection, LDAP and XpPath injection flaws aswell as other injection flaws.

• 6.5.2 Buffer overflow.

• 6.5.3 Insecure cryptographic storage.

• 6.5.4 Insecure communications.

• 6.5.5 Improper error handling.

• 6.5.6 All High vulnerabilities identified in the vulnerabilityidentification process (as defined in PCI DSS Requirement 6.2).

64

Note: This requirement is considered a best practice until June30, 2012, after which it becomes a requirement.

Requirements 6.5.7 through 6.5.9, below, apply to web applica-tions and application interfaces (internal or external):

• 6.5.7 Cross-site scripting (XSS).

• 6.5.8 Improper Access Control (such as insecure direct objectreferences, failure to restrict URL access, and directory traver-sal).

• 6.5.9 Cross-site request forgery (CRSF).

Requirement 6.6, Ensure all public-facing web applications areprotected against known attacks, either by performing applicationvulnerability assessment at least annually and after any changes, orby installing an automated technical solution that detects and pre-vents web-based attacks (for example, a web-application firewall)in front of public-facing web applications, to continually check alltraffic. [14]


Requirement 7 is the following: Restrict cardholder information bybusiness need to know. [14]

Requirement 7.1, Limit access to system components and card-holder data to only those individuals whose job requires suchaccess: [14]

• 7.1.1 Restriction of access rights to privileged user IDs to leastprivileges necessary to perform job responsibilities

• 7.1.2 Assignment of privileges is based on individual person-nel’s job classification and function

• 7.1.3 Requirement for a documented approval by authorizedparties specifying required privileges

65

• 7.1.4 Implementation of an automated access control system

Requirement 7.2, Establish an access control system for systemscomponents that restricts access based on a user’s need to know,and is set to deny all unless specifically allowed: [14]

• 7.2.1 Coverage of all system components

• 7.2.2 Assignment of privileges to individuals based on jobclassification and function

• 7.2.3 Default deny-all setting


Requirement 8 is the following: Assign a unique ID to each personwith computer access. [14]

Requirement 8.1, Define and implement policies and proceduresto ensure proper user identification management for users andadministrators on all system components. Assign all users a uniqueuser name before allowing them to access system components orcardholder data. [14]

Requirement 8.2, Employ at least one of these to authenticateall users: something you know, such as a password or passphrase;something you have, such as a token device or smart card; orsomething you are, such as a biometric. Use strong authenticationmethods and render all passwords unreadable during transmissionand storage using strong cryptography. [14]

Requirement 8.3, Implement two-factor authentication for allremote network access that originates from outside the network,by employees, administrators, and third parties including ven-dor access for support or maintenance. Examples of two-factortechnologies include remote authentication and dial-in service(RADIUS) with tokens; terminal access controller access controlsystem (TACACS) with tokens; or other technologies that facilitate

66

two-factor authentication. Using one factor twice (e.g. using twoseparate passwords) is not considered two-factor authentication.[14]

Requirement 8.4, Develop, implement, and communicate au-thentication procedures and policies to all users. [14]

Requirement 8.5, Do not use group, shared, or generic IDs, orother authentication methods. Service providers with access tocustomer environments must use a unique authentication credential(such as a password/passphrase) for each customer environment:[14]

• 8.5.1 Control addition, deletion, and modification of user IDs,credentials, and other identifier objects

• 8.5.2 Verify user identity before performing password resets.

• 8.5.3 Set passwords for first-time use and resets to a uniquevalue for each user and change immediately after the first use.

• 8.5.4 Immediately revoke access for any terminated users.

• 8.5.5 Remove/disable inactive user accounts at least every 90days.

• 8.5.6 Enable accounts used by vendors for remote access onlyduring the time period needed. Monitor vendor remote accessaccounts when in use.

• 8.5.7 Communicate authentication procedures and policies toall users who have access to cardholder data.

• 8.5.8 Do not use group, shared, or generic accounts andpasswords, or other authentication methods.

• 8.5.9 Change user passwords at least every 90 days.

• 8.5.10 Require a minimum password length of at least sevencharacters.

67

• 8.5.11 Use passwords containing both numeric and alphabeticcharacters.

• 8.5.12 Do not allow an individual to submit a new passwordthat is the same as any of the last four passwords he or she hasused.

• 8.5.13 Limit repeated access attempts by locking out the userID after not more than six attempts.

• 8.5.14 Set the lockout duration to a minimum of 30 minutes oruntil administrator enables the user ID.

• 8.5.15 If a session has been idle for more than 15 minutes,require the user to re-authenticate to re-activate the terminalor session.

• 8.5.16 Authenticate all access to any database containing card-holder data. This includes access by applications, administra-tors, and all other users. Restrict user direct access or queriesto databases to database administrators.

Requirement 8.6, Use of other authentication mechanisms suchas physical security tokens, smart cards, and certificates must beassigned to an individual account. [14]

Requirement 8.7, All access to any database containing card-holder data must be restricted: all user access must be throughprogrammatic methods; only database administrators can havedirect or query access; and application IDs for database applica-tions can only be used by the applications (and not by users ornon-application processes). [14]


Requirement 9 is the following: Restrict physical access to card-holder data. [14]

68

Requirement 9.1, Use appropriate facility entry controls to limitand monitor physical access to systems in the cardholder dataenvironment: [14]

• 9.1.1 Use video cameras and/or access control mechanisms tomonitor individual physical access to sensitive areas. Reviewcollected data and correlate with other entries. Store for atleast three months, unless otherwise restricted by law.

• 9.1.2 Restrict physical access to publicly accessible networkjacks. For example, areas accessible to visitors should not havenetwork ports enabled unless network access is specificallyauthorized.

• 9.1.3 Restrict physical access to wireless access points, gate-ways, handheld devices, networking/communications hard-ware, and telecommunications lines.

Requirement 9.2, Develop procedures to easily distinguish be-tween onsite personnel and visitors, such as assigning ID badges.[14]

Requirement 9.3, Control physical access for onsite personnelto the sensitive areas. Access must be authorized and based onindividual job function; access must be revoked immediately upontermination, and all physical access mechanisms, such as keys,access cards, etc. returned or disabled: [14]

• 9.3.1 Authorized before entering areas where cardholder datais processed or maintained

• 9.3.2 Given a physical token (for example, a badge or accessdevice) that expires and that identifies the visitors as not onsitepersonnel

• 9.3.3 Asked to surrender the physical token before leaving thefacility or at the date of expiration

69

Requirement 9.4, Ensure all visitors are authorized before en-tering areas where cardholder data is processed or maintained;given a physical token that expires and that identifies visitors asnot onsite personnel; and are asked to surrender the physical tokenbefore leaving the facility or at the date of expiration. Use a visitorlog to maintain a physical audit trail of visitor information andactivity, including visitor name, company, and the onsite personnelauthorizing physical access. Retain the log for at least three monthsunless otherwise restricted by law. [14]

Requirement 9.5, Physically secure all media; store mediaback-ups in a secure location, preferably off site. [14]

Requirement 9.6, Maintain strict control over the internal orexternal distribution of any kind of media. [14]

Requirement 9.7, Maintain strict control over the storage andaccessibility of media: [14]

• 9.7.1 Classify the media so the sensitivity of the data can bedetermined.

• 9.7.2 Send the media by secured courier or other deliverymethod that can be accurately tracked.

Requirement 9.8, Destroy media when it is no longer needed forbusiness or legal reasons. [14]

Requirement 9.9, Protect devices that capture payment card datavia direct physical interaction with the card from tampering andsubstitution. This includes periodic inspections of POS devicesurfaces to detect tampering, and training personnel to be awareof suspicious activity: [14]

• 9.9.1 Properly maintain inventory logs of all media and con-duct media inventories at least annually.

Requirement 9.10, Ensure that related security policies andoperational procedures are documented, in use, and known to allaffected parties: [14]

70

• 9.10.1 Shred, incinerate, or pulp hardcopy materials so thatcardholder data cannot be reconstructed.

• 9.10.2 Render cardholder data on electronic media unrecover-able so that cardholder data cannot be reconstructed.

Requirement 10 is the following: Track and monitor all access tonetwork resources and cardholder data. [14]

Requirement 10.1, Implement audit trails to link all access tosystem components to each individual user. [14]

Requirement 10.2, Implement automated audit trails for allsystem components for reconstructing these events: all individualuser accesses to cardholder data; all actions taken by any individualwith root or administrative privileges; access to all audit trails;invalid logical access attempts; use of and changes to identificationand authentication mechanisms (including creation of new ac-counts, elevation of privileges), and all changes, additions, deletionsto accounts with root or administrative privileges; initialization,stopping or pausing of the audit logs; creation and deletion ofsystem-level objects: [14]

• 10.2.1 All individual accesses to cardholder data

• 10.2.2 All actions taken by any individual with root or admin-istrative privileges

• 10.2.3 Access to all audit trails

• 10.2.4 Invalid logical access attempts

• 10.2 5 Use of identification and authentication mechanisms

• 10.2.6 Initialization of the audit logs

• 10.2.7 Creation and deletion of system-level objects

Requirement 10.3, Record audit trail entries for all system com-ponents for each event, including at a minimum: user identifica-tion, type of event, date and time, success or failure indication,

71

origination of event, and identity or name of affected data, systemcomponent or resource: [14]

• 10.3.1 User identification

• 10.3.2 Type of event

• 10.3.3 Date and time

• 10.3.4 Success or failure indication

• 10.3.5 Origination of event

• 10.3.6 Identity or name of affected data, system component, orresource

Requirement 10.4, Using time synchronization technology, syn-chronize all critical system clocks and times and implement controlsfor acquiring, distributing, and storing time: [14]

• 10.4.1 Critical systems have the correct and consistent time.

• 10.4.2 Time data is protected.

• 10.4.3 Time settings are received from industry-accepted timesources

Requirement 10.5, Secure audit trails so they cannot be altered:[14]

• 10.5.1 Limit viewing of audit trails to those with a job-relatedneed.

• 10.5.2 Protect audit trail files from unauthorized modifications.

• 10.5.3 Promptly back up audit trail files to a centralized logserver or media that is difficult to alter.

• 10.5.4 Write logs for external-facing technologies onto a logserver on the internal LAN.

72

• 10.5.5 Use file integrity monitoring or change detection soft-ware on logs to ensure that existing log data cannot be changedwithout generating alerts (although new data being addedshould not cause an alert).

Requirement 10.6, Review logs and security events for all systemcomponents to identify anomalies or suspicious activity. Performcritical log reviews at least daily. [14]

Requirement 10.7, Retain audit trail history for at least one year;at least three months of history must be immediately available foranalysis. [14]

Requirement 10.8, Ensure that related security policies andoperational procedures are documented, in use, and known to allaffected parties. [14]

Requirement 11 is the following: Regularly test security systemsand processes. [14]

Requirement 11.1, Implement processes to test for the presenceof wireless access points (802.11) and detect and identify all autho-rized and unauthorized wireless access points on a quarterly basis.Maintain an inventory of authorized wireless access points andimplement incident response procedures in the event unauthorizedwireless access points are detected. [14]

Requirement 11.2, Run internal and external network vulnera-bility scans at least quarterly and after any significant change inthe network. Perform rescans as needed, until passing scans areachieved. After passing a scan for initial PCI DSS compliance, anentity must, in subsequent years, pass four consecutive quarterlyscans as a requirement for compliance. Quarterly external scansmust be performed by an Approved Scanning Vendor (ASV). Scansconducted after network changes and internal scans may be per-formed by internal staff: [14]

• 11.2.1 Perform quarterly internal vulnerability scans.

• 11.2.2 Perform quarterly external vulnerability scans via anApproved Scanning Vendor (ASV) approved by the Payment

73

Card Industry Security Standards Council (PCI SSC).

• 11.2.3 Perform internal and external scans after any significantchange.

Requirement 11.3, Develop and implement a methodology forpenetration testing that includes external and internal penetrationtesting at least annually and after any upgrade or modification. Ifsegmentation is used to reduce PCI DSS scope, perform penetrationtests to verify the segmentation methods are operational andeffective: [14]

• 11.3.1 Network-layer penetration tests

• 11.3.2 Application-layer penetration tests

Requirement 11.4, Use network intrusion detection and/or in-trusion prevention techniques to detect and/or prevent intrusionsinto the network. Monitor all traffic at the perimeter of thecardholder data environment as well as at critical points inside ofthe cardholder data environment, and alert personnel to suspectedcompromises. IDS/IPS engines, baselines, and signatures must bekept up to date. [14]

Requirement 11.5, Deploy a change detection mechanism (forexample, file integrity monitoring tools) to alert personnel tounauthorized modification of critical system files, configuration filesor content files. Configure the software to perform critical filecomparisons at least weekly. Implement a process to respond toany alerts generated by the change-detection solution. [14]

Requirement 11.6, Ensure that related security policies andoperational procedures are documented, in use, and known to allaffected parties. [14]

Requirement 12 is the following: Maintain a policy that addressesinformation security for all personnel. [14]

Requirement 12.1, Establish, publish, maintain, and disseminatea security policy; review the security policy at least annually andupdate when the environment changes: [14]

74

• 12.1.1 Addresses all PCI DSS requirements

• 12.1.2 Includes an annual process that identifies threats, andvulnerabilities, and results in a formal risk assessment

• 12.1.3 Includes a review at least annually and updates whenthe environment changes

Requirement 12.2, Implement a risk assessment process that isperformed at least annually and upon significant changes to the en-vironment that identifies critical assets, threats, and vulnerabilities,and results in a formal assessment. [14]

Requirement 12.3, Develop usage policies for critical technolo-gies to define their proper use by all personnel. These include re-mote access, wireless, removable electronic media, laptops, tablets,handheld devices, email and Internet: [14]

• 12.3.1 Explicit approval by authorized parties

• 12.3.2 Authentication for use of the technology

• 12.3.3 A list of all such devices and personnel with access

• 12.3.4 Labeling of devices to determine owner, contact infor-mation, and purpose

• 12.3.5 Acceptable uses of the technology

• 12.3.6 Acceptable network locations for the technologies

• 12.3.7 List of company-approved products

• 12.3.8 Automatic disconnect of sessions for remote accesstechnologies after a specific period of inactivity

• 12.3.9 Activation of remote access technologies for vendors andbusiness partners only when needed by vendors and businesspartners, with immediate deactivation after use

75

• 12.3.10 For personnel accessing cardholder data via remoteaccess technologies, prohibit copy, move, and storage of card-holder data onto local hard drives and removable electronicmedia, unless specifically authorized for a defined businessneed.

Requirement 12.4, Ensure that the security policy and proceduresclearly define information security responsibilities for all personnel.[14]

Requirement 12.5, Assign to an individual or team informationsecurity responsibilities defined by 12.5 subsections: [14]

• 12.5.1 Establish, document, and distribute security policies andprocedures.

• 12.5.2 Monitor and analyze security alerts and information,and distribute to appropriate personnel.

• 12.5.3 Establish, document, and distribute security incidentresponse and escalation procedures to ensure timely andeffective handling of all situations.

• 12.5.4 Administer user accounts, including additions, dele-tions, and modifications

• 12.5.5 Monitor and control all access to data.

Requirement 12.6, Implement a formal security awareness pro-gram to make all personnel aware of the importance of cardholderdata security: [14]

• 12.6.1 Educate personnel upon hire at least annually. Note:Methods can vary depending on the role of the personnel andtheir level of access to the cardholder data.

• 12.6.2 Require personnel to acknowledge at least annuallythat they have read and understood the security policy andprocedures.

76

Requirement 12.7, Screen potential personnel prior to hire tominimize the risk of attacks from internal sources. Examplescreening includes previous employment history, criminal record,credit history, and reference checks. [14]

Requirement 12.8, Maintain and implement policies and proce-dures to manage service providers with which cardholder data isshared, or that could affect the security of cardholder data: [14]

• 12.8.1 Maintain a list of service providers.

• 12.8.2 Maintain a written agreement that includes an acknowl-edgement that the service providers are responsible for thesecurity of cardholder data the service providers possess.

• 12.8.3 Ensure there is an established process for engagingservice providers including proper due diligence prior toengagement.

• 12.8.4 Maintain a program to monitor service providers’ PCIDSS compliance status at least annually.

Requirement 12.9, Additional requirement for service providersonly: Service providers acknowledge in writing to customers thatthey are responsible for the security of cardholder data that theypossess or otherwise store, process, or transmit on behalf of thecustomer, or to the extent they could impact the security of thecustomer’s cardholder data environment: [14]

• 12.9.1 Create the incident response plan to be implementedin the event of system reach. Ensure the plan addresses thefollowing, at a minimum:

– Roles, responsibilities and communication and contactstrategies in the event of a compromise including notifi-cation of the payment brands, at a minimum

– Specific incident response procedures

– Business recovery and continuity procedures

77

– Data backup processes

– Analysis of legal requirements for reporting compromises

– Coverage and responses of all critical system components

– Reference or inclusion of incident response proceduresfrom the payment brands

• 12.9.2 Test the plan at least annually.

• 12.9.3 Designate specific personnel to be available on a 24/7basis to respond to alerts.

• 12.9.4 Provide appropriate training to staff with securitybreach response responsibilities.

• 12.9.5 Include alerts from intrusion detection, intrusion pre-vention, and file integrity monitoring systems.

• 12.9.6 Develop a process to modify and evolve the incidentresponse plan according to lessons learned and to incorporateindustry developments.

Requirement 12.10, Implement an incident response plan. Beprepared to respond immediately to a system breach. [14]

The last requirement is the following: Shared hosting providersmust protect the cardholder data environment

Requirement A.1, Protect each entity’s (that is merchant, serviceprovider, or other entity) hosted environment and data, per A.1.1through A.1.4. A hosting provider must fulfill these requirementsas well as all other relevant sections of the PCI DSS: [14]

• A.1.1 Ensure that each entity only runs processes that haveaccess to that entity’s cardholder data environment.

• A.1.2 Restrict each entity’s access and privileges to its owncardholder data environment only.

78

• A.1.3 Ensure logging and audit trails are enabled and uniqueto each entity’s cardholder data environment and consistentwith PCI DSS Requirement 10.

• A.1.4 Enable processes to provide for timely forensic investiga-tion in the event of a compromise to any hosted merchant orservice provider [14].

79

Security Methods and How They Are Applied in Oracle...

Documents

Transcript of Security Methods and How They Are Applied in Oracle...