Re: Security audit of Oracle databases

  • From: stephen booth <stephenbooth.uk@xxxxxxxxx>
  • To: ian@xxxxxxxxxxxxxxxxx
  • Date: Tue, 12 Apr 2005 19:29:13 +0100

On Apr 12, 2005 6:35 PM, MacGregor, Ian A. <ian@xxxxxxxxxxxxxxxxx> wrote:
> Oracle's willingness to allow potential customers to download the
> product and take it for a test spin is great.  Suppose however, someone
> installs Oracle on his desktop. The installation will not be maintained,
> it will not be patched.  The possibility for compromise is significant.
> The person who only wanted to learn Oracle and discovers someone has
> taken over his machine.

Or the person who installs Visio and finds that you get a free M$-SQL
server install, so being vulnerable to a number of worms.  Or the
person who buys a PC with M$ Windows XP pre-installed and turns on the
firewall so thinks they're safe, but doesn't know that it exposes RPC
services to the internet (if you install a firewall that blocks them
then FTP will fail intermittently, it can't use the secondary FTP
server for some reason).  Maybe they install any one of a number of
personal firewall products, not realising that most of them are
decidedly porous (Zone Alarm seems to be the best). Perhaps they let
their antivirus software get out of date.  Or click on email
attachments with filenames like funnybunny.jpg.exe.  Or the person
who turns on Telnet and TFTP on their Linux/Unix/FreeBSD box so they
can access it from other boxes on their home wireless network, not
realising that they've just opened it up to anyone within 100m.

Any software setup/maintained (or even just used) by someone who
doesn't know what they're doing has the chance of being a security
risk.  What's important is how easy it is for someone who does know
what they are doing to turn off those services that aren't needed and
to secure those that are.

Stephen

-- 
It's better to ask a silly question than to make a silly assumption.
--
//www.freelists.org/webpage/oracle-l