Take the right steps when a breach of your Oracle Database environment becomes known or suspected. You will learn techniques for discerning how an attacker got in, what data they saw, and what else they might have done.
This book helps you understand forensics in relation to Oracle Database, and the tools and techniques that should be used to investigate a database breach. You will learn the measures to put in place now to make it harder for an attack to be successful, and to aid in the detection and investigation of future attacks. You will know how to bring together tools and methods to create a holistic approach and investigation when an event occurs, helping you to be confident of your ability to react correctly and responsibly to threats against your organization’s data.
What You'll Learn
- Detect when breaches have or may have occurred
- React with confidence using an organized plan
- Determine whether a suspected breach is real
- Determine the scope of data that has been compromised
- Preserve evidence for possible criminal prosecutions
- Put in place measures to aid future investigations
Who This Book Is For
Database administrators, system administrators, and other technology professionals who may be called upon to investigate breaches of security involving Oracle Database
Contents

| Section | Page | Pages |
|---|---|---|
| About the Author | vii | |
| Acknowledgments | ix | |
| Introduction | xi | |
| What Is Incident Response? | 9 | 1 |
| What Is Forensic Analysis? | 10 | 1 |
| What Is Oracle Database Forensics? | 19 | 1 |
| How Does Oracle Function and Store Data? | 20 | 4 |
| Heisenberg's Uncertainty Principle of Oracle | 28 | 1 |
| Audit Trail or No Audit Trail? | 29 | 1 |
| The Problem of Detecting READ | 30 | 1 |
| Identity and Accountability | 31 | 1 |
| Tables or Views with Bind Data | 41 | 1 |
| Tables or Views with Timestamps | 42 | 2 |
| SYSDBA Audit Trace Files and Logs | 66 | 3 |
| Chapter 3: Incident Response Approach | 93 | 26 |
| Create an Incident Response Approach | 95 | 24 |
| Create an Incident Response Team | 98 | 3 |
| Create an Incident Response Process | 101 | 12 |
| Create and Collate a Toolkit | 113 | 6 |
| Chapter 4: Reacting to an Incident | 119 | 36 |
| Incident Verification and Identification | 122 | 5 |
| Disconnecting the System or Shutting Down | 128 | 1 |
| Live Response and Artifact Collection | 131 | 24 |
| Views, Base Tables, RAC, and Synonyms? | 132 | 5 |
| Server and Database State | 137 | 1 |
| Collect Oracle Log Files from the Server | 141 | 4 |
| Chapter 5: Forensic Analysis | 155 | 22 |
| Chapter 6: What To Do Next? | 177 | 20 |
| Thinking About Database Security | 181 | 6 |
| Enabling Sophisticated Audit Trails | 187 | 5 |
| Index | 197 | |
Pete Finnigan is the founder and CEO of PeteFinnigan.com Limited, a company based in York, UK that specializes in helping customers secure data held in their Oracle databases. He has assisted customers all over the world in performing security audits of their Oracle databases. He also has assisted clients with Oracle incident response and forensics, and design and implementation work on Oracle features such as Virtual Private Database (VPD), encryption, masking, and many more services. Pete also provides very popular detailed training on many aspects of Oracle Security. He has spoken many times at conferences around the world on the subject of Oracle security. Pete is an Oracle ACE for security and also a member of The OAKTable network of Oracle scientists. He graduated from university in Leeds, UK with an honors degree in electronics and electrical systems.
Pete authored the books SANS Oracle Step-by-Step Guide version 1 and version 2 and also co-authored the book Expert Oracle Practices. He can be found on LinkedIn, Facebook, Twitter, and his company's website.