Presentation of my final-year degree project at Oracle.
It gives a brief summary of the project; it does not include the theoretical part on information systems auditing and focuses above all on practical aspects of data security and on how the LOPD can be complied with using many of the products Oracle offers.
Oracle Solutions for IT Auditing, Security and Governance
2. PFC – Oracle Solutions for IT Auditing, Security and Governance. Mario Redón Luz
3. Structure of the PFC: About Oracle Corporation; IT Auditing, Security and Governance; Oracle Portfolio; Legal regulations; Customer success stories; Practical cases; Conclusions; References
20. Internal threats – Security Strategy (chart slide). The Ponemon Institute finds that [figure lost in export] of all reported security breaches were due to insiders. Average cost per record in a data breach: $197. A majority of 400 directors surveyed recognize that the right IT strategy is very important for: Compliance, Customer Satisfaction, Managing Risk (chart values as exported: 70%, 70%, 69%, 66%, 57%). Rules and factors. Source: Ponemon Institute. Source: Corporate Board Member / Deloitte Consulting, March 2007.
23. The Wave on the right does not take Audit Vault into account. The Forrester Wave™: Enterprise Database Auditing and Real-Time Protection, Q4 2007
44. Encryption between client and DB server – Unencrypted response. Article 104, Telecommunications, of the LOPD
45. Encryption between client and DB server – Enabling encryption. We must add the following lines to sqlnet.ora:
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
It takes effect on new connections.
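As an added example that is not part of the original deck, the following query checks from the server side which user sessions actually negotiated native network encryption after the sqlnet.ora change; because the setting only applies to new connections, sessions opened before the change will still show no encryption banner. It assumes a user with SELECT on V$SESSION and V$SESSION_CONNECT_INFO, and the banner wording Oracle 11g emits on Linux ("... AES256 encryption service adapter for Linux"), which the LIKE patterns rely on.

```sql
-- Added example: list user sessions and whether the network link to each
-- one is encrypted and integrity-protected by Oracle native network encryption.
-- V$SESSION_CONNECT_INFO holds one row per negotiated network service banner,
-- e.g. "Oracle Advanced Security: AES256 encryption service adapter for Linux"
-- (banner wording is an assumption taken from 11g on Linux).
SELECT s.sid,
       s.serial#,
       s.username,
       s.machine,
       s.logon_time,
       -- algorithm banner of the negotiated encryption, NULL if the link is in clear
       MAX(CASE WHEN c.network_service_banner LIKE '%encryption service adapter%'
                THEN c.network_service_banner END)               AS encryption_banner,
       -- algorithm banner of the negotiated integrity check, NULL if none
       MAX(CASE WHEN c.network_service_banner LIKE '%crypto-checksumming service adapter%'
                THEN c.network_service_banner END)               AS integrity_banner,
       -- one-word verdict so the unencrypted sessions stand out in the listing
       CASE WHEN MAX(CASE WHEN c.network_service_banner LIKE '%encryption service adapter%'
                          THEN 1 ELSE 0 END) = 1
            THEN 'ENCRYPTED' ELSE 'NOT ENCRYPTED' END             AS link_status
  FROM v$session s
  JOIN v$session_connect_info c
    ON c.sid     = s.sid
   AND c.serial# = s.serial#
 WHERE s.type = 'USER'
   AND s.username IS NOT NULL
 GROUP BY s.sid, s.serial#, s.username, s.machine, s.logon_time
 ORDER BY link_status DESC, s.logon_time;
```

Any row reported as NOT ENCRYPTED after SQLNET.ENCRYPTION_SERVER=REQUIRED is in place is a session that predates the change (or a client bypassing the listener), and should be reconnected or investigated.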
47. Encrypting the DB on disk – Introduction. The DB is stored in *.dbf files. Ways to view them (if one has access): the UNIX strings command; DUL tools. Database server: Oracle 11g Enterprise Edition Release 2 on Oracle Enterprise Linux 5.3 32-bit. DUL tool: Recovery for Oracle 2.6 (Demo Version) on Microsoft Windows Vista 64-bit.
48. Encrypting the DB on disk – Consequences. Article 91, Access control, and Article 101, Management and distribution of media.
49. Encrypting the DB on disk – Wallet configuration. It is recommended that the wallet be located outside the Oracle Home: chmod 750 wallets
52. SELECT decrypt – Beware of indexes that are encrypted
65. Audit Vault configuration – From the administrator's point of view – Best practices: Do not share an account among multiple users; Password change policy; Database Vault: enabled by default; Use HTTPS and SSL
66. Audit Vault configuration – From the auditor's point of view: Create policies and rules (SQL statements; DB schema objects: tables, views; Privileges; Fine-grained auditing; Capture rules (REDO data)); Create and monitor alerts; View and customize reports; Respond to reports and alerts
72. References
ISACA, CISA Review Manual 2009, USA, 2009
ISACA, IS Standards, Guidelines and Procedures for Auditing and Control Professionals, USA, 2007, www.isaca.org/standards
http://www.oracle.com/products/
http://www.oracle.com/security/
http://www.oracle.com/customers/
Regulations and laws: LOPD, PCI DSS, SOX
http://www.oracle.com/documentation/
alter table account modify (ssn decrypt)

Also consider the use of indexes. In the above example, let's assume that there's an index on the column SSN, named in_accounts_ssn. If the query against the ACCOUNTS table has an equality predicate, as follows,

select * from accounts where ssn = '123456789';

the index in_accounts_ssn is used. If the query instead uses a LIKE predicate, as in

select * from accounts where ssn like '123%';

the index will be ignored, and a full table scan will be used. The reason is simple. The B-tree structure of the index makes sure that values with the same first few characters ("fraternal", "fraternity", and so on) are physically close together. When processing a LIKE predicate, Oracle Database 10g searches the index entries via a pattern match, and physical proximity helps speed up the index search, which is better than the full table scan.

However, if the column is encrypted, the actual values in the index are very different (since they're encrypted), and thus they'd be scattered all over the index. This makes index scans more expensive than full table scans. Hence, in this LIKE predicate query example, Oracle Database 10g chooses to ignore the index and does a full table scan.

In the case of equality predicates, the specific index entry is searched instead of a number of values following a pattern. So, an execution path using the index is faster than a full table scan, and the optimizer chooses to use the index. When you're deciding which columns to encrypt, consider how encryption affects indexes, and be aware that you might want to rewrite certain queries involving encrypted columns.
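The following script is an added example (not from the deck or the note above) that reproduces the index behaviour just described on an ACCOUNTS(ACCOUNT_ID, SSN) table, and adds the caveat the slide "Beware of indexes that are encrypted" points at: a TDE column that is going to be indexed must be encrypted with NO SALT, otherwise equal plaintexts encrypt to different ciphertexts and the index cannot be created. It assumes the TDE wallet is already configured and open and that the session has CREATE INDEX and SELECT on DBA_ENCRYPTED_COLUMNS.

```sql
-- Added example: TDE column encryption versus an index on the encrypted column.
-- Assumes the wallet is open and ACCOUNTS(ACCOUNT_ID, SSN) exists.

-- 1. Encrypt the column WITHOUT salt. Salted encryption (the default) makes
--    identical values encrypt differently, so Oracle refuses to index them.
ALTER TABLE accounts MODIFY (ssn ENCRYPT NO SALT);
CREATE INDEX in_accounts_ssn ON accounts (ssn);

-- 2. Confirm how the column is stored before relying on the index.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE table_name = 'ACCOUNTS';

-- 3. Equality predicate: the literal is encrypted and looked up as a single
--    ciphertext, so the optimizer can still use IN_ACCOUNTS_SSN.
EXPLAIN PLAN FOR
  SELECT * FROM accounts WHERE ssn = '123456789';
SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY);   -- expect an index access on IN_ACCOUNTS_SSN

-- 4. LIKE predicate: ciphertexts of values sharing a prefix are not adjacent
--    in the B-tree, so a range scan is impossible and a full scan is chosen.
EXPLAIN PLAN FOR
  SELECT * FROM accounts WHERE ssn LIKE '123%';
SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY);   -- expect TABLE ACCESS FULL on ACCOUNTS

-- 5. Revert, as in the note above (the index keeps working on plaintext).
ALTER TABLE accounts MODIFY (ssn DECRYPT);
```

Run steps 3 and 4 again after step 5 to see the LIKE query return to an index range scan once the column is stored in clear, which is the trade-off the deck asks you to weigh before choosing columns to encrypt.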
AV Server Install. AV Agent Install. Connection to AV Server: hostname:port:servicename
The audit records generated through the BY ACCESS audit option have more information, such as execution status (return code), date and time of execution, the privileges used, the objects accessed, the SQL text itself and its bind values. In addition, the BY ACCESS audit option captures the SCN for each execution and this can help flashback queries.

Oracle Database records separately each execution of a SQL statement, the use of a privilege, and access to the audited object. Given that the values for the return code, timestamp, SQL text recorded are accurate for each execution, this can help you find how many times the action was performed.

The BY ACCESS audit records have separate LOGON and LOGOFF entries, each with fine-grained timestamps.
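As an added example (not from the deck or the note), this script enables BY ACCESS auditing on a table and then reads back from DBA_AUDIT_TRAIL exactly the per-execution fields the note lists: return code, fine-grained timestamp, privilege used, SQL text with binds, SCN, and the separate LOGON/LOGOFF rows. It assumes Oracle 11g with AUDIT_TRAIL set to DB,EXTENDED (required for SQL_TEXT and SQL_BIND to be populated), a schema HR owning ACCOUNTS, and SYSDBA or AUDIT_ADMIN-level privileges; the SCN in step 4 is a placeholder.

```sql
-- Added example: BY ACCESS standard auditing and reading the per-execution detail.
-- Assumes Oracle 11g, schema HR, table HR.ACCOUNTS (all assumptions).

-- 0. Write the audit trail to the database including SQL text and bind values.
--    Takes effect after the instance is restarted.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 1. One audit record per execution instead of one per session,
--    plus separate LOGON and LOGOFF records for every session.
AUDIT SELECT, UPDATE, DELETE ON hr.accounts BY ACCESS;
AUDIT SESSION BY ACCESS;

-- 2. Per-execution records: who, when (fine-grained), which privilege,
--    outcome, the statement and its binds, and the SCN of the execution.
SELECT username,
       extended_timestamp,
       action_name,
       priv_used,
       returncode,        -- 0 = success, otherwise the ORA- error number
       scn,
       sql_text,
       sql_bind
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'ACCOUNTS'
 ORDER BY extended_timestamp;

-- 3. How many times each user performed each action, and how often it failed.
SELECT username,
       action_name,
       COUNT(*)                                          AS executions,
       SUM(CASE WHEN returncode <> 0 THEN 1 ELSE 0 END)  AS failures
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'ACCOUNTS'
 GROUP BY username, action_name
 ORDER BY failures DESC, executions DESC;

-- 4. See the table as it was when one audited statement ran, using its SCN.
SELECT * FROM hr.accounts AS OF SCN 1234567;   -- placeholder: take SCN from step 2

-- 5. Session activity: LOGON and LOGOFF entries with their own timestamps.
SELECT username, os_username, userhost, action_name, extended_timestamp, returncode
  FROM dba_audit_trail
 WHERE action_name IN ('LOGON', 'LOGOFF')
 ORDER BY extended_timestamp;
```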
Create user-defined reports to filter specific data. Send the report to other users as a PDF file. Schedule the report to be generated at specific times and then sent to users as a PDF file. You can create an e-mail distribution list, called a profile, to be used specifically for different types of reporting and alert activities.