
Berlin Expert Seminar: Oracle Security with Pete Finnigan

26 September 2012 - 27 September 2012 in Berlin



Oracle Database Security Audit Training Course


(Pete Finnigan is the speaker at this expert seminar on Oracle Security. The event is held exclusively in English and can only be booked as a 2-day package.)

The course is delivered by Pete Finnigan, a principal consultant with years of real-world experience in auditing and securing customers' Oracle databases. Pete is also well known for writing and presenting extensively in the area of Oracle security. The course includes the slides and delegate notes and is delivered on customers' sites.

You do not need to bring your own notebook for this seminar!


Seminar content:


This course teaches the delegates how to confidently perform a security audit on an Oracle database. The course gets the delegates up to speed on the reasons Oracle databases are invariably insecure. Everyone is brought up to the same level in terms of where to look, what to look for and why. The course shows how a security audit is planned and how to prepare yourself, your staff and your environments for it.

The course is aimed at the fundamentals of how and why to review a database and does not focus on simply running tools. Before using pre-built or commercial tools, it is important to understand why something is an issue, how to check that it is an issue and, importantly, what the implications are for your own databases and applications.

The course includes a complete simulated audit that runs step by step through all of the components of an Oracle database audit, using slides and, importantly, a sample Oracle database and a fully functioning content management application as the basis for the audit. Each area of the Oracle security audit is demonstrated and explained in detail.

The course has been designed by Pete Finnigan and is up to date using all supported versions of Oracle from 9iR2 through Oracle 11g. The course is run on your own site and is over two days and includes the following topics:

  • Background to key database files, structures, configurations and files relative to security
  • Oracle security tools, checklists and more
  • Why audit an Oracle database
  • Exploiting Oracle, SQL Injection, configuration, escalation of privilege and more
  • Planning an audit
  • Setting up for an audit, gathering tools, prepping laptop, people, access
  • Starting the audit
  • Software installed, versions and attack surface
  • Enumerating users, password strength and more
  • Assessing users, privileges and RBAC
  • Auditing the Oracle database association with the file system
  • Audit Oracle networking
  • Audit the database configuration
  • Specialist considerations, Credit cards, personally identifiable data and more
  • Review the audit trail
  • Data analysis, vulnerability assessment
  • Document findings, develop a policy and decide what to fix
  • A look at some of the automated tools


First Day:

  • 9:00 – 10:30: Lesson 1
  • 10:30 – 10:45: Coffee break
  • 10:45 – 12:15: Lesson 2
  • 12:15 – 13:15: Lunch
  • 13:15 – 14:45: Lesson 3
  • 14:45 – 15:00: Coffee break
  • 15:00 – 16:30: Lesson 4

Second Day:

  • 9:00 – 10:30: Lesson 5
  • 10:30 – 10:45: Coffee break
  • 10:45 – 12:15: Lesson 6
  • 12:15 – 13:15: Lunch
  • 13:15 – 14:45: Lesson 7
  • 14:45 – 15:00: Coffee break
  • 15:00 – 16:30: Lesson 8

A detailed agenda for how to perform an Oracle security audit is available here

Lesson 1 – Start From The Beginning

  • Introduction to Oracle Security
    • Overview of the current key issues
    • Course structure
  • First principles
  • Test environment
  • Oracle structure with a security slant
    • Database logical structure
    • Database physical structure
    • Key components
    • Basic tools
    • SQL and PL/SQL

Lesson 2 – Information And Exploits

  • Background to Oracle Security
    • Information
    • Tools
    • Checklists
  • Why perform a security audit on an Oracle database
    • Internal threats
    • Power users
    • DBAs
    • Bugs
  • Exploits and attack vectors
    • Configuration
    • SQL Injection
    • Data theft

Lesson 3 – Planning And Starting The Audit

  • Planning an audit
    • Environment
    • Tools
    • Planning
    • Expected results
  • Preparing for an audit
    • Gathering tools
    • Preparing
    • Keep it neutral
  • Starting the audit
    • Organizing connections
    • Understand the architecture

Lesson 4 – Interview, Base Data And Users

  • Interview key staff
    • Backups
    • Resilience
    • Access methods
  • Base data
    • Versions
    • Patches
    • Software installed
  • Audit users
    • Enumeration
    • Password strength
    • Profiles

Lesson 5 – Operating System And Network

  • Review and audit the operating system
    • Looking for passwords
    • Data Leakage
    • Configuration
    • Permissions
  • Review the Oracle networking
    • Passwords
    • Listener configuration
    • Permissions
    • Logging

Lesson 6 – Database Configuration

  • Review the database configuration
    • Roles
    • Profiles
    • Resources
    • Permissions on objects
    • Code
    • Privileges
    • Parameters

Lesson 7 – Specialist Considerations

  • Step 1 – Review critical data
    • Reviewing critical data
    • Authentication
    • Personally Identifiable Information
    • Credit Cards
    • Problems with special data
  • Step 2 – Review audit trails
    • Oracle audit facilities
    • Audit the audit trails
    • Audit configuration
    • Audit data storage
    • Logins – failed and successful
    • Listener logs

Lesson 8 – Writing Up The Audit

  • Analyse the data found
  • Risk assessment
  • Identify vulnerabilities
  • Document the audit
  • Correction strategy
  • Longer term and policies
  • Automate the process
    • Tools
    • Monitoring
  • Conclusions





Two-day ticket incl. evening event

  • 950,00 Members
  • 1.200,00 Non-members











The contracting party is DOAG Dienstleistungen GmbH.


Cornel Albert, DOAG Dienstleistungen GmbH