Oracle Tips by Burleson
Chapter 4 General Oracle Security
no authorization to look into the database, but
are not necessarily hackers.
HIPAA rules specify that the database be
accessible only by authorized users. Anyone without
authorization to the database should find access very difficult,
whether they are benign, like a curious internal employee or a jumpy
teenage hacker trying to prove his coming of age to his girlfriend,
or malignant hackers trying to steal credit card and health
information with the intent to profit from it. Object
masquerading will help to prevent disclosure of protected
information to these types of intruders.
If possible, use a misleading name for tables
and columns containing sensitive data to fool intruders. This
follows the principle of "Security by Obscurity"!
We discussed the use of profiles in the
password section. However, in addition to the password enforcement
functions, profiles can be used to enforce the HIPAA security
requirements very effectively. The law says that you have to make
adequate arrangements to ensure that malicious persons do not abuse
connections to the database.
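The following is an added example, not taken from the book or its scripts, showing how a profile can limit connection abuse for one account. The profile name, the user name, the limit values and the choice of parameters are assumptions made for illustration.

```sql
-- Added example: hipaa_app_user, clinic_app and all limit values are hypothetical.

-- Kernel resource limits (sessions, idle time, connect time) are only
-- enforced when RESOURCE_LIMIT is TRUE. Password limits are enforced
-- regardless of this setting.
ALTER SYSTEM SET resource_limit = TRUE;

CREATE PROFILE hipaa_app_user LIMIT
  SESSIONS_PER_USER     2      -- concurrent sessions allowed per account
  IDLE_TIME             15     -- minutes of continuous inactivity allowed
  CONNECT_TIME          480    -- minutes of total elapsed time per session
  FAILED_LOGIN_ATTEMPTS 5      -- consecutive failed logins before the account locks
  PASSWORD_LOCK_TIME    1;     -- days the account stays locked afterwards

-- Attach the profile to the account it should constrain.
ALTER USER clinic_app PROFILE hipaa_app_user;

-- Review check 1: confirm the limits that are actually in force.
SELECT resource_name, resource_type, limit
FROM   dba_profiles
WHERE  profile = 'HIPAA_APP_USER'
ORDER  BY resource_type, resource_name;

-- Review check 2: accounts still on the DEFAULT profile, which inherit
-- whatever limits DEFAULT carries instead of the ones set above.
SELECT username, profile, account_status
FROM   dba_users
WHERE  profile = 'DEFAULT'
ORDER  BY username;
```

Any limit not named in CREATE PROFILE takes its value from the DEFAULT profile, so the first query is worth running after every change.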
The following parameters can be controlled by
– Hackers typically break
into the database using a username, not by stealing the SYS
password. Internal employees also break into the database using a
user id they already know. In the case of lax users, the password
may be stolen and used by the hackers.
The above text is
an excerpt from:
Oracle Privacy Security Auditing
Final Word on Oracle Security