The best way to gain security awareness, is to learn to hack

One of our managers at my former employer was not amused. You might say he was appalled. I had written a post (in Dutch) on our company blog about how to use the Java exploit in the Oracle database that David Litchfield had recently shown in 2010. This manager was very sure our customers would not understand my point of view, spreading this danger to everyone who wanted to know. My point was: if DBAs know what dangers are lurking around their (unpatched) Oracle databases, they might understand why patching and least privilege policies are necessary.

At that time I was thinking "then you might not want to know about my next project". I was working on a hacking course for DBAs. The year before, some of our managers had asked me to do a session about Oracle security. Four students turned up. But as I started telling them about security measures, I quickly found out they didn't know why all these measures were actually necessary. I was thinking a security awareness session would be more useful. But how do you sell a security awareness training to paying customers? Would you go to such a session, knowing it would come out of your training budget?

I came up with a course called "Hack Your Own Database". It was a one-day workshop in which students got an overview of hacking methods that might be useful for attacking a badly protected Oracle database: SQL injection, port scanning, abuse of excessive privileges and access to the OS, and of course that Java exploit. Luckily most managers thought it would be okay to teach this. Invitations were sent to our customers.

Business-wise it was a great success. I gave the session four times, with 40 students in total. What I liked about it was that it had the effect I had hoped for. Already during lunch I often heard colleagues from the same company, who had taken the training together, talking about what they would check first the next day. Best of all, I rarely had to explain anymore why you had to take these (often time-consuming) security measures. Students were now very aware of the dangers of database hacking.

Database security in general had always been a worry of mine, because I knew what was possible if a database wasn't properly protected. Now 40 students knew too, and hopefully they have spread the word. I'm almost sure most of them did. That was why this course was so appealing: it wasn't just that hacking is fun. It is. But a lot of DBAs have no real, honest idea why they should add these security tasks to their already busy schedule. The course answered a big unanswered question that nobody dared or bothered to ask.

And the manager my story began with? He later moved to another company, but I heard afterwards that he had said he was wrong about the hacking issue and he congratulated us on the success.


About Marcel-Jan Krijgsman

Ever since I started working with Oracle, I have had an interest in Oracle database performance tuning. This eventually led to a four-day training I created and gave for customers of Transfer Solutions. Since 2012 I have worked for Rabobank Nederland. A few years ago I also became interested in Oracle database security. All technology aside, it is my experience that security usually plays out on a political level. I'm an Oracle Certified Professional for the 8i, 9i, 10g and 11g databases and an Oracle Database 11g Performance Tuning Certified Expert.
