Database patch denial: How 'critical' are Oracle's CPUs?


Michael Cobb, Contributor
06.25.2008


Gathering data from many of last year's Oracle users group meetings, security firm Sentrigo Inc. found that two-thirds of the 305 database administrators, consultants and developers surveyed had never installed Oracle's Critical Patch Updates. Oracle describes these CPUs as "the primary means of releasing security fixes for Oracle products to customers with valid support contracts," and the updates are released quarterly.

Some respondents expressed doubt about the importance of Oracle patches. One reader from a SearchOracle.com blog post, for example, wrote about why Oracle database administrators shouldn't waste time applying patches. Here's an excerpt:

"All of our Oracle technology is inaccessible to the outside world so applying these patches is analogous to protecting the pre-set stations on a car radio in case it gets broken into…Plus, I worry the CPU patch will break some of the bug fixes we have installed and require yet another merge patch."

On the face of it, the survey results may seem alarming from a security perspective. After all, one of the security professional's mantras is: "make sure you have the latest patches installed." Obviously, some folks feel that their databases are safe as long as their organization has good network defenses preventing unauthorized external access. But is this a reasonable position?

The case for not patching
Speaking as the administrator for a number of SQL databases, I don't install all patches on all my databases, and I have two main reasons for that. For one, I'm not using the features that my un-deployed patches are designed to protect; skipping the patch saves downtime and testing. Also, I share the above-cited blogger's fears that installing a patch will break something, including a previously installed bug fix.

However, there are some serious caveats with dismissing any Oracle CPUs. Those working in a development environment may perceive little benefit to installing patches. Yet downtime is not an issue as it is with a production database. Furthermore, there is the question of synchronization between development and production environments; software developed on an unpatched system may not run on a fully patched production system.

For some databases, the analogy to protecting car radio stations may hold true; there are some databases that are never accessible to unauthorized users. However, be quite sure that is the case before blithely rejecting all patches. What about patches that fix holes exploitable by insiders? Are all the people who can get to the database via internal systems trusted? Perhaps in a small company, but otherwise it's important to have some access controls installed. Naturally, apply any relevant patches to those controls to make sure they keep out untrusted insiders.

Questioning the data and the decision
Some have questioned whether the Sentrigo survey is a representative sample of Oracle administrators. However, even if the number of respondents installing zero updates was 33% and not 66%, it would be cause for concern; the results suggest an outright rejection of the updates. It is hard to imagine that many databases don't need any of the patches included in those updates.

And one has to wonder who is signing off on the decision to skip them. Is this decision in writing? Does it include a list of the patches and an explanation of why specific patches are not needed, to create an audit trail and assign accountability?

Depending on the type of organization, the need for such documentation may be imputed from compliance requirements such as ISO/IEC 27002, Sarbanes-Oxley and HMG InfoSec Standard No. 2. The manager in charge of the administrator who handles Oracle patch deployments would be wise to consider documenting when patches go undeployed in case the rationale needs to be justified later.

The price of bad patching practices
Many CIOs and CISOs assume their companies' database administrators are doing their part to assure the security of their databases; in many organizations, that may be the case. But in some cases, administrators may ignore patches because they falsely believe their databases are inaccessible to the outside world. Such statements are what outside penetration firms are routinely tasked to test.

While it's entirely possible that the database administrator of a small firm may be in a position to make such a statement categorically, the penalties for error on this point are considerable. Consider a case involving the Federal Trade Commission and Guess?, Inc. It makes for cautionary reading.

The company's website was found to be vulnerable to SQL injection attacks for which patches and other fixes were known to be available. Guess? therefore had to submit to a settlement imposed by the FTC. The settlement did not ruin the company, but you can bet things were uncomfortable in the IT department for quite some time, because an expensive problem could have been easily avoided.

If you're the kind of Oracle administrator who has the power to approve or deny, and thus knows about every connection to every database; and if you keep up with the work of Oracle experts like David Litchfield, author of The Oracle Hacker's Handbook, and thus learn about new developments like lateral SQL injection as soon as the bad guys do, then you might be comfortable declaring your databases safe and Oracle updates unnecessary.

If you are not in that position, then you might want to consider instituting procedures to evaluate Oracle updates and install all that apply to your architecture. If you're not deploying all of the patches, document when and why they are not installed.
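The procedure described above, and the "document when and why" rule from the section on questioning the decision, can be turned into a repeatable check. The following is an added example, not code from the article or from Oracle: it reconciles the fixes in a quarterly CPU against what a site has applied, requires a written, approved skip decision for every fix not installed, and tests each recorded rationale against the site's own profile (the "feature not deployed" and "not reachable from the network" arguments the article discusses). Fix identifiers, component names, approver names, dates and the register entries are all constructed placeholders; the reason codes are an assumed local convention, not anything Oracle publishes.

```python
"""
Reconcile a quarterly Critical Patch Update against a site's deployed fixes
and its register of skip decisions.  All identifiers and sample records are
constructed for illustration; real CPU advisories carry their own.
"""
from dataclasses import dataclass
from datetime import date

# Assumed local convention for the rationale a skip decision may record.
VALID_REASONS = {"feature_not_deployed", "not_network_reachable",
                 "conflicts_with_installed_fix"}


@dataclass(frozen=True)
class CpuFix:
    fix_id: str           # constructed placeholder, not a real Oracle patch number
    component: str        # database feature the fix protects
    remote_no_auth: bool  # reachable over the network without credentials


@dataclass(frozen=True)
class SkipDecision:
    fix_id: str
    reason: str
    approver: str
    decided: date
    review_by: date       # a skip is a time-boxed decision, not a permanent one


@dataclass(frozen=True)
class SiteProfile:
    components_in_use: frozenset  # features actually deployed on this database
    applied_fixes: frozenset      # fix_ids confirmed installed
    network_reachable: bool       # can untrusted networks reach the listener?


def review_cpu(fixes, site, decisions, today):
    """Classify every fix in the CPU that the site has not applied.

    undocumented: no approved decision (or an unknown reason code) on file
    contradicted: the recorded reason is disproved by the site profile
    expired:      the decision's review date has passed
    accepted:     a defensible, current, documented skip
    """
    by_id = {d.fix_id: d for d in decisions}
    findings = {"undocumented": [], "contradicted": [], "expired": [], "accepted": []}
    for fix in fixes:
        if fix.fix_id in site.applied_fixes:
            continue  # installed; nothing to justify
        d = by_id.get(fix.fix_id)
        if d is None or d.reason not in VALID_REASONS:
            findings["undocumented"].append(fix.fix_id)
            continue
        # "We don't use that feature" only holds if the component is absent;
        # "the outside world can't reach it" only holds if the listener is not
        # reachable, and matters most for fixes exploitable without credentials.
        contradicted = (
            (d.reason == "feature_not_deployed" and fix.component in site.components_in_use)
            or (d.reason == "not_network_reachable" and site.network_reachable and fix.remote_no_auth)
        )
        if contradicted:
            findings["contradicted"].append(fix.fix_id)
        elif d.review_by < today:
            findings["expired"].append(fix.fix_id)
        else:
            findings["accepted"].append(fix.fix_id)
    return findings


# Constructed sample CPU, site profile and decision register.
SAMPLE_FIXES = [
    CpuFix("FIX-001", "Listener", True),
    CpuFix("FIX-002", "XML DB", True),
    CpuFix("FIX-003", "Spatial", False),
    CpuFix("FIX-004", "Core RDBMS", False),
]
SAMPLE_SITE = SiteProfile(
    components_in_use=frozenset({"Listener", "Core RDBMS", "XML DB"}),
    applied_fixes=frozenset({"FIX-004"}),
    network_reachable=True,
)
SAMPLE_DECISIONS = [
    SkipDecision("FIX-001", "not_network_reachable", "dba-manager", date(2008, 4, 16), date(2008, 7, 15)),
    SkipDecision("FIX-002", "conflicts_with_installed_fix", "dba-manager", date(2008, 4, 16), date(2008, 5, 1)),
    SkipDecision("FIX-003", "feature_not_deployed", "dba-manager", date(2008, 4, 16), date(2008, 7, 15)),
]


def sample_review(today=date(2008, 6, 25)):
    return review_cpu(SAMPLE_FIXES, SAMPLE_SITE, SAMPLE_DECISIONS, today)


if __name__ == "__main__":
    for category, ids in sample_review().items():
        print(f"{category}: {', '.join(ids) or '-'}")
```

In the constructed sample, FIX-001 is flagged as contradicted because the register claims the database is unreachable from the network while the site profile says the listener is reachable; FIX-002 is flagged as expired because its review date has passed; FIX-003 is an accepted skip because the Spatial component really is not deployed. Running this against each CPU, and keeping the output with the register, produces exactly the audit trail and accountability the article asks for.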

Anyone in charge of patching anything as complex as Oracle databases certainly has our sympathy. Sympathy, however, is likely to be in short supply if your company suffers a security breach through a hole that could have been patched with a published update.

About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.


All Rights Reserved, Copyright 2008 - 2009, TechTarget