Technical Director | Database and Cloud Security
Oracle, Consulting Services | Minneapolis, Minnesota US
Oracle ACE Director Alum
Dan Morgan’s Oracle Database Attack Surface Reduction Master Class has been designed for an audience of senior technologists, DBAs and Developers, as well as senior Information Security professionals not put off by technical details and demonstrations live in SQL*Plus.
In Scope for this workshop are unpublished exploits, undocumented parameters, and more than 745 configuration changes that can impact the ability of an Oracle Database to survive a sophisticated attack by persons and bots even if they have phished valid credentials. The focus will be on enhancing the value of what customer’s already own. The Workshop’s goal is to provide information security professions with the information they need to reduce the attack surface of what they already own.
Melbourne Master Class
Venue: Deloitte Office, Level 32, 477 Collins Street, Melbourne 3000
Perth Master Class
Venue: Perth Oracle Office, Level 9, 225 St Georges Terrace, Perth 6000
Venue: Deloitte Office, Level 9, 225 George Street, Sydney 2000
Limited places – first in, best dressed!
Overview: The Oracle Database Security Seminar is intended for a technical audience consisting of Oracle DBAs, SQL and PL/SQL Developers, and Information Security Professionals. The curriculum does not contain any promotional or sales related content for any product or any Cloud.
Persons working in the public sector in military, intelligence, law enforcement, in industries such as finance, banking, insurance, healthcare, investment, or whose work involves Oracle Databases and contents that require serious attention to security will find significant unpublished new material relating to Oracle versions from 7 through 21c.
Section 1: Introduction
Morgan will introduce himself and provide a brief background on the real-world nature of the threats to Oracle Databases and the data and source code they contain.
Section 2: Ransomware
Tired of hearing the same generic information about ransomware … use encryption, use MFA, blah, blah, blah. The section will address unpublished information specific to only the Oracle Database and protecting it from attack.
Section 3: User and the Principle of Least Privilege
If you are expecting general, non-specific, information you already know … this isn’t it. Morgan will show how an attacker, with a single SQL statement can bypass Identity Management systems and how to protect your databases from this attack as well as significant additional guidance, with a lot of SQL, for creating, managing, and securing users and privileges.
Section 4: Dangerous Parameters, Dangerous Objects, Dangerous Features
The Oracle Database is extraordinarily rich in features and options and with that power comes risks that must be mitigated through security configuration. If you don’t know how attackers abuse them, some undocumented, how can you lock them down? this section will get down in the weeds with specifics.
Section 5: Exfiltration and Infiltration
The reason why people break into databases are primarily to get source code, to get intellectual property, to get data, or to corrupt data. This section of the class will focus on the most common forms of getting bytes into and out of databases through backdoors.
Section 6: Net Services
Oracle’s Net Services, SQLNET.ORA, LISTENER.ORA, and TNSNAMES.ORA syntax elements are a massive untapped resource of rarely deployed capabilities. This section will cover the most important of these features and how to use them to protect against bad actors even if the attacker has phished valid credentials.
Section 7: Live Demos
This section will include live demonstrations, in SQL*Plus, of successful attacks along with guidance on how to prevent them … all without using anything you have not already purchased.