Oracle Information InDepth




June 2014


Five Hard Lessons Learned from the Verizon Report on APT1 Attack

In its latest annual Data Breach Investigations Report, Verizon supports recent findings that a unit of the Chinese military known as APT1 stole sensitive data from 141 corporations over the last seven years.

An advanced persistent threat (APT) is a kind of ongoing cyber attack by a group of well-coordinated, well-funded cybercriminals who penetrate an organization slowly and methodically in order to obtain high-value data.

After examining details of the APT1 attack, Oracle Database security expert Troy Kitch, principal director of security software product marketing, came up with the following five key lessons learned.

Lesson 1: Passwords are not enough.
Analysis of attacks such as those by APT1 reveals again and again that password weaknesses are a major target of cybercriminals. There are multiple ways to reduce this attack surface, including:

  • Self-service reset every 90 days
  • Multifactor authentication
  • Knowledge-based authentication
  • Behavioral analytics
  • Step-up authentication

Solution: The adaptive access management capabilities of Oracle Access Management Suite Plus help organizations prevent fraud and misuse by strengthening existing authentication flows, evaluating the risk of events as they happen, and providing risk-based interdiction mechanisms such as multifactor out-of-band authentication.

Lesson 2: Excessive privileges are common.
Too often, database administrators (DBAs) enable "all privileges" when setting up a database, with the assumption that they can never be sure when they might need them. The problem is, DBAs get busy and these holes are never closed. If the DBA leaves the company or moves to another group, that list of individuals with excess privileges grows longer and more difficult to manage.

Solution: With Oracle Database Vault, you can proactively identify privileged users' or applications' unused privileges and roles and then protect data from inappropriate access.

Lesson 3: The evidence of attacks is in front of us.
Abuse of privileged access is not invisible. It can be clearly detected in the form of failed logins, new account creation, privilege grants, and sensitive data reads and writes. However, many organizations aren't tracking privileged user activities. For example, according to a recent Independent Oracle Users Group survey, only 39 percent of organizations monitor sensitive writes and only 33 percent monitor sensitive reads.

Solution: With Oracle Audit Vault and Database Firewall, you can get reports on consolidated audit data and logs generated by databases, operating systems, directories, file systems, and custom sources—all in a secure, centralized repository.
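As an added illustration of the evidence Lesson 3 lists (failed logins, new account creation, privilege grants, and sensitive reads and writes), the following sketch flags those event types in a handful of audit records. It is not Oracle product code or part of the original newsletter; the record layout, user and object names, the sensitive-object list, and the failed-login threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed sample audit records: (timestamp, user, action, succeeded, object).
# The layout and all names are assumptions, not a real audit-trail schema.
SAMPLE_EVENTS = [
    ("2014-06-02T01:10:03", "APPUSER", "LOGON", False, None),
    ("2014-06-02T01:10:09", "APPUSER", "LOGON", False, None),
    ("2014-06-02T01:10:15", "APPUSER", "LOGON", False, None),
    ("2014-06-02T01:10:21", "APPUSER", "LOGON", True, None),
    ("2014-06-02T01:12:40", "SYSTEM", "CREATE USER", True, "TMP_SVC"),
    ("2014-06-02T01:12:58", "SYSTEM", "GRANT", True, "TMP_SVC"),
    ("2014-06-02T01:14:02", "TMP_SVC", "SELECT", True, "HR.SALARIES"),
    ("2014-06-02T01:14:30", "TMP_SVC", "SELECT", True, "HR.HOLIDAYS"),
    ("2014-06-02T01:15:11", "TMP_SVC", "UPDATE", True, "FIN.CARDS"),
]

SENSITIVE_OBJECTS = {"HR.SALARIES", "FIN.CARDS"}  # assumed data classification
DATA_ACTIONS = {"SELECT": "sensitive_read", "INSERT": "sensitive_write",
                "UPDATE": "sensitive_write", "DELETE": "sensitive_write"}
FAILED_LOGIN_THRESHOLD = 3  # assumed; tune to the environment


def find_privileged_activity(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (timestamp, category, user, object) for each event type Lesson 3 names."""
    findings = []
    failed = Counter()  # consecutive failed logins per user
    for ts, user, action, ok, obj in events:
        if action == "LOGON":
            if ok:
                failed[user] = 0  # a success ends the current run of failures
            else:
                failed[user] += 1
                if failed[user] == threshold:  # report once per run
                    findings.append((ts, "failed_logins", user, None))
        # For the statements below the outcome is ignored: attempts are evidence too.
        elif action == "CREATE USER":
            findings.append((ts, "account_created", user, obj))
        elif action == "GRANT":
            findings.append((ts, "privilege_grant", user, obj))
        elif obj in SENSITIVE_OBJECTS and action in DATA_ACTIONS:
            findings.append((ts, DATA_ACTIONS[action], user, obj))
    return findings


if __name__ == "__main__":
    for finding in find_privileged_activity(SAMPLE_EVENTS):
        print(*finding)
```

Read in order, the five findings on the sample data form a single timeline: repeated failed logins, a new account, a grant to it, then reads and writes against sensitive tables by that account.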

Lesson 4: Break-ins are too easy.
Most security breaches take less than five minutes. SQL injection attacks take advantage of poorly written application code that enables attackers to communicate through the application tier, directly to the database. And if sensitive data in production databases is not transparently encrypted, both at rest and in motion, it is all too easy for attackers to access it. The same goes for data in nonproduction environments, which often goes unmasked.

Solution: Oracle Audit Vault and Database Firewall accurately detects and blocks unauthorized database activity by monitoring traffic to Oracle and non-Oracle databases. Oracle Advanced Security provides transparent data encryption and redaction within Oracle Database. And Oracle Data Masking Pack enables masking of production data for development, testing, and outsourcing.

Lesson 5: Misconfigurations help attackers.
Configuration drift is a great way to give attackers the foothold they need to access critical systems. Unfortunately, many DBAs do not track the location of every database in their environments, nor do they track the exact location of sensitive data within those databases.

Solution: With Oracle Database Lifecycle Management Pack, you can simplify the standardization and patching of all Oracle Databases to keep configurations aligned and ensure prompt implementation of the latest security updates.

Read the Verizon 2014 Data Breach Investigations Report.

Get the free technical primer e-book: Securing Oracle Database 12c from McGraw-Hill.


Copyright © 2014, Oracle and/or its affiliates. All rights reserved.