Oracle Housekeeping
I’ve seen my fair share of Oracle databases in control systems and have been thinking more about it since working on some Bandolier Security Audit Files for a SCADA system with an Oracle component. With that in mind, here are a few bits of Oracle-related news and tips.
- Oracle announced today that this quarter’s cycle includes patches that address “59 new security vulnerability fixes across hundreds of Oracle products”. If you have an Oracle component in your SCADA or DCS, when is the last time it was patched? This is one of the most often overlooked platforms for security patching, partially because of the perceived pain of doing so. It’s rare to find a dedicated DBA in an operations group, so finding expertise often means reaching across organizational boundaries to work with IT. (not to bring up that worn-out topic)
- Tenable announced late last week a new feature in Nessus that allows patch auditing for Oracle. This is part of the same Nessus credentialed scanning functionality used by Bandolier. Like the database compliance checks, the new patch auditing plugin relies on database credentials rather than OS credentials — it looks in database tables to determine whether patches are missing. This is one more benefit to using credentialed scanning in your control systems.
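The "look in database tables" approach the plugin takes can be reproduced by hand. The following is an added example, not code from the original post or from Tenable; it assumes Oracle 10gR2 or later, where the data dictionary keeps DBA_REGISTRY_HISTORY, and a session with SELECT privilege on the DBA_* views. Each Critical Patch Update or Patch Set Update that was applied through the database (catbundle/opatch) leaves a row here, so an empty or stale result is the signal that the component has not been patched.

```sql
-- Added example (not from the original post). Assumes Oracle 10gR2+ and
-- SELECT access to the DBA_* views (a DBA or SELECT_CATALOG_ROLE session).

-- Base release of the database: the starting point for deciding which
-- quarterly patch applies.
SELECT banner FROM v$version;

-- Patch history recorded in the data dictionary, newest first.
-- ACTION is typically APPLY or ROLLBACK; ID is the patch/bundle number;
-- COMMENTS usually names the CPU/PSU (e.g. "CPUJul2010") when one was applied.
SELECT action_time,
       action,
       version,
       id,
       comments
  FROM dba_registry_history
 ORDER BY action_time DESC;

-- Quick check a scanner would effectively make: when was the most recent
-- APPLY, and how many days ago was that? A NULL here means no patch has
-- ever been registered against this database.
SELECT MAX(action_time)                         AS last_patch_applied,
       TRUNC(SYSDATE - MAX(action_time))        AS days_since_last_patch
  FROM dba_registry_history
 WHERE action = 'APPLY';
```

Two caveats worth knowing before trusting the result: the view only records patches that were applied to this database's dictionary, so a CPU installed on the Oracle home with opatch but never run through catbundle against the instance will not appear; and the database may be a different version from what the SCADA vendor's documentation assumes, which is why the v$version check comes first.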
- Speaking of credentials… if you 1.) have an Oracle database and 2.) haven’t deliberately addressed the issue, you probably have default user accounts and passwords. This has obvious security implications and can also be a problem for NERC CIP compliance. Fortunately, there’s a list available that contains the default user names and passwords. Unfortunately, there are over 500 of them. You can always do a quick “select * from all_users;” and start your checking there, but an automated tool makes it much easier. There are a number of Oracle default account/password checking tools available, but — you guessed it — our standby Nessus scanner has this capability as well. Just be sure to check “Test default accounts” in your scan policy under Preferences – Oracle Settings.
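For anyone who wants to go one step past the all_users query without a scanner, the queries below are an added example, not from the original post. They assume Oracle 11g or later, where the dictionary ships the DBA_USERS_WITH_DEFPWD view (Oracle's own list of accounts whose current password hash matches a known vendor default), and a session with SELECT privilege on the DBA_* views. The account and password names in the ALTER USER statements are placeholders.

```sql
-- Added example (not from the original post). Assumes Oracle 11g+ and
-- SELECT access to the DBA_* views (a DBA or SELECT_CATALOG_ROLE session).

-- Step 1: the quick inventory mentioned in the post: every account that exists.
SELECT username, created
  FROM all_users
 ORDER BY username;

-- Step 2: accounts whose password is still a vendor default, joined to their
-- status so OPEN accounts (usable right now) sort ahead of ones that are
-- already locked or expired.
SELECT u.username,
       u.account_status,
       u.profile,
       u.created
  FROM dba_users u
  JOIN dba_users_with_defpwd d ON d.username = u.username
 ORDER BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          u.username;

-- Step 3: remediation. For an account the application actually needs,
-- set a new password; for one it does not, lock it and expire the password.
-- <USERNAME> and <NEW_PASSWORD> are placeholders to fill in per system.
ALTER USER <USERNAME> IDENTIFIED BY <NEW_PASSWORD>;
ALTER USER <USERNAME> ACCOUNT LOCK PASSWORD EXPIRE;

-- Step 4: re-run the Step 2 query. An account drops off the list as soon as
-- its hash no longer matches a default, so an empty result is the goal.
```

Note that DBA_USERS_WITH_DEFPWD only knows about the defaults Oracle itself ships; application-specific accounts created by a SCADA or DCS vendor's installer with their own documented password will not be flagged and still need to be checked against the vendor's documentation or a tool such as the Nessus default-account test the post describes.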
Author: Jason Holcomb
Posted: July 13th, 2010 under Bandolier, Patching.
Comments: 1
Comments
Pingback from Digital Bond » Learning from the Stuxnet/WinCC Malware
Time: August 8, 2010, 11:35 pm
[...] restrictions and then monitor where possible. Don’t forget about supporting applications like database servers. If you’re buying a new system, make sure you address default accounts and passwords in the [...]