Our colleagues over at SearchOracle.com’s Eye on Oracle blog have been writing about some common or not-so-common security bloopers experienced by Oracle database administrators. Site Editor Tim DiChiara asked for feedback from readers who experienced security lapses and he got it. In two separate blog entries, DiChiara lays out seven interesting and sometimes funny bloopers that resulted in often not-so-funny security lapses at some organizations.
In one set of security bloopers emailed to DiChiara, a DBA highlights the growing insider threat faced by nearly all organizations:
An Oracle database administrator for a major university was caught “enhancing” college transcripts to allow people to gain acceptance to top professional schools. The DBA had complete control over the Oracle database and the auditing mechanism and was charging friends and acquaintances thousands of dollars to add courses and improve existing grades. Because the DBA controlled the audit mechanism, she was able to completely erase all traces of the fraudulent changes.
This fraud went undetected for more than five years until a professor discovered the fraud. The professor was asked questions about a former student as part of a pre-employment background check and discovered that the student had never taken his class even though the official university transcript indicated an “A” for the course.
In another instance, a software consultant watched a DBA type in the default passwords for the SYS and SYSTEM accounts ('change_on_install' and 'manager') on every Oracle database the DBA had installed.
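The two bloopers above point at the same pair of checks a practitioner would run on any Oracle instance: are any accounts still on a shipped default password, and does the audit trail live somewhere the DBA cannot quietly clean up. The following SQL is an added example for this page, not code from the Eye on Oracle blog or from its readers. It assumes Oracle 11g or later (the DBA_USERS_WITH_DEFPWD view appeared in 11g), a SYSDBA session, that $ORACLE_HOME/rdbms/admin/utlpwdmg.sql has been run to create the password verify function, and hypothetical names for the audit directory, the syslog facility and the transcript table.

```sql
-- Added example; assumptions: Oracle 11g+, SYSDBA session, utlpwdmg.sql already run.

-- 1. Find accounts still using a known default password. This catches the
--    SYS/SYSTEM 'change_on_install'/'manager' case and every other shipped default.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Remediate: unique passwords for the privileged accounts, lock what is unused.
ALTER USER system IDENTIFIED BY "<strong-unique-password>";   -- placeholder value
ALTER USER sys    IDENTIFIED BY "<strong-unique-password>";   -- placeholder value
ALTER USER scott  PASSWORD EXPIRE ACCOUNT LOCK;               -- demo schema, if present

-- 3. A profile so weak or default passwords cannot quietly come back.
--    verify_function_11G is created by utlpwdmg.sql on 11g; 12c ships
--    ora12c_verify_function instead.
CREATE PROFILE dba_profile LIMIT
  PASSWORD_LIFE_TIME       90
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_VERIFY_FUNCTION verify_function_11G;
ALTER USER system PROFILE dba_profile;

-- 4. Take the audit trail out of the DBA's reach.
--    Weak (the university case): audit_trail = DB keeps records in SYS.AUD$,
--    which a DBA with full control can DELETE from, and audit_sys_operations
--    = FALSE means SYSDBA actions are never recorded at all.
--    Fixed: write to OS files in a directory the oracle OS user can append to
--    but not rewrite, and forward SYS operations to syslog so the copy of
--    record is owned by the OS or logging team, not the DBA.
ALTER SYSTEM SET audit_trail          = 'OS'                 SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE                 SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest      = '/var/audit/oracle'  SCOPE = SPFILE;  -- hypothetical path
ALTER SYSTEM SET audit_syslog_level   = 'LOCAL1.WARNING'     SCOPE = SPFILE;  -- hypothetical facility
-- These are static parameters: restart the instance for them to take effect.

-- 5. Audit the data that matters. Schema and table names are placeholders.
AUDIT INSERT, UPDATE, DELETE ON registrar.transcripts BY ACCESS;

-- 6. Verify after the restart.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations',
                'audit_file_dest', 'audit_syslog_level');
```

The design point is separation of duties: once the records leave SYS.AUD$ for an OS directory or a remote syslog host that the DBA has no write access to, a transcript edit still leaves a trace the DBA cannot erase, which is exactly the gap the five-year fraud above relied on. Step 1 is only a check; on a database older than 11g the view does not exist and the passwords have to be compared against a known-default list instead.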
Some of the security lapses highlighted are among the most common. Despite all the news stories, tips and professional advice that can be found online, ultimately it's human error or lapses in judgment that lead to a data security breach. What's the answer? Is it a failure in the hiring process that puts sub-par IT pros in charge of an organization's systems, or are minor mistakes turning into major security holes?