Life was good. Our Oracle database was locked down. Scott and his infamous feline password were long ago dropped. The listener was harder than the Saturday New York Times crossword. Nessus had nothing on me!
Then along came the Oracle CPU. What, you say, our DB version is no longer supported by the "lifetime support" policy? So we upgrade and we patch and we scan again, fully expecting a clean bill of health.
But while we did manage to patch the vulnerabilities, our DB is no longer locked down. Scott has risen from the dead along with his infamous default password. The listener is now softer than the money running Washington.
The moral: Attempts to make your database a little more secure can make it a lot less secure.
Make sure you scan your Oracle DBs regularly, but particularly after any upgrades or patches. Invest in a tool. I like AppSentry from Integrigy because I work a lot with the Oracle E-Business Suite where this tool is unmatched. But it works great for plain old Oracle databases as well. See Integrigy's Web Site for details; Stephen Kost's Oracle Security Blog at the same site is always a worthy read.
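A quick post-patch check for the "Scott has risen from the dead" case, as an added example that is not from the original post or from AppSentry. It assumes Oracle 11g or later (where the `DBA_USERS_WITH_DEFPWD` view exists), a session allowed to read the DBA views, and a 7-day window chosen here to stand in for the patch date.

```sql
-- Added example: run as a DBA after every upgrade or CPU and compare
-- the output with the result from before the change.

-- 1. Accounts that still carry a well-known default password AND can log in.
--    ACCOUNT_STATUS values containing 'LOCKED' (LOCKED, EXPIRED & LOCKED,
--    LOCKED(TIMED)) are excluded; everything else is usable or becomes
--    usable after a password change prompt.
SELECT u.username,
       u.account_status,
       u.created,
       u.profile
FROM   dba_users u
       JOIN dba_users_with_defpwd d
         ON d.username = u.username
WHERE  u.account_status NOT LIKE '%LOCKED%'
ORDER  BY u.username;

-- 2. Accounts created inside the patch window. A previously dropped sample
--    schema that an upgrade script re-created shows up here with a fresh
--    CREATED date. The 7-day window is an assumption; set it to cover
--    your own change.
SELECT username,
       account_status,
       created
FROM   dba_users
WHERE  created > SYSDATE - 7
ORDER  BY created;
```

Both queries should return no rows you cannot explain; any default-password account in the first result should be locked or dropped again before the database goes back into service.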