Let's talk about direct attacks on the database and the single best way to deter them. Such attacks usually need either a direct user connection to the database server (you would never allow such a thing, would you?) or the ability to reach the database server through one of the many ports Oracle enables for different components. On an Oracle 10g Release 2 database there can be upwards of 20 such ports, depending on what components are installed, and this does not take into account the ports used by the operating system on the database server itself. Each of these ports represents a potential attack vector, and the single best way to defend against such an attack is to put the database server behind a firewall, and yes, I mean even from trusted users on your intranet.
Of course you can and should change the default port settings, but some are not configurable, and anyway this is just a minor bit of sleight of hand that will not stop someone determined enough to run a port scan (unless, of course, you had that firewall).
Sure, you should harden the database listener and configure the invited nodes list to allow connections only from trusted servers (hopefully only application servers and not end-user workstations). Great, and what about those other 19 ports? Most of these are ports only an administrator needs, but without a firewall they are there for the hacking. In addition to the listener, there are three for Enterprise Manager, three for iSQL*Plus (please don't tell me you installed this component on a production database), three more for Ultra Search, two for XML DB and five or six more for RAC depending on the operating system, plus a smattering of others.
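To see how many of "those other ports" a given database host actually exposes, the following added example (not part of the original post) parses the output of `ss -ltnH` and reports every port bound to a non-loopback address that is not on an allowlist. The sample output, its port numbers and the allowlist are constructed for illustration; 1521 is assumed as the listener port because it is Oracle's default.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output from a database host (not real data).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:1521 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1158 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5520 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 10.0.5.20:5560 0.0.0.0:*
LISTEN 0 128 *:22 *:*
"""

# Assumption: only the listener should be reachable, and only through the firewall.
ALLOWED_PORTS = {1521}

def parse_listeners(ss_output):
    """Return sorted (address, port) pairs for every LISTEN socket."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:8080" too
        addr = addr.strip("[]").split("%")[0]       # drop brackets and %iface
        if port.isdigit():
            found.add((addr, int(port)))
    return sorted(found, key=lambda pair: (pair[1], pair[0]))

def is_loopback(addr):
    """True only for loopback binds; wildcards and unparseable values count as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def exposed_ports(ss_output, allowed=ALLOWED_PORTS):
    """Ports bound beyond loopback that are not on the allowlist."""
    return sorted({port for addr, port in parse_listeners(ss_output)
                   if not is_loopback(addr) and port not in allowed})

if __name__ == "__main__":
    for port in exposed_ports(SAMPLE_SS):
        print(f"port {port}: reachable off-host, block at the firewall or disable")
```

Each port it reports should either be blocked at the firewall or have its component disabled; on a real host, feed it the live output of `ss -ltnH` instead of the sample.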
Is this iron-clad protection? No! Firewalls can be hacked like anything else, and SQL injection attacks from the application tier can cause severe damage without directly attacking the database itself from a client. Still, a firewall is the first and best way to prevent direct attacks on your database.
The next best way is to not allow end users to connect directly to the database server at all, but that will remain a topic for the future.