Database Security: What Gets Overlooked?
- 1. Database Security: What Gets Overlooked?
Cal Slemp, Managing Director, Protiviti
James Hulscher, Senior Manager, Protiviti
The program will begin shortly. Please listen to the webinar
through your computer with the speakers turned on.
0 © 2012 Protiviti Inc.
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
- 2. Some Reminders . . .
ASKING QUESTIONS Click on the “ASK A QUESTION” link
at the top of your screen. Please provide your email
address for a swift reply.
Q&A There will be a Q&A session at the end of the
presentation
COPY OF SLIDES After the webinar, all attendees will be
able to access the recording and the presentation slides
POLLING QUESTIONS/VOTES Participation is voluntary.
Results will be included in the slides.
NEED HELP? If you need help during the webinar, click
“RATE THIS” “Not hearing audio? Click here for help”
- 3. Today’s Presenters
Cal Slemp
– Global Protiviti leader for IT Security & Privacy
– 30+ years of experience in information technology risk & strategy
consulting
– Deep expertise in the pharmaceutical, manufacturing, consumer
packaged goods and retail industries
James Hulscher
– 15 years of experience in IT
– Manufacturing, education, health care, insurance, and financial
services
– Completing Ph.D. in Information Assurance with specialization in
security
- 4. Why Is Database Security Critical?
Highly valuable asset – DATA
Vulnerable
Support business critical operations
Data breach requirements
Data leveraged for further attacks
As strong as your weakest link
Database attacks steadily increase
- 5. Security Breaches Continue to Worsen
2011 Yet another record-breaking year for security
breaches
- 6. Database Security – Types of Attacks
Attacks on organizational data infrastructure are
becoming increasingly complex
- 7. Database Security – Tools and Resources
Increased malware availability
Rapidly advancing capability
Organizational resources and pace are outstripped
- 8. Database Security – Who’s Responsible for the Data?
The Challenge:
A proactive, evolving, and privacy-focused strategy and methodology
- 9. Database Security – Who’s Responsible for the Data?
Who in the organization is responsible for data security
and privacy?
- 10. Database Security – Who’s Responsible for the Data?
Everyone!
– Security Team(s)
– DBAs/Architects
– Developers/Application Support
– Network and Systems
Administrators
– End Users
– Vendors (Extranets)
- 11. Database Security – Significant Loss
$7.2 Million
- 12. The Evolution of Data Security – Data As the Target
- 13. The Evolution of Data Security – Organized Attacks
Typically an organized group of malicious actors rather than a lone individual, and typically operating globally.
- 14. The Evolution of Data Security – Regulatory Requirements
Compliance and regulatory requirements for
organizations have significantly increased
IT Auditors must understand the avenues to the data
and the impacts of weak or missing controls
More than just network penetration tests, vulnerability
scans, database penetration tests
- 15. The Evolution of Data Security – Consumer Awareness
Consumer awareness of data theft = Financial Loss + Reputation Damage
- 16. The Evolution of Data Security – A Paradigm Shift
- 17. The Evolution of Data Security – A Paradigm Shift
Comprehensive view of securing data, and the systems
within the enterprise
- 18. Why the Data?
Data leakage can provide the information for a much
more sophisticated attack on an organization
Ultimately, the data will lead to some type of gain
- 19. Understanding Database Logging
- 20. Understanding Database Logging
Native Logging (Vendor Provided)
– How did the user get to the DB?
– How/when/who created the user?
- 21. Database Monitoring
Identifies:
– Unauthorized changes to data structure
– Illicit activity (e.g. mass data extract)
Provides audit trails for compliance requirements
- 22. Database Monitoring
Prevention and early detection for quick reaction
- 23. What Types of Changes Take Place Within a Database?
DML is Data Manipulation Language
– Insert
– Select
– Update
– Delete
- 24. What Types of Changes Take Place Within a Database?
DML attack via SQL Injection
- 25. What Types of Changes Take Place Within a Database?
DCL is Data Control Language
– Grant – Grant rights to an object or entire database
– Revoke – Remove access rights to an object or database
- 26. What Types of Changes Take Place Within a Database?
Why is DCL critical to DB functions?
– A malicious user can grant/revoke rights to users, schemas, and applications that connect to a DB.
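Slides 21 through 26 list what database monitoring should surface (unauthorized changes to data structure, mass data extracts, privilege changes through GRANT/REVOKE) and the statement classes involved (DML, DCL). The following is an added example, not code from the Protiviti deck, that classifies constructed audit records by statement class and applies those checks over them. The log record layout, the user and host names, the 10,000-row "mass extract" threshold, the 10.0.x.x "trusted" address prefix and the DBA account list are all assumptions made for this example; treat DDL (CREATE/ALTER/DROP) as the "changes to data structure" the slide refers to.

```python
import re
from collections import Counter

# Constructed sample audit records: (user, client host, statement, rows affected).
# These are made up for this example and do not come from any real system.
AUDIT_LOG = [
    ("app_svc", "10.0.1.20",   "SELECT id, balance FROM accounts WHERE id = 1042", 1),
    ("app_svc", "10.0.1.20",   "UPDATE accounts SET balance = 99 WHERE id = 1042", 1),
    ("jdoe",    "10.0.5.7",    "SELECT * FROM customers", 250000),
    ("jdoe",    "10.0.5.7",    "GRANT ALL ON customers TO guest", 0),
    ("dba_bob", "10.0.9.9",    "ALTER TABLE accounts ADD COLUMN note TEXT", 0),
    ("app_svc", "203.0.113.5", "SELECT id FROM accounts WHERE id = 7", 1),
    ("dba_bob", "10.0.9.9",    "REVOKE ALL ON customers FROM guest", 0),
]

DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}   # data manipulation (slide 23)
DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE"}    # data structure changes (slide 21)
DCL = {"GRANT", "REVOKE"}                        # data control (slide 25)

MASS_EXTRACT_ROWS = 10000     # assumed threshold for a "mass data extract"
TRUSTED_NETS = ("10.0.",)     # assumed internal address prefixes
DBA_ACCOUNTS = ("dba_bob",)   # assumed accounts allowed to change structure


def classify(statement):
    """Return 'DML', 'DDL', 'DCL' or 'OTHER' from the statement's leading keyword."""
    m = re.match(r"\s*([A-Za-z]+)", statement)
    kw = m.group(1).upper() if m else ""
    if kw in DML:
        return "DML"
    if kw in DDL:
        return "DDL"
    if kw in DCL:
        return "DCL"
    return "OTHER"


def review(log, dba_accounts=DBA_ACCOUNTS):
    """Apply the slide's monitoring rules; returns (user, reason, statement) findings."""
    findings = []
    for user, host, stmt, rows in log:
        kind = classify(stmt)
        if kind == "DCL":
            # Every privilege change is worth a look: slide 26's grant/revoke abuse.
            findings.append((user, "privilege change", stmt))
        if kind == "DDL" and user not in dba_accounts:
            findings.append((user, "schema change by non-DBA", stmt))
        if kind == "DML" and stmt.upper().lstrip().startswith("SELECT") and rows >= MASS_EXTRACT_ROWS:
            findings.append((user, f"mass extract ({rows} rows)", stmt))
        if kind == "DML" and not host.startswith(TRUSTED_NETS):
            # DML reaching the database from outside the trusted networks (slide 28).
            findings.append((user, f"DML from external host {host}", stmt))
    return findings


def findings_by_user(findings):
    """Count findings per account, the view an auditor would start from."""
    return Counter(user for user, _, _ in findings)


if __name__ == "__main__":
    for user, reason, stmt in review(AUDIT_LOG):
        print(f"{user:8s} {reason:40s} {stmt}")
    print(findings_by_user(review(AUDIT_LOG)))
```

The row count is the signal that separates a normal lookup from a mass extract; native logging that records only the statement text cannot distinguish the two, which is one reason the slides distinguish monitoring from logging.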
- 27. Methodology : Outside-In
Tools
Technologies
Security Appliances
Controls
- 28. Methodology : Outside-In
Audit and systematic reviews of:
– Database activity
– DML/DCL changes from external sources
- 29. Methodology : Outside-In
Types of access control
- 30. Methodology : Outside-In
Encryption
- 31. Methodology : Inside-Out
Internal attacks are likely, due to
– Abuse of privileged and super user accounts
– End users allowing code/malware to enter: email, social media,
thumb drives
– Abuse of data by organizational partners or service providers
- 32. Methodology: Inside-Out
Encrypt data so that only the authorized application can decrypt and use it; anyone who reads the database directly, including a privileged account, sees only ciphertext.
- 33. Methodology: Inside-Out
Background check
Financial monitoring
Criminal monitoring
- 34. Methodology: Inside-Out
Incident Preparation and Response
- 35. Methodology: Inside-Out
3rd Party audits
– Deep database penetration tests
– Reviews of database logs
– Manual testing of applications
- 36. Let’s Review Some Examples
SQL Injections – How they work at a high level
- 37. SQL Example 1
SQL Injection. Web-based application communicating with a backend database.
"OLE DB Provider…ODBC SQL Driver [SQL Server] Error xxxxxxx error converting "ABC" into a column of data type int"
A verbose error like this, returned to the browser, tells the attacker two things: the backend is SQL Server, and the injected value reached the query unfiltered. That is the footprint the next example builds on.
- 38. SQL Example 2
Using http or a webpage once a footprint has been detected.
http://ABCBank/index.asp?username=admin; password=1' OR 1=1;--
- 39. What Is a Stored Procedure?
Stored Procedures – the solution for preventing SQL Injections?
Only partly. A procedure that takes typed parameters and uses them as values is safe from the injection shown above, but a procedure that concatenates its arguments into a string and runs it with EXEC or sp_executesql is as injectable as the application code it replaced. The protection comes from parameterization, not from the procedure itself.
- 40. SQL Example 3
Allowing direct SQL sessions to your database
– telnet session
– T-SQL
– PL/SQL
Example: SELECT userNAME from users where userNAME=''; shutdown with nowait; --' and userpass=''
- 41. Unification
An example
– DBO (Privileged Account) with no rights to write data to the server
– Server admin creates DBO account for DBA
– Consistency in password procedures?
- 42. Further Unification Evaluation – Real World Examples
Another example
– Install of 3rd-party app requires admin rights
– Password change may impact maintenance and support
– Additional risks
- 43. Database Auditing
Database systems are both the most overlooked and the most crucial areas in need of securing
Database security requirements in:
– HIPAA
– HITECH
– SOX
– GLBA
– Dodd-Frank
– ISO 27000
– PCI DSS
– EU Data Protection Directive
– US Patriot Act (AML)
– Various industry requirements
- 44. Auditing Database Errors
Architecture reviews – applications and middleware
- 45. Principles for Developing a Database Audit Strategy
– Protect the audit trail
– Audit mainstream activities
– Audit critical actions
– Archive audit records
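"Protect the audit trail" is the principle above that the slide states without saying how. The usual threat is the one slide 31 raises: a privileged account that can write to the audit table can also edit or delete the entries that record its own actions. The following is an added example, not code from the Protiviti deck, of one common approach: each audit entry carries an HMAC over its content and the previous entry's HMAC, so an edit or a deletion in the middle of the trail breaks the chain and is found on verification. The key, the record fields and the three sample records are constructed for this example.

```python
import hashlib
import hmac
import json

# Assumed key for the example; in practice it is held by the log collector or
# archive system, not on the database host whose administrators are being audited.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _mac(prev_mac, record):
    """HMAC-SHA256 over the previous entry's MAC and a canonical form of the record."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append(chain, record):
    """Append a record; its MAC binds it to everything written before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"record": record, "mac": _mac(prev, record)})
    return chain


def verify(chain):
    """Walk the chain from the start; return (True, None) or (False, first bad index)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(entry["mac"], _mac(prev, entry["record"])):
            return False, i
        prev = entry["mac"]
    return True, None


def demo():
    chain = []
    for rec in [  # constructed audit records
        {"user": "dba_bob", "stmt": "ALTER TABLE accounts ADD COLUMN note TEXT"},
        {"user": "jdoe", "stmt": "GRANT ALL ON customers TO guest"},
        {"user": "jdoe", "stmt": "SELECT * FROM customers", "rows": 250000},
    ]:
        append(chain, rec)
    intact = verify(chain)
    # A user with write access to the log rewrites the GRANT to look harmless.
    chain[1]["record"]["stmt"] = "SELECT 1"
    tampered = verify(chain)
    # Deleting the entry instead does not help: the next entry no longer chains.
    del chain[1]
    deleted = verify(chain)
    return intact, tampered, deleted


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: chaining detects edits and deletions inside the trail, but not removal of the newest entries, since a truncated chain still verifies. Archiving audit records, the last principle on the slide, closes that gap when the archive also records the latest MAC, so that a later copy of the trail can be checked against it.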
- 46. Controls are Critical
Document
– Storage management architecture
Audit
– At random times
– Especially after migrations, upgrades, and during implementation
- 47. Database Improvements Will Enable Compliance
Example – Configuration Parameters
- 48. Tools and Resources
Commercial Tools:
– Acunetix – website vulnerability scanning tool
– Nessus – vulnerability assessment scanning tool
Freely Available:
– BackTrack5 – Numerous vulnerability assessment tools
– Havij – Find SQL Injection vulnerabilities
- 49. 2012 and the Continued Evolution
Data protection requirements will increase
More mobile devices
Social media = more ways to share data
Know your data
- 50. Contact Information
For more information about our approach to database security, including database logging and database monitoring, please contact
Jim Hulscher
601 Carlson Parkway
Suite 1120
Minnetonka, MN 55305 USA
Direct: 952.249.2219
james.hulscher@protiviti.com
Powerful Insights. Proven Delivery. ®
- 51. VOTES