Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US
Presentation from Smarter Business 2012
Slide 1: Database Security and Compliance
Ron Ben-Natan, IBM Distinguished Engineer, CTO for Data Security, Compliance and Optimization
© 2012 IBM Corporation
Slide 2: Database Security in the Forefront
Drivers:
  • Data loss prevention
  • Compliance requirements
  • Mature best practices
7 Steps:
  • Hardening
  • Assessing
  • Classifying
  • Monitoring
  • Auditing
  • Enforcing
  • Encrypting
Slide 3: Which types of information assets are compromised?

Slide 4: The "Unknown" Factor

Slide 5: Requirements/Initiatives
(Diagram. Regulations and drivers: SOX, PCI, DPD, Basel II, GLBA, security breaches, separation of duties. Lifecycle phases: Assessing, Scoping, Discovery & Classification (Database Discovery, Data Classification), Auditing, Protecting. Scope & Technical Requirements across the infrastructure: hosts, databases, applications.)
Slide 6: Example 1 - ANY System Privileges
  • Oracle has over 100 system privileges
  • Nearly every ANY system privilege can be used by an attacker to assume DBA privileges:
    – EXECUTE ANY PROCEDURE
      • There are many procedures within the SYS schema that run with definer rights, so if I can run them I can assign myself privileges
      • exec sys.dbms_repact_sql_util.do_sql('grant dba to ronb', true);
      • exec sys.dbms_streams_rpc.execute_stmt('grant dba to ronb');
      • exec sys.ltadm.executesql('grant dba to ronb');
    – CREATE ANY VIEW
      • I'll create a procedure that gives me DBA privileges running with invoker rights
      • I'll create a view in the SYSTEM schema that will run the procedure
      • I'll convince a DBA to access the view
    – CREATE ANY TRIGGER
      • I'll create a procedure that grants me DBA, running with invoker rights
      • Pick a user with DBA privileges
      • Pick a table within that user schema for which PUBLIC has some privileges (e.g. SELECT)
      • I'll define a trigger on the privilege that PUBLIC has (e.g. SELECT) that calls the procedure
      • I'll access the object (since I'm using a PUBLIC privilege)
      • I now have DBA privileges! (the trigger runs as the schema owner)
Slide 7: Example 2 - UTL_FILE

    file_name := utl_file.fopen(<dir>, <file name>, 'w');
    utl_file.put_line(file_name, 'abcdefgh', true);
    utl_file.fclose(file_name);

The ability to write files to the OS is a very dangerous thing:
  – Runs with the database instance owner privileges
  – Can be used to delete audit files
  – Can be used to delete or corrupt a data file, including the SYSTEM tablespace
  – Can use it to change config files
  – Can use it to write a .rhosts file to allow access to the OS
  – Can use it to write to .cshrc or .login for the oracle OS account
  – Can use it to write a login.sql or glogin.sql file to cause a SQL command to be called with the privileges of a DBA
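A defender's counterpart to Examples 1 and 2, added here and not part of the deck: the check walks role grants transitively, so an ANY privilege inherited through a nested role is still reported, and it flags EXECUTE on UTL_FILE held by PUBLIC. The rows are constructed stand-ins for the DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TAB_PRIVS views, and the MAINTAINED set of built-in grantees to skip is an assumption.

```python
"""Added example: flag ANY system privileges reachable directly or through nested
roles, and EXECUTE on UTL_FILE held by PUBLIC (Examples 1 and 2). Rows are
constructed stand-ins for DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TAB_PRIVS."""
from collections import defaultdict

SYS_PRIVS = [  # (grantee, privilege): constructed DBA_SYS_PRIVS rows
    ("DBA", "EXECUTE ANY PROCEDURE"),
    ("DBA", "CREATE ANY TRIGGER"),
    ("REPORTING_ROLE", "CREATE ANY VIEW"),
    ("APP_USER", "CREATE SESSION"),
    ("ANALYST", "SELECT ANY TABLE"),
]
ROLE_PRIVS = [  # (grantee, granted_role): constructed DBA_ROLE_PRIVS rows
    ("APP_USER", "REPORTING_ROLE"),
    ("REPORTING_ROLE", "BASE_ROLE"),  # nested role
    ("SYS", "DBA"),
]
TAB_PRIVS = [  # (grantee, owner, table_name, privilege): constructed DBA_TAB_PRIVS rows
    ("PUBLIC", "SYS", "UTL_FILE", "EXECUTE"),
]
MAINTAINED = {"SYS", "SYSTEM", "DBA"}  # assumption: built-ins left out of the report

def effective_sys_privs(grantee, role_privs=ROLE_PRIVS, sys_privs=SYS_PRIVS):
    """All system privileges a grantee holds directly or via any chain of roles."""
    roles, direct = defaultdict(set), defaultdict(set)
    for g, r in role_privs:
        roles[g].add(r)
    for g, p in sys_privs:
        direct[g].add(p)
    seen, stack, privs = set(), [grantee], set()
    while stack:  # depth-first walk of the role graph; 'seen' guards against cycles
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            privs |= direct[g]
            stack.extend(roles[g])
    return privs

def any_privilege_findings(role_privs=ROLE_PRIVS, sys_privs=SYS_PRIVS):
    """Map each non-maintained grantee to the sorted ANY privileges it can reach."""
    grantees = {g for g, _ in sys_privs} | {g for g, _ in role_privs}
    findings = {}
    for g in sorted(grantees - MAINTAINED):
        risky = {p for p in effective_sys_privs(g, role_privs, sys_privs) if " ANY " in p}
        if risky:
            findings[g] = sorted(risky)
    return findings

def utl_file_granted_to_public(tab_privs=TAB_PRIVS):
    """True when PUBLIC can execute UTL_FILE, so any session can write OS files."""
    return any(g == "PUBLIC" and t == "UTL_FILE" and p == "EXECUTE"
               for g, _, t, p in tab_privs)
```

On a real instance the same rows come from a query of the three views; APP_USER shows why the role walk matters, since its CREATE ANY VIEW is held only through REPORTING_ROLE.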
Slide 8: Assessing & Securing
(Diagram. Scope & Technical Requirements feed Assessing: Vulnerability Assessment, Configuration Assessment, Behavioral Assessment. Outputs: Security Recommendations, Secure Configuration, Change Tracking (CAS), Proven Config Compliance.)

Slide 9: Complexity
"Though some movie plots would have us believe otherwise, cyber attacks in the real world rarely involve Mission Impossible-like scenarios. Quite the opposite, in fact."
Slide 10: Example 3 - Passwords
  • Spida
    – Microsoft SQL Server
    – Empty sa password
    – xp_cmdshell
    – Propagation
    – Made it to 4th place in SANS "Top Ten"
  • APPS/APPS
  • Credentials stored in plain text in configuration files (three fragments shown on the slide):

    OLE DB connection string:
      Provider=SQLOLEDB;
      Data Source=192.168.1.32;
      Initial Catalog=Northwind;
      User ID=sa;
      Password=sapwd;

    WebLogic connection pool properties:
      weblogic.jdbc.connectionPool.eng=
        url=jdbc:weblogic:oracle,
        driver=weblogic.jdbc.oci.Driver,
        loginDelaySecs=2,
        initialCapacity=50,
        capacityIncrement=10,
        maxCapacity=100,
        props=user=scott,password=tiger,server=ORCL

    iAS resources XML:
      <ias-resources>
        <jdbc>
          <database>ORCL</database>
          <datasource>ORCL</datasource>
          <username>scott</username>
          <password>tiger</password>
          <driver-type>ORACLE_OCI</driver-type>
        </jdbc>
      </ias-resources>
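Added example (not from the deck): a small scanner that finds plaintext database credentials in the three configuration formats shown on the slide and flags the default logins the slide names (empty sa password, scott/tiger, APPS/APPS). SAMPLE_CONFIG is constructed, and pairing a password with the nearest preceding username is a heuristic assumption.

```python
"""Added example: detect plaintext database credentials in the configuration
formats shown on the slide (OLE DB connection strings, WebLogic pool properties,
<username>/<password> XML) and flag the default logins the slide names.
SAMPLE_CONFIG is constructed; the username/password pairing is a heuristic."""
import re

SAMPLE_CONFIG = """\
Provider=SQLOLEDB;Data Source=192.168.1.32;Initial Catalog=Northwind;User ID=sa;Password=
weblogic.jdbc.connectionPool.eng=url=jdbc:weblogic:oracle,props=user=scott,password=tiger,server=ORCL
<jdbc><username>scott</username><password>tiger</password></jdbc>
db.user=APPS
db.password=APPS
log.level=INFO
"""
# Well-known default logins from the slide: empty sa, scott/tiger, APPS/APPS.
DEFAULT_LOGINS = {("sa", ""), ("scott", "tiger"), ("apps", "apps")}

# key=value form (";" or "," separated) or the XML element form; a value ends at
# a separator, whitespace or "<".
USER_RE = re.compile(r"(?i)(?:\b(?:user id|username|user|uid)\s*=\s*|<username>)([^;,\s<]*)")
PASS_RE = re.compile(r"(?i)(?:\b(?:password|pwd)\s*=\s*|<password>)([^;,\s<]*)")

def scan(text):
    """Return (line_no, user, secret_marker, severity) for each line holding a
    password. The secret itself is never echoed, only whether it was empty."""
    findings, last_user = [], ""
    for n, line in enumerate(text.splitlines(), 1):
        um = USER_RE.search(line)
        if um:  # heuristic: pair a password with the nearest preceding username
            last_user = um.group(1)
        pm = PASS_RE.search(line)
        if not pm:
            continue
        secret = pm.group(1)
        is_default = (last_user.lower(), secret.lower()) in DEFAULT_LOGINS
        severity = "default-login" if is_default else "plaintext-credential"
        findings.append((n, last_user, "<empty>" if secret == "" else "<redacted>", severity))
    return findings

if __name__ == "__main__":
    for n, user, marker, sev in scan(SAMPLE_CONFIG):
        print(f"line {n}: user={user!r} password={marker} [{sev}]")
```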
Slide 11: Example 4 - Buffer Overflow Attacks
  • Sapphire worm/SQL Slammer
  • "Zero-day attack"

Slide 12: Monitoring & Auditing
(Diagram. Scope & Technical Requirements feed Data Access Auditing, Privileged User Monitoring & Auditing, and Application Monitoring & Auditing. Outputs: Investigation Support, Audit Trails, Policy, Audit Compliance, Investigation.)

Slide 13: Compliance - Many Regulations - Internal & External

Slide 14: Breach Discovery

Slide 15: (image only, no text)

Slide 16: More Oracle Performance tests
  • Sun E6500
  • 28 CPUs, 28 GB
  • 100 concurrent connections
    – Each doing inserts (real application table, with indexes etc.)
    – 100 ms delay between each insert
Slide 17: Before Any Auditing
  • Throughput: approximately 19,000 inserts per minute

    last pid: 21715;  load averages:  7.27,  4.66,  3.41    10:29:02
    271 processes: 269 sleeping, 2 on cpu
    CPU states: 66.3% idle, 25.3% user,  2.6% kernel,  5.8% iowait,  0.0% swap
    Memory: 26G real, 20G free, 4885M swap in use, 32G swap free

      PID USERNAME LWP PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
    15044 oracle10  12  49    0 2137M  965M sleep    1:17  0.34% oracle
    20904 oracle10   1  59    0 2123M  970M sleep    0:15  0.31% oracle
    20773 oracle10   1  39    0 2124M  971M sleep    0:16  0.31% oracle
    20932 oracle10   1  59    0 2123M  970M sleep    0:14  0.31% oracle
    21008 oracle10   1  59    0 2123M  971M sleep    0:13  0.31% oracle
    20946 oracle10   1  59    0 2123M  971M sleep    0:13  0.31% oracle
    20789 oracle10   1  59    0 2123M  970M sleep    0:16  0.30% oracle
    20873 oracle10   1  59    0 2123M  971M sleep    0:15  0.30% oracle
    20958 oracle10   1  54    0 2123M  971M sleep    0:13  0.30% oracle
    21004 oracle10   1  59    0 2123M  970M sleep    0:13  0.30% oracle
    20795 oracle10   1  59    0 2123M  970M sleep    0:15  0.30% oracle
    21002 oracle10   1  59    0 2123M  971M sleep    0:13  0.30% oracle
    20867 oracle10   1  53    0 2124M  972M sleep    0:15  0.29% oracle
Slide 18: Oracle with Standard Auditing
  • Throughput: approximately 13,000 inserts per minute
    – 30% drop in throughput
  • Load average almost double

    last pid:  7622;  load averages: 14.51,  9.90,  8.72    11:32:32
    271 processes: 269 sleeping, 2 on cpu
    CPU states: 28.2% idle, 66.5% user,  3.0% kernel,  2.3% iowait,  0.0% swap
    Memory: 26G real, 19G free, 4930M swap in use, 32G swap free

      PID USERNAME LWP PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
     4036 oracle10   1  59    0 2124M 1239M sleep    1:13  0.65% oracle
     4082 oracle10   1  59    0 2124M 1239M sleep    1:12  0.65% oracle
     4086 oracle10   1  59    0 2124M 1239M sleep    1:12  0.65% oracle
     4055 oracle10   1  55    0 2124M 1239M sleep    1:13  0.64% oracle
     4034 oracle10   1  59    0 2124M 1239M sleep    1:12  0.64% oracle
     4139 oracle10   1  59    0 2124M 1239M sleep    1:12  0.64% oracle
     4174 oracle10   1  53    0 2124M 1239M sleep    1:11  0.64% oracle
     4162 oracle10   1  59    0 2124M 1239M sleep    1:11  0.64% oracle
     3927 oracle10   1  35    0 2124M 1239M sleep    1:09  0.64% oracle
     4078 oracle10   1  51    0 2124M 1239M sleep    1:09  0.63% oracle
     4010 oracle10   1  59    0 2124M 1239M sleep    1:12  0.61% oracle
     3947 oracle10   1  59    0 2124M 1239M sleep    1:12  0.61% oracle
     3939 oracle10   1  23    0 2124M 1239M sleep    1:13  0.61% oracle
     4119 oracle10   1  59    0 2124M 1239M sleep    1:10  0.61% oracle
     4020 oracle10   1  41    0 2124M 1239M sleep    1:11  0.60% oracle
Slide 19: Database Activity Monitoring - DAM
  • Other reasons to look beyond native auditing
    – Heterogeneous support
    – Easier to deploy and manage
    – IPC interception to avoid impact to the database
    – Functionality/Maturity
  • Security and Auditing
    – Assessments
    – Policies
    – Change management
    – Audit (as opposed to auditing)
  • Automation
  • Compliance packages
    – Independence of the audit trail
    – Separation of duties
    – Allows security functions such as prevention and redaction
Slide 20: Protecting
(Diagram. Scope & Technical Requirements feed Data Access Protection, Data Extrusion Protection, Privileged User Access Control, and Security Monitoring & Anomaly Detection. Outputs: Violations & Incidents, Remediation, Data Protection, Monitoring & Access Compliance.)

Slide 21: IBM Guardium - Addressing the Full Lifecycle

Slide 22: Scalable Multi-Tier Architecture
(Diagram. Host-based probe (S-TAP) and data-level access control (S-GATE) on the database hosts, including IBM System z; Collectors in Data Center 1, Data Center 2 and the Development, Test & Training environment; a Central Policy Manager & Audit Repository with Optim; integration with LDAP/AD, IAM, Change Management, SIEM, Archiving, etc.)

Slide 23: Thank you!