Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Organizations are spending loads of money on security controls but is that protection secure enough..
  • So we have to deal with Threats from applications using databases Web services, customer web portals, intranet sites Threats from database users with malicious intentions Authorized users Unauthorized users
  • By reviewing the application generated error messages By reviewing the URL of the web application Downloading the code placed in production environments (ASP, JSP, PHP) Directory listing and directory traversal attack can help in getting the source code for server side scripts including ASP, JSP and PHP Some bugs have been identified in web servers and applications server which let the attackers to view the application code Even the pseudo (or intermediate code) such as CIL or MSIL created by java and .net compilers can be decompiled using the special tools E.g. JAD, Mocha, Salamander .Net decompiler
  • Provides additional layer of security Its safer to have attackers accessing the encrypted data than clear text Types of encryption Encrypt the data in transit Encrypt the data at rest
  • Who is getting connected Remote IP, Application, login time, logoff time, user_id, NO PASSWORDS What data is being accessed Who is making changes to the schema User id, object name, object type, timestamp,owner Use database audit features External auditing system Compare schema snapshots Database errors Userid, sesionid, host, timestamp, error details Stored procedure code change Database links related actions Updates to sensitive information
  • Database should be able to protect itself from the unauthorized users
  • OWASPAU08_Session_16_Nain.ppt

    1. 1. Dealing With Threats to Databases Sandeep Singh Nain Security Analyst, IBM Australia [email_address] +61-405-369420 AppSec 2008, Australia February, 2008
    2. 2. About Me <ul><li>OWASP Member </li></ul><ul><ul><ul><li>Melbourne chapter </li></ul></ul></ul><ul><li>Security Analyst </li></ul><ul><ul><ul><li>IBM Australia ( www.ibm.com /services/security ) </li></ul></ul></ul><ul><li>Background </li></ul><ul><ul><ul><li>Application development (ASP, .NET, PHP) </li></ul></ul></ul>
    3. 3. Agenda <ul><li>Introduction </li></ul><ul><li>Threats to databases </li></ul><ul><ul><li>From applications </li></ul></ul><ul><ul><li>From configuration flaws </li></ul></ul><ul><ul><li>Database rootkits </li></ul></ul><ul><li>Auditing and activity monitoring </li></ul><ul><li>Questions and answers… </li></ul>
    4. 4. Introduction? <ul><li>Every organization has one or more databases </li></ul>FINANCIAL DATA CUSTOMER DATA SENSITIVE INFO CORPORATE DATABASE WHICH MUST BE PROTECTED
    5. 5. <ul><li>Question: Is the protection secure enough??? </li></ul>
    6. 6. A common scenario And the database is fully secure… NO IT'S NOT Database security is not limited to firewalls, IPS or IDS…
    7. 7. The Real Threat <ul><li>Database trusts the applications and users interacting with it </li></ul>
    8. 8. <ul><li>Threats to Databases </li></ul><ul><li>from </li></ul><ul><li>Applications </li></ul><ul><li>1. Application Code Exposure </li></ul>
    9. 9. Application code exposure <ul><li>Attackers / malicious users analyze the </li></ul><ul><ul><li>URL and error messages </li></ul></ul><ul><ul><li>Application code </li></ul></ul><ul><li>to determine </li></ul><ul><ul><li>What platform is being used </li></ul></ul><ul><ul><li>What business rules are in place </li></ul></ul><ul><ul><li>And, How is database being accessed i.e. </li></ul></ul><ul><ul><ul><li>connection strings, actual SQL queries etc. </li></ul></ul></ul><ul><ul><li>Helps in launching the database attack </li></ul></ul><ul><ul><ul><li>Directly </li></ul></ul></ul><ul><ul><ul><li>Or through application </li></ul></ul></ul>
    10. 10. Application Configuration Files <ul><li>Holds connection details </li></ul><ul><ul><li>Contains database server name </li></ul></ul><ul><ul><li>And username and password to connect to database </li></ul></ul><ul><li>Is it stored securely? </li></ul>
    11. 11. Application Configuration Files <ul><li>Huh, Attackers won’t find my configuration file </li></ul><ul><ul><li>Why don’t you ask my friend Google </li></ul></ul><ul><ul><ul><li>*Search for ext:php intext:&quot;$dbms&quot;&quot;$dbhost&quot;&quot;$dbuser&quot;&quot;$dbpasswd&quot;&quot;$table_prefix&quot;&quot;phpbb_installed“ </li></ul></ul></ul><ul><ul><ul><ul><li>(This will search for the configuration files for phpBB, a popular `php` based bulletin board) </li></ul></ul></ul></ul>*http:// johnny.ihackstuff.com /
    12. 12. Anatomy of Application Configuration Files <ul><li>Options to store configuration files </li></ul><ul><ul><li>Web.config and global.asa files </li></ul></ul><ul><ul><li>UDL files </li></ul></ul><ul><ul><li>Registry </li></ul></ul><ul><ul><li>Include text files </li></ul></ul><ul><ul><li>Hard coding connection string </li></ul></ul>For microsoft technologies For all
    13. 13. Suggestions <ul><li>Use windows authentication or LDAP authentication (if possible) to connect to database over a secure channel </li></ul><ul><li>Never store the username and password in clear text </li></ul><ul><ul><li>Encrypt the configuration files </li></ul></ul><ul><ul><ul><li>Use DPAPI (for windows 2000 and above) </li></ul></ul></ul><ul><li>Create a baseline </li></ul><ul><ul><li>Monitor the database connections being made </li></ul></ul><ul><ul><li>Make a list of IP Addresses and applications which should be allowed to access the database </li></ul></ul><ul><ul><ul><li>And deny access to others using a good SQL firewall </li></ul></ul></ul>
    14. 14. Protecting the code <ul><li>Code obfuscation </li></ul><ul><ul><li>Provides security through obscurity </li></ul></ul><ul><ul><li>Converting the intermediate code into a form that makes reverse engineering very difficult (not impossible though) </li></ul></ul><ul><ul><ul><li>Add code to break decompilers </li></ul></ul></ul><ul><ul><ul><li>Use tools e.g. DashO and HoseMocha for java. </li></ul></ul></ul><ul><li>Don’t store application code in unsecured environments </li></ul><ul><ul><li>Security of development and test environments is as necessary as of the production environment </li></ul></ul><ul><ul><ul><li>Patch the development and test environments regularly </li></ul></ul></ul>
    15. 15. <ul><li>Threats to Databases </li></ul><ul><li>from </li></ul><ul><li>Applications </li></ul><ul><li>2. SQL Injection </li></ul>
    16. 16. SQL Injection <ul><li>Famous attack </li></ul><ul><ul><li>September 2004 </li></ul></ul><ul><ul><li>The Cardsystems breach incident, where hackers stole 263,000 credit card numbers </li></ul></ul><ul><ul><li>Several million dollars fraudulent credit and debit purchases had been made with these cards </li></ul></ul><ul><li>What is it? </li></ul><ul><ul><li>Injecting SQL commands in URL or Form fields (GET or POST data) to alter the result </li></ul></ul><ul><ul><ul><li>Most effective and popular attack </li></ul></ul></ul><ul><ul><ul><li>Approx 23% of the successful attacks (in 2006) </li></ul></ul></ul><ul><ul><li>Ref: http://www.webappsec.org/projects/whid/list_id_2004-17.shtml </li></ul></ul>
    17. 17. SQL Injection <ul><li>Can be used to </li></ul><ul><ul><li>Bypass authentication </li></ul></ul><ul><ul><ul><ul><li>Select USERID from USER where USERID = ` ` or 1=1; -- and password=‘a’; </li></ul></ul></ul></ul><ul><ul><li>Access sensitive data </li></ul></ul><ul><ul><ul><ul><li>Select username, address, phone from USERS where city=‘Mel’ </li></ul></ul></ul></ul><ul><ul><ul><li>UNION ALL select name, crdate from sysobjects where xtype=‘U’ </li></ul></ul></ul><ul><ul><li>Even shutting down a system </li></ul></ul><ul><ul><ul><ul><li>Select USERID from USER where USERID = `` ; SHUTDOWN with NOWAIT -- ; </li></ul></ul></ul></ul><ul><ul><li>And more… </li></ul></ul>
    18. 18. SQL Injection <ul><li>Applicable to all the DBMS </li></ul><ul><ul><li>SQL Server, Oracle, DB2, Sybase , MySQL & more </li></ul></ul><ul><ul><li>Vulnerability lies in the application code and not on the database server </li></ul></ul>
    19. 19. SQL Injection <ul><li>Countermeasures </li></ul><ul><ul><li>Limiting application vulnerabilities </li></ul></ul><ul><ul><ul><li>Find the vulnerability and fix the code </li></ul></ul></ul><ul><ul><ul><li>All input must be sanitized </li></ul></ul></ul><ul><ul><ul><li>SQL used to access data must not be formed by string concatenation </li></ul></ul></ul><ul><ul><ul><li>Prepared statements and parameterized stored procedures must be used wherever possible </li></ul></ul></ul><ul><ul><ul><li>Add quotes to all user input including numerical data </li></ul></ul></ul><ul><ul><ul><li>Don’t display the database generated error messages </li></ul></ul></ul>
    20. 20. SQL Injection <ul><ul><li>Don’t trust the application </li></ul></ul><ul><ul><ul><li>Filter every SQL command sent by the application </li></ul></ul></ul><ul><ul><ul><ul><li>Don’t let application issue any OS level commands </li></ul></ul></ul></ul><ul><ul><li>Provide minimal data access </li></ul></ul><ul><ul><ul><li>Granular access control </li></ul></ul></ul><ul><ul><li>Create baseline and monitor </li></ul></ul><ul><ul><ul><li>What database objects are being used by the application? </li></ul></ul></ul><ul><ul><ul><li>What commands are being used? </li></ul></ul></ul>
    21. 21. <ul><li>Threats to Databases </li></ul><ul><li>from </li></ul><ul><li>Applications </li></ul><ul><li>3. Buffer Overflows </li></ul>
    22. 22. Buffer Overflows <ul><li>Database systems are software products </li></ul><ul><ul><li>Just like any other systems they also have vulnerabilities </li></ul></ul><ul><ul><ul><li>Such as buffer overflows </li></ul></ul></ul><ul><li>Risk of buffer overflow </li></ul><ul><ul><li>May allow an unauthorized user to gain root privileges to the host operating systems. </li></ul></ul><ul><ul><li>Denial of service </li></ul></ul><ul><li>A number of buffer overflow vulnerabilities have been found in database systems </li></ul><ul><ul><li>Oracle (8, 8i, 9i), SQL Server (7, 2000), DB2 (8.2, 9.1) </li></ul></ul>
    23. 23. Buffer overflow in system functions / extended stored procedures <ul><li>What is it? </li></ul><ul><ul><li>Injecting an extra long string as a parameter to the system stored procedures / functions allowing overwriting of the memory buffer with arbitrary data </li></ul></ul><ul><ul><li>Can be exploited through SQL injection </li></ul></ul><ul><li>Examples </li></ul><ul><ul><li>MS SQL Server: xp_displayparamstmt , xp_proxiedmetadata </li></ul></ul><ul><ul><li>Oracle: BFILENAME, NUMTODSINTERVAL </li></ul></ul><ul><li>Vulnerable servers </li></ul><ul><ul><li>MS SQL Server 7, MS SQL Server 2000, MSDE 1.0, MSDE 2000 </li></ul></ul><ul><ul><li>Oracle 8i, 9i </li></ul></ul><ul><li>Ref: http://www.appsecinc.com/resources/alerts/mssql/02-0000.html </li></ul>
    24. 24. Countermeasures <ul><li>Apply latest patches ASAP </li></ul><ul><ul><li>remove or minimize the application’s access to the vulnerable function </li></ul></ul><ul><li>Protect from SQL injection </li></ul>
    25. 25. <ul><li>Threats to Databases </li></ul><ul><li>from </li></ul><ul><li>Configuration Flaws </li></ul><ul><li>1. Improper Access Control </li></ul>
    26. 26. Improper access control <ul><li>Common scenario </li></ul><ul><ul><li>Database schema is considered as a part of the application </li></ul></ul><ul><ul><li>Or, Extension to the application </li></ul></ul><ul><ul><ul><li>Therefore, should be controlled by the application itself </li></ul></ul></ul><ul><ul><ul><ul><li>i.e. application has full access to all objects in the schema </li></ul></ul></ul></ul><ul><li>Risk </li></ul><ul><ul><li>Any security breach that occurs at the application layer can become a security incident at database level </li></ul></ul>
    27. 27. Granular access control <ul><li>Limit application access </li></ul><ul><ul><li>Implement fine grained access control (row level access, table level access) </li></ul></ul><ul><ul><li>Make sure database control is at database layer and not application layer </li></ul></ul><ul><li>Create database access baselines </li></ul>
    28. 28. <ul><li>Threats to Databases </li></ul><ul><li>from </li></ul><ul><li>Configuration Flaws </li></ul><ul><li>2. Insecure Database Links </li></ul>
    29. 29. Insecure database links <ul><li>Linked databases </li></ul><ul><ul><li>Expose objects in one database to another </li></ul></ul><ul><ul><li>Clients can connect to one database and fetch the data stored in linked database without even knowing the actual location of the data </li></ul></ul><ul><ul><li>Being used in a lot of enterprise applications and architectures </li></ul></ul><ul><ul><li>SO WHAT’S THE PROBLEM??? </li></ul></ul>
    30. 30. Insecure database-to-database communication Limited access Full access
    31. 31. Securing the database to database communications <ul><li>Never create the links using administrative privileges </li></ul><ul><ul><li>Avoid fixed user links </li></ul></ul><ul><ul><ul><li>Use current user links instead </li></ul></ul></ul><ul><li>Monitor the database link usage regularly </li></ul><ul><ul><li>Not just the connections but also the content being communicated </li></ul></ul><ul><ul><ul><li>Only the authorized data should be communicated </li></ul></ul></ul>
    32. 32. <ul><li>Threats to Databases </li></ul><ul><li>from </li></ul><ul><li>Configuration Flaws </li></ul><ul><li>3. Database doing more than required </li></ul>
    33. 33. Database doing more than required <ul><li>Vendors are adding functionalities like </li></ul><ul><ul><li>Running shell commands </li></ul></ul><ul><ul><li>Inbuilt Web server </li></ul></ul><ul><ul><li>HTML Page generation </li></ul></ul><ul><ul><li>HTTP endpoints </li></ul></ul><ul><li>Helpful but dangerous </li></ul><ul><ul><li>Opens up unnecessary attack surface </li></ul></ul><ul><ul><li>Let database handle what it is intended to. </li></ul></ul><ul><ul><ul><li>Security vs. Ease </li></ul></ul></ul>
    34. 34. <ul><li>Threats to Databases </li></ul><ul><li>from </li></ul><ul><li>Configuration Flaws </li></ul><ul><li>4. Unencrypted Data </li></ul>
    35. 35. Unencrypted Data <ul><li>Databases contain </li></ul><ul><ul><li>Confidential and proprietary information </li></ul></ul><ul><li>Therefore, unauthorized database access may lead to </li></ul><ul><ul><li>Privacy breach incidents </li></ul></ul><ul><ul><li>Identity thefts </li></ul></ul><ul><li>How to protect </li></ul><ul><ul><li>Encrypt the confidential data </li></ul></ul><ul><ul><ul><li>Encrypt the data in transit </li></ul></ul></ul><ul><ul><ul><li>Encrypt the data at rest </li></ul></ul></ul>
    36. 36. Encrypting data in transit <ul><li>What to encrypt </li></ul><ul><ul><li>Whole (or parts of the) data in transit is encrypted </li></ul></ul><ul><li>How to encrypt </li></ul><ul><ul><li>Encryption/ Decryption occurs at end points </li></ul></ul><ul><ul><li>Data stored in the database is not encrypted </li></ul></ul><ul><ul><li>Use </li></ul></ul><ul><ul><ul><li>SSL, SSH Tunnels </li></ul></ul></ul><ul><li>Why to encrypt </li></ul><ul><ul><li>protects from MITM attack </li></ul></ul><ul><ul><li>Protects from data being sniffed </li></ul></ul><ul><ul><ul><li>Tools : Ethereal, TCP Dump </li></ul></ul></ul>
    37. 37. Sniffing the data in transit User ID Database name MS SQL Server traffic
    38. 38. Encrypting Data at Rest <ul><li>What to encrypt </li></ul><ul><ul><li>Sensitive data stored in the database </li></ul></ul><ul><ul><ul><li>E.g. Credit card info, SSN, passwords etc. </li></ul></ul></ul><ul><ul><li>The whole database </li></ul></ul><ul><li>Why to encrypt </li></ul><ul><ul><li>Additional layer of security </li></ul></ul><ul><ul><ul><li>Protects from unauthorized access </li></ul></ul></ul><ul><ul><ul><li>Can’t be decrypted (easily) </li></ul></ul></ul><ul><ul><ul><li>Unauthorized users can’t read the data even if they have Administrator access </li></ul></ul></ul>
    39. 39. Encrypting Data at Rest <ul><li>How to encrypt </li></ul><ul><ul><li>Encryption at application layer </li></ul></ul><ul><ul><li>Using the database encryption tools </li></ul></ul><ul><ul><ul><li>Encryptonizer for MS SQL Server </li></ul></ul></ul><ul><ul><ul><li>Encryption wizard for Oracle </li></ul></ul></ul><ul><ul><ul><li>IBM Database encryption expert for DB2 </li></ul></ul></ul><ul><ul><li>Encryption at File System layer i.e. file level encryption </li></ul></ul><ul><ul><ul><li>EFS for NTFS(MS Windows 20000 and above), IBM’s Encryption Facility for z/OS </li></ul></ul></ul><ul><ul><ul><li>FreeOFTE, DiskCryptor (Open source) </li></ul></ul></ul>
    40. 40. <ul><li>Database Rootkits </li></ul>
    41. 41. Database rootkits <ul><li>What are rootkits </li></ul><ul><ul><li>A rootkit is a collection of programs that enables and maintains the administrator-level access to a computer or computer network </li></ul></ul><ul><li>DB rootkits are similar to OS rootkits </li></ul><ul><li>Purpose </li></ul><ul><ul><li>To create backdoors in databases </li></ul></ul><ul><ul><li>To hide database processes </li></ul></ul><ul><ul><li>To hide database users </li></ul></ul><ul><ul><li>To hide database jobs </li></ul></ul><ul><ul><li>Modify internal functions </li></ul></ul>
    42. 42. Database rootkits <ul><li>Implementation </li></ul><ul><ul><li>By modifying the database (system) objects </li></ul></ul><ul><ul><li>Changing the execution path </li></ul></ul><ul><ul><ul><li>Creating a local object with the identical name </li></ul></ul></ul><ul><ul><ul><li>Creating a synonym pointing to a different object </li></ul></ul></ul>
    43. 43. Countermeasures <ul><li>Use base tables instead of views for critical objects (e.g. users, processes) </li></ul><ul><li>Use absolute execution paths for critical objects (e.g. SYS.dbms_crypto) </li></ul><ul><li>Compare the repository regularly against a (secure) baseline </li></ul><ul><li>For more on rootkits </li></ul><ul><li>http://www.red-database-security.com/wp/db_rootkits_us.pdf </li></ul>
    44. 44. <ul><li>Auditing </li></ul><ul><li>and </li></ul><ul><li>Activity Monitoring </li></ul>
    45. 45. Auditing <ul><li>Is a </li></ul><ul><ul><li>Way to ensure proper controls are in place </li></ul></ul><ul><ul><li>Ensures compliance </li></ul></ul><ul><li>Is not </li></ul><ul><ul><li>A method to secure systems </li></ul></ul><ul><ul><ul><li>But tells you what is not secure </li></ul></ul></ul><ul><ul><ul><li>Or what may result in an incident so that you can investigate </li></ul></ul></ul>
    46. 46. Audit categories <ul><li>Security assessment (Not covered) </li></ul><ul><ul><li>Vulnerability assessment </li></ul></ul><ul><ul><li>Penetration testing </li></ul></ul><ul><li>Activity monitoring (Using the audit trail) </li></ul><ul><ul><li>Helps to identify illicit activity from insiders (authorized users) </li></ul></ul><ul><ul><li>Helps to address unknown threats </li></ul></ul><ul><ul><li>Helps in being pro-active rather than reactive </li></ul></ul>
    47. 47. Audit trail <ul><li>It answers the questions </li></ul><ul><ul><li>Who did it? </li></ul></ul><ul><ul><li>What did they do? </li></ul></ul><ul><ul><li>When did they do it? </li></ul></ul>
    48. 48. Audit trail implementation – Must Monitor Events <ul><li>DBA actions </li></ul><ul><ul><li>DDL statements, Administration commands </li></ul></ul><ul><li>Access to sensitive data </li></ul><ul><ul><li>Database system tables </li></ul></ul><ul><ul><li>As defined in the organization’s policies </li></ul></ul><ul><li>After hours access </li></ul><ul><li>Remote Administration </li></ul><ul><li>Known attacks </li></ul>
    49. 49. Deployment considerations for Audit trail <ul><li>Coverage v/s Volume </li></ul><ul><ul><li>Only store useful information </li></ul></ul><ul><li>False positives </li></ul><ul><ul><li>Too many unnecessary alerts </li></ul></ul><ul><li>Integrity of the audit trail </li></ul><ul><ul><li>No one should be able to modify the audit trail </li></ul></ul><ul><ul><li>Must be stored in secure environment </li></ul></ul>
    50. 50. <ul><li>Conclusion </li></ul>
    51. 51. <ul><li>Question Time </li></ul>
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.