Building a database security program

This presentation was given at the BSidesMemphis 2012 and DerbyCon 2012 information security conferences. It lays out the process that a person should follow to implement a database security program specific to their organization.


  1. BUILDING A DATABASE SECURITY PROGRAM
     Matt Presson (@matt_presson)
     Sr. Information Security Analyst, Leading Multi-National Insurance Brokerage
  2. WHO AM I?
     - Sr. Information Security Analyst
     - Focus mainly on Application Security and related issues
     - Recently focused on designing a database security program
  3. OBJECTIVE
     - Why database security is important
     - The process of developing the program
     - What to watch out for
     - NOT giving a blueprint!
  4. WHY DATABASE SECURITY?
  5. BECAUSE WE ARE FAILING!
  6. WHY DATABASE SECURITY?
     - It stores your most sensitive data
     - Traditional controls are not adapted to new attacks
       - Firewalls
       - IDS, IPS
       - AV, HIDS and HIPS
       - Full Disk Encryption
     - Breaches are still happening!
  7. WHY DATABASE SECURITY?
  8. HIGH-LEVEL OVERVIEW
     - Planning: Determine Stakeholders; Goals & Focus Areas; Standards & Policies
     - Implementation: Discover & Assess; Secure Access; Secure Infrastructure; Monitor
     - Ongoing Management: Periodic Audits; Review and Update Standards; Review and Update Policies
  9. PLANNING
     - Determine stakeholders
       - People with a vested interest in keeping data safe
       - Not just a part of the security department
       - Critical business leaders
       - Compliance/Audit organization
       - Application support managers
     - Determine your goals and areas of focus
       - Address current business issues and concerns
       - Unique to each organization
     (Sidebar: Planning phase steps)
  10. PLANNING
     - Standards and Policies
       - Build configurations
       - Password complexity
       - Access control
       - Permissions management
       - Data classification
     (Sidebar: Planning phase steps)
  11. PLANNING
     - Data Classification
       - Different levels of assurance for different data types
       - Keep it SIMPLE!
       - Example (security viewpoint):
         - Confidential – e.g. HR data, Financials, etc.
         - Internal – e.g. Org Charts
         - Public – Released earnings info, Company tweets, etc.
     (Sidebar: Planning phase steps)
  12. HIGH-LEVEL OVERVIEW
     - Planning: Determine Stakeholders; Goals & Focus Areas; Standards & Policies
     - Implementation: Discover & Assess; Secure Access; Secure Infrastructure; Monitor
     - Ongoing Management: Periodic Audits; Review and Update Standards; Review and Update Policies
  13. IMPLEMENTATION LIFECYCLE
     Discover and Assess → Secure Access → Secure Infrastructure → Monitor (and repeat)
  14. DISCOVERY AND ASSESSMENT
     - Focus at the application layer
     - Gather a manageable list of business critical apps
       - What are your most important systems?
       - What applications have the largest impact on your ability to do business?
       - What systems do our auditors/regulators care about most?
     (Sidebar: implementation lifecycle)
  15. SECURE ACCESS
     - Minimize the number of accounts
       - Get a list of accounts from DBA
       - Group the accounts by usage, e.g. Applications, DBAs, Individuals (normal and admin)
     - Reduce the number of admin accounts
       - Talk to the person – determine what the real need is
     - Minimize account permissions
       - Can you use a view?
       - What about a stored procedure?
     (Sidebar: implementation lifecycle)
  16. SECURE ACCESS
     - Control where accounts access from
       - Are web and application servers ok?
       - Should DBAs have access directly from their workstations?
       - Should employees have access from their workstations?
       - Do you need terminal servers or bastion hosts?
       - Should a database be accessible from the Internet?
     (Sidebar: implementation lifecycle)
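The permission and source-host questions on slides 15 and 16 worked through in MySQL syntax, as an added example that is not part of the deck. The schema, account name, subnet and procedure are assumptions; the password is a placeholder.

```sql
-- Added example (not from the deck): least privilege for an application
-- account in MySQL. Table, column, host and account names are assumptions.

-- Before: the account reads every column of the base table from any host,
-- so any flaw in the application exposes the whole table.
CREATE USER 'hr_app'@'%' IDENTIFIED BY '<strong password here>';
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.employees TO 'hr_app'@'%';

-- After, step 1: bind the account to the application servers' subnet only
-- (slide 16: control where accounts access from).
DROP USER 'hr_app'@'%';
CREATE USER 'hr_app'@'10.20.30.%' IDENTIFIED BY '<strong password here>';

-- Step 2: expose only the columns the application needs through a view
-- (slide 15: "can you use a view?"). MySQL views run with the definer's
-- rights by default, so the application needs no rights on hr.employees.
CREATE VIEW hr.employee_directory AS
    SELECT employee_id, full_name, department, work_email
    FROM   hr.employees
    WHERE  terminated_on IS NULL;

-- Step 3: put the one write path behind a stored procedure that validates
-- its input (slide 15: "what about a stored procedure?"), so the account
-- never needs UPDATE on the base table.
DELIMITER $$
CREATE PROCEDURE hr.update_work_email(IN p_employee_id INT, IN p_email VARCHAR(254))
SQL SECURITY DEFINER
BEGIN
    IF p_email NOT LIKE '%_@_%._%' THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'invalid e-mail address';
    END IF;
    UPDATE hr.employees
    SET    work_email = p_email
    WHERE  employee_id = p_employee_id;
END$$
DELIMITER ;

-- Step 4: grant exactly what the view and procedure need and nothing else.
GRANT SELECT ON hr.employee_directory TO 'hr_app'@'10.20.30.%';
GRANT EXECUTE ON PROCEDURE hr.update_work_email TO 'hr_app'@'10.20.30.%';

-- Check: the output should list only the view and procedure grants.
SHOW GRANTS FOR 'hr_app'@'10.20.30.%';
```

Run the script as a DBA account that owns the hr schema; the application account itself never needs to be able to read hr.employees directly.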
  17. SECURE INFRASTRUCTURE
     - Ensure you are up-to-date on OS patches
       - Free / Commercial scanners
       - Windows Update
       - *nix distro repositories
     - Don’t forget about the DB software itself!
       - MySQL authentication bypass – CVE-2012-2122
       - Oracle TNS Poisoning – CVE-2012-1675
       - SQL Server 2003 Local Administrator group
     (Sidebar: implementation lifecycle)
  18. MONITORING
     - Watch what your employees are doing
       - Built-in transaction logs or auditing solutions
       - Third-party tools
       - Database triggers
     - Have different levels of monitoring
       - Failed logins for everyone
       - All activity by privileged accounts
       - Individual account activity outside of “the norm”
     (Sidebar: implementation lifecycle)
  19. MONITORING
     - Watch for specific events
       - Access outside of the normal activity period
       - Failed login attempts
       - Returning too much sensitive data
       - Abnormally high number of requests
       - SQL injection attempts
     (Sidebar: implementation lifecycle)
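The three monitoring levels of slide 18 and the specific events of slide 19 expressed as detection queries, as an added example that is not part of the deck. The db_audit table, its columns, the account names and the thresholds are all constructed assumptions; in practice the queries would run against the vendor's audit log or a SIEM table.

```sql
-- Added example (not from the deck): detection queries over a constructed
-- audit table in MySQL syntax. Table, columns, accounts and thresholds are
-- assumptions; an assumed application account is named hr_app.
CREATE TABLE db_audit (
    event_time    DATETIME     NOT NULL,
    account       VARCHAR(64)  NOT NULL,
    client_host   VARCHAR(255) NOT NULL,
    event_type    ENUM('LOGIN_OK', 'LOGIN_FAIL', 'QUERY') NOT NULL,
    object_name   VARCHAR(128),                -- table or view touched, if known
    rows_returned INT          NOT NULL DEFAULT 0,
    INDEX (account, event_time)
);

-- Level 1 (everyone): accounts with 5 or more failed logins in the last 10 minutes.
SELECT account, client_host, COUNT(*) AS failures, MIN(event_time) AS first_failure
FROM   db_audit
WHERE  event_type = 'LOGIN_FAIL'
  AND  event_time >= NOW() - INTERVAL 10 MINUTE
GROUP  BY account, client_host
HAVING COUNT(*) >= 5;

-- Level 2 (privileged accounts): every statement from the last day, in full.
SELECT event_time, account, client_host, object_name, rows_returned
FROM   db_audit
WHERE  account IN ('root', 'dba_admin')         -- assumed admin account names
  AND  event_time >= NOW() - INTERVAL 1 DAY
ORDER  BY event_time;

-- Level 3 (outside the norm): application activity outside its 06:00-20:00
-- window, or one query returning far more rows from a sensitive table than usual.
SELECT event_time, account, client_host, object_name, rows_returned
FROM   db_audit
WHERE  event_type = 'QUERY'
  AND  event_time >= NOW() - INTERVAL 1 DAY
  AND (
        (account = 'hr_app' AND HOUR(event_time) NOT BETWEEN 6 AND 20)
     OR (object_name = 'employees' AND rows_returned > 1000)
      );

-- Abnormally high number of requests: this hour's count per account against
-- that account's average hourly count over the previous 30 days.
SELECT h.account, h.this_hour, b.hourly_avg
FROM  (SELECT account, COUNT(*) AS this_hour FROM db_audit
       WHERE event_time >= NOW() - INTERVAL 1 HOUR GROUP BY account) AS h
JOIN  (SELECT account, COUNT(*) / (30 * 24) AS hourly_avg FROM db_audit
       WHERE event_time BETWEEN NOW() - INTERVAL 31 DAY AND NOW() - INTERVAL 1 DAY
       GROUP BY account) AS b USING (account)
WHERE h.this_hour > 10 * b.hourly_avg;
```

Each query is meant to be scheduled (for example hourly) and its rows forwarded to the people identified as stakeholders in the planning phase, with the thresholds tuned to the organization's own baseline.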
  20. IMPLEMENTATION LIFECYCLE
     Discover and Assess → Secure Access → Secure Infrastructure → Monitor (and repeat)
  21. HIGH-LEVEL OVERVIEW
     - Planning: Determine Stakeholders; Goals & Focus Areas; Standards & Policies
     - Implementation: Discover & Assess; Secure Access; Secure Infrastructure; Monitor
     - Ongoing Management: Periodic Audits; Review and Update Standards; Review and Update Policies
  22. ONGOING MANAGEMENT
     - Periodically audit completed systems
       - Work with your DBAs
       - Collaborate with internal audit
     - Keep your documentation current
       - Review updated vendor documents
       - Discuss upcoming migration plans with technology teams
     (Sidebar: Periodic Audits; Review / Update Standards; Review / Update Policies)
  23. SUMMARY
     - We have to protect the data
     - Engage with the business
       - Determine their concerns
       - Address their issues
       - Become a business partner/enabler
     - Secure your most critical systems first
     - Don’t forget about the infrastructure
     - Monitor, monitor, monitor
     - Stay current
  24. QUESTIONS?
  25. APPENDIX 1 – STANDARDS AND POLICIES
     - Resources
       - Database Vendor
       - NIST
       - Government Agencies, e.g. NSA
       - Standards Bodies, e.g. SANS, IANS
       - International CERTs
       - Existing company documentation
