Published on: Mumbai Chapter - June 2013 Meet
Published in: Education, Technology
Database security issues

  1. Ravi Kant Rai: Database Security Issues
  2. Major Security Vulnerabilities
     - Bugs in database software components (e.g. buffer overflows) left unpatched
     - Lack of network isolation (external and internal)
     - Improper security configuration
     - Use of default user accounts and passwords
     - Use of null passwords
     - Excessive privileges
  3. Major Threats
     - Application vulnerabilities
     - Internal employees
  4. Mitigating Risk: Application Vulnerabilities
  5. Default Username and Password
     - When a database is installed with its defaults, default username/password pairs are created:

       Vendor          Username   Password
       Oracle          HR         HR
       MySQL           ROOT
       MS SQL Server   SA         SA
  6. Exploitation
  7. Exploitation
  8. Audit
     - Oracle Database 11g now offers a way to quickly identify users with default passwords, implemented in the rather ludicrously simple way of checking a single data dictionary view: DBA_USERS_WITH_DEFPWD
  9. Solution
     - Lock all default usernames and passwords
     - A password policy must be in place for all users
     - Lockout policies
     - Password lifetime must be configured
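The audit step from slide 8 and the lock-down steps from slide 9 carried through as one Oracle SQL script. This is an added example, not part of the original slides: the profile name app_secure_profile, the account app_user and the numeric limits are assumptions chosen for illustration; DBA_USERS_WITH_DEFPWD, DBA_USERS, DBA_PROFILES and verify_function_11G are real Oracle 11g objects.

```sql
-- Added example (not from the slides). Run as a DBA on Oracle 11g.
-- Finds accounts still using vendor default passwords, locks them, then
-- enforces a password policy (lockout + lifetime) through a profile.

-- 1. Audit: which accounts still carry a default password?
--    DBA_USERS_WITH_DEFPWD lists only the username, so join DBA_USERS to
--    see whether the account is already locked and which profile it has.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Generate the lock statements for every account found above, rather
--    than typing one per account. SYS and SYSTEM must keep working, so
--    change their passwords instead of locking them.
SELECT 'ALTER USER "' || username || '" ACCOUNT LOCK PASSWORD EXPIRE;' AS fix_stmt
  FROM dba_users_with_defpwd
 WHERE username NOT IN ('SYS', 'SYSTEM');

-- The statement the query above produces for the HR sample schema:
ALTER USER "HR" ACCOUNT LOCK PASSWORD EXPIRE;

-- 3. Password policy as a profile. Limits are illustrative values.
--    verify_function_11G ships with Oracle 11g; create it first by running
--    $ORACLE_HOME/rdbms/admin/utlpwdmg.sql as SYS.
CREATE PROFILE app_secure_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5              -- lock after 5 failed logons
  PASSWORD_LOCK_TIME       1/24           -- stay locked 1 hour (fraction of a day)
  PASSWORD_LIFE_TIME       90             -- force a change every 90 days
  PASSWORD_GRACE_TIME      7              -- warn for 7 days before expiry
  PASSWORD_REUSE_MAX       10             -- both REUSE limits must be set
  PASSWORD_REUSE_TIME      365            -- for reuse prevention to apply
  PASSWORD_VERIFY_FUNCTION verify_function_11G;

-- 4. Attach the profile to the application account (assumed name) so the
--    policy applies to all users, not only those with default passwords.
ALTER USER app_user PROFILE app_secure_profile;

-- 5. Verify the limits actually in force for the new profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_SECURE_PROFILE'
   AND resource_type = 'PASSWORD';
```

Re-run the query from step 1 after the changes: any account it still lists should show ACCOUNT_STATUS of LOCKED or EXPIRED & LOCKED, and any new row appearing later (for example after a schema is re-created from a vendor script) is a regression worth alerting on.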
  10. Least Privilege
      - A least-privilege account should be allocated to every application user.
      - It will mitigate the risk of data loss.
  11. Privileges
  12. Public Privileges: Oracle Functions
      - Oracle supplies over 1,000 functions in about 175 standard database packages that can potentially be exploited in a SQL injection attack, for example:

        SELECT TRANSLATE('' || UTL_HTTP.REQUEST('http://192.168.1.1/') || '', '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789') FROM dual;
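The least-privilege account from slide 10 and the PUBLIC-privilege problem from slide 12, worked as one hardening script. This is an added example, not from the slides: the role app_reader_role, the account app_user, the hr.* objects and the schema integration_owner are assumptions; DBA_TAB_PRIVS, DBA_DEPENDENCIES and the UTL_* package names are real Oracle objects.

```sql
-- Added example (not from the slides). Run as a DBA.
-- Gives an application account only the object privileges it uses, and
-- removes EXECUTE on UTL_HTTP from PUBLIC so an injected query cannot
-- reach it. All schema, role and table names are illustrative.

-- 1. A role holding exactly the object privileges the application needs:
--    no ANY privileges, no DBA role, no direct grants to the account.
CREATE ROLE app_reader_role;
GRANT SELECT, INSERT, UPDATE ON hr.employees   TO app_reader_role;
GRANT SELECT                 ON hr.departments TO app_reader_role;
GRANT EXECUTE                ON hr.emp_api_pkg TO app_reader_role; -- PL/SQL API the app calls

-- 2. The connecting account: it can log in and use the role, nothing more.
--    With no quota it owns no data, so injected DDL has nothing to work on.
CREATE USER app_user IDENTIFIED BY "<set-a-strong-password>"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;
GRANT CREATE SESSION  TO app_user;
GRANT app_reader_role TO app_user;

-- 3. Review what PUBLIC may execute. The network packages are the ones
--    slide 12 warns about: any session can call them by default.
SELECT table_name AS package_name
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_HTTP', 'UTL_TCP', 'UTL_SMTP', 'UTL_INADDR', 'UTL_FILE')
 ORDER BY table_name;

-- 4. Before revoking, list the objects that depend on UTL_HTTP: the revoke
--    invalidates any of them that relied on the PUBLIC grant.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_name  = 'UTL_HTTP'
   AND referenced_owner = 'SYS'
   AND owner NOT IN ('SYS', 'SYSTEM');

-- 5. Revoke from PUBLIC and grant EXECUTE only to a schema with a genuine
--    need for outbound HTTP (assumed name; omit if there is none).
REVOKE EXECUTE ON utl_http FROM PUBLIC;
GRANT  EXECUTE ON utl_http TO integration_owner;

-- 6. Confirm that the application account no longer sees the package: the
--    grantee list for UTL_HTTP should contain neither PUBLIC nor APP_USER.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE table_name = 'UTL_HTTP'
   AND owner      = 'SYS';
```

With the grant removed, the UTL_HTTP call shown on slide 12, issued as app_user, fails with an invalid-identifier error instead of contacting the remote host. On 11g, UTL_HTTP is additionally subject to network ACLs (DBMS_NETWORK_ACL_ADMIN): with no ACL granted, outbound connections are refused even for accounts that hold EXECUTE, so the two controls reinforce each other.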
  13. Auditing
      - For Oracle's built-in auditing functionality, you must not only determine the rationale behind turning auditing on, but also the level of auditing and its impact on system resources.
      - Oracle auditing is turned on as soon as you set AUDIT_TRAIL. We can audit the following:
        - Statement auditing: audits on the type of SQL statement used, such as any SQL statement on a table.
        - Privilege auditing: audits use of a particular system privilege, such as CREATE TABLE.
        - Object auditing: audits specific statements on specific objects, such as ALTER PROFILE on the DEFAULT profile.
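The three kinds of auditing named on slide 13, configured and then queried. This is an added example, not from the slides: hr.employees is an assumed table; AUDIT_TRAIL, the AUDIT statements and DBA_AUDIT_TRAIL are Oracle's standard (pre-unified) auditing features.

```sql
-- Added example (not from the slides). Run as SYSDBA on Oracle 11g.
-- Turns on standard auditing, sets up one audit of each kind the slide
-- lists, then shows how to measure its volume and read the trail.

-- 1. AUDIT_TRAIL is a static parameter: change it in the SPFILE and
--    restart. DB,EXTENDED also stores the SQL text and bind values.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
-- SHUTDOWN IMMEDIATE; STARTUP;   (needed for the change to take effect)

-- 2. Statement auditing: every statement of a type, here logons/logoffs.
AUDIT SESSION;

-- 3. Privilege auditing: each use of a system privilege. BY ACCESS writes
--    one record per call instead of one per session.
AUDIT CREATE TABLE        BY ACCESS;
AUDIT ALTER PROFILE       BY ACCESS;   -- password policy changes leave a trail
AUDIT GRANT ANY PRIVILEGE BY ACCESS;

-- 4. Object auditing: specific statements on a specific object (assumed
--    table). WHENEVER NOT SUCCESSFUL alone would record only failures.
AUDIT SELECT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- 5. Resource impact (the slide's second point): how much the trail grows
--    per day. Check this before widening the audit policy further.
SELECT TRUNC(timestamp) AS audit_day, COUNT(*) AS records
  FROM dba_audit_trail
 GROUP BY TRUNC(timestamp)
 ORDER BY audit_day DESC;

-- 6. A first detection query: failed logons in the last 24 hours.
--    RETURNCODE holds the ORA error number; 1017 is "invalid username/password".
SELECT username, os_username, userhost, timestamp, returncode
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp  > SYSDATE - 1
 ORDER BY timestamp;

-- 7. Who touched the audited table, and what they ran (SQL_TEXT is
--    populated only with AUDIT_TRAIL = DB,EXTENDED).
SELECT timestamp, username, action_name, sql_text
  FROM dba_audit_trail
 WHERE owner    = 'HR'
   AND obj_name = 'EMPLOYEES'
 ORDER BY timestamp DESC;
```

Step 5 is the practical answer to the slide's resource question: SYS.AUD$ lives in the SYSTEM tablespace by default, so an audit policy that records every SELECT on a busy table can fill it quickly; measure first, then purge on a schedule (DBMS_AUDIT_MGMT in 11g) and keep the retained records somewhere the DBA role cannot edit.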
  14. Architecture Review (Oracle)
  15. Secure Network Architecture
  16. Application Security Solution
  17. Major Threat: SQL Injection
      - A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
      - A successful SQL injection exploit can read sensitive data from the database and modify the database.
      - SQL injection attacks occur when the data entered in the application comes from an untrusted source and that same data is used to dynamically construct a SQL query.
  18. SQL Injection
  19. Error
  20. Solution
      - An error-based trigger could be a solution for SQL injection.
      - The most powerful protection against SQL injection attacks is the use of bind variables.
      - Every passed string parameter should be validated.
      - The PL/SQL Gateway can be configured to display varying levels of error messages.
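The dynamic-query condition from slide 17 and the bind-variable, validation and error-message points from slide 20, shown side by side in PL/SQL. This is an added example, not from the slides: the functions get_salary_unsafe, get_salary_safe and count_rows and the hr.employees table are assumptions; EXECUTE IMMEDIATE ... USING, REGEXP_LIKE and DBMS_ASSERT are standard Oracle features.

```sql
-- Added example (not from the slides). The same lookup written two ways.
-- Function and table names are illustrative.

-- 1. Injectable form: the caller's string becomes part of the SQL text, so
--    a quote character in p_name changes the statement's structure. This is
--    exactly the "untrusted data used to construct a query" case on slide 17.
CREATE OR REPLACE FUNCTION get_salary_unsafe (p_name IN VARCHAR2)
  RETURN NUMBER
IS
  v_sal NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT salary FROM hr.employees WHERE last_name = ''' || p_name || ''''
    INTO v_sal;
  RETURN v_sal;
END;
/

-- 2. Hardened form: the SQL text is a constant and :1 is a bind variable.
--    p_name travels as data, so whatever it contains it cannot alter the
--    query. Validation and error handling follow slide 20's other points.
CREATE OR REPLACE FUNCTION get_salary_safe (p_name IN VARCHAR2)
  RETURN NUMBER
IS
  v_sal NUMBER;
BEGIN
  -- Validate the parameter: bounded length, letters/space/hyphen/apostrophe
  -- only (O'Brien is a legitimate surname). Fail closed on anything else.
  IF p_name IS NULL OR LENGTH(p_name) > 25
     OR NOT REGEXP_LIKE(p_name, '^[[:alpha:]'' -]+$') THEN
    RAISE_APPLICATION_ERROR(-20001, 'invalid name');
  END IF;

  EXECUTE IMMEDIATE
    'SELECT salary FROM hr.employees WHERE last_name = :1'
    INTO v_sal
    USING p_name;
  RETURN v_sal;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN NULL;
  WHEN OTHERS THEN
    -- Record the real error server-side (e.g. via an autonomous logging
    -- procedure) and return a generic message: verbose ORA- text sent to
    -- the client is what an error-based injection feeds on.
    RAISE_APPLICATION_ERROR(-20002, 'lookup failed');
END;
/

-- 3. Identifiers (table or column names) cannot be bound. When one must be
--    spliced into SQL, pass it through DBMS_ASSERT so only the name of an
--    existing object gets through; anything else raises ORA-44002.
CREATE OR REPLACE FUNCTION count_rows (p_table IN VARCHAR2)
  RETURN NUMBER
IS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO v_cnt;
  RETURN v_cnt;
END;
/
```

Binding also gives the shared pool one cursor for every value of p_name instead of one hard parse per distinct string, so the secure form is normally the faster one as well. For the gateway point on slide 20, the relevant mod_plsql DAD setting is PlsqlErrorStyle: DebugStyle returns full error detail to the browser and belongs in development only.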
  21. Thanks
