Database Security: What Gets Overlooked?

I produced this webinar, copy-edited the presentation, created graphical concepts and sourced graphics.

  1. Database Security: What Gets Overlooked?
     Cal Slemp, Managing Director, Protiviti
     James Hulscher, Senior Manager, Protiviti
     The program will begin shortly. Please listen to the webinar through your computer with the speakers turned on.
     © 2012 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
  2. Some Reminders . . .
     ASKING QUESTIONS: Click on the “ASK A QUESTION” link at the top of your screen. Please provide your email address for a swift reply.
     Q&A: There will be a Q&A session at the end of the presentation.
     COPY OF SLIDES: After the webinar, all attendees will be able to access the recording and the presentation slides.
     POLLING QUESTIONS/VOTES: Participation is voluntary. Results will be included in the slides.
     NEED HELP? If you need help during the webinar, click “RATE THIS” → “Not hearing audio? Click here for help”.
  3. Today’s Presenters
     Cal Slemp
     – Global Protiviti leader for IT Security & Privacy
     – 30+ years of experience in information technology risk & strategy consulting
     – Deep expertise in the pharmaceutical, manufacturing, consumer packaged goods and retail industries
     James Hulscher
     – 15 years of experience in IT
     – Manufacturing, education, health care, insurance, and financial services
     – Completing Ph.D. in Information Assurance with specialization in security
  4. Why Is Database Security Critical?
     – Highly valuable asset: DATA
     – Vulnerable
     – Supports business-critical operations
     – Data breach requirements
     – Data leveraged for further attacks
     – As strong as your weakest link
     – Database attacks steadily increase
  5. Security Breaches Continue to Worsen
     2011: Yet another record-breaking year for security breaches
  6. Database Security – Types of Attacks
     Attacks on organizational data infrastructure are becoming increasingly complex
  7. Database Security – Tools and Resources
     – Increased malware availability
     – Rapidly advancing capability
     – Organizational resources and pace are outstripped
  8. Database Security – Who’s Responsible for the Data?
     The Challenge: A proactive, evolving, and privacy-focused strategy and methodology
  9. Database Security – Who’s Responsible for the Data?
     Who in the organization is responsible for data security and privacy?
  10. Database Security – Who’s Responsible for the Data?
     Everyone!
     – Security Team(s)
     – DBAs/Architects
     – Developers/Application Support
     – Network and Systems Administrators
     – End Users
     – Vendors (Extranets)
  11. Database Security – Significant Loss
     $7.2 Million
  12. The Evolution of Data Security – Data As the Target
  13. The Evolution of Data Security – Organized Attacks
     Typically an organized group of malicious users, not just an individual, and typically operating globally.
  14. The Evolution of Data Security – Regulatory Requirements
     – Compliance and regulatory requirements for organizations have significantly increased
     – IT auditors must understand the avenues to the data and the impacts of weak or missing controls
     – More than just network penetration tests, vulnerability scans and database penetration tests
  15. The Evolution of Data Security – Consumer Awareness
     Consumer awareness of data theft = Financial Loss + Reputation Damage
  16. The Evolution of Data Security – A Paradigm Shift
  17. The Evolution of Data Security – A Paradigm Shift
     Comprehensive view of securing data, and the systems within the enterprise
  18. Why the Data?
     – Data leakage can provide the information for a much more sophisticated attack on an organization
     – Ultimately, the data will lead to some type of gain
  19. Understanding Database Logging
  20. Understanding Database Logging
     Native Logging (Vendor Provided)
     – How did the user get to the DB?
     – How/when/who created the user?
  21. Database Monitoring
     Identifies:
     – Unauthorized changes to data structure
     – Illicit activity (e.g. mass data extract)
     Provides audit trails for compliance requirements
  22. Database Monitoring
     Prevention and early detection for quick reaction
  23. What Types of Changes Take Place Within a Database?
     DML is Data Manipulation Language
     – Insert
     – Select
     – Update
     – Delete
  24. What Types of Changes Take Place Within a Database?
     DML attack via SQL Injection
  25. What Types of Changes Take Place Within a Database?
     DCL is Data Control Language
     – Grant: grant rights to an object or entire database
     – Revoke: remove access rights to an object or database
  26. What Types of Changes Take Place Within a Database?
     Why is DCL critical to DB functions?
     – A malicious user can grant/revoke rights to users, schemas, and applications that connect to a DB.
  27. Methodology: Outside-In
     – Tools
     – Technologies
     – Security Appliances
     – Controls
  28. Methodology: Outside-In
     Audit and systematic reviews of:
     – Database activity
     – DML/DCL changes from external sources
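Slides 21 and 28 describe database monitoring as a review of activity records for unauthorized structure changes, DCL changes, mass data extracts and changes arriving from external sources. The review below is an added example, not material from the webinar: it runs exactly those checks over a constructed audit log. The pipe-delimited log format, the DBA_ACCOUNTS set, the INTERNAL_NET prefix and the MASS_EXTRACT_ROWS threshold are all assumptions made for the example.

```python
# Added example, not from the Protiviti deck: a review pass over database audit
# records looking for the conditions the monitoring slides name. The log format
# below is constructed for this example (no real vendor emits it):
#   timestamp|db_user|client_host|rows_affected|statement
AUDIT_LOG = """\
2011-11-14T02:10:05|appsvc|10.0.5.21|1|SELECT * FROM users WHERE userNAME='jdoe'
2011-11-14T02:11:47|appsvc|10.0.5.21|48213|SELECT userNAME, userpass FROM users
2011-11-14T02:12:03|appsvc|10.0.5.21|0|GRANT ALL ON users TO appsvc
2011-11-14T03:00:12|dba_cs|10.0.1.8|0|REVOKE INSERT ON orders FROM reporting
2011-11-14T03:04:30|vendor1|203.0.113.77|0|ALTER TABLE orders ADD COLUMN notes TEXT
2011-11-14T03:05:11|vendor1|203.0.113.77|2|UPDATE orders SET status='PAID' WHERE id IN (10,11)
"""

DBA_ACCOUNTS = {"dba_cs"}      # assumption: accounts approved to issue DCL/DDL
INTERNAL_NET = "10.0."         # assumption: the organization's own address space
MASS_EXTRACT_ROWS = 10_000     # assumption: SELECT row count that warrants review

# Statement classes as the deck defines them (DCL = Grant/Revoke, DML = Insert/
# Select/Update/Delete); DDL covers the "changes to data structure" on slide 21.
STATEMENT_CLASS = {
    "GRANT": "DCL", "REVOKE": "DCL",
    "CREATE": "DDL", "ALTER": "DDL", "DROP": "DDL",
    "SELECT": "DML", "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML",
}


def classify(statement):
    """Return DCL, DDL, DML or OTHER based on the leading keyword."""
    keyword = statement.strip().split(None, 1)[0].upper()
    return STATEMENT_CLASS.get(keyword, "OTHER")


def review(log_text):
    """Return (timestamp, user, reason) findings for every suspicious record."""
    findings = []
    for line in log_text.splitlines():
        ts, user, host, rows, stmt = line.split("|", 4)
        kind = classify(stmt)
        # Rights or structure changed by an account that is not a DBA.
        if kind in ("DCL", "DDL") and user not in DBA_ACCOUNTS:
            findings.append((ts, user, f"{kind} by non-DBA account: {stmt}"))
        # Mass data extract: one SELECT returning far more rows than normal use.
        if stmt.upper().startswith("SELECT") and int(rows) >= MASS_EXTRACT_ROWS:
            findings.append((ts, user, f"mass data extract ({rows} rows): {stmt}"))
        # DML/DCL/DDL arriving from outside the corporate network.
        if kind != "OTHER" and not host.startswith(INTERNAL_NET):
            findings.append((ts, user, f"{kind} from external host {host}: {stmt}"))
    return findings
```

On the sample log the DBA's REVOKE from an internal host produces no finding, while the application account's GRANT to itself and the vendor's schema and data changes from an external address each do.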
  29. Methodology: Outside-In
     Types of access control
  30. Methodology: Outside-In
     Encryption
  31. Methodology: Inside-Out
     Internal attacks are likely, due to:
     – Abuse of privileged and super user accounts
     – End users allowing code/malware to enter: email, social media, thumb drives
     – Abuse of data by organizational partners or service providers
  32. Methodology: Inside-Out
     Develop and encrypt data that can only be used by applications.
  33. Methodology: Inside-Out
     – Background check
     – Financial monitoring
     – Criminal monitoring
  34. Methodology: Inside-Out
     Incident Preparation and Response
  35. Methodology: Inside-Out
     3rd-party audits
     – Deep database penetration tests
     – Reviews of database logs
     – Manual testing of applications
  36. Let’s Review Some Examples
     SQL Injections – How they work at a high level
  37. SQL Example 1
     SQL Injection. Web-based application communicating with a backend database.
     “OLE DB Provider…ODBC SQL Driver [SQL Server] Error xxxxxxx error converting “ABC” into a column of data type int”
  38. SQL Example 2
     Using http or a webpage once a footprint has been detected.
     http://ABCBank/index.asp?username=admin; password=1' OR 1=1;--
  39. What Is a Stored Procedure?
     Stored Procedures – the solution for preventing SQL Injections?
  40. SQL Example 3
     Allowing direct SQL sessions to your database
     – telnet session
     – T-SQL
     – PL/SQL
     Example: SELECT userNAME from users where userNAME=' '; shutdown with nowait; --' and userpass=' '
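The password value from slide 38 and the question on slide 39, worked through as an added example that is not part of the deck: a login lookup built by string concatenation (the pattern the slides describe) beside the same lookup with bound parameters. Python's sqlite3 module and an in-memory users table stand in for the web application's SQL Server backend; the accounts and passwords are constructed.

```python
import sqlite3

# Constructed sample data standing in for the web application's backend
# database on slides 37-38; the accounts and passwords are made up.
USERS = [("admin", "S3cret!"), ("jdoe", "winter2011")]


def make_db():
    """Create an in-memory database with the users table the slides query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userNAME TEXT, userpass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable pattern: user input is pasted into the SQL text, so a quote
    in the password ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT userNAME FROM users WHERE userNAME='%s' AND userpass='%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """Hardened pattern: the SQL text is fixed and the values are bound, so the
    same input is compared as a password string and matches nothing."""
    sql = "SELECT userNAME FROM users WHERE userNAME=? AND userpass=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Run the slide 38 input through both paths and return the results."""
    conn = make_db()
    payload = "1' OR 1=1;--"          # the password value from slide 38
    return {
        "concatenated": login_concatenated(conn, "admin", payload),
        "parameterized": login_parameterized(conn, "admin", payload),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated query returns every user because `OR 1=1` is true for all rows, while the parameterized query returns none. Stored procedures (slide 39) help only when they take their inputs as parameters this way; a procedure that concatenates its arguments into a dynamic SQL string and executes it inherits the same flaw.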
  41. Unification
     An example
     – DBO (Privileged Account) with no rights to write data to the server
     – Server admin creates DBO account for DBA
     – Consistency in password procedures?
  42. Further Unification Evaluation – Real World Examples
     Another example
     – Install of 3rd-party app requires admin rights
     – Password change may impact maintenance and support
     – Additional risks
  43. Database Auditing
     Database systems are both the most overlooked and the most crucial areas in need of securing
     Database security requirements in:
     – HIPAA
     – HITECH
     – SOX
     – GLBA
     – Dodd-Frank
     – ISO 27000
     – PCI DSS
     – EU Data Protection Directive
     – US Patriot Act (AML)
     – Various industry requirements
  44. Auditing Database Errors
     Architecture reviews – applications and middleware
  45. Principles for Developing a Database Audit Strategy
     – Protect the audit trail
     – Audit mainstream activities
     – Audit critical actions
     – Archive audit records
  46. Controls are Critical
     Document
     – Storage management architecture
     Audit
     – At random times
     – Especially after migrations, upgrades, and during implementation
  47. Database Improvements Will Enable Compliance
     Example – Configuration Parameters
  48. Tools and Resources
     Commercial Tools:
     – Acunetix – website vulnerability scanning tool
     – Nessus – vulnerability assessment scanning tool
     Freely Available:
     – BackTrack5 – numerous vulnerability assessment tools
     – Havij – find SQL Injection vulnerabilities
  49. 2012 and the Continued Evolution
     – Data protection requirements will increase
     – More mobile devices
     – Social media = more ways to share data
     – Know your data
  50. Contact Information
     For more information about our approach to database security, including database logging and database monitoring, please contact:
     Jim Hulscher
     601 Carlson Parkway, Suite 1120
     Minnetonka, MN 55305 USA
     Direct: 952.249.2219
     james.hulscher@protiviti.com
     Powerful Insights. Proven Delivery.®
  51. VOTES
  52. VOTES
  53. VOTES
