securityCORNER
     Database Security in Linux Environments: Standards & Practices




Database Security in Linux Environments: Standards & Practices
Richard C. Batka

The Database in the information technology world is really akin to the vault in the old school banking world. It's where the cash is.




Database Security
Databases are where organizations are storing their crown jewels, their most important information, whether it be their intellectual property, or customer information, healthcare information, banking or credit card information. Data has become the heart of the business.
    The database is *THE* place where data lives 99 percent of its life. So it only makes sense to secure that data repository the same way the banks secure the vault. The big heavy door protecting the little compartments inside and the security guards are layers that really protect the inner core – where the money is.

Fact
43 percent of databases contain critical/sensitive data.

Consolidation & Clustering
There is a radical shift that's going on in the market and it's being driven by the database vendors. It's a move towards database consolidation, clustering technologies, multi-application, and multi-tenant environments. What you will find is that these vendors are going into the market saying run bigger, more powerful databases, and do more with them. In doing that, according to the prevailing logic, you're going to use less computing power and you will save a ton of money – because 1 system can host multiple applications. (Yes my friends, performance will be a topic for another article.)
    So the world becomes one big happy Oracle database running on a Linux cluster that can serve 4 or 5 different applications instead of having 4 or 5 different separately administered databases. What about Software as a Service (cloud computing models)? Now some companies are offering up application and even database access as a service.
    Those databases have become multi-tenant structures where a bunch of different companies are all storing their data in a shared database (take the SaaS model for example).

Database Security in Linux Environments is Changing
Other changes are taking place; we are seeing a change that is being driven not only by the cloud model, but


LINUX+DVD 1/2010



by the multi-tenant nature that you see inside the cloud. Take a look at an internal cloud situation in a large organization; it probably doesn't change very much. But if you're a company selling cloud services, or a global organization that is a consumer of them, you will find applications storing data from lots of different customers in one place.

Example
Salesforce.com customer data sits in a database with a whole bunch of other companies' customer data and it's all being served up by the Salesforce application. Security requirements on that system (and by the way, they use Linux) are much more stringent because the cost of a breach isn't just one customer's data, but the data from a number of different customers (outside), and they know that makes them very attractive to attackers.

Fact
84 percent of organizations feel that their database security is adequate.

Attackers have a lot more to go after when you have these big repositories, either because they are clusters or because they are multi-tenant databases, so it's a more interesting target with a more valuable reward. As the target becomes more interesting, obviously the security requirements need to get more stringent in order to protect that target.

Fact
Most organizations will experience more than 1 breach every 12 months.

As a database user, I become a potential attacker trying to get access to the other tenants' data in a system, because chances are my competitor's information is on the same system: they are consumers of the same service that I am.

We Need the Security Requirements to Become More Stringent
You're not just trying to protect against some hacker sitting in a dorm room making an internet connection to the database; you're dealing with your legitimate customer, the inside user trying to abuse the access you have given them inside the system to get access to other people's data. There you see the tie-in very clearly between the database application and the operating system that runs it.

Attack the db to Attack the o/s to Attack the db?
We all know that Linux is the premier choice for a secure operating system platform, but that reputation causes people to take a relaxed stance when addressing security. The environment also changes when you drop your favorite database on top of that operating system. The majority of today's




Figure 1. Circle red raw


www.lpmagazine.org/en



databases are so complicated and intricate that it's almost like running another operating system entirely. Vulnerabilities in the database expose the underlying operating system (regardless of vendor), as do the misconfigurations in the database, all of which can turn back around and expose the database.

Example
Functionality in the database that lets a database user read and write operating system files directly in Oracle (a default privilege granted to everyone) is the PRIVILEGE TO EXECUTE UTL_FILE. It lets you read/write files in the operating system through the database, so if I can do that as a user I can now do other stuff like open up the database backup file and pull out (copy) all the other data (raw data file format). Then import it into my local instance of the database, which will let me see all the other tenants' data.
    As an owner of data you should become more concerned about the safety of your data when you store it in a multi-tenant situation. Be on the lookout for competitive business situations where you can potentially have all your competitors storing their information in the same database as well.

Example
What if you're a credit card processor and you are processing transactions for competing merchants? Think of all those restrictions, those controls that your customers are going to want to have to keep their data segregated from one another. Look to deploy very stringent policy wherever possible. Remember, it's everyone's business at risk. The big credit card breaches that we have seen over the last year or two – Heartland Payment Systems, TJX, DSW Shoes – were apparently all done by the same group of people using the same attack vectors.

Figure 2. Alert

Tip
SQL injection attacks happen when an application constructs SQL statements directly from user input, or when the application uses stored procedures to connect to the cluster. People frequently think that the use of SSL or IPSec will protect them (they are just looking at the wrong layer of the OSI model). Popular countermeasures are:

•   Constraining user input
•   Parameterized SQL for data access
•   Least privileged account to access the database
•   Type-safe SQL in combination with dynamic SQL

What you will see is that the SQL injection attack method will continue to be used, and will be used to inject vulnerabilities into applications to directly interact with the database in order to leverage database misconfigurations and vulnerabilities; to directly interact with the operating system underneath the database; and then to leverage that operating system access to install things like sniffer software that could monitor the network and watch actual credit card transactions being validated by credit card providers on the network. That goes from an attack where you're hitting a web application and maybe could deface an application, to you hitting the database.
    It's here that you can gain access to customer information like credit card numbers and names that you could use to make fraudulent purchases. Even attacks where you pick up the actual credit card validation traffic, where now you have all the information that you need to print fake credit cards, which is really the ultra scary situation.
Warning
It's the chain of vulnerabilities that gets to the core operating system that was actually secure in the beginning, but all bets are off when you start attacking it as the database user (which is a privileged operating system user on most systems). It's important to pay careful attention to what folks are doing with their database, since it becomes a matter of the weakest link regardless of the security of the operating system platform.

Figure 3. Dashboard

Fact
SQL Injection is a simple attack method and continues to be devastatingly effective.

From the attacker's perspective there really is no good reason to move beyond it until it ceases to be such a successful attack vector. The severity of this situation is only multiplied as the popularity of virtualization/multi-tenant architectures continues to grow.

Fact
The Heartland Payment Systems (Princeton, N.J.-based provider of credit and debit card processing services) 2008/2009 data breach displaced the TJX Companies January 2007 breach in the record books as the largest ever breach, with over 100 million cards being compromised.

The SQL injection attack is so effective because there are millions of web applications loaded with vulnerabilities, and people are just not fixing them. From a systems perspective, these risks are so critical because they exist right at the location where the data is being stored. That is where database security really comes into focus.

Database Standards & Practices
Today's Linux security practitioner, tasked with the security of the most valuable corporate assets, should take a lifecycle approach.

Step One: Discover
Before you can secure anything, you need to know what you have. A detailed inventory of your database environment is key. Keep in mind that the environment is constantly changing, so this part will need to be done continuously to keep up with the changes in a dynamic environment – particularly if you are in a heavily virtualized environment.

Step Two: Classify
Classify your databases. Ok, so you found an Oracle database, that's cool, but what does that mean? What is it holding? Is it the roster of the company softball team? Or is it the database that handles my cash transactions? Or the next place that I'm going to drill for oil?
    Classify the databases by business value. It's a critical step in the lifecycle to really help you focus on what's important.

Step Three: Assess – 3 pillar approach

First Pillar: Vulnerabilities
Does your database have vulnerabilities that can really expose you? Vulnerabilities to look out for are ones like:

•   Denial of service attacks, where someone can stop the database from running or responding to queries,
•   Buffer overflow vulnerabilities, where someone can take control of the database server and take all the data,
•   Privilege escalation vulnerabilities, where a user can either get access to data that they shouldn't have access to or, in more extreme cases, give themselves the ability to make themselves the system administrator and take ownership of the database and all the data in it,
•   Weak passwords.

Second Pillar: Configuration
Look at the database from a configuration standpoint. Make sure that the security features in the database are turned on and set up properly. Many people are unaware of the fact that today's databases are jam packed with security features that are frequently overlooked.
    Very often the database vendors ship their products with a fairly wide open and insecure configuration by default, which forces administrators to turn on the security settings. Having a policy/approach to how you're going to secure your database, and then going out and measuring your databases against that policy, ensures they are configured properly and securely – if it's critical. If you don't have those security settings turned on, you're leaving yourself open to attacks.

Third Pillar: Entitlement Review
Who has access to what? Who can really see the critical data in the database and how did they get that access?

Fact
Privilege models in today's databases have grown in complexity.

It's very difficult to look at a database and actually know who can see the data. Are there conflicting privileges in the database?

Example
The privilege to add a new check to the queue for processing and the privilege to delete those checks from the register. It's very plausible that someone can write/process checks and then delete them afterwards, making it easy to steal money – take time to look at those entitlements in the database at a detailed level. This is a key pillar of database assessment.
    That assessment is going to give you a bunch of findings. So you're going to find some vulnerabilities that you will need to fix. You're going to find some configuration settings that will need to change. You're going to find some access controls that are too loose and need to be

Figure 4. PolicyEditor





tightened up. Now you need to prioritize the tasks, which leads us to our next step.

Step Four: Prioritize
You know the value of each of the databases (since you went through and classified them); you know the vulnerabilities and the misconfigurations that you have. Now, based on the risk posed by those vulnerabilities, those misconfigurations, and those inappropriate access controls, combined with the business value of the database (you should apply weights/values to everything), build a priority list of what you need to fix first. This will lead you to think about some interesting math to calculate total net new exposure cost (a topic I will cover in another article).

Step Five: Fix it
Let's be honest – for many reasons, technical and not so technical, you're not going to be able to fix everything. Did someone say the political layer? (OSI model layer 8.) Many careers have been damaged due to arguments about this phase. People have needlessly argued about remediation and approaches to wide-scale/automated patch management with little thought as to reason, purpose or extenuating circumstances. The truth is that in many cases it will simply be because an application doesn't support the latest patch, or some unreasonable change will be required to do so, and you can't button up that privilege escalation vulnerability.

Fact
The nature of remediation is changing and it's only a small part of the picture.

Fact
Organizations operating with an unstructured remediation policy have learned that this phase takes the most time and costs the most money. It is a leading contributor to the erosion of 5x9's (availability) in high-demand environments.

Step Six: Compensating Control
Once you fix what you can, you need to monitor what you can't.

•   Monitor for someone exploiting the vulnerability that you can't apply the patch to.
•   Monitor for somebody taking advantage of granted access in a case where you can't revoke it.
•   Monitor those things that the security features in the database would prevent from happening.
•   Monitor for people making things happen.

You have segregation of duties and violations that you can't get yourself out of – everyone has at least one. The database administrator, a back office employee who can see and modify any front office data in the database: you need to monitor what they are doing to make sure they are not abusing the access they've been given.
    It's a continuous cycle because the database environment is changing. The vulnerabilities that are out there (and that are known) are constantly changing. The threat vectors are changing all the time, so we need to constantly be cycling through this lifecycle in a continuous way to ensure that we always manage risk and keep it to a minimal level, in addition to being compliant with the regulatory environment that is wrapped around so many of these databases (just take a look at PCI DSS, Sarbanes-Oxley, DISA-STIG, FISMA, and MITS, for example).
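One way to turn the four Step Six bullets above into detection logic, as an added example that is not the article's or any vendor's code. It assumes a constructed audit-record format of space-separated key=value fields and constructed names for the watched procedure, the DBA account and the front-office table; a real deployment would map these to the audit trail your database actually emits.

```python
from collections import defaultdict

# What we chose to monitor rather than fix, one entry per Step Six bullet.
# Object and account names are constructed for this example.
WATCHED_EXEC = {
    "VULN_PKG.PROC": "procedure with a vulnerability the application will not let us patch",
    "UTL_FILE.FOPEN": "file I/O the application account still needs, so the grant cannot be revoked",
}
PRIVILEGED_USERS = {"DBA_JOE"}            # back-office DBA who can see front-office data
FRONT_OFFICE_OBJECTS = {"CUSTOMER_CARDS"}
LOCKOUT_THRESHOLD = 5                      # what an enabled lockout feature would stop
PRIVILEGE_CHANGES = {"GRANT", "REVOKE", "CREATE_USER", "ALTER_USER"}


def parse(line):
    """Turn 'ts key=value key=value ...' into a dict (constructed audit format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = ts
    return fields


def monitor(lines):
    """Return (rule, user, detail) alerts for the compensating-control rules."""
    alerts = []
    failed_logins = defaultdict(int)
    for line in lines:
        ev = parse(line)
        user, action, obj = ev.get("user", "?"), ev.get("action"), ev.get("object")
        # Bullets 1 and 2: a vulnerable procedure, or an unrevocable grant, being used.
        if action == "EXEC" and obj in WATCHED_EXEC:
            alerts.append(("watched-exec", user, f"{obj}: {WATCHED_EXEC[obj]}"))
        # Bullet 2 again: the privileged back-office account reading front-office data.
        if action == "SELECT" and user in PRIVILEGED_USERS and obj in FRONT_OFFICE_OBJECTS:
            alerts.append(("privileged-read", user, f"{obj} rows={ev.get('rows', '?')}"))
        # Bullet 3: what a lockout feature would have prevented had it been turned on.
        if action == "LOGIN" and ev.get("result") == "FAIL":
            key = (user, ev.get("src"))
            failed_logins[key] += 1
            if failed_logins[key] == LOCKOUT_THRESHOLD:
                alerts.append(("lockout-not-enforced", user,
                               f"{LOCKOUT_THRESHOLD} failed logins from {key[1]}"))
        # Bullet 4: people making things happen, here any privilege change.
        if action in PRIVILEGE_CHANGES:
            alerts.append(("privilege-change", user, f"{action} {obj} to {ev.get('target', '?')}"))
    return alerts


# Constructed audit lines: one benign read, one bulk DBA read, one watched
# procedure call, five failed logins from one source, one GRANT of a DBA role.
SAMPLE_LOG = [
    "2010-01-12T09:14:03Z db=cardproc user=APP_SVC src=10.0.5.21 action=SELECT object=CUSTOMER_CARDS rows=1",
    "2010-01-12T09:15:11Z db=cardproc user=DBA_JOE src=10.0.9.4 action=SELECT object=CUSTOMER_CARDS rows=100000",
    "2010-01-12T09:16:00Z db=cardproc user=WEB_SVC src=203.0.113.7 action=EXEC object=UTL_FILE.FOPEN",
    *[f"2010-01-12T09:16:{2 + i:02d}Z db=cardproc user=WEB_SVC src=203.0.113.7 action=LOGIN result=FAIL"
      for i in range(5)],
    "2010-01-12T09:20:00Z db=cardproc user=DBA_JOE src=10.0.9.4 action=GRANT object=DBA target=WEB_SVC",
]

if __name__ == "__main__":
    for rule, user, detail in monitor(SAMPLE_LOG):
        print(f"{rule:22} {user:10} {detail}")
```

Each rule corresponds to something the assessment found and the fix step could not remove; the alerts are the evidence that the compensating control is actually compensating, and the rule set is what you revisit on every pass through the cycle.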



Resources
•   Common Vulnerabilities and Exposures database online: http://cve.mitre.org/
•   Secure Code Against SQL Injection: http://msdn.microsoft.com/en-us/library/ms998271.aspx
•   Application Security: http://www.appsecinc.com
•   DbProtect (tools the experts use): http://www.appsecinc.com/products/dbprotect/index.shtml
•   InterviewTomorrow (Helping Americans get back to work) Free job posting website: http://interviewtomorrow.com

Figure 5. Report ApplicationInventory
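The second and third assessment pillars from Step Three above, worked as an added example that is not code from the article or from Application Security. The configuration policy keys, privilege names and role names are constructed (the `os.file_io` privilege stands in for file I/O functionality such as the UTL_FILE example); the first pillar, vulnerability scanning, needs a signature feed and is left to a scanner. The entitlement review resolves nested roles so that a toxic combination hidden behind a role is still found, which is the "conflicting privileges" case the check-processing example describes.

```python
from dataclasses import dataclass

# Constructed policy for the configuration pillar. The setting names are
# hypothetical and stand in for whatever your vendor calls them.
CONFIG_POLICY = {
    "audit_enabled": "on",
    "remote_os_authent": "off",
    "password_lifetime_days": 90,   # numeric entries are policy maximums
    "failed_login_lockout": 5,
}

# Privileges that must never be held by PUBLIC (everyone). "os.file_io" stands
# in for file-I/O functionality such as the UTL_FILE example in the article.
HIGH_RISK_PRIVS = {"os.file_io", "admin.grant_any"}

# Segregation-of-duties rule from the check-processing example: no single
# account may both queue checks and delete them from the register.
TOXIC_PAIRS = [("checks.insert", "checks.delete")]


@dataclass(frozen=True)
class Finding:
    pillar: str    # "configuration" or "entitlement"
    subject: str   # setting name or account name
    detail: str


def check_configuration(actual):
    """Second pillar: measure the live settings against CONFIG_POLICY."""
    findings = []
    for key, expected in CONFIG_POLICY.items():
        value = actual.get(key)
        if value is None:
            findings.append(Finding("configuration", key, "setting not present; feature is off by default"))
        elif isinstance(expected, int):
            if value > expected:
                findings.append(Finding("configuration", key, f"{value} exceeds policy maximum {expected}"))
        elif value != expected:
            findings.append(Finding("configuration", key, f"is {value!r}, policy requires {expected!r}"))
    return findings


def expand_privileges(granted, roles):
    """Resolve roles to the privileges they confer, following nested roles."""
    seen, todo = set(), list(granted)
    while todo:
        item = todo.pop()
        if item in seen:
            continue
        seen.add(item)
        if item in roles:
            todo.extend(roles[item])
    return {p for p in seen if p not in roles}


def review_entitlements(grants, roles):
    """Third pillar: who can do what, and does anyone hold a toxic combination?"""
    findings = []
    everyone = {"PUBLIC"} if "PUBLIC" in roles else set()
    for priv in sorted(expand_privileges(everyone, roles) & HIGH_RISK_PRIVS):
        findings.append(Finding("entitlement", "PUBLIC", f"high-risk privilege {priv} granted to everyone"))
    for user, direct in sorted(grants.items()):
        effective = expand_privileges(set(direct) | everyone, roles)
        for a, b in TOXIC_PAIRS:
            if a in effective and b in effective:
                findings.append(Finding("entitlement", user, f"holds both {a} and {b}"))
    return findings


def assess(config, grants, roles):
    """Run both pillars over one database's inventory and return the findings."""
    return check_configuration(config) + review_entitlements(grants, roles)


# Constructed inventory for one database: a weak configuration, a PUBLIC
# file-I/O grant, and a supervisor role that silently inherits the clerk role.
SAMPLE_CONFIG = {"audit_enabled": "off", "remote_os_authent": "off", "password_lifetime_days": 180}
SAMPLE_ROLES = {
    "PUBLIC": {"os.file_io"},
    "clerk": {"checks.insert"},
    "supervisor": {"checks.delete", "clerk"},
}
SAMPLE_GRANTS = {"alice": {"clerk"}, "bob": {"supervisor"}, "carol": {"reports.read"}}

if __name__ == "__main__":
    for f in assess(SAMPLE_CONFIG, SAMPLE_GRANTS, SAMPLE_ROLES):
        print(f"[{f.pillar}] {f.subject}: {f.detail}")
```

On the constructed inventory the configuration check produces three findings and the entitlement review two: the PUBLIC file-I/O grant, and bob, who never received checks.insert directly but holds it through the nested clerk role. That second finding is the one a grant listing alone would miss, and the list of findings is the input Step Four prioritizes.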






The Tool of Choice                               DbProtect is the recipient of: The 2009 BAT-           The Database Security industry is
An excellent tool to secure these complex        KA PRODUCT AWARD FOR DATABASE                      evolving (thanks to you, the Linux/Database
databases environments is DbProtect.             SECURITY.                                          Security Engineer/Administrator) to the point
It’s perfect for asset management, policy             For the auditor and IT advisor market         where forward thinking is required, no longer
management, vulnerability management,            they have AppDetectivePro (6.2 as of this          asked for from product managers. Places
audit and threat management, and analytics/      writing) that is laptop based. It receives regu-   like Application Security are successfully
reporting.                                       lar updates and has been doing so since 2003.      delivering on this request every day. They
     DbProtect will go out and do database       Impressive! I also like the sheer number of        are integrating the lifecycle approach
discovery; database assessment (so it scans      checks (in excess of 2000 to date).                (discover, classify, assess, prioritize, fix and
for vulnerabilities, misconfigurations, and                                                         monitor) into the tools and helping solve
user rights); help you develop a remedia-        Conclusion                                         very complex database security problems
tion plan writing fix scripts and since it has
                                         More often than not when you mention                       from a truly holistic perspective. Take time
a database monitoring capability. It will tell
                                         Database Security to someone they will                     out to evaluate DbProtect and I know you
you who has access to what data and when,point you in the direction of a 120 page                   will be impressed. Go forward and secure
who is making what changes, and who is try-
                                         whitepaper that’s really nothing more                      those databases. I'll see you next time. Now
ing to exploit a known vulnerability in one
                                         then a pseudo exercise in the use of com-                  where did I put that ream of paper?
of your databases. I like DbProtect for three
                                         plex technical/business vocabulary. Can
key reasons:                             I get a man page over here please? You
                                         end up being the guy in the office who has
•   Management console                   to search for paper because you used ev-
•   Distributed Scanning & Monitoring of erything in the printer, or they tell you to
    databases (agentless)                download some cool tool that has a great
•   Reporting                            interface.
                                                                                                     Thanks to
                                                                                                     Josh Shaul and Thom VanHorn for the
                                                                                                     interview and excellent background infor-
                                                                                                     mation
                                                                                                         Eric T.S.Gonzales, John B. Ottman,
                                                                                                     Arron C. Newman, Peter Schwartz, John
                                                                                                     Colton, Rob Chapdelaine, Dave McNa-
                                                                                                     mara, Mariya Lynch, and all the other great
                                                                                                     folks at Application Security.




About the Author
Richard C. Batka has held various management and engineering positions with Microsoft, Symantec, PricewaterhouseCooper, Thomson Reuters, and JPMorgan Chase. He has spent the last 17 years devoted to the complex issues of enterprise application development, security, infrastructure, data management and regulatory compliance. A graduate of New York University, he holds numerous industry certifications. Currently, Mr. Batka is the CEO of a privately funded consulting service firm in New York that provides strategy and engineering services internationally to a select group of clients. Mr. Batka holds no financial interest in Application Security. Mr. Batka can be reached at rbusa1@gmail.com.
Figure 6. Report NIST


                                                            www.lpmagazine.org/en                                                                      49
