Tool of Choice
• Examines:
  – Every domain on the Internet
  – Every web page in your application ever (cached)
• Can locate:
  – Unsecured databases
  – Unsecured websites, URLs
  – Unsecured files & folders
Example:
• Oracle HTTP Servers
  – Provide functionality to query the database using an HTTP form
  – Accessed using the URL /isqlplus
  – By default runs on any Oracle HTTP server installed with Oracle Applications Server or Oracle Database Server
• Easily identified by Google search:
  – Look for Oracle HTTP servers using the “allinurl” advanced search feature
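Added example, not code from the original deck: the defender's counterpart of the search above is to check your own web-server logs for requests that reach /isqlplus from outside the organisation. The script parses Combined Log Format lines, flags external requests to the endpoint and counts which external addresses were actually served. The sample log lines, the 10.0.0.0/8 internal range and all function names are assumptions constructed for this demonstration.

```python
"""Detect external hits on the iSQL*Plus endpoint in web-server access logs.

Added example, not code from the original deck. Assumptions (constructed for
this demonstration): logs are in Combined Log Format, and 10.0.0.0/8 is the
organisation's internal address range.
"""
import ipaddress
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Administrative endpoints that must not be reachable from outside; the deck
# names /isqlplus as the default path of the Oracle iSQL*Plus form.
SENSITIVE_PREFIXES = ("/isqlplus",)

# Assumption: the organisation's own network; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    """True when the client address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exposures(lines):
    """Return (ip, path, status) for every external request to a sensitive path."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Normalise: drop the query string and compare case-insensitively.
        path = rec["path"].split("?", 1)[0].lower()
        if not path.startswith(SENSITIVE_PREFIXES):
            continue
        if is_internal(rec["ip"]):
            continue
        hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def successful_sources(hits):
    """Count external addresses whose request was served (status below 400)."""
    return Counter(ip for ip, _path, status in hits if status < 400)


# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Mar/2008:15:42:01 +0000] "GET /isqlplus HTTP/1.1" 200 5123',
    '10.1.2.3 - - [14/Mar/2008:15:43:10 +0000] "GET /isqlplus/ HTTP/1.1" 200 5123',
    '198.51.100.9 - - [14/Mar/2008:15:44:00 +0000] "POST /isqlplus/?x=1 HTTP/1.1" 302 0',
    '203.0.113.7 - - [14/Mar/2008:15:45:00 +0000] "GET /index.html HTTP/1.1" 200 812',
    '203.0.113.7 - - [14/Mar/2008:15:46:00 +0000] "GET /ISQLPLUS/ HTTP/1.1" 404 196',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    exposures = find_exposures(SAMPLE_LOG)
    for ip, path, status in exposures:
        print(f"external request: {ip} {path} -> {status}")
    print("served to:", dict(successful_sources(exposures)))
```

Run as-is to see the constructed output; in practice feed it the real access log. Any external address that was served (status below 400) means the form is reachable from the Internet and the endpoint should be restricted or disabled rather than left to be found.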
The Biggest Threat?
FBI/Computer Security Institute 2008: 85% of all offenders prosecuted for cyber crimes were employees of the company attacked
How To Steal a Database
Removable media: PDAs, USB flash drives, iPods, digital cameras, gaming consoles, writeable CDs, DVDs, etc.
Unauthorised connections: wireless, Bluetooth, infrared mobile connections, modems, peer-to-peer, etc.
Unauthorised output devices: printers, faxes, photocopiers, etc.
Unauthorised applications: MSN chat, web mail, malware, trojans, key loggers, etc.
Unauthorised application use: file, print, save as, print screen, cut & paste, file sharing, search, import/export, print, rename, etc.
Driving Forces
Demand for Pervasive Access
• From any place…
• By anyone…
• Via any application…
• Increase in remote & 3rd party connections
• Result: increase of privileged users

Uncertain Economic Conditions
• Restructuring, downsizing, mergers, acquisitions…
• Increase in disgruntled employees
• Increased understanding that data = cash
• Result: increase in database thefts

Compliance Requirements
• Compliance programs must be: Transparent, Repeatable, Demonstrable
• Data apps must meet: Confidentiality, Integrity, Availability
• Result: compliance demands increase in privileged users
Our Research
• Analysed 200,000+ hours of user activity
• Monitored database access for: “open”, “copy”, “paste”, “save as”, “convert”, “send”, “print”, “attach” and file transfer activity
• Carried out over 24 months
• Identified the who, what, where & when
• Entitled “Inside Out”
Summary Findings
• 68% of thefts were linked to mobile rather than fixed desktop systems.
• IT and Customer Services departments had the highest number of thefts.
• 98% male
• 79% of incidents occurred on Fridays between 3 and 5PM.
• The applications most favoured for removing data were web mail, instant messaging (IM) and social networking web sites.
• The top 4 theft vectors were identified as mobile devices, web mail, removable media and corporate email.
• All instances identified could have been prevented. Existing corporate security policies were not implemented, monitored or enforced.
5 Factors Leading to Compromise
1. Ignorance
2. Poor password management
3. Rampant account sharing
4. Unfettered access to data
5. Excessive portability of data
Start: Find Your Database Data
• Network?
• End Users
• Remote Users
• 3rd Parties?
• Contractors
• Other locations: printers, photocopiers, scanners, faxes, audio recordings…
Data Loss Threat Vectors (diagram)
Categories shown: Endpoint, Data-At-Rest, Data-In-Motion, Physical, Other Threat Vectors
Items shown: Laptop / Desktop, Server, CD / DVD, USB, iPod, Memory Stick, PCMCIA, Memory Card Readers, Bluetooth, Infrared, Firewire, Serial / Parallel Ports, Databases, File Systems, File Servers, NAS, Virtual Machine, SANs / iSCSI Storage, Backup Tapes / CD / DVD, Laptop / Desktop / Server, E-Mail, HTTP/S, SSH, FTP, IM, VoIP, P2P, Blogs, Mobile Phone / PDA, Piggybacking, Dumpster (Skip) Diving, Social Engineering, Contractors, Road Apple, Eavesdropping, Printers, Fax, Photocopier, Digital Camera (incl. Mobile Phone Cameras), Incorrect Disposal, Printed Reports, Voice Mail, Video Surveillance, Screen Scrapers, Trojans, Key Loggers, Phishing / Spear Phishing
Get a Grip
• Do you have a Database Security Policy?
• Can you monitor all DB access?
  – Who did what, from where, and when…
  – What was accessed?
  – Did it violate the data permissions policy?
  – Was it a month-end report or theft of millions of records?
• Are your systems hardened?
  – Tamper-resistant
  – Tamper-evident
  – Compliant with segregation of duties
Top 10 Best Practices
1. Access and Authentication Auditing
  • Determine who accessed which systems, when, and how
2. User and Administrator Auditing
  • Determine what activities were performed in the database by both users and administrators
3. Security Activity Alerting
  • Identify and flag any suspicious, unusual or abnormal access to sensitive data or critical systems
4. Vulnerability Assessment and Threat Monitoring
  • Assess your database applications for known vulnerabilities
  • Alert in real time on users attempting to exploit these vulnerabilities
  • Alert in real time on any other suspicious, unusual or otherwise “abnormal” access
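Added example, not code from the original deck, showing practices 1 to 3 as working detection logic: each audit record carries the who, when, from where, what and how much, and a small rule set flags access that violates the data-permissions policy, bulk reads that may be a month-end report or may be the theft of a whole table, and activity outside business hours. The Friday 3 to 5PM window from the deck's own findings is used to escalate an alert rather than raise one on its own. The audit-line format, the entitlement table, the thresholds and the function names are all constructed assumptions.

```python
"""Security activity alerting over database audit records.

Added example, not code from the original deck. The audit lines, the
entitlement table, the business-hours window and the bulk-row threshold are
all constructed assumptions for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime      # when
    user: str         # who
    host: str         # from where
    operation: str    # what was done (SELECT, UPDATE, EXPORT, ...)
    obj: str          # what was accessed (schema.table)
    rows: int         # how much


# Assumption: the data-permissions policy, as sensitive object -> allowed users.
ENTITLEMENTS = {
    "hr.employees": {"hr_app", "hr_admin"},
    "finance.payroll": {"payroll_app"},
}
BULK_ROW_THRESHOLD = 100_000    # assumption: anything larger needs a human look
BUSINESS_HOURS = (8, 18)        # assumption: 08:00 <= hour < 18:00, Mon-Fri


def parse_record(line):
    """Parse 'ISO-time|user|host|operation|object|rows' (constructed format)."""
    ts, user, host, operation, obj, rows = line.strip().split("|")
    return AuditRecord(datetime.fromisoformat(ts), user, host, operation, obj, int(rows))


def in_friday_afternoon_window(ts):
    """The deck's finding: 79% of incidents fell on Fridays between 3 and 5 PM."""
    return ts.weekday() == 4 and 15 <= ts.hour < 17


def check_record(rec):
    """Return the reasons a record should be flagged (empty list = nothing unusual)."""
    reasons = []
    allowed = ENTITLEMENTS.get(rec.obj)
    if allowed is not None and rec.user not in allowed:
        reasons.append("UNENTITLED_ACCESS")   # violates the data permissions policy
    if rec.rows >= BULK_ROW_THRESHOLD:
        reasons.append("BULK_ACCESS")         # month-end report, or millions of records?
    start, end = BUSINESS_HOURS
    if rec.ts.weekday() >= 5 or not (start <= rec.ts.hour < end):
        reasons.append("OUT_OF_HOURS")
    # The Friday window escalates an existing alert rather than raising one on
    # its own, otherwise every routine Friday-afternoon query would page someone.
    if reasons and in_friday_afternoon_window(rec.ts):
        reasons.append("FRIDAY_PM_WINDOW")
    return reasons


def run_alerts(lines):
    """Return (user, host, object, reasons) for each record that triggered a rule."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        reasons = check_record(rec)
        if reasons:
            alerts.append((rec.user, rec.host, rec.obj, tuple(reasons)))
    return alerts


# Constructed audit trail; 14 March 2008 was a Friday.
SAMPLE_AUDIT = [
    "2008-03-14T16:10:22|jsmith|laptop-42|SELECT|hr.employees|250000",
    "2008-03-14T09:05:00|hr_app|app-srv-1|SELECT|hr.employees|40",
    "2008-03-12T23:30:00|dba1|dba-ws|SELECT|finance.payroll|500",
    "2008-03-13T10:00:00|payroll_app|app-srv-2|SELECT|finance.payroll|120000",
    "2008-03-14T16:30:00|sales_app|app-srv-3|SELECT|sales.orders|10",
]

if __name__ == "__main__":
    for user, host, obj, reasons in run_alerts(SAMPLE_AUDIT):
        print(f"{user}@{host} on {obj}: {', '.join(reasons)}")
```

The entitled payroll application pulling 120,000 rows is still reported, deliberately: the rule cannot tell a month-end report from a bulk export, so it surfaces the record for a reviewer who can, while the laptop user with no entitlement reading a quarter of a million HR rows on a Friday afternoon collects every reason at once.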
Best Practices
5. Database Activity Monitoring
  • Determine who accessed which systems, when, and how
  • Determine what they did (both users and administrators)
  • Understand where the threat / risk originates and deploy the appropriate solution to defend against such threats
6. Change Auditing
  • Establish a baseline policy for the database (configuration, schema, users, privileges and structure), then track deviations from that baseline.
7. Data classification scheme (locate, mark, define handling and storage requirements)
8. Database access included in information security policies
9. Information & awareness (appropriate use agreements)
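Added example, not code from the original deck, for practice 6: a signed-off snapshot of configuration, schema, users and privileges is stored as the baseline together with a SHA-256 fingerprint (so the baseline itself is tamper-evident, in the sense of the earlier "Get a Grip" slide), and each later snapshot is diffed against it section by section. The snapshots are constructed dicts standing in for what a collector would read from the data dictionary; the two parameter names in the config section are real Oracle parameters, but their values and every other identifier here are assumptions for the demonstration.

```python
"""Change auditing: baseline a database's configuration, schema, users and
privileges, then report deviations from that baseline.

Added example, not code from the original deck. The snapshots are constructed
dicts standing in for what a collector would pull from the data dictionary;
the parameter names in the config section are Oracle ones (audit_trail,
remote_os_authent) but the values and all other names are invented.
"""
import hashlib
import json


def canonical(snapshot):
    """Stable serialisation so equal snapshots always hash the same."""
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":"))


def fingerprint(snapshot):
    """SHA-256 over the canonical form; store it with the baseline so that
    tampering with the baseline is detectable."""
    return hashlib.sha256(canonical(snapshot).encode("utf-8")).hexdigest()


def verify_baseline(baseline, expected_fingerprint):
    """Refuse to audit against a baseline whose stored fingerprint no longer matches."""
    return fingerprint(baseline) == expected_fingerprint


def diff_baseline(baseline, current):
    """List every added, removed or changed entry, section by section."""
    deviations = []
    for section in sorted(set(baseline) | set(current)):
        base = baseline.get(section, {})
        cur = current.get(section, {})
        for key in sorted(set(base) | set(cur)):
            if key not in base:
                deviations.append(f"{section}: added {key} = {cur[key]!r}")
            elif key not in cur:
                deviations.append(f"{section}: removed {key}")
            elif base[key] != cur[key]:
                deviations.append(f"{section}: changed {key}: {base[key]!r} -> {cur[key]!r}")
    return deviations


# Constructed baseline taken when the system was signed off.
BASELINE = {
    "config": {"audit_trail": "DB", "remote_os_authent": "FALSE"},
    "schema": {"hr.employees": ["id", "name", "salary"]},
    "users": {"hr_app": "OPEN", "jsmith": "OPEN"},
    "privileges": {"hr_app": ["SELECT ON hr.employees"], "jsmith": []},
}
BASELINE_FINGERPRINT = fingerprint(BASELINE)

# Constructed later snapshot: a setting weakened, a table copied, a new account
# holding DBA, and a grant made outside the policy.
CURRENT_SNAPSHOT = {
    "config": {"audit_trail": "DB", "remote_os_authent": "TRUE"},
    "schema": {"hr.employees": ["id", "name", "salary"],
               "hr.employees_bak": ["id", "name", "salary"]},
    "users": {"hr_app": "OPEN", "jsmith": "OPEN", "tempdba": "OPEN"},
    "privileges": {"hr_app": ["SELECT ON hr.employees"],
                   "jsmith": ["SELECT ON hr.employees"],
                   "tempdba": ["DBA"]},
}

if __name__ == "__main__":
    if not verify_baseline(BASELINE, BASELINE_FINGERPRINT):
        raise SystemExit("baseline fingerprint mismatch: baseline may have been altered")
    for line in diff_baseline(BASELINE, CURRENT_SNAPSHOT):
        print(line)
```

Every deviation is reported, not only the obviously bad ones: a copied table or a new grant may be legitimate, but under change auditing each one has to be matched to an approved change or treated as an incident.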
Best Practices
10. Delete any/all data associated with me PLEASE!
26 Dover Street, London, United Kingdom, W1S 4LY
+44 (0)20 3586 1025
+44 (0)20 7763 7101 (fax)