
Risk Factory: Database Security: Oxymoron?


Data = cash so databases are banks.

Published in: Technology


  1. Database Theft
  2. A simple, easy to use, online, B2B procurement portal for purchasing products and services to secure your data.
  3. According to … in 2011 reported database thefts increased 37% from the previous year. (May 2012)
  4. Why?
  5. Supply & Demand

     | Data item          | 2001   | 2005  | 2010  |
     | ------------------ | ------ | ----- | ----- |
     | Name, Address, DOB | £2.00  | £1.00 | £0.25 |
     | Credit card #      | £2.00  | £1.00 | £0.25 |
     | Expiry date        | £3.00  | £1.00 | £0.25 |
     | Security Code      | £3.00  | £2.00 | £0.25 |
     | Total              | £10.00 | £5.00 | £1.00 |
  6. Cocktail Party Chat Up Line #1: In one week, the average person living in Britain has 3,254 pieces of personal information stored about him or her in databases.* (*Evening Standard survey, August 2008)
  7. We live in societies that collect data for data's sake.
  8. Cocktail Party Chat Up Line #2: The average UK citizen is in over 750 databases.* (*UK Information Commissioner's report "What Price Privacy?", 2009)
  9. Our Births, Marriages & Deaths
  10. Our Family
  11. Our Ancestors
  12. Our Preferences
  13. Get a Life...
  14. Our Credit
  15. Our Friends
  16. Our Enemies
  17. Our Love Lives
  18. Our Web Lives
  19. Our Retirement
  20. Our Deaths
  21. Your identity data is big business.
  22. How Do You Find One?
  23. Tool of Choice
      • Examines:
        – Every domain on the Internet
        – Every web page in your application ever (cached)
      • Can locate:
        – Unsecured databases
        – Unsecured websites, URLs
        – Unsecured files & folders
  24. Example:
      • Oracle HTTP Servers
        – Provides functionality to query the database using an HTTP form
        – Accessed using the URL /isqlplus
        – By default runs on any Oracle HTTP server installed with Oracle Application Server or Oracle Database Server
      • Easily identified by Google search:
        – Look for Oracle HTTP servers using the "allinurl" advanced search feature
  25. Using Advanced Search
  26. Search Results
  27. Default Username/Password
  28. You're In
  29. Then Execute Any Query
  30. The Biggest Threat? FBI/Computer Security Institute 2008: 85% of all offenders prosecuted for cyber crimes were employees of the company attacked.
  31. How To Steal a Database
      • Removable media: PDAs, USB flash drives, iPods, digital cameras, gaming consoles, writeable CDs/DVDs, etc.
      • Unauthorised connections: wireless, Bluetooth, infrared mobile connections, modems, peer-to-peer, etc.
      • Unauthorised output devices: printers, faxes, photocopiers, etc.
      • Unauthorised applications: MSN chat, web mail, malware, trojans, key loggers, etc.
      • Unauthorised application use: file, print, save as, print screen, cut & paste, file sharing, search, import/export, print, rename, etc.
  32. Driving Forces
      • Demand for Pervasive Access: from any place… by anyone… via any application… Increase in remote & 3rd party connections. Result: increase of privileged users.
      • Uncertain Economic Conditions: restructuring, downsizing, mergers, acquisitions… Increase in disgruntled employees. Increased understanding that data = cash. Result: increase in database thefts.
      • Compliance Requirements: compliance programs must be transparent, repeatable and demonstrable; data apps must meet confidentiality, integrity and availability. Result: compliance demands increase in privileged users.
  33. Our Research
      • Analysed 200,000+ hours of user activity
      • Monitored database access for: "open", "copy", "paste", "save as", "convert", "send", "print", "attach" and file transfer activity
      • Carried out over 24 months
      • Identified the who, what, where & when
      • Entitled "Inside Out"
  34. Who?
  35. How?
  36. Summary Findings
      • 68% of thefts linked to mobile rather than fixed desktop systems.
      • IT and Customer Services departments had the highest number of thefts.
      • 98% male.
      • 79% of incidents occurred on Fridays between 3 and 5PM.
      • Applications most favoured to remove data were identified as web mail, instant messaging (IM) and social networking web sites.
      • The top 4 theft vectors were identified as mobile devices, web mail, removable media and corporate email.
      • All instances identified could have been prevented. Existing corporate security policies were not implemented, monitored or enforced.
  37. 5 Factors Leading to Compromise
      1. Ignorance
      2. Poor password management
      3. Rampant account sharing
      4. Unfettered access to data
      5. Excessive portability of data
  38. Start: Find Your Database Data
      • Network?
      • End users
      • Remote users
      • 3rd parties?
      • Contractors
      • Other locations: printers, photocopiers, scanners, faxes, audio recordings…
  39. Diagram: threat-vector map grouped under Endpoint, Data-At-Rest, Data-In-Motion, Physical and Other Threat Vectors. Vectors shown: Laptop / Desktop / Server, CD / DVD, USB, iPod, Memory Stick, PCMCIA, Memory Card Readers, Bluetooth, Infrared, Firewire, Serial / Parallel Ports, File Systems, File Servers, NAS, SANs / iSCSI Storage, Virtual Machine, Backup Tapes / CD / DVD, Databases, Voice Mail, Video Surveillance, E-Mail, HTTP/S, SSH, FTP, IM, VoIP, P2P, Blogs, Fax, Printers, Photocopier, Printed Reports, Mobile Phone / PDA, Digital Camera (incl. Mobile Phone Cameras), Piggybacking, Dumpster (Skip) Diving, Social Engineering, Contractors, Road Apple, Eavesdropping, Screen Scrapers, Data Loss Trojans, Key Loggers, Phishing / Spear Phishing, Incorrect Disposal.
  40. Get a Grip
      • Do you have a Database Security Policy?
      • Can you monitor all DB access?
        – Who did what, from where, and when…
        – What was accessed?
        – Did it violate the data permissions policy?
        – Was it a month-end report or theft of millions of records?
      • Are your systems hardened?
        – Tamper-resistant
        – Tamper-evident
        – Compliant with segregation of duties
  41. Apply the vulnerability management lifecycle...
      • Establish inventory
      • Identify vulnerabilities
      • Identify privileged users
      • Define policies
      • Monitor: users, access, activity, misuse, policy violations
      • Track & audit changes
      • Baseline compliance
      • Monitor vulnerabilities &
      • Determine risk
      • Prioritize based on:
        – Vulnerabilities
        – Threat
        – Asset classification
      • Eliminate high-priority vulnerabilities
      • Establish controls & eliminate root cause
      • Demonstrate progress
  42. Top 10 Best Practices
      1. Access and Authentication Auditing
         • Determine who accessed which systems, when, and how
      2. User and Administrator Auditing
         • Determine what activities were performed in the database by both users and administrators
      3. Security Activity Alerting
         • Identify and flag any suspicious, unusual or abnormal access to sensitive data or critical systems
      4. Vulnerability Assessment and Threat Monitoring
         • Assess your database applications for known vulnerabilities
         • Alert in real time on users attempting to exploit these vulnerabilities
         • Alert in real time on any other suspicious, unusual or otherwise "abnormal" access
  43. Best Practices
      5. Database Activity Monitoring
         • Determine who accessed which systems, when, and how
         • Determine what they did (both users and administrators)
         • Understand where the threat / risk originates and deploy the appropriate solution to defend against such threats
      6. Change Auditing
         • Establish a baseline policy for the database (configuration, schema, users, privileges and structure), then track deviations from that baseline
      7. Data classification scheme (locate, mark, define handling and storage requirements)
      8. Database access included in information security policies
      9. Information & awareness (appropriate use agreements)
  44. Best Practices
      10. Delete any/all data associated with me PLEASE!
  45. 26 Dover Street, London, United Kingdom, W1S 4LY. Tel +44 (0)20 3586 1025, fax +44 (0)20 7763 7101.
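Slide 43's change-auditing practice (baseline the schema and structure, then track deviations) as an added example that is not part of the deck: a schema baseline and drift report built on SQLite's own sqlite_master catalogue. The customers table, the card_copy table, the copy_cards trigger and the index name are constructed sample data; the same approach works against information_schema or DBA_* views on other engines.

```python
import hashlib
import json
import sqlite3
from typing import Dict, List


def snapshot_schema(conn: sqlite3.Connection) -> Dict[str, str]:
    """Return {"type:name": normalised DDL} for every table, index, view and trigger."""
    # sqlite_master is SQLite's catalogue; SQLite's own internal objects are skipped.
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master "
        "WHERE sql IS NOT NULL AND name NOT LIKE 'sqlite_%' ORDER BY type, name"
    ).fetchall()
    # Collapse whitespace so cosmetic reformatting of DDL does not count as drift.
    return {f"{kind}:{name}": " ".join(sql.split()) for kind, name, sql in rows}


def baseline_digest(snapshot: Dict[str, str]) -> str:
    """Stable fingerprint of a snapshot, the value to record with the approved baseline."""
    return hashlib.sha256(json.dumps(snapshot, sort_keys=True).encode()).hexdigest()


def diff_schema(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """List every object added, removed or altered since the baseline was taken."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            findings.append(f"REMOVED {key}")
        elif key not in baseline:
            findings.append(f"ADDED {key}")
        elif baseline[key] != current[key]:
            findings.append(f"ALTERED {key}")
    return findings


def demo() -> List[str]:
    """Constructed scenario: baseline a small schema, apply unapproved changes, report drift."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_no TEXT);
        CREATE INDEX idx_customers_name ON customers(name);
    """)
    baseline = snapshot_schema(conn)
    # Changes nobody approved: a new table and trigger appear, a column is added, an index vanishes.
    conn.executescript("""
        CREATE TABLE card_copy (card_no TEXT);
        CREATE TRIGGER copy_cards AFTER INSERT ON customers
            BEGIN INSERT INTO card_copy VALUES (NEW.card_no); END;
        ALTER TABLE customers ADD COLUMN email TEXT;
        DROP INDEX idx_customers_name;
    """)
    return diff_schema(baseline, snapshot_schema(conn))
```

demo() returns one finding per drifted object; in practice the baseline snapshot and its digest are stored outside the database so a privileged user cannot edit both the schema and the record of it.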