BUILDING A DATABASE SECURITY PROGRAM

Matt Presson
@matt_presson
Sr. Information Security Analyst, Leading Multi-National Insurance Brokerage
WHO AM I?

- Sr. Information Security Analyst
- Focus mainly on Application Security and related issues
- Recently focused on designing a database security program
OBJECTIVE

- Why database security is important
- The process of developing the program
- What to watch out for
- NOT giving a blueprint!
WHY DATABASE SECURITY?
BECAUSE WE ARE FAILING!
WHY DATABASE SECURITY?

- It stores your most sensitive data
- Traditional controls are not adapted to new attacks
  - Firewalls
  - IDS, IPS
  - AV, HIDS and HIPS
  - Full Disk Encryption
- Breaches are still happening!
WHY DATABASE SECURITY?
HIGH-LEVEL OVERVIEW

Planning:
- Determine Stakeholders
- Goals & Focus Areas
- Standards & Policies

Implementation:
- Discover & Assess
- Secure Access
- Secure Infrastructure
- Monitor

Ongoing Management:
- Periodic Audits
- Review and Update Standards
- Review and Update Policies
PLANNING

- Determine stakeholders
  - People with a vested interest in keeping data safe
  - Not just a part of the security department
  - Critical business leaders
  - Compliance/Audit organization
  - Application support managers
- Determine your goals and areas of focus
  - Address current business issues and concerns
  - Unique to each organization

(Diagram sidebar: Planning phase)
PLANNING

- Standards and Policies
  - Build configurations
  - Password complexity
  - Access control
  - Permissions management
  - Data classification

(Diagram sidebar: Planning phase)
PLANNING

- Data Classification
  - Different levels of assurance for different data types
  - Keep it SIMPLE!
  - Example (security viewpoint):
    - Confidential – e.g. HR data, Financials, etc.
    - Internal – e.g. Org Charts
    - Public – Released earnings info, Company tweets, etc.

(Diagram sidebar: Planning phase)
IMPLEMENTATION LIFECYCLE

Discover and Assess -> Secure Access -> Secure Infrastructure -> Monitor -> (back to Discover and Assess)
DISCOVERY AND ASSESSMENT

- Focus at the application layer
- Gather a manageable list of business critical apps
  - What are your most important systems?
  - What applications have the largest impact on your ability to do business?
  - What systems do our auditors/regulators care about most?

(Diagram sidebar: Implementation phase, Discover and Assess)
SECURE ACCESS

- Minimize the number of accounts
  - Get a list of accounts from DBA
  - Group the accounts by usage, e.g. Applications, DBAs, Individuals (normal and admin)
- Reduce the number of admin accounts
  - Talk to the person – determine what the real need is
- Minimize account permissions
  - Can you use a view?
  - What about a stored procedure?

(Diagram sidebar: Implementation phase, Secure Access)
SECURE ACCESS

- Control where accounts access from
  - Are web and application servers ok?
  - Should DBAs have access directly from their workstations?
  - Should employees have access from their workstations?
  - Do you need terminal servers or bastion hosts?
  - Should a database be accessible from the Internet?

(Diagram sidebar: Implementation phase, Secure Access)
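The two SECURE ACCESS slides above (minimize accounts and permissions via a view or stored procedure, and control where accounts connect from) can be put into practice directly in the database's own grant system. The following is an added example, not code from Matt Presson's deck: it uses MySQL/MariaDB syntax, and the `hr` schema, the `employees` table, the account names and the 10.20.30.0/24 application subnet are all constructed for illustration. It shows the weak setting as a comment beside the corrected one, and ends with the review queries a DBA would run to produce the account list the slide asks for.

```sql
-- Added example (MySQL/MariaDB); schema, table, accounts and subnet are constructed.
CREATE DATABASE IF NOT EXISTS hr;
CREATE TABLE hr.employees (
    employee_id  INT PRIMARY KEY,
    first_name   VARCHAR(64),
    last_name    VARCHAR(64),
    department   VARCHAR(64),
    work_email   VARCHAR(254),
    salary       DECIMAL(12,2),   -- sensitive: must not reach the application
    national_id  VARCHAR(32)      -- sensitive: must not reach the application
);

-- Weak setting, the one "minimize accounts / permissions" is there to fix:
--   CREATE USER 'hrapp'@'%' IDENTIFIED BY '...';
--   GRANT ALL PRIVILEGES ON hr.* TO 'hrapp'@'%';
-- Any host may connect, and the account can read salary and national_id.

-- 1. Control where the account may connect from: only the app-server subnet.
CREATE USER 'hrapp'@'10.20.30.%' IDENTIFIED BY 'REPLACE_WITH_GENERATED_SECRET';

-- 2. "Can you use a view?"  Expose only the columns the application needs.
--    A MySQL view runs with its definer's rights by default, so hrapp needs
--    no grant on the base table at all.
CREATE VIEW hr.v_employee_directory AS
    SELECT employee_id, first_name, last_name, department, work_email
    FROM hr.employees;
GRANT SELECT ON hr.v_employee_directory TO 'hrapp'@'10.20.30.%';

-- 3. "What about a stored procedure?"  Wrap the single write path so hrapp
--    never holds UPDATE on hr.employees itself.
DELIMITER $$
CREATE PROCEDURE hr.update_work_email(IN p_employee_id INT, IN p_email VARCHAR(254))
    SQL SECURITY DEFINER
BEGIN
    UPDATE hr.employees SET work_email = p_email WHERE employee_id = p_employee_id;
END $$
DELIMITER ;
GRANT EXECUTE ON PROCEDURE hr.update_work_email TO 'hrapp'@'10.20.30.%';

-- 4. DBAs reach the database from the bastion host, not from workstations.
CREATE USER 'dba_jane'@'bastion.example.internal' IDENTIFIED BY 'REPLACE_WITH_GENERATED_SECRET';
GRANT ALL PRIVILEGES ON hr.* TO 'dba_jane'@'bastion.example.internal';

-- 5. Review queries: the full account list the slide asks the DBA for, the
--    accounts holding admin-level rights or reachable from any host, and
--    exactly what hrapp ended up with.
SELECT user, host FROM mysql.user ORDER BY user, host;
SELECT user, host FROM mysql.user WHERE Super_priv = 'Y' OR Grant_priv = 'Y' OR host = '%';
SHOW GRANTS FOR 'hrapp'@'10.20.30.%';
```

The `DELIMITER` lines are `mysql` client commands, so run the script through the client rather than a driver that sends statements one at a time. The second review query is the practical starting point for "reduce the number of admin accounts": each row it returns is a conversation with the account owner about what the real need is.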
SECURE INFRASTRUCTURE

- Ensure you are up-to-date on OS patches
  - Free / Commercial scanners
  - Windows Update
  - *nix distro repositories
- Don’t forget about the DB software itself!
  - MySQL authentication bypass – CVE-2012-2122
  - Oracle TNS Poisoning – CVE-2012-1675
  - SQL Server 2003 Local Administrator group

(Diagram sidebar: Implementation phase, Secure Infrastructure)
MONITORING

- Watch what your employees are doing
  - Built-in transaction logs or auditing solutions
  - Third-party tools
  - Database triggers
- Have different levels of monitoring
  - Failed logins for everyone
  - All activity by privileged accounts
  - Individual account activity outside of “the norm”

(Diagram sidebar: Implementation phase, Monitor)
MONITORING

- Watch for specific events
  - Access outside of the normal activity period
  - Failed login attempts
  - Returning too much sensitive data
  - Abnormally high number of requests
  - SQL injection attempts

(Diagram sidebar: Implementation phase, Monitor)
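The two MONITORING slides above list levels of monitoring (failed logins for everyone, all privileged-account activity) and specific events to watch for. The following is an added example, not from the deck, of how those checks look once audit data is in a table: it assumes MySQL syntax and a hypothetical `db_audit_log` table filled by whatever audit mechanism is in use (the real schema of a vendor audit plugin or third-party tool will differ). The table, the rows, the account names and the thresholds are all constructed; each query is one detection from the slides, and the sample rows are chosen so that most of them return a hit.

```sql
-- Added example (MySQL); audit schema, rows, accounts and thresholds are constructed.
CREATE TABLE db_audit_log (
    ts             DATETIME     NOT NULL,
    account        VARCHAR(64)  NOT NULL,
    client_host    VARCHAR(255) NOT NULL,
    event_type     ENUM('LOGIN_OK','LOGIN_FAIL','QUERY') NOT NULL,
    object_name    VARCHAR(128),          -- table or view touched, if any
    rows_returned  INT DEFAULT 0,
    statement_text TEXT
);

-- Constructed sample events (dates and hosts are made up).
INSERT INTO db_audit_log VALUES
 ('2012-06-01 09:01:00','hrapp','10.20.30.5','QUERY','hr.v_employee_directory',1,'SELECT ... WHERE employee_id = 42'),
 ('2012-06-01 09:02:10','svc_report','10.20.31.9','LOGIN_FAIL',NULL,0,NULL),
 ('2012-06-01 09:02:11','svc_report','10.20.31.9','LOGIN_FAIL',NULL,0,NULL),
 ('2012-06-01 09:02:12','svc_report','10.20.31.9','LOGIN_FAIL',NULL,0,NULL),
 ('2012-06-01 09:02:13','svc_report','10.20.31.9','LOGIN_FAIL',NULL,0,NULL),
 ('2012-06-01 09:02:14','svc_report','10.20.31.9','LOGIN_FAIL',NULL,0,NULL),
 ('2012-06-01 09:05:00','dba_jane','bastion.example.internal','QUERY','hr.employees',250000,'SELECT * FROM hr.employees'),
 ('2012-06-02 02:14:00','jsmith','10.50.1.77','QUERY','hr.employees',1,'SELECT ... WHERE employee_id = 7'),
 ('2012-06-01 09:10:00','hrapp','10.20.30.5','QUERY','hr.v_employee_directory',3,'SELECT ... WHERE last_name = ''x'' UNION SELECT ...');

-- Privileged accounts and sensitive objects come from policy (the data
-- classification work in Planning), not from the log itself.
CREATE TABLE privileged_accounts (account VARCHAR(64) PRIMARY KEY);
INSERT INTO privileged_accounts VALUES ('dba_jane'), ('root');
CREATE TABLE sensitive_objects (object_name VARCHAR(128) PRIMARY KEY);
INSERT INTO sensitive_objects VALUES ('hr.employees');

-- 1. Failed logins for everyone: five or more from one host within 15 minutes.
SET @window_end = TIMESTAMP('2012-06-01 09:15:00');
SELECT account, client_host, COUNT(*) AS failures,
       MIN(ts) AS first_failure, MAX(ts) AS last_failure
FROM db_audit_log
WHERE event_type = 'LOGIN_FAIL'
  AND ts BETWEEN @window_end - INTERVAL 15 MINUTE AND @window_end
GROUP BY account, client_host
HAVING COUNT(*) >= 5;                       -- hits: svc_report from 10.20.31.9

-- 2. All activity by privileged accounts (reviewed in full, every day).
SELECT l.ts, l.account, l.client_host, l.event_type, l.object_name, l.rows_returned
FROM db_audit_log l JOIN privileged_accounts p ON p.account = l.account
ORDER BY l.ts;                              -- hits: dba_jane's full-table read

-- 3. Access outside the normal activity period (06:00-20:00) by interactive
--    accounts; application/service accounts run around the clock and are excluded.
SELECT ts, account, client_host, object_name
FROM db_audit_log
WHERE event_type = 'QUERY'
  AND (HOUR(ts) < 6 OR HOUR(ts) >= 20)
  AND account NOT IN ('hrapp', 'svc_report');   -- hits: jsmith at 02:14

-- 4. Returning too much sensitive data: large result sets from classified objects.
SELECT ts, account, object_name, rows_returned
FROM db_audit_log l JOIN sensitive_objects s USING (object_name)
WHERE rows_returned > 10000;                -- hits: dba_jane, 250000 rows

-- 5. Abnormally high number of requests: per account per minute against a
--    fixed ceiling (no sample row trips this one; tune the ceiling per account).
SELECT account, DATE_FORMAT(ts, '%Y-%m-%d %H:%i') AS minute, COUNT(*) AS requests
FROM db_audit_log
WHERE event_type = 'QUERY'
GROUP BY account, minute
HAVING COUNT(*) > 600;

-- 6. SQL injection attempts: coarse markers in the statement text. Noisy on
--    its own; treat as a trigger for review, not proof.
SELECT ts, account, statement_text
FROM db_audit_log
WHERE event_type = 'QUERY'
  AND (statement_text LIKE '%UNION%SELECT%'
       OR statement_text LIKE '%--%'
       OR statement_text LIKE '%/*%');       -- hits: hrapp at 09:10
```

Queries 1 and 6 are the "for everyone" level from the first slide; query 2 is the privileged-account level; queries 3 to 5 are the per-account "outside of the norm" level, here with fixed thresholds that a mature program would replace with a baseline learned per account. Most real deployments run these against the audit plugin's own tables or a SIEM rather than a hand-made table, but the logic carries over.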
ONGOING MANAGEMENT

- Periodically audit completed systems
  - Work with your DBAs
  - Collaborate with internal audit
- Keep your documentation current
  - Review updated vendor documents
  - Discuss upcoming migration plans with technology teams

(Diagram sidebar: Ongoing Management phase)
SUMMARY

- We have to protect the data
- Engage with the business
  - Determine their concerns
  - Address their issues
  - Become a business partner/enabler
- Secure your most critical systems first
- Don’t forget about the infrastructure
- Monitor, monitor, monitor
- Stay current
QUESTIONS?
APPENDIX 1 – STANDARDS AND POLICIES

- Resources
  - Database Vendor
  - NIST
  - Government Agencies, e.g. NSA
  - Standards Bodies, e.g. SANS, IANS
  - International CERTs
  - Existing company documentation

Biznet Gio Presentation - Database Security
 

Recently uploaded

20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 

Recently uploaded (20)

20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 

Building a database security program

  • 1. BUILDING A DATABASE SECURITY PROGRAM
    Matt Presson, @matt_presson
    Sr. Information Security Analyst, Leading Multi-National Insurance Brokerage

  • 2. WHO AM I?
    - Sr. Information Security Analyst
    - Focus mainly on Application Security and related issues
    - Recently focused on designing a database security program

  • 3. OBJECTIVE
    - Why database security is important
    - The process of developing the program
    - What to watch out for
    - NOT giving a blueprint!

  • 5. BECAUSE WE ARE FAILING!

  • 6. WHY DATABASE SECURITY?
    - It stores your most sensitive data
    - Traditional controls are not adapted to new attacks
      - Firewalls
      - IDS, IPS
      - AV, HIDS and HIPS
      - Full Disk Encryption
    - Breaches are still happening!

  • 8. HIGH-LEVEL OVERVIEW (three phases)
    - Planning: Determine Stakeholders; Goals & Focus Areas; Standards & Policies
    - Implementation: Discover & Assess; Secure Access; Secure Infrastructure; Monitor
    - Ongoing Management: Periodic Audits; Review and Update Standards; Review and Update Policies

  • 9. PLANNING
    - Determine stakeholders: people with a vested interest in keeping data safe, not just a part of the security department
      - Critical business leaders
      - Compliance/Audit organization
      - Application support managers
    - Determine your goals and areas of focus
      - Address current business issues and concerns
      - Unique to each organization

  • 10. PLANNING
    - Standards and Policies
      - Build configurations
      - Password complexity
      - Access control
      - Permissions management
      - Data classification

  • 11. PLANNING
    - Data Classification
      - Different levels of assurance for different data types
      - Keep it SIMPLE!
      - Example (security viewpoint):
        - Confidential – e.g. HR data, Financials, etc.
        - Internal – e.g. Org Charts
        - Public – Released earnings info, Company tweets, etc.

  • 12. HIGH-LEVEL OVERVIEW (same diagram as slide 8)

  • 13. IMPLEMENTATION LIFECYCLE (a cycle): Discover and Assess -> Secure Access -> Secure Infrastructure -> Monitor

  • 14. DISCOVERY AND ASSESSMENT
    - Focus at the application layer
    - Gather a manageable list of business critical apps
      - What are your most important systems?
      - What applications have the largest impact on your ability to do business?
      - What systems do our auditors/regulators care about most?

  • 15. SECURE ACCESS
    - Minimize the number of accounts
      - Get a list of accounts from DBA
      - Group the accounts by usage, e.g. Applications, DBAs, Individuals (normal and admin)
      - Reduce the number of admin accounts
      - Talk to the person – determine what the real need is
    - Minimize account permissions
      - Can you use a view?
      - What about a stored procedure?

  • 16. SECURE ACCESS
    - Control where accounts access from
      - Are web and application servers ok?
      - Should DBAs have access directly from their workstations?
      - Should employees have access from their workstations?
      - Do you need terminal servers or bastion hosts?
      - Should a database be accessible from the Internet?
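The two questions on slide 15, "Can you use a view?" and "What about a stored procedure?", worked through in PostgreSQL SQL as an added example; this is not material from the slides. The schema hr, the table hr.employees, the group role app_readers, the login role claims_app and the function hr.update_work_email are assumed names chosen for illustration, and the sample row is constructed.

```sql
-- Added example (PostgreSQL dialect), not from the original slides. Object names
-- (schema hr, table hr.employees, roles app_readers / claims_app) are assumptions.
-- Run as a superuser for the demo so SET ROLE works; in production create the
-- objects under a dedicated owner role instead.

-- Constructed table: the application needs three columns, but the table also carries
-- Confidential columns in the slide-11 sense (ssn, salary).
CREATE SCHEMA hr;
CREATE TABLE hr.employees (
    employee_id integer PRIMARY KEY,
    full_name   text    NOT NULL,
    department  text    NOT NULL,
    work_email  text    NOT NULL,
    ssn         text    NOT NULL,   -- Confidential
    salary      numeric NOT NULL    -- Confidential
);
INSERT INTO hr.employees VALUES (1, 'Ada Example', 'Claims', 'ada@example.invalid', '000-00-0000', 1);

-- One group role per usage pattern ("Applications, DBAs, Individuals"): grants live on the
-- NOLOGIN group, login roles are only members, so there is a single place to audit.
CREATE ROLE app_readers NOLOGIN;
CREATE ROLE claims_app LOGIN PASSWORD 'placeholder-rotate-me' IN ROLE app_readers;

-- Make the starting point explicit: PUBLIC gets no path into the schema.
REVOKE ALL ON SCHEMA hr FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA hr FROM PUBLIC;
GRANT USAGE ON SCHEMA hr TO app_readers;

-- "Can you use a view?" Expose only the columns the application needs. The view runs with
-- its owner's rights, so the application never needs SELECT on hr.employees itself.
CREATE VIEW hr.employee_directory AS
    SELECT employee_id, full_name, department, work_email FROM hr.employees;
GRANT SELECT ON hr.employee_directory TO app_readers;

-- "What about a stored procedure?" The single write the application performs is wrapped in a
-- SECURITY DEFINER function that validates its input and touches exactly one column.
CREATE FUNCTION hr.update_work_email(p_employee_id integer, p_email text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = hr, pg_temp   -- always pin search_path on SECURITY DEFINER, or a caller can hijack name lookups
AS $$
BEGIN
    IF p_email !~ '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$' THEN
        RAISE EXCEPTION 'invalid e-mail address';
    END IF;
    UPDATE hr.employees SET work_email = p_email WHERE employee_id = p_employee_id;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'unknown employee_id %', p_employee_id;
    END IF;
END;
$$;
-- Functions are executable by PUBLIC by default: revoke first, then grant to the group only.
REVOKE EXECUTE ON FUNCTION hr.update_work_email(integer, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION hr.update_work_email(integer, text) TO app_readers;

-- Audit check: what can the application role actually reach? (role membership is honoured)
SELECT has_table_privilege('claims_app', 'hr.employees', 'SELECT')            AS table_read,  -- false
       has_table_privilege('claims_app', 'hr.employee_directory', 'SELECT')   AS view_read,   -- true
       has_function_privilege('claims_app', 'hr.update_work_email(integer, text)', 'EXECUTE') AS proc_exec; -- true

-- Behavioural check from the application's point of view, without reconnecting.
SET ROLE claims_app;
SELECT full_name, work_email FROM hr.employee_directory;   -- 1 row
SELECT ssn FROM hr.employees;                              -- ERROR: permission denied for table employees
SELECT hr.update_work_email(1, 'not-an-email');            -- ERROR: invalid e-mail address
SELECT hr.update_work_email(1, 'ada.e@example.invalid');   -- succeeds, through the function only
RESET ROLE;
```

The two ERROR lines are the point: the application account can read the directory view and call the function, but has no route to ssn or salary. Where claims_app may connect from (slide 16) is not a GRANT in PostgreSQL but a pg_hba.conf rule, for example `hostssl all claims_app 10.0.1.0/24 scram-sha-256`, which pins the application account to the application-server subnet over TLS; MySQL expresses the same restriction in the account name itself (`'claims_app'@'10.0.1.%'`). DBA and individual accounts get their own rules pointing at the bastion host rather than at workstations.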
  • 17. SECURE INFRASTRUCTURE
    - Ensure you are up-to-date on OS patches
      - Free / Commercial scanners
      - Windows Update
      - *nix distro repositories
    - Don’t forget about the DB software itself!
      - MySQL authentication bypass – CVE-2012-2122
      - Oracle TNS Poisoning – CVE-2012-1675
      - SQL Server 2003 Local Administrator group

  • 18. MONITORING
    - Watch what your employees are doing
      - Built-in transaction logs or auditing solutions
      - Third-party tools
      - Database triggers
    - Have different levels of monitoring
      - Failed logins for everyone
      - All activity by privileged accounts
      - Individual account activity outside of “the norm”

  • 19. MONITORING
    - Watch for specific events
      - Access outside of the normal activity period
      - Failed login attempts
      - Returning too much sensitive data
      - Abnormally high number of requests
      - SQL injection attempts
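Slides 18 and 19 list what to monitor for; as an added example that is not the author's material, here are those checks as PostgreSQL queries (version 11 or later, for the windowed count) over a constructed audit table. The table db_audit_log, the reference tables privileged_accounts and app_known_statements, the account names, the 07:00 to 19:00 UTC activity window and the 1000-row threshold are all assumptions, and the audit rows are constructed so that each check fires on exactly the rows its comment names.

```sql
-- Added example (PostgreSQL 11+ dialect), not from the original slides.
-- Assumed: audit events already land in db_audit_log (fed by pgaudit, a log pipeline or a
-- vendor tool). Every row below is constructed to trip the checks named in its comment.
CREATE TABLE db_audit_log (
    event_time    timestamptz NOT NULL,
    username      text        NOT NULL,
    client_addr   inet        NOT NULL,
    event_type    text        NOT NULL,   -- 'login_failed' | 'login_ok' | 'query'
    statement     text,                   -- NULL for login events
    rows_returned integer                 -- NULL for login events
);
CREATE TABLE privileged_accounts (username text PRIMARY KEY);
INSERT INTO privileged_accounts VALUES ('dba_jsmith'), ('postgres');
-- Statement shapes the application is known to issue (from code review or a learning period).
CREATE TABLE app_known_statements (username text, statement text, PRIMARY KEY (username, statement));
INSERT INTO app_known_statements VALUES
  ('claims_app', 'SELECT full_name, work_email FROM hr.employee_directory WHERE employee_id = $1');

INSERT INTO db_audit_log VALUES
  -- six failed logins in four minutes from one workstation (check 1)
  ('2012-06-12 09:00:10+00', 'claims_app',  '10.9.8.7',  'login_failed', NULL, NULL),
  ('2012-06-12 09:00:40+00', 'claims_app',  '10.9.8.7',  'login_failed', NULL, NULL),
  ('2012-06-12 09:01:15+00', 'claims_app',  '10.9.8.7',  'login_failed', NULL, NULL),
  ('2012-06-12 09:02:02+00', 'claims_app',  '10.9.8.7',  'login_failed', NULL, NULL),
  ('2012-06-12 09:03:30+00', 'claims_app',  '10.9.8.7',  'login_failed', NULL, NULL),
  ('2012-06-12 09:03:55+00', 'claims_app',  '10.9.8.7',  'login_failed', NULL, NULL),
  -- ordinary daytime application traffic from the application server (trips nothing)
  ('2012-06-12 10:15:00+00', 'claims_app',  '10.0.1.20', 'query',
     'SELECT full_name, work_email FROM hr.employee_directory WHERE employee_id = $1', 1),
  -- privileged account bulk-reading Confidential columns at 02:30 from a workstation (checks 2, 3, 4)
  ('2012-06-12 02:30:00+00', 'dba_jsmith',  '10.9.8.7',  'query',
     'SELECT ssn, salary FROM hr.employees', 4800),
  -- injected statement arriving through the application account (checks 4, 5a, 5b)
  ('2012-06-12 14:05:00+00', 'claims_app',  '10.0.1.20', 'query',
     $q$SELECT * FROM hr.employee_directory WHERE department = '' OR 1=1 --$q$, 4800),
  -- individual account working at 23:45 (check 3)
  ('2012-06-12 23:45:00+00', 'analyst_bob', '10.9.8.9',  'query',
     'SELECT count(*) FROM hr.employee_directory', 1);

-- 1. Failed logins for everyone: 5 or more from one (user, source) inside a sliding 10-minute window.
SELECT * FROM (
    SELECT username, client_addr, event_time,
           count(*) OVER (PARTITION BY username, client_addr ORDER BY event_time
                          RANGE BETWEEN interval '10 minutes' PRECEDING AND CURRENT ROW) AS failures_10m
      FROM db_audit_log
     WHERE event_type = 'login_failed') f
 WHERE failures_10m >= 5;
-- Expected: the 5th and 6th attempts (09:03:30 -> 5, 09:03:55 -> 6) for claims_app from 10.9.8.7.

-- 2. All activity by privileged accounts: no threshold, every statement is reviewed.
SELECT a.event_time, a.username, a.client_addr, a.statement, a.rows_returned
  FROM db_audit_log a
  JOIN privileged_accounts p USING (username)
 WHERE a.event_type = 'query';
-- Expected: the single dba_jsmith row.

-- 3. Access outside the normal activity period (07:00 to 18:59 UTC assumed) by human accounts.
SELECT event_time, username, client_addr, statement
  FROM db_audit_log
 WHERE event_type = 'query'
   AND username <> 'claims_app'          -- applications run around the clock; people mostly do not
   AND extract(hour FROM event_time AT TIME ZONE 'UTC') NOT BETWEEN 7 AND 18;
-- Expected: dba_jsmith at 02:30 and analyst_bob at 23:45.

-- 4. Returning too much sensitive data / abnormally large result sets (threshold assumed; baseline per system).
SELECT event_time, username, statement, rows_returned
  FROM db_audit_log
 WHERE event_type = 'query' AND rows_returned > 1000;
-- Expected: the dba bulk read and the injected query, 4800 rows each.

-- 5a. SQL injection attempts, pattern-based. PostgreSQL regexes use \y for a word boundary, not \b.
SELECT event_time, username, client_addr, statement
  FROM db_audit_log
 WHERE event_type = 'query'
   AND statement ~* $re$\yor\y\s+\d+\s*=\s*\d+|\yunion\y\s+(all\s+)?select\y|--|/\*|;\s*(drop|alter|exec)\y$re$;
-- Expected: only the injected statement ('' OR 1=1 --).

-- 5b. The more robust form of "outside the norm": anything the application account sends
--     that is not one of its known parameterised statement shapes.
SELECT a.event_time, a.client_addr, a.statement
  FROM db_audit_log a
 WHERE a.event_type = 'query' AND a.username = 'claims_app'
   AND NOT EXISTS (SELECT 1 FROM app_known_statements k
                    WHERE k.username = a.username AND k.statement = a.statement);
-- Expected: only the injected statement; the known SELECT ... WHERE employee_id = $1 is allowed.
```

The pattern in 5a is deliberately crude and will also fire on legitimate comments or literal text containing "or 1=1"; treat it as a tripwire and prefer 5b, which flags any statement shape the application has never been seen to issue. The window in 1, the hours in 3 and the row threshold in 4 all need baselining per system before they go into an alerting pipeline, otherwise the "levels of monitoring" on slide 18 collapse into noise.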
  • 20. IMPLEMENTATION LIFECYCLE (same diagram as slide 13)

  • 21. HIGH-LEVEL OVERVIEW (same diagram as slide 8)

  • 22. ONGOING MANAGEMENT
    - Periodically audit completed systems
      - Work with your DBAs
      - Collaborate with internal audit
    - Keep your documentation current
      - Review updated vendor documents
      - Discuss upcoming migration plans with technology teams

  • 23. SUMMARY
    - We have to protect the data
    - Engage with the business
      - Determine their concerns
      - Address their issues
      - Become a business partner/enabler
    - Secure your most critical systems first
    - Don’t forget about the infrastructure
    - Monitor, monitor, monitor
    - Stay current

  • 25. APPENDIX 1 – STANDARDS AND POLICIES
    - Resources
      - Database Vendor
      - NIST
      - Government Agencies, e.g. NSA
      - Standards Bodies, e.g. SANS, IANS
      - International CERTs
      - Existing company documentation