6. Supply & Demand
2001
  Name, Address, DOB = £2.00
  Credit card # = £2.00
  Expiry date = £3.00
  Security Code = £3.00
  Total = £10.00
2005
  Name, Address, DOB = £1.00
  Credit card # = £1.00
  Expiry date = £1.00
  Security Code = £2.00
  Total = £5.00
2010
  Name, Address, DOB = £0.25
  Credit card # = £0.25
  Expiry date = £0.25
  Security Code = £0.25
  Total = £1.00
9. Cocktail Party Chat Up Line #1
In one week, the average person living in Britain has 3,254 pieces of personal information stored about him or her in databases.*
*Evening Standard Survey, August 2008
10. We live in societies that collect data for data's sake.
11. Cocktail Party Chat Up Line #2
The average UK citizen is in over 750 databases.*
*UK Information Commissioner's Report: "What Price Privacy?" 2009
26. Tool of Choice
• Examines:
– Every domain on the Internet
– Every web page in your application ever (cached)
• Can locate:
– Unsecured databases
– Unsecured websites, URLs
– Unsecured files & folders
27. Example:
• Oracle HTTP Servers
– Provides functionality to query the database using an HTTP form
– Accessed using the URL /isqlplus
– By default runs on any Oracle HTTP server installed with Oracle Applications Server or Oracle Database Server
• Easily identified by Google search:
– Look for Oracle HTTP servers using the "allinurl" advanced search feature
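The defender's counterpart to the slide above is to know whether anyone outside your network is reaching the /isqlplus path at all. This added example (not from the deck) parses Apache combined-format web-server logs, counts requests under /isqlplus per source address, and separates internal from external sources; the log lines and the internal address ranges are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache combined log format; addresses, times and
# user agents are made up for this example.
SAMPLE_LOG = """\
10.1.4.22 - - [12/Mar/2010:09:14:05 +0000] "GET /isqlplus HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2010:09:15:11 +0000] "GET /isqlplus/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2010:09:15:30 +0000] "POST /isqlplus/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2010:09:20:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.19"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Address ranges treated as internal (assumption; adjust to your own address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_internal(ip):
    """True when the source address falls inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def find_isqlplus_requests(log_text, path_prefix="/isqlplus"):
    """Count requests under the iSQL*Plus path per source, split by origin."""
    external, internal = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().startswith(path_prefix):
            continue
        (internal if is_internal(rec["ip"]) else external)[rec["ip"]] += 1
    return {"external": dict(external), "internal": dict(internal)}

if __name__ == "__main__":
    report = find_isqlplus_requests(SAMPLE_LOG)
    for ip, n in report["external"].items():
        print(f"ALERT: {n} request(s) to /isqlplus from external address {ip}")
```

Any entry under "external" means the interface is reachable from the Internet and is the thing to remove or restrict, whatever the request count.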
33. The Biggest Threat?
FBI/Computer Security Institute 2008:
85% of all offenders prosecuted for cyber crimes were employees of the company attacked
35. How To Steal a Database
Removable media: PDAs, USB flash drives, iPods, digital cameras, gaming consoles, writable CDs and DVDs, etc.
Unauthorised connections: wireless, Bluetooth, infrared, mobile connections, modems, peer-to-peer, etc.
Unauthorised output devices: printers, faxes, photocopiers, etc.
Unauthorised applications: MSN chat, web mail, malware, trojans, key loggers, etc.
Unauthorised application use: file, print, save as, print screen, cut & paste, file sharing, search, import/export, rename, etc.
36. Driving Forces
Demand for Pervasive Access
  From any place…
  By anyone…
  Via any application…
  Increase in remote & 3rd party connections
  Result: increase of privileged users
Uncertain Economic Conditions
  Restructuring, downsizing, mergers, acquisitions…
  Increase in disgruntled employees
  Increased understanding that data = cash
  Result: increase in database thefts
Compliance Requirements
  Data apps must meet: Confidentiality, Integrity, Availability
  Compliance programs must be: Transparent, Repeatable, Demonstrable
  Result: compliance demands increase in privileged users
37. Our Research
• Analysed 200,000+ hours of user activity
• Monitored database access for: "open", "copy", "paste", "save as", "convert", "send", "print", "attach" and file transfer activity
• Carried out over 24 months
• Identified who, what, where & when
• Entitled "Inside Out"
40. Summary Findings
• 68% of thefts linked to mobile rather than fixed desktop systems.
• IT and Customer Services Departments had the highest number of thefts.
• 98% male
• 79% of incidents occurred on Fridays between 3 and 5PM.
• Applications most favoured to remove data were identified as web mail, instant messaging (IM) and social networking web sites.
• The top 4 theft vectors were identified as mobile devices, web mail, removable media and corporate email.
• All instances identified could have been prevented. Existing corporate security policies were not implemented, monitored or enforced.
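The findings on slides 37 and 40 translate directly into a triage rule for the monitored activity feed: weight the "save as" / "send" / "attach" class of actions, the favoured removal channels, mobile systems, and the Friday 3-5PM window. This added example (not the research's own tooling) scores constructed activity events that way; the weights, field names and sample events are assumptions chosen for illustration.

```python
from datetime import datetime

# Scoring weights are assumptions for this example; they encode the deck's
# findings (mobile systems, Friday 3-5PM, web mail / IM / social networking /
# removable media as removal channels) rather than any published model.
RISKY_ACTIONS = {"copy", "paste", "save as", "convert", "send", "print", "attach", "export"}
EXFIL_CHANNELS = {"webmail", "im", "social networking", "removable media"}

def risk_score(event):
    """Score one monitored event.

    event keys: user, action, channel, device ("mobile" or "fixed"), ts (ISO 8601).
    Returns (score, reasons) so an analyst can see why an event was flagged.
    """
    score, reasons = 0, []
    if event["action"] in RISKY_ACTIONS:
        score += 2
        reasons.append("data-removal action")
    if event["channel"] in EXFIL_CHANNELS:
        score += 3
        reasons.append("favoured exfiltration channel")
    if event["device"] == "mobile":
        score += 1
        reasons.append("mobile rather than fixed system")
    ts = datetime.fromisoformat(event["ts"])
    if ts.weekday() == 4 and 15 <= ts.hour < 17:   # Friday, 15:00-16:59
        score += 2
        reasons.append("Friday 3-5PM window")
    return score, reasons

def triage(events, threshold=5):
    """Return (user, score, reasons) for events at or above the threshold, highest first."""
    flagged = []
    for e in events:
        score, reasons = risk_score(e)
        if score >= threshold:
            flagged.append((e["user"], score, reasons))
    return sorted(flagged, key=lambda f: f[1], reverse=True)

# Constructed sample events; 2010-03-12 is a Friday.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "save as", "channel": "webmail", "device": "mobile", "ts": "2010-03-12T16:10:00"},
    {"user": "bob", "action": "open", "channel": "sql client", "device": "fixed", "ts": "2010-03-10T10:00:00"},
    {"user": "carol", "action": "print", "channel": "printer", "device": "fixed", "ts": "2010-03-12T15:45:00"},
]

if __name__ == "__main__":
    for user, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{user}: score {score} ({', '.join(reasons)})")
```

The reasons list matters more than the number: it lets the reviewer tell a month-end report apart from an export to web mail from a laptop on a Friday afternoon.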
41. 5 Factors Leading to Compromise
1. Ignorance
2. Poor password management
3. Rampant account sharing
4. Unfettered access to data
5. Excessive portability of data
42. Start: Find Your Database
Data
• Network?
• End Users
• Remote Users
• 3rd Parties?
• Contractors
• Other locations: printers, photocopiers, scanners, faxes, audio recordings…
43.
Endpoint: Laptop / Desktop, Server, CD / DVD, USB, iPod, Memory Stick, PCMCIA, Memory Card Readers
Endpoint Communication: Bluetooth, Infrared, Firewire, Serial / Parallel Ports
Data-At-Rest: Databases, File Systems, File Servers, NAS, SANs / iSCSI Storage, Virtual Machine, Voice Mail, Video Surveillance
Data-In-Motion: E-Mail, HTTP/S, SSH, FTP, IM, VoIP, P2P, Blogs
Physical: Printers, Backup Tapes / CD / DVD, Laptop / Desktop / Server, Fax, Photocopier, Mobile Phone / PDA, Digital Camera (incl. Mobile Phone Cameras), Incorrect Disposal, Printed Reports
Other Threat Vectors: Piggybacking, Dumpster (Skip) Diving, Social Engineering, Contractors, Road Apple, Eavesdropping, Screen Scrapers, Data Loss Trojans, Key Loggers, Phishing / Spear Phishing
44. Get a Grip
• Do you have a Database Security Policy?
• Can you monitor all DB access?
– Who did what, from where, and when…
– What was accessed?
– Did it violate the data permissions policy?
– Was it a month-end report or theft of millions of records?
• Are your systems hardened?
– Tamper-resistant
– Tamper-evident
– Compliant with segregation of duties
46. Top 10 Best Practices
1. Access and Authentication Auditing
• Determine who accessed which systems, when, and how
2. User and Administrator Auditing
• Determine what activities were performed in the database by both users and administrators
3. Security Activity Alerting
• Identify and flag any suspicious, unusual or abnormal access to sensitive data or critical systems
4. Vulnerability Assessment and Threat Monitoring
• Assess your database applications for known vulnerabilities
• Alert in real time on users attempting to exploit these vulnerabilities
• Alert in real time on any other suspicious, unusual or otherwise "abnormal" access
47. Best Practices
5. Database Activity Monitoring
• Determine who accessed which systems, when, and how
• Determine what they did (both users and administrators)
• Understand where the threat / risk originates and deploy the appropriate solution to defend against such threats
6. Change Auditing
Establish a baseline policy for the database (configuration, schema, users, privileges and structure), then track deviations from that baseline.
7. Data classification scheme (locate, mark, define handling and storage requirements)
8. Database access included in information security policies
9. Information & awareness (appropriate use agreements)
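Change auditing (item 6) is a baseline-and-diff problem. This added example, not part of the deck, snapshots every object's DDL from an SQLite catalogue, applies some constructed post-baseline changes, and reports what was added, dropped or altered; it assumes SQLite only because it runs offline, and the same compare applies to exported user and privilege catalogue rows on other engines.

```python
import sqlite3

def snapshot(conn):
    """Map 'type:name' -> DDL for every object in the database.

    SQLite has no users or grants, so this tracks tables, indexes, views and
    triggers; the same compare applies to user/privilege catalogue views on
    other engines (assumption: the operator exports those to the same shape).
    """
    rows = conn.execute(
        "SELECT type || ':' || name, sql FROM sqlite_master WHERE sql IS NOT NULL"
    ).fetchall()
    return dict(rows)

def deviations(baseline, current):
    """Objects added, dropped or altered relative to the baseline snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "dropped": sorted(set(baseline) - set(current)),
        "altered": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }

def demo():
    """Take a baseline, apply constructed unauthorised changes, report deviations."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, card_no TEXT);
        CREATE INDEX idx_name ON customers(name);
        CREATE VIEW v_names AS SELECT name FROM customers;
    """)
    baseline = snapshot(conn)
    # Constructed changes made after the baseline: a view removed, a copy of the
    # card data created, and a column added to the table holding card data.
    conn.executescript("""
        DROP VIEW v_names;
        CREATE TABLE card_dump AS SELECT name, card_no FROM customers;
        ALTER TABLE customers ADD COLUMN exported INTEGER DEFAULT 0;
    """)
    return deviations(baseline, snapshot(conn))

if __name__ == "__main__":
    for kind, objs in demo().items():
        print(f"{kind}: {objs}")
```

Store the baseline outside the database it describes, otherwise whoever can alter the schema can alter the baseline to match.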