Data = cash so databases are banks.

1. Database Theft

2. A simple, easy to use, online, B2B procurement portal for
purchasing products and services to secure your data.

3. According to …
In 2011 reported database thefts increased
37% from the previous year.
May 20012

4. Why ?

6. Supply & Demand
2001
Name, Address DOB = £2.00
Credit card # = £2.00
Expiry date = £ 3.00
Security Code = £3.00 2005
Total = £10.00 Name, Address DOB = £1.00
Credit card # = £1.00
Expiry date = £ 1.00
2010
Security Code = £2.00
Name, Address DOB = £.25
Total = £5.00
Credit card # = £.25
Expiry date = £ .25
Security Code = £.25
Total = £1.00

9. Cocktail Party Chat Up Line
#1
In one week, the average person living in Britain
has 3,254 pieces of personal information stored
about him or her in databases.*
*Evening Standard Survey August 2008

10. We live in
societies that
collect data for
data’s sake.

11. Cocktail Party Chat Up Line
#2
The average UK citizen is in over 750 databases.*
*UK Information Commissioner's' Report: “What Price Privacy?” 2009

12. Our Births, Marriages &
Deaths

13. Our Family

14. Our Ancestors

15. Our Preferences

16. Get a Life...

17. Our Credit

18. Our Friends

19. Our Enemies

20. Our Love Lives

21. Our Web Lives

22. Our Retirement

23. Our Deaths

24. Your identity data
is big business.

25. How Do You Find One?

26. Tool of Choice
• Examines:
– Every domain on the Internet
– Every web page in your
application ever (cached)
• Can locate:
– Unsecured databases
– Unsecured websites, URLs
– Unsecured files & folders

27. Example:
• Oracle HTTP Servers
– Provides functionality to query database using an HTTP
form
– Accessed using the URL /isqlplus
– By default runs on any Oracle HTTP server installed with
Oracle Applications Server or Oracle Database Server
• Easily identified by Google search:
– Look for Oracle HTTP servers using the “allinurl”
advanced search feature

28. Using Advanced Search

29. Search Results

30. Default
Username/Password

31. You’re In

32. Then Execute Any Query

33. The Biggest Threat?
FBI/Computer Security Institute 2008:
85% of all offenders prosecuted for cyber crimes were
employees of the company attacked

35. How To Steal a Database
Removable media: PDAs, USB flash drives, iPods – digital cameras,
gaming consoles, write-able CDs DVDs etc.
Unauthorised connections: wireless, Bluetooth, infrared mobile
connections, modems, peer-to-peer, etc.
Unauthorised output devices: printers, faxes, photo copiers, etc
Unauthorised applications: MSN chat, web mail, malware, trojans,
key loggers, etc.
Unauthorised applications use: file, print, save as, print screen,
cut & paste, file sharing, search, import/export, print, rename etc.

36. Driving Forces
Demand for Pervasive Access
Uncertain Economic Conditions
 From any place…
 Restructuring, downsizing, mergers,
 By anyone… acquisitions…
 Via any application…  Increase in disgruntled employees
 Increase in remote & 3rd party  Increased understanding that data = cash
connections
Result: increase in database thefts
Result: increase of privileged users
Compliance Requirements  Compliance programs must be:
 Data apps must meet:  Transparent
 Confidentiality  Repeatable
 Integrity  Demonstrable
 Availability
Result: compliance demands increase in privileged users

37. Our Research
• Analysed 200,000+ hours of user activity
• Monitored database access for: “open”, “copy”,
“paste”, “save as”, “convert”, “send”, “print”, “attach”
and file transfer activity
• Carried out over 24 months
• Identified the who, what where & when
• Entitled “Inside Out”

38. Who?

39. How?

40. Summary Findings
• 68% theft linked to mobile rather than fixed desktop systems.
• IT and Customer Services Departments highest number thefts.
• 98% male
• 79% incidents occurred on Fridays between 3 and 5PM.
• Applications most favoured to remove data were identified as web mail,
instant messaging (IM) and social networking web sites.
• The top 4 theft vectors were identified as mobile devices, web mail,
removable media and corporate email.
• All instances identified could have been prevented. Existing corporate
security policies were not implemented, monitored or enforced.

41. 5 Factors Leading to
Compromise
1. Ignorance
2. Poor password management
3. Rampant account sharing
4. Unfettered access to data
5. Excessive portability of data

42. Start: Find Your Database
Data
• Network?
• End Users
• Remote Users
• 3rd Parties?
• Contractors
• Other locations: printers,
photocopiers, scanners,
faxes, audio recordings…

43. Laptop / Desktop
Server
CD / DVD
Piggybacking
USB iPod
Dumpster (Skip) Diving
Social Engineering Memory Stick
Contractors
Road Apple PCMCIA
Eavesdropping Memory Card Readers
Bluetooth
Endpoint
Communication Infrared
Databases
Firewire
File Systems
Serial / Parallel Ports
File Servers
NAS Data-At-Rest Virtual Machine
SANs / iSCSI Storage Screen Scrapers
Voice Mail Data Loss Trojans
Other Threat Vectors
Video Surveillance Key Loggers
Phishing / Spear Phishing
E-Mail
HTTP/S Printers
SSH Backup Tapes / CD / DVD
FTP Laptop / Desktop / Server
Data-In-Motion
IM Fax
VoIP
Physical Photocopier
P2P Mobile Phone / PDA
Blogs Digital Camera (incl. Mobile Phone Cameras)
Incorrect Disposal
Printed Reports

44. Get a Grip
• Do you have a Database Security Policy?
• Can you monitor all DB access?
– Who did what, from where, and when…
– What was accessed?
– Did it violate the data permissions policy?
– Was it a month-end report or theft of millions of records?
• Are your systems hardened?
– Tamper-resistant
– Tamper-evident
– Compliant with segregation of duties

45. Apply the vulnerability management
lifecycle...
• Determine risk
• Establish inventory
• Prioritize based on-
• Identify vulnerabilities
- Vulnerabilities
• Identify privileged users
- Threat
• Define Policies
- Asset
classification
• Monitor: Users,
Access, Activity,
Misuse, Policy • Eliminate high-priority
Violations vulnerabilities
• Track & Audit • Establish controls
Changes & eliminate root cause
• Baseline compliance • Demonstrate progress
• Monitor
Vulnerabilities &

46. Top 10 Best Practices
1. Access and Authentication Auditing
• Determine who accessed which systems, when, and how
2. User and Administrator Auditing
• Determine what activities were performed in the database by both
users and administrators
3. Security Activity Alerting
• Identify and flag any suspicious, unusual or abnormal access to
sensitive data or critical systems
4. Vulnerability Assessment and Threat Monitoring
• Assess your database applications for known vulnerabilities
• Alert in real-time users attempting to exploit these vulnerabilities
• Alert in real time any other suspicious, unusual or other “abnormal”
access

47. Best Practices
5. Database Activity Monitoring
• Determine who accessed which systems, when, and how
• Determine what they did (both users and administrators)
• Understand where the threat / risk originates and deploy the appropriate
solution to defend against such threats
6. Change Auditing
 Establish a baseline policy for database; configuration, schema, users,
privileges and structure, then track deviations from that baseline.
7. Data classification scheme (locate, mark, define handling storage
requirements)
8. Database access included in information security policies
9. Information & awareness (Appropriate use agreements)

48. Best Practices
10. Delete any/all data associated with me
PLEASE !

49. 26 Dover Street
London
United Kingdom
W1S 4LY
+44 (0)20 3586 1025
+44 (0)20 7763 7101(fax)