Database Security and Compliance
Ron Ben-Natan, IBM Distinguished Engineer
CTO for Data Security, Compliance and Optimization




                                     © 2012 IBM Corporation
Database Security in the Forefront
  • Data loss prevention
  • Compliance requirements
  • Mature best practices

  7 Steps
  • Hardening
  • Assessing
  • Classifying
  • Monitoring
  • Auditing
  • Enforcing
  • Encrypting

    2
Which types of information assets are compromised?




    3
The “Unknown” Factor




   4
Requirements/Initiatives

  [Diagram: Discovery & Classification]
  Drivers on the left: SOX, PCI, DPD, Basel II, GLBA, Security Breaches, Sep. of duties, ...
  Infrastructure at the bottom: Hosts, Databases, Applications
  Scoping: Database Discovery and Data Classification produce the Scope & Technical Requirements
  Downstream phases on the right: Assessing, Auditing, Protecting

 5
Example 1 - ANY System Privileges
  • Oracle has over 100 system privileges
  • Nearly every ANY system privilege can be used by an attacker to assume DBA privileges:
    – EXECUTE ANY PROCEDURE
      • There are many procedures within the SYS schema that run with definer rights – so if I can run them I can assign myself privileges
          exec sys.dbms_repact_sql_util.do_sql('grant dba to ronb', true);
          exec sys.dbms_streams_rpc.execute_stmt('grant dba to ronb');
          exec sys.ltadm.executesql('grant dba to ronb');

    – CREATE ANY VIEW
      • I'll create a procedure that gives me DBA privileges running with invoker rights
      • I'll create a view in the SYSTEM schema that will run the procedure
      • I'll convince a DBA to access the view

    – CREATE ANY TRIGGER
      • I'll create a procedure that grants me DBA, running with invoker rights
      • Pick a user with DBA privileges
      • Pick a table within that user schema for which PUBLIC has some privileges (e.g. SELECT)
      • I'll define a trigger on the privilege that PUBLIC has (e.g. SELECT) that calls the procedure
      • I'll access the object (since I'm using a PUBLIC privilege)
      • I now have DBA privileges! (the trigger runs as the schema owner)
     6
Example 2 – UTL_FILE
  file_name := utl_file.fopen(<dir>, <file name>, 'w');
  utl_file.put_line(file_name, 'abcdefgh', true);
  utl_file.fclose(file_name);
  The ability to write files to the OS is a very dangerous thing
    • Runs with the database instance owner privileges
    • Can be used to delete audit files
    • Can be used to delete or corrupt a data file – including the SYSTEM tablespace
    • Can use it to change config files
    • Can use it to write a .rhosts file to allow access to the OS
    • Can use it to write to .cshrc or .login for the oracle OS account
    • Can use it to write a login.sql or glogin.sql file to cause a SQL command to be called with privileges of a DBA

    7
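As an added defensive check for Examples 1 and 2 (this is not code from the deck or from IBM Guardium), the script below reads a constructed export of the Oracle DBA_SYS_PRIVS and DBA_TAB_PRIVS catalog views and flags the two conditions those examples depend on: ANY system privileges held by accounts outside the trusted DBA grantees, and EXECUTE on SYS.UTL_FILE granted to PUBLIC or to individual accounts. The CSV rows, the TRUSTED_ROLES set and the OS_ACCESS_PACKAGES watch list are assumptions made for the example.

```python
import csv
import io

# Constructed sample rows shaped like DBA_SYS_PRIVS and DBA_TAB_PRIVS
# exports. The grantees and grants are made up for this example.
SYS_PRIVS_CSV = """GRANTEE,PRIVILEGE,ADMIN_OPTION
DBA,EXECUTE ANY PROCEDURE,YES
DBA,CREATE ANY VIEW,YES
APP_DEPLOY,EXECUTE ANY PROCEDURE,NO
REPORT_USER,CREATE ANY TRIGGER,NO
REPORT_USER,CREATE SESSION,NO
BATCH,CREATE TABLE,NO
"""

TAB_PRIVS_CSV = """GRANTEE,OWNER,TABLE_NAME,PRIVILEGE
PUBLIC,SYS,UTL_FILE,EXECUTE
BATCH,SYS,UTL_FILE,EXECUTE
BATCH,SYS,DBMS_OUTPUT,EXECUTE
REPORT_USER,HR,EMPLOYEES,SELECT
"""

# Hypothetical watch list: UTL_FILE writes to the OS as the instance owner.
OS_ACCESS_PACKAGES = {"UTL_FILE"}
# Hypothetical set of grantees that are expected to hold ANY privileges.
TRUSTED_ROLES = {"DBA", "SYS", "SYSTEM"}


def find_any_privilege_grants(sys_privs_csv, trusted=TRUSTED_ROLES):
    """Return (grantee, privilege) pairs where a non-trusted grantee holds
    an ANY system privilege; each is a route to DBA as Example 1 shows."""
    findings = []
    for row in csv.DictReader(io.StringIO(sys_privs_csv)):
        priv = row["PRIVILEGE"].upper()
        if "ANY" in priv.split() and row["GRANTEE"].upper() not in trusted:
            findings.append((row["GRANTEE"], priv))
    return findings


def find_os_package_grants(tab_privs_csv, packages=OS_ACCESS_PACKAGES):
    """Return (grantee, package) pairs with EXECUTE on SYS packages that
    reach the OS. A grant to PUBLIC means every account inherits it."""
    findings = []
    for row in csv.DictReader(io.StringIO(tab_privs_csv)):
        if (row["OWNER"].upper() == "SYS"
                and row["TABLE_NAME"].upper() in packages
                and row["PRIVILEGE"].upper() == "EXECUTE"):
            findings.append((row["GRANTEE"], row["TABLE_NAME"].upper()))
    return findings


def report(sys_privs_csv, tab_privs_csv):
    """Combine both checks; PUBLIC grants are listed first so that they
    are reviewed (and revoked) first."""
    any_grants = find_any_privilege_grants(sys_privs_csv)
    pkg_grants = sorted(find_os_package_grants(tab_privs_csv),
                        key=lambda g: g[0] != "PUBLIC")
    lines = [f"ANY privilege held by {g}: {p}" for g, p in any_grants]
    lines += [f"EXECUTE on SYS.{p} granted to {g}" for g, p in pkg_grants]
    return lines


if __name__ == "__main__":
    for line in report(SYS_PRIVS_CSV, TAB_PRIVS_CSV):
        print(line)
```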
Assessing & Securing

  [Diagram: Assessing]
  Scope & Technical Requirements feed Vulnerability Assessment, Configuration Assessment and Behavioral Assessment
  These produce Security Recommendations and a Secure Configuration
  Change Tracking (CAS) of that configuration yields Proven Config Compliance

        8
Complexity
 “Though some movie plots would have us believe otherwise, cyber attacks in the real world rarely involve
 Mission Impossible-like scenarios. Quite the opposite, in fact.”




     9
Example 3 - Passwords
  • Spida
    – Microsoft SQL Server
    – Empty sa password
    – Xp_cmdshell
    – Propagation
    – Made it to 4th place in SANS “Top Ten”

  • APPS/APPS

  WebLogic connection pool properties:
    weblogic.jdbc.connectionPool.eng=
     url=jdbc:weblogic:oracle,
     driver=weblogic.jdbc.oci.Driver,
     loginDelaySecs=2,
     initialCapacity=50,
     capacityIncrement=10,
     maxCapacity=100,
     props=user=scott,password=tiger,server=ORCL

  iAS resource descriptor:
    <ias-resources>
      <jdbc>
        <database>ORCL</database>
        <datasource>ORCL</datasource>
        <username>scott</username>
        <password>tiger</password>
        <driver-type>ORACLE_OCI</driver-type>
      </jdbc>
    </ias-resources>

  OLE DB connection string:
    Provider=SQLOLEDB;
    Data Source=192.168.1.32;
    Initial Catalog=Northwind;
    User ID=sa;
    Password=sapwd;
      10
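As an added example (not code from the deck), the scanner below parses the three configuration formats shown on this slide, WebLogic pool properties, the iAS XML descriptor and an OLE DB connection string, and classifies each embedded credential as an empty password (the Spida case), a well-known default (scott/tiger, APPS/APPS) or plain cleartext. The fragments are constructed copies of the slide's samples and the KNOWN_DEFAULTS list is an assumption for the example.

```python
import re

# Constructed copies of the slide's configuration fragments; the host and
# passwords are the slide's sample values, not real systems.
WEBLOGIC_PROPS = """weblogic.jdbc.connectionPool.eng=
 url=jdbc:weblogic:oracle,
 driver=weblogic.jdbc.oci.Driver,
 props=user=scott,password=tiger,server=ORCL
"""

IAS_XML = """<ias-resources>
  <jdbc>
    <database>ORCL</database>
    <username>scott</username>
    <password>tiger</password>
  </jdbc>
</ias-resources>
"""

OLEDB_CONN = ("Provider=SQLOLEDB;Data Source=192.168.1.32;"
              "Initial Catalog=Northwind;User ID=sa;Password=sapwd;")

# Hypothetical list of default account/password pairs the slides mention,
# plus the empty sa password that Spida exploited.
KNOWN_DEFAULTS = {("scott", "tiger"), ("apps", "apps"), ("sa", "")}

# One pattern per format: key=value properties, XML elements and
# semicolon-delimited connection strings.
PATTERNS = [
    ("properties", re.compile(
        r"\buser=(?P<user>[^,\s]*),password=(?P<pw>[^,\s]*)")),
    ("xml", re.compile(
        r"<username>(?P<user>[^<]*)</username>\s*"
        r"<password>(?P<pw>[^<]*)</password>", re.S)),
    ("connstring", re.compile(
        r"User ID=(?P<user>[^;]*);\s*Password=(?P<pw>[^;]*);?", re.I)),
]


def find_credentials(text):
    """Return (format, user, password, verdict) tuples for every credential
    found; verdict is 'empty password', 'known default' or 'cleartext'."""
    findings = []
    for fmt, pat in PATTERNS:
        for m in pat.finditer(text):
            user, pw = m.group("user"), m.group("pw")
            if pw == "":
                verdict = "empty password"
            elif (user.lower(), pw.lower()) in KNOWN_DEFAULTS:
                verdict = "known default"
            else:
                verdict = "cleartext"
            findings.append((fmt, user, pw, verdict))
    return findings


def scan_all(named_texts):
    """Scan several configuration fragments; returns {name: findings}."""
    return {name: find_credentials(text) for name, text in named_texts.items()}


if __name__ == "__main__":
    samples = {"weblogic": WEBLOGIC_PROPS, "ias": IAS_XML, "oledb": OLEDB_CONN}
    for name, hits in scan_all(samples).items():
        for fmt, user, _pw, verdict in hits:
            print(f"{name}: {fmt} user={user!r} -> {verdict}")
```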
Example 4 - Buffer Overflow Attacks




        Sapphire worm/SQL Slammer
               “Zero-day attack”




   11
Monitoring & Auditing

  [Diagram: Monitoring & Auditing]
  Scope & Technical Requirements define the Auditing Policy
  The policy drives Privileged User Monitoring & Auditing and Application Monitoring
  These produce Audit Trails used for Investigation Support, Data Access Investigation and Audit Compliance

     12
Compliance – Many Regulations – Internal & External




   13
Breach Discovery




   14
15
More Oracle Performance tests
     • Sun E6500
     • 28 CPUs, 28 GB
     • 100 concurrent connections
        – Each doing inserts (real application table, with indexes etc.)
        – 100 ms delay between each insert




16
Before Any Auditing
      Throughput – Approximately 19,000 inserts per minute

     last pid: 21715; load averages: 7.27, 4.66, 3.41                               10:29:02
     271 processes: 269 sleeping, 2 on cpu
     CPU states: 66.3% idle, 25.3% user, 2.6% kernel, 5.8% iowait,          0.0% swap
     Memory: 26G real, 20G free, 4885M swap in use, 32G swap free

       PID   USERNAME LWP PRI NICE SIZE     RES   STATE   TIME     CPU   COMMAND
     15044   oracle10 12 49      0 2137M   965M   sleep   1:17   0.34%   oracle
     20904   oracle10   1 59     0 2123M   970M   sleep   0:15   0.31%   oracle
     20773   oracle10   1 39     0 2124M   971M   sleep   0:16   0.31%   oracle
     20932   oracle10   1 59     0 2123M   970M   sleep   0:14   0.31%   oracle
     21008   oracle10   1 59     0 2123M   971M   sleep   0:13   0.31%   oracle
     20946   oracle10   1 59     0 2123M   971M   sleep   0:13   0.31%   oracle
     20789   oracle10   1 59     0 2123M   970M   sleep   0:16   0.30%   oracle
     20873   oracle10   1 59     0 2123M   971M   sleep   0:15   0.30%   oracle
     20958   oracle10   1 54     0 2123M   971M   sleep   0:13   0.30%   oracle
     21004   oracle10   1 59     0 2123M   970M   sleep   0:13   0.30%   oracle
     20795   oracle10   1 59     0 2123M   970M   sleep   0:15   0.30%   oracle
     21002   oracle10   1 59     0 2123M   971M   sleep   0:13   0.30%   oracle
     20867   oracle10   1 53     0 2124M   972M   sleep   0:15   0.29%   oracle




17
Oracle with Standard Auditing
  • Throughput – Approximately 13,000 inserts per minute
    – 30% drop in throughput
  • Load average almost double
         last pid: 7622; load averages: 14.51, 9.90, 8.72                                11:32:32
         271 processes: 269 sleeping, 2 on cpu
         CPU states: 28.2% idle, 66.5% user, 3.0% kernel, 2.3% iowait,       0.0% swap
         Memory: 26G real, 19G free, 4930M swap in use, 32G swap free

           PID   USERNAME LWP PRI NICE SIZE    RES STATE   TIME     CPU   COMMAND
          4036   oracle10   1 59     0 2124M 1239M sleep   1:13   0.65%   oracle
          4082   oracle10   1 59     0 2124M 1239M sleep   1:12   0.65%   oracle
          4086   oracle10   1 59     0 2124M 1239M sleep   1:12   0.65%   oracle
          4055   oracle10   1 55     0 2124M 1239M sleep   1:13   0.64%   oracle
          4034   oracle10   1 59     0 2124M 1239M sleep   1:12   0.64%   oracle
          4139   oracle10   1 59     0 2124M 1239M sleep   1:12   0.64%   oracle
          4174   oracle10   1 53     0 2124M 1239M sleep   1:11   0.64%   oracle
          4162   oracle10   1 59     0 2124M 1239M sleep   1:11   0.64%   oracle
          3927   oracle10   1 35     0 2124M 1239M sleep   1:09   0.64%   oracle
          4078   oracle10   1 51     0 2124M 1239M sleep   1:09   0.63%   oracle
          4010   oracle10   1 59     0 2124M 1239M sleep   1:12   0.61%   oracle
          3947   oracle10   1 59     0 2124M 1239M sleep   1:12   0.61%   oracle
          3939   oracle10   1 23     0 2124M 1239M sleep   1:13   0.61%   oracle
          4119   oracle10   1 59     0 2124M 1239M sleep   1:10   0.61%   oracle
          4020   oracle10   1 41     0 2124M 1239M sleep   1:11   0.60%   oracle


18
Database Activity Monitoring - DAM
  • Other reasons to look beyond native Auditing
    – Heterogeneous support
    – Easier to deploy and manage
    – IPC interception to avoid impact to the database
    – Functionality/Maturity
      • Security and Auditing
        – Assessments
        – Policies
        – Change management
        – Audit (as opposed to auditing)
      • Automation
      • Compliance packages
    – Independence of the audit trail
    – Separation of duties
    – Allows security functions such as prevention and redaction

19
Protecting

  [Diagram: Security Monitoring & Data Protection]
  Scope & Technical Requirements feed Monitoring & Anomaly Detection, Data Access Protection, Data Extrusion Protection and Privileged User Access Control
  Outputs: Violations & Incidents, Remediation, Access Compliance

       20
IBM Guardium - Addressing the Full Lifecycle




21
Scalable Multi-Tier Architecture

  [Diagram]
  Monitored environments: Data Center 1, Data Center 2 (including IBM System z) and Development, Test & Training (alongside Optim)
  On each monitored host: Host-Based Probe (S-TAP) and Data-Level Access Control (S-GATE)
  Collectors receive the probe traffic and feed the Central Policy Manager & Audit Repository
  Integration with LDAP/AD, IAM, Change Management, SIEM, Archiving, etc.

         22
Thank you!




23

Do you know where your data is - and who has access to it? Ron Ben Natan, IBM US
