What? Me, Worry? I've Already Been Hacked. Haven't You?

Similar documents
SQL Injection. The ability to inject SQL commands into the database engine through an existing application

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Securing and Accelerating Databases In Minutes using GreenSQL

SECURING APACHE : THE BASICS - III

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Security and Control Issues within Relational Databases

Database security issues PETRA BILIĆ ALEXANDER SPARBER

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

The New PCI Requirement: Application Firewall vs. Code Review

Top 10 Database. Misconfigurations.

McAfee Database Security. Dan Sarel, VP Database Security Products

Protecting Sensitive Data Reducing Risk with Oracle Database Security

A Decision Maker s Guide to Securing an IT Infrastructure

Data Breaches and Web Servers: The Giant Sucking Sound

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations

CMP3002 Advanced Web Technology

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

SQL Injection January 23, 2013

The Top Web Application Attacks: Are you vulnerable?

Analysis of SQL injection prevention using a proxy server

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Where every interaction matters.

Oracle Corporation

ICTN Enterprise Database Security Issues and Solutions

2012 Data Breach Investigations Report

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

How To Protect A Web Application From Attack From A Trusted Environment

Database Security and Auditing: Leading Practices. Rob Barnes Director, Enterprise Auditing Solutions Application Security, Inc.

Hacking databases for owning your data. Cesar Cerrudo Esteban Martinez Fayo Argeniss (

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

IP Application Security Manager and. VMware vcloud Air

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

An Anatomy of a web hack: SQL injection explained

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

IJMIE Volume 2, Issue 9 ISSN:

Web Application Security

Why The Security You Bought Yesterday, Won t Save You Today

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

SANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security

Hayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

5 Simple Steps to Secure Database Development

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Application and Database Security with F5 BIG-IP ASM and IBM InfoSphere Guardium

Securing SharePoint 101. Rob Rachwald Imperva

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Rational AppScan & Ounce Products

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Oracle Audit Vault and Database Firewall

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

WordPress Security Scan Configuration

Lecture 15 - Web Security

Last update: February 23, 2004

Web Application Security 101

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Database Security Guide

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

10 Things Every Web Application Firewall Should Provide Share this ebook

Complete Database Security. Thomas Kyte

MySQL Security: Best Practices

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Web Application Security

Comprehensive Approach to Database Security

Hacking Database for Owning your Data

74% 96 Action Items. Compliance

Is your business prepared for Cyber Risks in 2016

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

Passing PCI Compliance How to Address the Application Security Mandates

Guidelines for Web applications protection with dedicated Web Application Firewall

Application Security Best Practices. Wally LEE Principal Consultant

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Basic & Advanced Administration for Citrix NetScaler 9.2

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

How to Audit the Top Ten E-Business Suite Security Risks

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

SQL Injection. Sajjad Pourali CERT of Ferdowsi University of Mashhad

How Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant

GFI White Paper PCI-DSS compliance and GFI Software products

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Web App Security Audit Services

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Transcription:

What? Me, Worry? I've Already Been Hacked. Haven't You? David Maman Co-Founder, CTO GreenSQL Session ID: Session Classification: DSP-F43 General Interest

#1 Global Security Challenge Sophisticated attacks: - executed by financially-motivated cybercriminals, state- sponsored espionage groups, hacktivists and insiders/privileged users Information theft In 2011 174M Records Exposed in the USA. The average cost of a data breach $214 per record (Source: DataLossDB, Ponemon Institute, 2010, Verizon - 2012 Data Breach Investigations Report). Compliance - 96% of victims subject to PCI Dss had not achieved compliance (Source: Verizon - 2012 Data Breach Investigations Report) FBI - Organized data theft bigger criminal industry than drug trading (source FBI) 2011 database servers accounted for 96% of all records breached. (Source: Verizon - 2012 Data Breach Investigations Report)

It s not getting any better Jun 2012 - Amazon s Zappos.com - data breach exposed personal information of 24 million customers. (Amazon acquired Zappos for more than $1 billion.) Feb 2012 - University of North Carolina, 350,000 records, exposed Social Security numbers and financial information online March 2012 - VISA and MasterCard alerted banks about a recent breach at a Global Payment Systems. 7 million records, including 1.5 million credit cards April 2012 - South Carolina Health and Human Services 228,435 records of patient records, including Medicaid ID numbers

It s not getting any better May 2012 University of Nebraska breach - 654,000 Social Security numbers, addresses, grades, financial aid information for current and former NU students May 2012 University of Nebraska Breach Highlights Education In Crosshairs Database containing 654,000 exposed June 2012 - LinkedIn reported a breach of at least 6.5 Million passwords. July 2012 KT Mobile(South Korea) 8.7 million customer records stolen Sep 2012 - Saudi Arabia's national oil company Most of the databases Nov 2012 - Adobe 150,000 User Accounts Exposed

Motivation for Database Security

User connections Automated connections Who uses the Database? App Integration Interconnect Data Integration Data load/unload Replication Testing Reporting servers ETL Financial data HR data Backup Database Private data Customer data Monitoring High privileged users Administrators Casual users Application Users

Threats.. External users File Server 2 Internal users 3 Administrators and Developers 1 Firewall Types of threats: Load Balancer 1.SQL Injection, stolen password, brut-force 2.Weak passwords, brut-force 3.Data and audit log tampering 4.Vulnerabilities, password exposed 5.Weak AAA and database security 6.Tapes stolen/lost Web Server & WAF 4 App Server ERP 5 Database 6 Backups Insider threats a concern: 80% of threats come from insiders 75% of internal threats are undetected 25% of enterprises detected security breaches 60% of data loss/corruption caused by human error

Information Theft Hackers have become professional Business models finance them Pricelist SQL Injection attacks are becoming increasingly sophisticated and difficult to prevent SQL Injections discovered in close source apps It uses stealth techniques to go unnoticed for as long as possible Database attacks are getting to be more and more valuable for hackers and Crime organizations

Attackability Attacks System s Surface How to reduce the ways attackers can penetrate surface

Windows Attack Vectors Open sockets Open RPC endpoints Open named pipes Services Services running by default Services running as SYSTEM Active Web handlers Active ISAPI Filters Dynamic Web pages Executable vdirs Enabled accounts Enabled accounts in admin group Null Sessions to pipes and shares Guest account enabled Weak ACLs in FS Weak ACLs in Registry Weak ACLs on shares VBScript enabled Jscript enabled ActiveX enabled Third party application

What is SQL Injection? SQL Injections attacks goes directly after your most valuable asset The Database Uses the same connectivity as legitimate web and other application usage Network and OS security won't help Many systems and close source applications vulnerable, even among the big names Extremely easy to learn / attempt Endless amount of information is available

How common is SQL Injection? It is probably the most common vulnerability today! SQL Injections discovered in Close source applications! It is a flaw in "web application" development, it is not a database or web server problem Most programmers are still not aware of this problem A lot of the tutorials & demo templates are vulnerable Even worse, a lot of solutions posted on the Internet are not good enough Some pen tests at the wild shows over 65% of clients turn out to be vulnerable to some sort SQL Injection attacks.

What is SQL? "Users" Table Column data returned UserName FirstName LastName Password CJONES Cynthia Jones XXXXXX BSMITH Bill Smith YYYYYY SKING Susan King ZZZZZZZ RSMITH Rob Smith AAAAA SELECT UserName, Password FROM Users Table containing data WHERE LastName = 'Smith' Criteria rows must meet UserName Password BSMITH YYYYYY RSMITH AAAAA Query Results

The Trick SQL statements created by concatenating SQL code fragments with user-supplied values What if user-supplied values were constructed to contain SQL code fragments that changed the meaning of the statement? What if we could turn it into a statement that matched records without matching on the username and password, as was intended?

Vulnerable Applications Almost all SQL databases and programming languages are potentially vulnerable MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc Accessed through applications developed using: Perl and CGI scripts that access databases ASP, JSP, PHP XML, XSL and XSQL Javascript VB, MFC, and other ODBC-based tools and APIs DB specific Web-based applications and API s Reports and DB Applications 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) many more

SQL Injection Characters ' or " character String Indicators -- or # single-line comment /* */ multiple-line comment + addition, concatenate (or space in url) (double pipe) concatenate % wildcard attribute indicator?param1=foo&param2=bar URL Parameters PRINT useful as non transactional command @variable local variable @@variable global variable waitfor delay '0:0:10 time delay

SQL Injection Methodology 1) Input Validation 2) Info. Gathering 3) 1=1 Attacks 5) OS Interaction 4) Extracting Data 6) OS Cmd Prompt 7) Expand Influence

SQL Injection results Bypass login page DOS - Deny of service Install web shell Iframe injection Access system files Install db backdoor Theft of sensitive information / credit cards Additional step of the attack: Attack additional servers and computers on the LAN

The Database Layers Applications Database SQL Database Grammar Database Application protocol layer (TDS, MySQL) Connections Layer

WAF vs. Database security Web Application Firewall solutions are providing security to the Web Application layer HTTP traffic is inspected and enforced by the Web Application Firewall. Over the HTTP traffic you can only try and detect signatures for SQL injection attacks. WAF is a very important part of your security! Database Firewall analyses SQL! A true database architecture and policy is enforced inside the Database Firewall!

What do I need to do.. Security Stops SQL Injection attacks Separation Of Duties Database firewall Intrusion detection/prevention Virtual Patching Performance Protection from denial of service Reduce Network Connections Increasing Database efficiency Increase user experience Auditing DAM (Database Activity Monitoring) Advanced Auditing Before/After Up to a column level policy PCI-DSS,SOX,HIPPA reports Email/SYSLOG Alerts Masking Up to a column level masking Mask per user, IP or application Hide sensitive data (Credit Card/ Salaries/ Medical Information/ Other)

SQL Injection prevention GreenSQL Take: SQL injection/attacks preventions Enforcing Database Firewall! Enforcing Separation of Duties! Enforcing Risk Based polices! Enforcing Masking on sensitive information! Enforcing Learning Mode with SQL Injection query grouping! Enforcing Auditing to Administrative commands and Auditing to sensitive information access!

Database in the Cloud As everything else, the database is migrating to the cloud Installed on a dedicated VPS with the application server. Installed on a dedicated server inside the private cloud serving application servers Database as a service (Microsoft SQL Azure, etc) All Database needs protection, even more when using a cloud service!

Thank You! David Maman dmaman@greensql.com For more information please visit http://www.greensql.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information