Defending the Database Techniques and best practices



Similar documents
Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations

Database Security & Auditing

IT Security & Compliance. On Time. On Budget. On Demand.

Database Security and Auditing: Leading Practices. Rob Barnes Director, Enterprise Auditing Solutions Application Security, Inc.

SANS Top 20 Critical Controls for Effective Cyber Defense

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

QRadar SIEM 6.3 Datasheet

Network Test Labs (NTL) Software Testing Services for igaming

How To Ensure Financial Compliance

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

Enterprise Security Solutions

Securing SharePoint 101. Rob Rachwald Imperva

Hacking databases for owning your data. Cesar Cerrudo Esteban Martinez Fayo Argeniss (

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Continuous Network Monitoring

Securing OS Legacy Systems Alexander Rau

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER

Overcoming Active Directory Audit Log Limitations. Written by Randy Franklin Smith President Monterey Technology Group, Inc.

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments.

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

PCI DSS Overview and Solutions. Anwar McEntee

The Value of Vulnerability Management*

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Guardium Change Auditing System (CAS)

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB Cyber Risk Management Guidance. Purpose

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security,

Current IBAT Endorsed Services

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Protecting Your Organisation from Targeted Cyber Intrusion

Self-Service SOX Auditing With S3 Control

SECURITY. Risk & Compliance Services

Making Database Security an IT Security Priority

Avoiding the Top 5 Vulnerability Management Mistakes

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Top 10 Database. Misconfigurations.

The Business Case for Security Information Management

Enforcive / Enterprise Security

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Obtaining Value from Your Database Activity Monitoring (DAM) Solution

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

March

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cisco Security Optimization Service

Netwrix Auditor. Сomplete visibility into who changed what, when and where and who has access to what across the entire IT infrastructure

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

PCI DSS Reporting WHITEPAPER

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention

THE TOP 4 CONTROLS.

CORE Security and GLBA

PCI DSS Top 10 Reports March 2011

Security Controls What Works. Southside Virginia Community College: Security Awareness

8 Steps to Holistic Database Security

CyberArk Privileged Threat Analytics. Solution Brief

Nine Network Considerations in the New HIPAA Landscape

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

How To Achieve Pca Compliance With Redhat Enterprise Linux

Preemptive security solutions for healthcare

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD

Cybersecurity: What CFO s Need to Know

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Defending Against Data Beaches: Internal Controls for Cybersecurity

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

AUTOMATED PENETRATION TESTING PRODUCTS

Comprehensive Approach to Database Security

VENDOR MANAGEMENT. General Overview

Scalability in Log Management

Overcoming PCI Compliance Challenges

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Caretower s SIEM Managed Security Services

Auditing Data Access Without Bringing Your Database To Its Knees

PCI Requirements Coverage Summary Table

Global Partner Management Notice

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015

IT Risk Management: Guide to Software Risk Assessments and Audits

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

whitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance

BIG SHIFT TO CLOUD-BASED SECURITY

Total Protection for Compliance: Unified IT Policy Auditing

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Securing the Cloud Infrastructure

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Passing PCI Compliance How to Address the Application Security Mandates

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT

LOG MANAGEMENT: BEST PRACTICES

Feature. Log Management: A Pragmatic Approach to PCI DSS

Transcription:

ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target organizations Security and Compliance Common control frameworks Business benefits Addressing audit requirements Defending the Database Techniques and best practices 2

Database Security Threats Continue to Increase The database security landscape has changed: Corporations increasingly grant access to a growing number of users: employees, contractors, suppliers, partners and 3 rd party vendors to name a few Attackers have gone pro Attacks are moving to the database where records can be harvested en mass Perimeter security measures are necessary but not sufficient Once the perimeter is pierced, enterprises often have little-to-no protection at the database application layer Poor access control and excess permissions continue to provide attack vectors for hackers, crackers and malicious or careless insiders 3 To Make Matters Worse - Threats Are Very Real CA SB 1386 goes into effect -Source: http://etiolated.org/statistics What s the source of the breach? ~1/3 laptops / hard drives, most incidental ~1/3 database breach ~1/3 we ll never know -Source: AppSecInc analysis of media coverage 4

The Target Organizations Everyone is at Risk Target industries included: Banking, finance, retail, government, education, manufacturing, telecommunications, entertainment, media, nonprofits, insurance, pharmaceuticals, healthcare and transportation every leading sector Source: Data Loss DB 2008 Report; www.datalossdb.org 5 Changing Landscape Yields Greater Risks The evolving threat From notoriety to profit motive The productivity machine Business enhancements = risk Security costs growing 3x faster than IT budgets Point product approaches no longer scale Accelerated growth of IP-aware networks Accelerates IT risk Rapid growth in data Data is the new currency Compliance mandates Driving costs and spending 6

Common compliance control frameworks Compliance Requirements Sarbanes-Oxley PCI HIPAA FISMA GLBA Basel II California SB 1386 NERC/FERC Massachusetts Data Protection Law TARP? IT frameworks for security control CoBiT COSO ERM NIST 800-53 ISO 17799 7 Why combine compliance and database security? Security best practices at the database level must address risk from inside and outside threats. Risk mitigation begins with: Assessing risk Addressing known vulnerabilities Benchmarking progress against goals Continuous monitoring in real-time Key benefit of combining compliance and database security: Successful, predictable audit performance 8

Mapping Compliance Initiatives to Controls and Standards PCI Sarbanes-Oxley FISMA GLBA ISO 17799 CoBIT NIST 800-53 Organizational security framework Configuration/Change management Government/DOD requirements 9 Business benefits of database compliance Documentation of known vulnerabilities and database risks Defined roles and responsibilities for individuals who have access to the database Means to review user activity and user entitlement Improved threat intelligence System of alerts on suspicious activity Ability to keep policies up-to-date and to streamline management review Operational efficiencies 10

Payoffs of control frameworks in IT Organizations are striving to become more efficient: Manual controls Detective tools Comprehensive testing Unpredictable costs Automated controls Preventative tools Targeted testing Managed costs Reduce ongoing operating costs Better align IT with business needs Lower audit, compliance, and security costs Improve resource management 11 Performance gains from compliance initiatives Organizations that leverage a security framework in their compliance efforts experience: Increased detection of security breaches via automated controls Reduction of data loss from security breaches Operational efficiencies Reduction of unplanned work More servers per system administrator Source: IT Controls Performance Study, IT Process Institute (www.itpi.org), 2006 12

What auditors ask and how to answer What auditors ask Has the organization assessed the environment? Is enough information being captured? Does the audit trail establish user accountability? Is the audit process independent? Does the organization have a plan in place to maintain and constantly improve compliance efforts? Have risks been addressed? Are there policies and controls in place that address and meet standards and compliance? Is the scope and detail of the audit trail sufficient? What monitoring is in place for ongoing assessment? Is there a way to identify changes to the data? How do you prepare to answer Assess the environment. Identify protected data sources Prioritize efforts through risk assessment and gap analysis. Fix and remediate known issues. Monitor systems through ongoing compliance analysis and documentation 13 1: ASSESS the environment Identify systems and processes that store, create, view, change, transmit or destroy data Review existing system documentation and process flows Create process flows if none exist Results: List of systems and processes that use relevant information List of business units and departments that use information New process flow documentation A means to identify key controls 14

2: PRIORITIZE how to address risks Conduct Risk Assessment dealing with confidentiality, availability and integrity of information Survey of IT, business staff and users of information Identify threats and vulnerabilities to the information Identify Controls Establish Risk Profile (High, Medium, or Low) based on threats, vulnerabilities and controls Conduct Gap Analysis against the relevant standards Results: Risk Assessment Report Gap Analysis Report Remediation Recommendations 15 3: FIX and remediate existing issues Address the gaps identified in Step 2 Identified problems must be remedied, mitigated, or transferred to another entity Example: Organizations that are not capable of correctly securing PCI data have begun to shift functions (like credit card processing) to third parties to avoid compliance issues. Conduct Gap Analysis against the relevant standards Results: Improved security and data risk management Compliance 16

4: MONITOR for ongoing compliance Full ongoing analysis against the relevant standards Repeatable Demonstrable Automated Results: Proactive policy protections Comprehensive reporting and analysis Real-time intelligence, information and alerts 17 Database Security Best Practices

Develop a Risk Framework Assess Security Posture Assess database security risks Determine impact Establish and prioritize work Measure Impact Document risks and controls Align business and IT goals Develop business case Deal with Impact Direct costs Indirect Costs Cross-departmental buy-in RISK What s likely to happen Opportunity level Expertise required business Expertise required - technical Establish Controls Facilitate accountability Establish reporting framework Implement access controls Integrate policies and procedures 19 How to Protect Against Attacks Set a good password policy: Use strong passwords or passphrases. Keep up to date with security patches: Try to install patches as fast as you can. Database vulnerabilities are serious and sometimes a database server can be easily compromised with just a simple query. Always test patches for some time on non-production databases Protect access to the database server: Allow connections only from trusted hosts and block non used ports and outbound connections. Establish exceptions for special instances like replication, linked databases, etc. Disable all non used functionality: Excess functionality can lead to vulnerabilities Use selective encryption: At network level: use SSL, database proprietary protocols. At file level for backups, laptops, etc. 20

Periodically Audit Database Systems Check for object and system permissions: Check views, stored procedures, tables, etc. permissions. Check file, folder, registry, etc. permissions. Changes on permissions could mean a compromise or mis-configuration. Look for new database installations: Third party products can install database servers and this new installed servers could be installed with blank or weak passwords, un-patched, mis-configured, etc. Detect new database installations and secure or remove them. Search for users with DBA privileges: This helps to detect intrusions, elevation of privileges, etc. Audit database configuration and settings: If security configurations or settings are changed for instance by a system upgrade, patch, etc. your databases could be open to attack. If they change and there wasn't a system upgrade then it could mean a compromise. Check database system objects against changes: If you detect a change in a system object and you haven't applied a fix or upgrade to your database server it could mean that a rootkit is present. 21 Summary Database risks are real and increasing Organizations must address vulnerabilities to minimize risk Good things happen when compliance efforts are grounded in the database where data lives Leverage compliance initiatives to better mitigate risk and protect data where it resides in the database Use regular audits and assessments to continue to demonstrate compliance 22

Resources White papers: http:///techdocs/whitepapers/research.shtml SQL Server Forensics Arrest the Threat: Best Practices for Monitoring Privileged Database Users Hunting Flaws in Microsoft SQL Server Security alerts: /resources/mailinglist.html Other database resources: Oracle Project Lockdown www.oracle.com/technology/pub/articles/project_lockdown/index.html Security Checklistwww.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf SANS Institute (SysAdmin, Audit, Network, Security) Oracle Database Checklist www.sans.org/score/checklists/oracle_database_checklist.doc Microsoft SQL Server 2005 Security Best Practices www.microsoft.com/technet/prodtechnol/sql/2005/sql2005secbestpract.mspx SQLSecurity.com SQLSecurity Checklist 23 Thank you! Questions? Application Security, Inc. 1-866-9APPSEC (1-866-927-7732) Sales@appsecinc.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information