Data Platform Security. Vinod Kumar Technology Evangelist www.extremeexperts.com http://blogs.sqlxml.org/vinodkumar

Similar documents
Top 10 Database. Misconfigurations.

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Database Security & Auditing

Passing PCI Compliance How to Address the Application Security Mandates

Database Security and Auditing: Leading Practices. Rob Barnes Director, Enterprise Auditing Solutions Application Security, Inc.

What is Web Security? Motivation

Computer System Security Updates

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Securing Database Servers. Database security for enterprise information systems and security professionals

HACKING RELOADED. Hacken IS simple! Christian H. Gresser

Adobe Systems Incorporated

Hacking Database for Owning your Data

Evolving Optical Transport Network Security

Thick Client Application Security

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

External Supplier Control Requirements

Cloud Security:Threats & Mitgations

Where every interaction matters.

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

June 2006 Tiger Teams! The new face of Penetration Testing

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Web App Security Audit Services

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Attack Vector Detail Report Atlassian

Global Partner Management Notice

05.0 Application Development

Virtualization System Security

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

The Top Web Application Attacks: Are you vulnerable?

Understanding and evaluating risk to information assets in your software projects

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Web Engineering Web Application Security Issues

8070.S000 Application Security

QuickBooks Online: Security & Infrastructure

Java Web Application Security

Protecting Your Organisation from Targeted Cyber Intrusion

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

NNT CIS Microsoft SQL Server 2008R2 Database Engine Level 1 Benchmark Report 0514a

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Implementing Database Security and Auditing

Risk Assessment and Cloud Strategy Development: Getting it Right this Time!

Ethical Hacking as a Professional Penetration Testing Technique

Internal Penetration Test

Barracuda Web Site Firewall Ensures PCI DSS Compliance

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Beyond the Noise: More Complex Issues with Incident Response

Rational AppScan & Ounce Products

SAST, DAST and Vulnerability Assessments, = 4

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Web Application Report

Essential IT Security Testing

Hacking databases for owning your data. Cesar Cerrudo Esteban Martinez Fayo Argeniss (

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Sitefinity Security and Best Practices

Integrigy Corporate Overview

Columbia University Web Security Standards and Practices. Objective and Scope

Guarding Against SQL Server Attacks: Hacking, cracking, and protection techniques.

Oracle Database Security Myths

Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities

The monsters under the bed are real World Tour

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

IBM. Vulnerability scanning and best practices

Web application testing

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Web application security: automated scanning versus manual penetration testing.

Application Security Testing

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Quelle sécurité dans une banque? " Sécurité des transactions électroniques sur Internet et KYC"

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Strategic Information Security. Attacking and Defending Web Services

Web Application Security

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Locking down a Hitachi ID Suite server

Keyword: Cloud computing, service model, deployment model, network layer security.

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Smart (and safe) Lighting:

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Simple Steps to Securing Your SSL VPN

CONTENTS. PCI DSS Compliance Guide

Table of Contents. Page 2/13

Designing Security for Microsoft SQL Server 2005

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

How to complete the Secure Internet Site Declaration (SISD) form

How to Build a Trusted Application. John Dickson, CISSP

Network and Host-based Vulnerability Assessment

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Penetration Test Report

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Making Database Security an IT Security Priority

Network Security Landscape

Transcription:

Data Platform Security Vinod Kumar Technology Evangelist www.extremeexperts.com http://blogs.sqlxml.org/vinodkumar

Agenda Problem Statement Security for Enterprise Security Defaults - Vulnerabilities Configurations - Vulnerabilities Securing Databases - Practices

Tip for the Day!!!

OWASP Top 10 Web Security Vulnerabilities 1. Unvalidated input 2. Broken access control 3. Broken account/session management 4. Cross-site scripting (XSS) flaws 5. Buffer overflows 6. (SQL) Injection flaws 7. Improper error handling 8. Insecure storage 9. Denial-of-service 10.Insecure configuration management

Growing Problem: S/W Security Survivability: the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures and accidents. Lipson, Howard and Fisher, 1999 Survivability challenge Previous focus primarily on S/W failure, human error and natural disaster Primary security measure was physical Keep external bad guys away Protection against insiders primarily via legal protection and data isolation Industry shifts Shift from mediated access to direct application access Vendors, customers and partners Shift from central administration to distributed administration Shift from survivability focus largely ignoring security to security as the prime concern

Evolving Database Threat Environment A decade ago Databases were physically secure They were housed in central data centers not distributed External access was mediated through customer service representatives, purchasing managers, etc. Security issues were rarely reported Now increasingly databases are externally accessible Suppliers are directly connected Customers are directly connected Customers and partners are directly sharing data Data is most valuable resource in application stack Value increases with greater integration and aggregation Opportunities exist for data theft, modification or destruction Database security is a growing problem

Database Security: Shifting Ground Most applications of value have persistent data Data valuable to company, organization or even individual typically also has value to others Information is becoming the most valuable asset in many industries; e.g., Charles Schwab and Wal-Mart both identify management of information assets as key competitive advantage Even ephemeral data has significant value, when trends analyzed and understood Decreased storage and data management costs enable ephemeral data Competitive pressure demands ephemeral data Where there is value, there are bad guys And professional services guys, and press guys, and industry analysts

Examples of bad things

Loss of backup

SAN drive swapped out

Pod slurping

Examples of bad things

Some more Incidents as examples Company/Organization # of Affected Customers Date of Initial Disclosure Department of Energy s nuclear weapons 1500 22-May-06 Georgetown University 41,000 5-Mar-06 Misc retail debit card compromise (OfficeMax?) 200,000 9-Feb-06 Dept of Agriculture 350,000 15-Feb-06 Card Systems 40,000,000 17-Jun-05 Citigroup 3,900,000 6-Jun-05 DSW Shoe Warehouse 1,400,000 8-Mar-05 Bank of America 1,200,000 25-Feb-05 LexisNexis 310,000 9-Mar-05 Ameritrade 200,000 19-Apr-05 ChoicePoint 145,000 15-Feb-05 Etc, etc, etc. # of customers affected ~50,000,000+ Source: Privacy Rights Clearinghouse, http://www.privacyrights.org/ar/chrondatabreaches.htm

Top 5 Issues in Enterprise Security Attackers have gone pro Want personal data they can sell Personal data like credit card and social security numbers are relatively easy to monetize Attacks are moving to the source Why pull a single credit card via compromising the network? It's relatively hard with a meager pay off. Instead, take over the corporate database and get them ALL The perimeter provides little defense Insiders don't go through the firewall thus perimeters provide no protection from this growing source of risk Everyone is watching Everyone is very-much clued in to the increased threats against personal data. Any mistakes are likely to be very public

CSI/FBI Computer Security Survey Source: http://www.gocsi.com/

Attack Sophistication vs. Intruder Technical Knowledge High Low Copyright: CERT, 2000 Intruder Knowledge Attack Sophistication disabling audits self-replicating code password guessing back doors sweepers exploiting known vulnerabilities password cracking packet spoofing burglaries sniffers hijacking sessions stealth / advanced scanning techniques Staged denial of service attack distributed attack tools www attacks 1980 1990 2000 GUI Cross site scripting automated probes/scans network mgmt. diagnostics Attackers Tools

How Expensive to repair $ Plan Analyze Design Develop Accept

Outsider vs. Insider Attack Most security schemes address outsider attack Have password to database? Can update anything Bypassing all application level security measures More people with access more danger Application program has database password Great deal of trust in people who manage databases Risk of compromise greater with value of data Happened with auto-rickshaw registration in New Delhi 18

How would you react? Email from your IT department Time for the annual password change Please reply with your new password Must be exactly 8 characters Must not contain special characters (e.g. $ @) Please let us know if you have any questions or concerns, Regards, Network Security & Operations

Attitude towards the Users

World of Default Passwords!!!

Database Vulnerabilities Default Passwords Oracle Defaults (Over 200 of them) - User Account: internal / Password: oracle - User Account: system / Password: manager - User Account: sys / Password: change_on_install - User Account: dbsnmp / Password: dbsnmp IBM DB2 Defaults - User Account: db2admin / Password: db2admin - User Account: db2as / Password: ibmdb2 - User Account: dlfm / Password: ibmdb2

Database Vulnerabilities Default Passwords MySQL Defaults - User Account: root / Password: null - User Account: admin / Password: admin - User Account: myusername / Password: mypassword Sybase Defaults - User Account: SA / Password: null Microsoft SQL Server Defaults (Till SQL 2000) - User Account: SA / Password: null

Misconfigurations & Resource Privileges Misconfigurations Can Make a Database Vulnerable Oracle External Procedure Service Default HTTP Applications Privilege to Execute UTL_FILE Microsoft SQL Server Standard SQL Server Authentication Allowed Permissions granted on xp_cmdshell and xp_regread Sybase Permission granted on xp_cmdshell IBM DB2 MySQL CREATE_NOT_FENCED privilege granted This privilege allows logins to create stored procedures Permissions on User Table (mysql.user)

How are search engines used for attacks? First thing an attacker needs is information Where to attack What a site is vulnerable to Search engine is a large repository of information Every web page in your application Every domain on the Internet Search engines provide an attacker: Ability to search for attack points on the Internet Ability to search for an attack point in a specific website Ability to look for specific URLs or files

Securing Databases - Practices

Secure Installation Physical security Protect all related systems, media, backups, etc Never place database unprotected on public net Or on unprotected private net Firewall protected S/W mediating database access Install on NTFS file system This allows securing the files appropriately Do not install on a domain controller Choose weak service account Do not choose LocalSystem, box admin or domain admin Cracked database won t get access to rest of enterprise Latest code is most secure code

Configuration Options Authentication mode Use Integrated Security More secure protocols (Kerberos and NTLM) Kerberos allows for delegation Allows for password policy enforcements Typically does not require application to store passwords If using Mixed mode (Standard SQL Authentication) Use SSL to encrypt network traffic Use strong passwords Never use blank passwords Login auditing Audit failed login attempts at the very least Disallow ad hoc queries Choose static ports for named instances

Secure Operation Understand the security model Only configure and run needed features Smallest possible administrator groups Don t put all enterprise/box administrators in one group Changing service accounts Use Enterprise Manager KB article Q283811 Disallow direct catalog updates Know encryption nuances and options!!!

Application Best Practices Use weak access accounts Only capable of actions needed to run application Use different account for administration Use Windows auth rather than SQL Auth Easier to secure No password storage required If using SQL auth, use SSL Turn on encryption for sensitive data Use roles for permissions and ownership Ease of management Objects owned by roles, need not be dropped/renamed when user dropped Do not grant permissions to public Don t show developer quality error messages to users Can reveal information to attackers in multiphase attacks

SQL Injection Why SQL injection works? Connection made in context of higherprivileged account Application accepts arbitrary user input Mitigating SQL injection Validate all user input Define set of valid input, accept only that Reject all invalid input Avoid using dynamic SQL in stored procs Run applications in minimally privileged contexts Never run as sysadmin

Summary Look to secure both Physically and Logically the applications data Know all the paths the databases would be accessed Turn Off by Default This must be true for your application too Reduce remote access to database Be on the latest patch and control direct access into database

Resources Security Awareness Toolkit Security Considerations for SQL Server Securing Data in Hosted Applications Building Secure ASP.NET Applications: Data Access Security Operating System Vulnerability Scorecard SQL Server 2005 Security Best Practices - Operational and Administrative Tasks SQL Server 2005 Deployment Guidance for Web Hosting Environments CIS security lockdown guide for SQL Server 2005

Questions? www.extremeexperts.com http://blogs.sqlxml.org/vinodkumar

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information