Worldwide Trends in Database Threats and Database Security jacob@sentrigo.com



Similar documents
The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention

McAfee Database Security. Dan Sarel, VP Database Security Products

Practical Guide to Database Security & Compliance

Hedgehog: Host-Based Database Activity Monitoring & Prevention

Global Partner Management Notice

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

Metasploit The Elixir of Network Security

Database Auditing & Security. Brian Flasck - IBM Louise Joosse - BPSolutions

Netzwerkvirtualisierung? Aber mit Sicherheit!

Database Security, Virtualization and Cloud Computing

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

White Paper. Technical Overview of McAfee Real-Time Database Monitoring, Auditing, and Intrusion Prevention

Database Security in Virtualization and Cloud Computing Environments

Securely maintaining sensitive financial and

NitroView. Content Aware SIEM TM. Unified Security and Compliance Unmatched Speed and Scale. Application Data Monitoring. Database Monitoring

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

A Decision Maker s Guide to Securing an IT Infrastructure

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

White Paper. McAfee Real-Time Database Monitoring, Auditing, and Intrusion Prevention

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

GFI White Paper PCI-DSS compliance and GFI Software products

Defending the Database Techniques and best practices

PCI v2.0 Compliance for Wireless LAN

PCI Wireless Compliance with AirTight WIPS

Real-Time Database Protection and. Overview IBM Corporation

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

PCI Compliance: Protection Against Data Breaches

Achieving Database Compliance with Sarbanes-Oxley Using Sentrigo Hedgehog

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Vulnerability Assessment & Compliance

Database Security & Auditing

Enterprise Computing Solutions

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

White Paper. What Auditors Want Database Auditing. 5 Key Questions Auditors Ask During a Database Compliance Audit

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Hacking databases for owning your data. Cesar Cerrudo Esteban Martinez Fayo Argeniss (

Making Database Security an IT Security Priority

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

Yuan Fan Arcsight. Advance SQL Injection Detection by Join Force of Database Auditing and Anomaly Intrusion Detection

External Penetration Assessment and Database Access Review

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Avoiding the Top 5 Vulnerability Management Mistakes

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Oracle Database Security Myths

Worldwide Security and Vulnerability Management Forecast and 2008 Vendor Shares

Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM)

Hacking Oracle myths and facts. Michał Jerzy Kostrzewa EECIS Director Database Technologies

Auditing Data Access Without Bringing Your Database To Its Knees

Compliance Guide: PCI DSS

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Privileged Session Management Suite: Solution Overview

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

About SecuPi. Your business runs on applications We secure them. Tel Aviv, Founded

Security and Billing for Azure Pack. Presented by 5nine Software and Cloud Cruiser

Trend Micro. Advanced Security Built for the Cloud

Facilitating Efficient Data Management by Craig S. Mullins

Overview of Banking Application Security and PCI DSS Compliance for Banking Applications

IPLocks Vulnerability Assessment: A Database Assessment Solution

8 Steps to Holistic Database Security

Securing Database Servers. Database security for enterprise information systems and security professionals

MySQL Security: Best Practices

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Data Security for the Hospitality

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations

Reining in the Effects of Uncontrolled Change

Designing & Building an Information Security Program. To protect our critical assets

Meeting PCI Data Security Standards with

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Transcription:

Worldwide Trends in Database Threats and Database Security jacob@sentrigo.com

The basics No-one is going to say to a DBA: "Congratulations, no-one stole data from us this year. Here s a 10% pay raise" Instead they say: "Great, we reduced the number of days the database was down for maintenance by 5%" Source: Anonymous contributor to the "Eye on Oracle" blog 2

What happened in the last 3 years? February 2005: ChoicePoint Breach Credit history information Classic social engineering attack Result: 163k consumer records stolen, $15M in penalties and charges, security audits until 2026... December 2005: Guidance Software Inc. Breach 3,800 Credit cards, names and more of professionals from NSA, FBI, CIA... Probably SQL injection attack via the web Also in 2005 - -- University of Southern California, Boston College, California State University, Chico and the University of Georgia, Lexis Nexis, PayMaxx, San Jose medical, DSW all suffered high profile data breaches 3

This Year July 2005 January 2007: TJX 45.7M+ credit/debit card records stolen Sophisticated attack (WiFi -> Internal Network -> DB) Result: data sold to data brokers and used in many scams, TJX faces lawsuits and losses of $25M until May 07 (will grow considerably) July 2007 Fidelity National Information Services Bank and credit data of 2.3M customers Stolen by a DBA And many more breaches not only in the U.S. (e.g. Home Office breach in the U.K.) Many breaches are unknown or not made public Many breaches remain undetected 4

What else happened during these years? Regulations kicking in: SB 1386 Sarbanes Oxley PCI-DSS SAS 70 and more Bad guys are getting more "professional" Perimeter firewalls are doing a better job at protecting databases from external threats Outsourcing IT is the norm Many databases get closer to the Internet Database vendors begin to ackgnowledge vulnerabilities 5

Vulnerabilities abound The most widely used, diverse and complicated DBMS Oracle is the center of attention as regards DBMS security threats CVE (Common Vulnerabilities and Exposures, an independent security website) lists the no. of vulnerabilities for DBMSs as follows: 6 No. of vulnerabilities reported since Jan 2006

Oracle database CVEs (Common Vulnerabilities and Exposures) Total Number of CVEs from 2003 (accumulated) 7

What are the attack trends we predict? Internet attacks on databases will have less impact: Better perimeter protection in place Customer awareness to risks higher Insider attacks on databases have always happened but now have higher exposure Exposure will lead to more attacks Like network based attacks, benevolent hackers will be replaced by criminals Loyalty of insiders cannot be counted on Attacks will become more sophisticated We are still in initial stages of evolution Last Black Hat showed that more sophiticated attacks are possible and vicious 8

Database security products Most are firewalls on steroids: Take the firewall paradigm, apply it to database Based on finding the SQL within network protocol and applying policy to it Yet another appliance to worry about Targeted at security professionals, not DBAs Some add agents to compensate for major blind spots Will end up integrating into perimeter products Many homegrown solutions that focus on compliance rather than real security 9

Another word about compliance Important for many reasons Often a lot of interpretation is involved But it is not security you can be 100% compliant with any or all regulations but still exposed Securing your database, requires a deep understanding of your environment 10

Hedgehog: Real Database Security A host-based software solution that monitors all DB transactions in real time Prevents improper use by privileged users as well as intruders from the outside Preset and administrator-defined rules Minimal impact on performance uses less than 5% of a single CPU Full audit trail 11

Hedgehog Logical Architecture SIM/SEM tools Alerts Hedgehog JavaEE Server (software) Network Hedgehog Console Web-based GUI Sensor Sensor Sensor DB DB DB -Proprietary- 12

Thank You! 13

How about the bad guys? Exploits for Oracle 10g only Only exploits that are already patched presented here, and this is a good site Source: red database security 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information