Professional Documents
Culture Documents
Database Security
Database Security
Database Security
Contents
1. Goal
2. Message
3. Database Security Threats
4. Control of Threats
5. Summary
2
Database Security
Goals
Main Message
Database system security is more than securing the
database:
Secure database
Secure DBMS
“INFORMATION”
5
Database Security
Security
7
Database Security Threats(Top 10)
1. Excessive and Unused Privileges
2. Privilege Abuse
3. SQL Injection
4. Malware
5. Weak Audit Trail
6. Storage Media Exposure
7. Exploitation of Vulnerabilities and Misconfigured Databases
8. Unmanaged Sensitive Data
9. Denial of Service
10. Limited Security Expertise and Education
8
Database Security Threats(Top 10)
9
Database Security Threats(Top 10)
Actual Scenario:
For example, a bank employee whose job requires the ability to
change only accountholder contact information may take advantage
of excessive database privileges and increase the account balance
of a colleague’s savings account. Further, when someone leaves an
organization, often his or her access rights to sensitive data do not
change. And, if these workers depart on bad terms, they can use
their old privileges to steal high value data or inflict damage.
10
Database Security Threats(Top 10)
11
Database Security Threats(Top 10)
2. Privilege Abuse
12
Database Security Threats(Top 10)
Actual Scenario:
Consider an internal healthcare application used to view
individual patient records via a custom Web interface. The Web
application normally limits users to viewing an individual patient’s
healthcare history—multiple patient records cannot be viewed
simultaneously and electronic copies are not allowed.
13
Database Security Threats(Top 10)
Actual Scenario:
However, a rogue user might be able to circumvent these restrictions
by connecting to the database using an alternative client such as MS-
Excel. Using Excel and their legitimate login credentials, the user
could retrieve and save all patient records to their laptop.
Once patient records reach a client machine, the data then becomes
susceptible to a wide variety of possible breach scenarios.
14
Database Security Threats(Top 10)
3. SQL Injection
15
Database Security Threats(Top 10)
16
Database Security Threats(Top 10)
3. SQL Injection (cont.)
17
Database Security Threats(Top 10)
3. SQL Injection (cont.) Attack
Definition:
- inserting malicious SQL code through an application interface
• Often through web application, but possible with any interface
Typical Scenario:
• Three-tier application (web interface, application, database)
• Overall application tracks own usernames and passwords in
database (advantage: can manage users in real time)
• Web interface accepts username and password, passes these to
application layer as parameters
18
Database Security Threats(Top 10)
4. Malware
19
Database Security Threats(Top 10)
20
Database Security Threats(Top 10)
22
Database Security Threats(Top 10)
23
Database Security Threats(Top 10)
24
Database Security Threats(Top 10)
25
Database Security Threats(Top 10)
26
Database Security Threats(Top 10)
27
Database Security Threats(Top 10)
28
Database Security Threats(Top 10)
9. Denial of Service
29
Database Security Threats(Top 10)
31
32
Database Security Threats Control
34
Database Security Threats Control
35
Database Security Threats Control
36
Database Security Threats Control
38
Database Security Threats Control
39
Database Security Threats Control
40
Database Security Threats Control
41
Database Security Threats Control
42
Database Security Threats Control
Scan databases for both granted and privileged user rights and
extract details such as the actual access right (e.g. SELECT,
DELETE, CONNECT, etc), who granted them, who received those
rights, and objects to which rights have been granted.
44
Database Security Threats Control
This allows you to focus your analysis on the access rights that
represent the highest business risk
45
Database Security Threats Control
Identify users that have too many privileges and users who don’t
use their privileges. This helps determine if user access rights are
appropriately defined, find separation of duties issues, and remove
excessive rights that are not required for users to do their job.
Hackers use access rights to impersonate users and go after
sensitive data stores.
47
Database Security Threats Control
48
Database Security Threats Control
Monitor all database access activity and usage patterns in real time to
detect data leakage, unauthorized SQL transactions, and protocol and
system attacks. When attempts to access unauthorized data occur,
generate alerts or terminate the user session. Use a solution that
leverages policies—both pre-defined and custom—that inspect
database traffic to identify patterns that correspond to known attacks,
such as DoS attacks, and unauthorized activities. Security policies are
useful for not only detecting excessive privilege abuse by malicious,
compromised, or dormant users, but also for preventing most of the
other top ten database threats.
49
Database Security Threats Control
50
Database Security Threats Control
Because Web applications are the most common vector for initiating
a SQL injection attack; the first line of defense is to use a Web
Application Firewall (WAF). A WAF will recognize and block SQL
injection attack patterns that originate from Web applications.
51
Database Security Threats Control
Database Audit & Protection (DAP) solutions can audit and monitor
the activities of your most highly privileged users—database and
system administrators.
These users have been granted the highest levels of access to your
databases; they require this access in order to perform their jobs.
Should they abuse their privileges or become compromised by
malware, the risks of data theft and damage to your organization
increases.
53
Database Security Threats Control
DAP solutions can audit and monitor the activities of your most
highly privileged users—database and system administrators.
These users have been granted the highest levels of access to your
databases; they require this access in order to perform their jobs.
Should they abuse their privileges or become compromised by
malware, the risks of data theft and damage to your organization
increases.
54
Database Security Threats Control
55
Database Security Threats Control
56
Database Security Threats Control
57
Database Security Threats Control
4. Auditing
Automate Auditing with a DAP Platform
58
Database Security Threats Control
4. Auditing (cont.)
Automate Auditing with a DAP Platform
Separation of Duties:
59
Database Security Threats Control
4. Auditing (cont.)
Automate Auditing with a DAP Platform
Cross-Platform Auditing
60
Database Security Threats Control
4. Auditing (cont.)
Automate Auditing with a DAP Platform
Performance
61
Database Security Threats Control
4. Auditing (cont.)
Capture Detailed Transactions
62
Database Security Threats Control
4. Auditing (cont.)
Generate Reports for Compliance and Forensics
63
Database Security Threats Control
5. Data Protection
Archive External Data
64
Database Security Threats Control
6. Non-Technical Security(cont.)
Cultivate Experienced Security Professionals
Ongoing education and training are also important for growing deeper
security knowledge and skills. Consider outside IT security and
specialists to help with implementation, conduct security assessments
and penetration tests, and provide training and support for your
administrators.
66
Database Security Threats Control
6. Non-Technical Security(cont.)
Educate Your Workforce
67
Database Security Threats Control
7. Others
7. Others (cont.)
standard privilege.
2. Physically separate production from development boxes
3. Change DBMS default port
4. Remove default database accounts
5. Remove default tables (like table test)
69
70
71
Summary
72
Summary
73
References
• http://en.wikipedia.org/wiki/Database_security
• http://www.imperva.com/docs/WP_TopTen_Database_Threats.pdf
• http://www.techopedia.com/definition/1245/structured-query-languag
e-sql
• http://docs.oracle.com/cd/B19306_01/network.102/b14266/reqthret.
htm
• http://en.wikipedia.org/wiki/Database
• http://en.wikipedia.org/wiki/Security
74
Thank you for Watching
The End
75