
Data Base Security Management

Lecture 2
Mudassar Mahmood Mirza
Anatomy of buffer overflow vulnerabilities

Buffer overflows are most common in languages such as C or C++, where arrays and pointers are the bread and butter of programming (and all of the major databases are written in C/C++).
Both of these code fragments are perfectly correct from a syntactic perspective and will not cause any problems for C and C++ compilers. However, their behaviour is undefined from the C/C++ language perspective: they may appear to work some of the time, and the rest of the time they corrupt memory and wreak havoc within the program.
Why are overflows such a big security problem?

To answer that, you need to remind yourself of how the operating system manages memory on behalf of a process. Any program needs memory to perform its tasks, and that memory is usually divided into three main types:
Memory Allocation for a Process
1. Memory that is fixed for the program, such as the code itself, static data, and read-only data
2. The heap, which is used when a program dynamically allocates memory using malloc or new
3. The stack, which is used when calling methods and functions: local variables (including fixed-size buffers), arguments, and return addresses are stored here, so an overflowed local buffer can overwrite the control data sitting next to it
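The following C program is an added example and is not code from the lecture. It shows the stack-buffer situation described above: a fixed 16-byte local array, a copy into it that never consults the destination size (syntactically valid code whose behaviour is undefined as soon as the input is longer than the buffer), and beside it a checked copy that rejects oversized input. The function names, the 16-byte limit and the sample inputs are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size stack buffer, the classic C/C++ setting */

/* VULNERABLE (shown for contrast; never called with untrusted input here).
   strcpy() copies until it finds the NUL terminator and never looks at the
   size of dst. A 40-byte name overruns a 16-byte stack buffer and overwrites
   whatever the compiler placed next to it: other locals, the saved frame
   pointer, or the return address. The compiler accepts this silently; the
   C standard calls the result undefined. */
void copy_name_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* HARDENED: the caller passes the destination capacity and the copy is
   refused when the source plus its terminator would not fit. Rejecting
   (rather than silently truncating) keeps the caller aware of bad input. */
bool copy_name_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)   /* need n bytes plus the NUL */
        return false;
    memcpy(dst, src, n + 1);
    return true;
}

/* Typical call site: a request handler receiving a name from the network. */
bool handle_login_name(const char *name_from_client) {
    char name[NAME_LEN];                /* lives on the stack */
    if (!copy_name_checked(name, sizeof name, name_from_client))
        return false;                   /* input rejected, buffer untouched */
    /* ... authenticate using name ... */
    return true;
}

int main(void) {
    const char *ok  = "alice";                                      /* constructed input */
    const char *bad = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";   /* 40 bytes: too long */
    printf("%s -> %s\n", ok,  handle_login_name(ok)  ? "accepted" : "rejected");
    printf("%s -> %s\n", bad, handle_login_name(bad) ? "accepted" : "rejected");
    return 0;
}
```

Note the boundary: a 15-character name fits (15 bytes plus the terminator), a 16-character one does not, which is exactly the off-by-one that an unchecked copy gets wrong.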
Database Security within the General Security
Landscape and a Defense-in-Depth Strategy
Overview
• A database is not an island. Most often it is a server deployed as a network node that provides persistence and transactional services to applications. It is a networked service that waits for remote connections, authenticates connection requests, receives requests for data or operations on data, and services them. In this respect it is similar to other servers on the network, such as web, e-mail, and name servers.
• Our major concern here is database security: the measures we can take to ensure a secured DBMS.
Things to Remember
Any set of techniques that you use to secure your database will be more effective if they are aligned and integrated with the other security methods and processes employed within your organization.
Security must be done throughout the organization and needs to address all infrastructure and applications.
As a trivial example, there is no point in investing heavily in database security if the database server sits in an insecure location where anyone can remove and take the disk.
What to Do
Consider encryption of data-at-rest as an example. You should invest in it and encrypt the file system used by your database. If this is not a primary concern, or if your organization already employs an encryption solution that covers all files and file systems, then this technique may not be required or may not be worth the added cost and trouble.
Integration with other security initiatives and products can minimize the amount of work you need to do, both in implementing and, more importantly, in maintaining whatever security techniques you choose to employ.
Alignment and Integration
Alignment and integration with enterprise security starts with getting a broad view of the security categories and the main security technologies that may be employed within your organization.
Take a closer look at what Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS) do, how firewalls work, how people handle incidents and patch management, and then read on.
Defense-in-depth
• There is a constant battle between attackers and those responsible for security.
• There is no such thing as a perfect security layer, method, or product.
• Any system has bugs and limitations. Any system can be configured badly. And most importantly, any system can be cracked.
• A single hole found in a security system allows an attacker to breach that system and get to the protected assets.
• Attackers can invest a lot of time in looking for a weakness in a security system.
• They can decompile code, inspect packets, and so on.
Zero-day attacks
• Zero-day attacks are attacks that occur before patches are available, or before security signatures that identify the attack (and can be used to stop it) are available.
• News of vulnerabilities travels fast among attackers and can be acted on much faster than by those responsible for security. Once a vulnerability is identified and published, for instance in a CERT advisory or as a CVE entry, an attacker can immediately start to work on a way to exploit it.
• Fixes have to be created and tested by the vendor.
• In many cases fixes then have to be installed and tested on test or development servers before they can go into a production environment.
Defense-in-depth
• Macro measure
Database security needs to be one part of a broad security strategy that involves network security technologies, host security, security processes, and procedures.
A good database security layer is the only way to effectively secure the database; technologies such as firewalls, IDS/IPS, and the like are not enough on their own.
• Micro measure
Within the database security layer itself, you should also design for defense-in-depth. Regardless of the database vendor you use, there are many security features within the database. You should use these features in combination, so that no single control is all that stands between an attacker and the data.
The security software landscape
More than 700 security software companies deal with
one aspect or another in the broad category of
information security. It is impossible (not necessary
and not very interesting) to review what these
companies do and what they address. More interesting
is to quickly look at a grouping of technology
segments into layers—each layer securing the
corporate entity from different threats. The glue that
binds all of these layers is the corporate security policy
that defines the rules, procedures, and processes that
aim to protect against and respond to security threats.
• Authentication, Authorization, and Administration
Commonly known as the 3As, authentication, authorization, and administration refers to any layer of security that determines who is attempting to access a resource and whether that entity has the authority to access it. (Not to be confused with the AAA of network access control, where the third A is accounting.) Administration software focuses on centralizing the management and administration of permissions and privileges.
• Firewalls
Firewalls are focused on hardening the perimeter of the corporate network and protecting critical junctures such as the connection to the Internet and extranets, and even on segmenting the corporate network into multiple protection domains.
• Virtual private networks (VPNs)
VPNs are often viewed as extensions to firewalls (and are often sold by the firewall vendors) that provide secure remote access to the corporate network.
• Intrusion detection and prevention
Intrusion detection and prevention help you address threats at the perimeter as well as within the internal network, and are based on deeper inspection of the communication streams and on known patterns of attack.
• Vulnerability assessment and patch management
• Security management
• Antivirus
• Cutting across categories
Perimeter security, firewalls, intrusion
detection, and intrusion prevention
Perimeter security is a concept that was initially created in the mid-1990s and pertains to the notion that an organization's network must be hardened from the outside world.
Firewalls are placed as the gatekeepers for any communication that crosses this boundary, applying stringent rules and policies to limit the harm that can come from the external, untrusted network.
Firewalls
• Packet filters, which decide on header fields such as addresses, ports, and protocol
• Application proxies, which terminate the connection and relay requests only after inspecting them at the application layer
Intrusion detection systems (IDS)
• Collect information from a variety of system sources
• Analyze that information for patterns reflecting misuse or unusual activity
• Alert you when the system determines that such an activity occurs
• Report on the outcome of the decision process
Intrusion prevention systems (IPS)
• IPS vendors have learned from the mistakes made with IDSs: they have added functionality (most notably blocking traffic in-line rather than only alerting on it) and have changed configuration guidelines in an effort to overcome the problems they experienced as IDS vendors.
Types of IPS
• Host-based IPSs
Host-based IPSs are usually focused on stopping buffer overflow attacks, changes to registry values, overwriting of shared libraries and DLLs, and so on.
• Network-based IPSs
Network-based IPSs are deployed on the network and inspect packets. They differ from firewalls in that they use deep packet inspection technologies.
• Deep packet inspection
Deep packet inspection is a general description of any technology that looks further into the packets, beyond the TCP/IP headers, at the application payload itself.
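The following C program, added here and not part of the original lecture, contrasts the two inspection depths just described: a packet filter that decides on header fields alone, and deep packet inspection that searches the application payload for attack signatures (the analyze and alert steps of an IDS/IPS). The policy (only the application server 10.0.0.5 may reach the database listener on port 1433), the signature list and the sample packets are all constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified packet: just the fields the two inspection layers look at. */
typedef struct {
    uint32_t    src_ip;    /* host byte order, for readability */
    uint32_t    dst_ip;
    uint16_t    dst_port;
    const char *payload;   /* application data; NUL-terminated text in this demo */
} packet_t;

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef enum { V_ALLOW, V_DENY, V_ALERT } verdict_t;

/* Layer 1: packet filter. Looks at headers only, never at the payload.
   Hypothetical policy: only the application server 10.0.0.5 may talk to
   the database listener on port 1433. */
verdict_t packet_filter(const packet_t *p) {
    if (p->dst_port == 1433 && p->src_ip != IP4(10, 0, 0, 5))
        return V_DENY;
    return V_ALLOW;
}

/* Case-insensitive substring search (strcasestr is not standard C).
   Matching case-insensitively closes the obvious evasion of writing
   "union select" in lower case to slip past a case-sensitive signature. */
static bool contains_nocase(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay != '\0'; hay++) {
        size_t i = 0;
        while (i < n && hay[i] != '\0' &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return true;
    }
    return n == 0;
}

/* Layer 2: deep packet inspection. The headers were acceptable; now look
   inside the payload for patterns of misuse (constructed signature list). */
static const char *const SIGNATURES[] = { "UNION SELECT", "xp_cmdshell", "' OR 1=1" };

verdict_t deep_inspect(const packet_t *p) {
    for (size_t i = 0; i < sizeof SIGNATURES / sizeof SIGNATURES[0]; i++)
        if (contains_nocase(p->payload, SIGNATURES[i]))
            return V_ALERT;
    return V_ALLOW;
}

/* Filter first; only traffic the filter lets through is worth deep inspection. */
verdict_t inspect(const packet_t *p) {
    verdict_t v = packet_filter(p);
    return v == V_ALLOW ? deep_inspect(p) : v;
}

/* Constructed sample traffic. */
const packet_t SAMPLE_LEGIT = { IP4(10, 0, 0, 5), IP4(10, 0, 0, 20), 1433,
                                "SELECT name FROM users WHERE id = 7" };
const packet_t SAMPLE_ROGUE_HOST = { IP4(10, 0, 0, 9), IP4(10, 0, 0, 20), 1433,
                                     "SELECT name FROM users WHERE id = 7" };
const packet_t SAMPLE_INJECTION = { IP4(10, 0, 0, 5), IP4(10, 0, 0, 20), 1433,
                                    "SELECT name FROM users WHERE id = 7 union select password from users" };

int main(void) {
    static const char *names[] = { "allow", "deny", "alert" };
    printf("legit:     %s\n", names[inspect(&SAMPLE_LEGIT)]);
    printf("rogue:     %s\n", names[inspect(&SAMPLE_ROGUE_HOST)]);
    printf("injection: %s\n", names[inspect(&SAMPLE_INJECTION)]);
    return 0;
}
```

The third packet is the instructive one: its headers are identical to legitimate traffic, so the packet filter lets it through, and only the payload inspection catches it. That is the difference between a firewall and a network IPS described above.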
Securing the core
• The shift toward securing the core has been the result of several factors, including the "porous perimeter" (the realization that with e-business and various other massively adopted technologies there really is no such thing as a perimeter), the fact that the most damage occurs from attacks initiated by insiders, and more.
• One approach to securing the core is to use the same products that are used to secure the perimeter within your internal network.
• In the same way, IDS/IPS systems can be used within the internal network.
• IDS sensors can be deployed internally to monitor intrusions from insiders or from outsiders who have managed to breach the perimeter.
• But most important, pushing into the core is usually associated with more granular access control rules, deep packet inspection, and advanced technologies such as application security and database security products.
Application security
A primary initiative in securing the core involves application security, and more specifically Web application security.
The Web application model is inherently exposed. For example, Web applications run most of their processing on the server, while the browser merely presents a page, collects information from the user, and communicates this data (and the requested action) back to the server; everything the browser sends is under the user's control and has to be treated as untrusted input.
On the deployment side, application security gateways and application firewalls help secure application endpoints, perform URL filtering, and protect against denial-of-service attacks.
A Web application must be accessible from the worldwide Internet, so its traffic on port 80 or 443 cannot simply be blocked at the firewall.
Application security is first and foremost about securing application data.
Public key infrastructure (PKI)
• Cryptography is perhaps the most well-known technique within the security landscape and is often viewed as synonymous with security.
• Cryptography became practical for everyday worldwide usage with the invention of public key cryptography algorithms (as opposed to symmetric key algorithms alone).
• This is perhaps the single most important breakthrough in the world of security, and it owes a lot to three researchers named Rivest, Shamir, and Adleman (from whom the RSA algorithm, and the main PKI vendor RSA Security, take their name).
• With symmetric algorithms, the same key that is used to encrypt data is also used to decrypt it. With public key algorithms, a pair of keys is used: a public key that is normally known to everybody is used to encrypt the data, and a private key that is known only to one party is used to decrypt it.
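To make the key-pair idea concrete, here is an added worked example in C (not from the lecture): textbook RSA with the classic toy parameters p = 61, q = 53, e = 17, so that every step can be checked by hand. It also shows why key size matters, by recovering the private exponent from the tiny public key alone. The routine names are this example's own; the numbers are deliberately too small for any real use and there is no padding, so this is illustration, not a library.

```c
#include <stdint.h>
#include <stdio.h>

/* Square-and-multiply: base^exp mod m. With m < 2^32 every product fits in 64 bits. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return result;
}

/* Modular inverse of a modulo m by the extended Euclidean algorithm.
   Returns 0 when gcd(a, m) != 1, i.e. when no inverse exists. */
uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t t = 0, new_t = 1;
    int64_t r = (int64_t)m, new_r = (int64_t)(a % m);
    while (new_r != 0) {
        int64_t q = r / new_r, tmp;
        tmp = t - q * new_t; t = new_t; new_t = tmp;
        tmp = r - q * new_r; r = new_r; new_r = tmp;
    }
    if (r != 1)
        return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

typedef struct { uint64_t n, e; } rsa_public_t;   /* published to everybody */
typedef struct { uint64_t n, d; } rsa_private_t;  /* kept by one party only */

/* Textbook key generation: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi. */
int rsa_keygen(uint64_t p, uint64_t q, uint64_t e, rsa_public_t *pub, rsa_private_t *prv) {
    uint64_t n = p * q, phi = (p - 1) * (q - 1);
    uint64_t d = modinv(e, phi);
    if (d == 0)
        return -1;                     /* e must be coprime to phi */
    pub->n = n; pub->e = e;
    prv->n = n; prv->d = d;
    return 0;
}

/* Anyone holding the public key can encrypt; only the private key decrypts. */
uint64_t rsa_encrypt(const rsa_public_t *pub, uint64_t m) { return modpow(m, pub->e, pub->n); }
uint64_t rsa_decrypt(const rsa_private_t *prv, uint64_t c) { return modpow(c, prv->d, prv->n); }

/* Why key size matters: for a tiny n an attacker factors n by trial division,
   recomputes phi and obtains d from the public key alone. Real RSA moduli are
   2048 bits or more precisely so that this step is infeasible. */
rsa_private_t recover_private_from_public(rsa_public_t pub) {
    rsa_private_t prv = { pub.n, 0 };
    for (uint64_t p = 2; p * p <= pub.n; p++) {
        if (pub.n % p == 0) {
            uint64_t q = pub.n / p;
            prv.d = modinv(pub.e, (p - 1) * (q - 1));
            break;
        }
    }
    return prv;
}

typedef struct { rsa_public_t pub; rsa_private_t prv; uint64_t m, c, decrypted; } toy_run_t;

/* Worked run with p=61, q=53, e=17: n = 3233, phi = 3120, d = 2753. */
toy_run_t toy_example(void) {
    toy_run_t r = { {0, 0}, {0, 0}, 65, 0, 0 };
    if (rsa_keygen(61, 53, 17, &r.pub, &r.prv) != 0)
        return r;
    r.c = rsa_encrypt(&r.pub, r.m);            /* 65^17 mod 3233 = 2790 */
    r.decrypted = rsa_decrypt(&r.prv, r.c);    /* 2790^2753 mod 3233 = 65 */
    return r;
}

int main(void) {
    toy_run_t r = toy_example();
    printf("public (n=%llu, e=%llu)  private d=%llu\n", (unsigned long long)r.pub.n,
           (unsigned long long)r.pub.e, (unsigned long long)r.prv.d);
    printf("m=%llu -> c=%llu -> m=%llu\n", (unsigned long long)r.m,
           (unsigned long long)r.c, (unsigned long long)r.decrypted);
    printf("d recovered from the public key alone: %llu\n",
           (unsigned long long)recover_private_from_public(r.pub).d);
    return 0;
}
```

The contrast with a symmetric cipher is in the two exponents: e is public and d is private, and the only thing keeping d secret is that factoring n is hard, which it plainly is not at this size.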
Vulnerability management
Vulnerability management is a broad term.
Why are there so many vulnerabilities?
It is important to understand what causes vulnerabilities. Based on a taxonomy created by the Gartner Group, software vulnerabilities fall into two broad classes with two subcategories in each:
Software defects
• Design flaws
• Coding errors
Configuration errors
• Unnecessary (and dangerous) services
• Access administration errors
Software defects
• Software defects are built into the code during development and include design flaws and coding mistakes. Gartner estimates that 35% of successful attacks exploit these types of errors.
Design flaws
o involve design decisions that create an inherently insecure system.
Coding errors
o include both bugs and features that were put in not by design but through oversight.
o Coding errors include buffer overflows, race conditions, back doors into systems, and even non-random "random"-number generators.
Configuration Errors
• If software defects account for 35% of vulnerabilities, configuration errors account for a whopping 65%. This means that the biggest bang for the buck in terms of avoiding vulnerabilities is an investment in configuration management, assessment of configurations, and repeatable (safe) configurations.
Unnecessary (and dangerous) services
o Systems are often configured to bring up services and allow connections that are not required. It is usually easier to install a system with its default configuration than to define precisely what is and is not required. Vendors tend to prefer an all-enabling starting configuration because it avoids problems that can be interpreted as "the system not working."
Access administration errors
• When access control configuration contains errors, entire security models fall apart. Because most complex systems have elaborate access control schemes based on groups, roles, permissions, delegation, and more, errors in access control configuration are common.
Vulnerability scanners
Vulnerability scanners (also called vulnerability
assessment products) scan systems and try to locate
exposures and vulnerabilities.
Scanners also come in many types, including host-
based assessments, network-based assessments, target-
based assessments, and any combination of these.
Monitoring and baselining
Many vulnerabilities are caused by mistakes and configuration errors. Once companies set policies and define compliance targets, they need to continuously monitor compliance. This is hard to do unless you define a baseline against which the current state can be continuously compared.
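The following C program is an added example, not part of the lecture, of the baseline comparison described here; it also covers the "unnecessary services" point above, because a setting that appears on the system but not in the baseline is exactly the extra service or feature that nobody asked for. The setting names (remote_admin, listener_port and so on) and both configurations are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One configuration setting as "key" -> "value". */
typedef struct { const char *key; const char *value; } setting_t;

/* Deviations from the baseline, split by kind of finding. */
typedef struct {
    int mismatched;   /* key in both, value differs from the baseline */
    int missing;      /* key required by the baseline, absent from the system */
    int unexpected;   /* key on the system the baseline never mentions (extra service/feature) */
} deviation_t;

static const char *lookup(const setting_t *s, size_t n, const char *key) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(s[i].key, key) == 0)
            return s[i].value;
    return NULL;
}

/* Compare the current configuration against the baseline, both as key/value lists. */
deviation_t compare_to_baseline(const setting_t *base, size_t nbase,
                                const setting_t *cur, size_t ncur) {
    deviation_t d = { 0, 0, 0 };
    for (size_t i = 0; i < nbase; i++) {
        const char *v = lookup(cur, ncur, base[i].key);
        if (v == NULL)
            d.missing++;
        else if (strcmp(v, base[i].value) != 0)
            d.mismatched++;
    }
    for (size_t i = 0; i < ncur; i++)
        if (lookup(base, nbase, cur[i].key) == NULL)
            d.unexpected++;
    return d;
}

int total_deviations(deviation_t d) { return d.mismatched + d.missing + d.unexpected; }

/* Constructed baseline and system snapshot; the setting names are hypothetical. */
static const setting_t BASELINE[] = {
    { "remote_admin",  "off" },
    { "listener_port", "1433" },
    { "xp_cmdshell",   "disabled" },
    { "audit_logins",  "all" },
};
static const setting_t CURRENT_CONFIG[] = {
    { "remote_admin",  "on" },         /* drifted from the baseline: mismatch */
    { "listener_port", "1433" },       /* compliant */
    { "xp_cmdshell",   "disabled" },   /* compliant */
    { "sample_db",     "installed" },  /* not in the baseline: unexpected */
    /* audit_logins is gone: missing */
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

deviation_t demo_compare(void) {
    return compare_to_baseline(BASELINE, COUNT(BASELINE), CURRENT_CONFIG, COUNT(CURRENT_CONFIG));
}

int main(void) {
    deviation_t d = demo_compare();
    printf("mismatched=%d missing=%d unexpected=%d total=%d\n",
           d.mismatched, d.missing, d.unexpected, total_deviations(d));
    return 0;
}
```

Run on a schedule against every database host, a non-zero total is the compliance signal the slide asks for; the three counters tell you whether the drift is a changed value, a disabled control, or an extra component that should not be there.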
