Database Security: What Gets Overlooked?

The program will begin shortly. Please listen to the webinar through your computer with the speakers turned on.

Cal Slemp, Managing Director, Protiviti James Hulscher, Senior Manager, Protiviti

Some Reminders . . .

ASKING QUESTIONS Click on the “ASK A QUESTION” link at the top of your screen. Please provide your email address for a swift reply.

Q&A There will be a Q&A session at the end of the presentation

COPY OF SLIDES After the webinar, all attendees will be able to access the recording and the presentation slides

POLLING QUESTIONS/VOTES Participation is voluntary. Results will be included in the slides.

NEED HELP? If you need help during the webinar, click “RATE THIS” “Not hearing audio? Click here for help”

Today’s Presenters

Cal Slemp – Global Protiviti leader for IT Security & Privacy

– 30+ years of experience in information technology risk & strategy consulting

– Deep expertise in the pharmaceutical, manufacturing, consumer packaged goods and retail industries

James Hulscher – 15 years of experience in IT

– Manufacturing, education, health care, insurance, and financial services

– Completing Ph.D. in Information Assurance with specialization in security

Why Is Database Security Critical?

Highly valuable asset – DATA

Vulnerable

Support business critical operations

Data breach requirements

Data leveraged for further attacks

As strong as your weakest link

Database attacks steadily increase

Security Breaches Continue to Worsen

2011 Yet another record-breaking year for security breaches

Database Security – Types of Attacks

Attacks on organizational data infrastructure are becoming increasingly complex

Database Security – Tools and Resources

Increased malware availability

Rapidly advancing capability

Organizational resources and pace are outstripped

Database Security – Who’s Responsible for the Data?

The Challenge:

A proactive, evolving, and privacy-focused strategy and methodology

Who in the organization is responsible for data security and privacy?

Everyone!

– Security Team(s)

– DBAs/Architects

– Developers/Application Support

– Network and Systems Administrators

– End Users

– Vendors (Extranets)

Database Security – Significant Loss

$7.2 Million

The Evolution of Data Security – Data As the Target

The Evolution of Data Security – Organized Attacks

Typically, an organized group of malicious users, not just an individual, and typically globally.

The Evolution of Data Security – Regulatory Requirements

Compliance and regulatory requirements for organizations have significantly increased

IT Auditors must understand the avenues to the data and the impacts of weak or missing controls

More than just network penetration tests, vulnerability scans, database penetration tests

The Evolution of Data Security – Consumer Awareness

Consumer awareness of data theft =

Financial Loss

Reputation Damage

The Evolution of Data Security – A Paradigm Shift

Comprehensive view of securing data, and the systems within the enterprise

Why the Data?

Data leakage can provide the information for a much more sophisticated attack on an organization

Ultimately, the data will lead to some type of gain

Understanding Database Logging

Native Logging (Vendor Provided) – How did the user get to the DB?

– How/when/who created the user?

Database Monitoring

Identifies: – Unauthorized changes to data structure

– Illicit activity (e.g. mass data extract)

Provides audit trails for compliance requirements

Database Monitoring

Prevention and early detection for quick reaction

What Types of Changes Take Place Within a Database?

DML is Data Manipulation Language – Insert

– Select

– Update

– Delete

DML attack via SQL Injection

DCL is Data Control Language – Grant – Grant rights to an object or entire database

– Revoke – Remove access rights to an object or database

Why is DCL critical to DB functions? – A malicious user can grant/revoke rights to users, schemas, and applications that connect to a DB.

Methodology : Outside-In

Technologies

Security Appliances

Controls

Audit and systematic reviews of: – Database activity

– DML/DCL changes from external sources

Types of access control

Encryption

Methodology : Inside-Out

Internal attacks are likely, due to – Abuse of privileged and super user accounts

– End users allowing code/malware to enter: email, social media, thumb drives

– Abuse of data by organizational partners or service providers

Methodology: Inside-Out

Develop and encrypt data that can only be used by applications.

Background check

Financial monitoring

Criminal monitoring

Incident Preparation and Response

3rd Party audits – Deep database penetration tests

– Reviews of database logs

– Manual testing of applications

Let’s Review Some Examples

SQL Injections – How they work at a high level

SQL Example 1

SQL Injection. Web-based application communicating with a backend database.

“OLE DB Provider…ODBC SQL Driver [SQL Server} Error xxxxxxx error converting “ABC” into a column of data type int”

SQL Example 2

Using http or a webpage once a footprint has been detected.

http://ABCBank/index.asp?username=admin;password=1’ OR 1=1;--

What Is a Stored Procedure?

Stored Procedures – the solution for preventing SQL Injections?

SQL Example 3

Allowing direct SQL sessions to your database – telnet session

– T-SQL

– PL/SQL

Example: SELECT userNAME from users where userNAME=‘ ‘; shutdown with nowait; --’ and userpass=‘ ‘

Unification

An example – DBO (Privileged Account) with no rights to write data to the server

– Server admin creates DBO account for DBA

– Consistency in password procedures?

Further Unification Evaluation – Real World Examples

Another example – Install of 3rd-party app requires admin rights

– Password change may impact maintenance and support

– Additional risks

Database Auditing

Database systems are both the most overlooked and the most crucial areas in need of securing

Database security requirements in: – HIPPA - Dodd-Frank - US Patriot Act (AML)

– HITECH - ISO 27000 - Various Industry

– SOX - PCI – DSS

– GLBA - EU Data Protection Directive

Auditing Database Errors

Architecture reviews – applications and middleware

Principles for Developing a Database Audit Strategy

Protect the audit trail

Audit mainstream activities

Audit critical actions

Archive audit records

Controls are Critical

Document – Storage management architecture

Audit – At random times

– Especially after migrations, upgrades, and during implementation

Database Improvements Will Enable Compliance

Example – Configuration Parameters

Tools and Resources

Commercial Tools: – Acunetix – website vulnerability scanning tool

– Nessus – vulnerability assessment scanning tool

Freely Available: – BackTrack5 – Numerous vulnerability assessment tools

– Havij – Find SQL Injection vulnerabilities

2012 and the Continued Evolution

Data protection requirements will increase

More mobile devices

Social media = more ways to share data Know your data

Contact Information

For more information about our approach to database security, including database logging and database monitoring, please contact

Jim Hulscher

Powerful Insights. Proven Delivery. ®

601 Carlson Parkway Suite 1120 Minnetonka, MN 55305 USA Direct: 952.249.2219 james.hulscher@protiviti.com

Database Security: What Gets Overlooked?

Documents

Norman Bryson, Looking at the Overlooked

12 Often Overlooked Tax Deductions

HIV Database WorkshopHelp " Tips at the top of the page are often overlooked Ranges, operators, wildcards, logical groupings " Mouse-over provides brief descriptions; click field names

Ornithine: the overlooked molecule in the regulation of ... · PDF fileOrnithine: The Overlooked Molecule in the Regulation of ... et al. 2005, No¨lke et al. 2008 ... the overlooked

DisclaimerThis is why they can’t see the value in Snapchat and it’s why it so often gets overlooked for other methods. But now reconsider that objection for a moment. Because actually,

Overlooked & Undercounted 2021

5 Overlooked Channels to Distribute Infographic

The Overlooked Marketing Edge

EMU Overlooked

TW notes that cannot be overlooked!

optimizer gets your data, fast How a database · How a database optimizer gets your data, fast Vicențiu Ciorbaru Software Developer Team Lead @ MariaDB Foundation Percona Live Europe

Top 10 Overlooked Tax Breaks

Contexts in Progress: Addressing Overlooked Resources

Women & Brain Drain : The Overlooked Solution

How Top of the Funnel Optimization Often Gets Overlooked

Under cover and overlooked

The Overlooked Gap in Financial Advice

PI World 2020 Lab - Microsoft...%System% - Gets the name of the AF Server the attribute is on ii. %Database% - Gets the name of the database the attribute is on iii. %ElementPath%

"BOLD" magazine: Overlooked edition

Chapter 4 Including Everyone: Who Sometimes Gets Overlooked in School?