Protecting a Critical Resource
• Banking/Financial Records
• Medical Records
• Inventory
• Customer Information
• Personnel Records
• Student Records
Threats to Data
• Copy
• Destroy
• Modify
“Securing the Database may be the single biggest action an organization can take to protect its
assets.” – David Knox
Results of an “Incident”
• Loss of reputation
• Loss of $$$
• Lawsuits (more loss of $)
• TJX – 45M credit/debit cards, $256M as of 8/2007 (Boston Globe Online)
Big Picture
• Physical security
• Network security
• Operating system security
• Application security
• DBMS security (yes, these have vulnerabilities too)
Access Control
Data Control Language – DCL
GRANT priv ON object TO user [WITH GRANT OPTION]
REVOKE priv ON object FROM user
Examples
Table Level Privileges:
GRANT INSERT, UPDATE ON Students TO fred
GRANT DELETE ON Students TO sam WITH GRANT OPTION
GRANT ALL ON Students TO barney
REVOKE INSERT ON Students FROM fred
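The examples above stop at single grants. The added SQL below (not from the original slides) shows what WITH GRANT OPTION actually sets in motion and what REVOKE does to the resulting chain, then the role-based form that avoids the problem. Oracle DCL semantics are assumed; the schema owner registrar and the users fred, sam and wilma are assumed names.

```sql
-- Added example: a WITH GRANT OPTION chain and its revocation.
-- Assumes Oracle semantics; registrar/sam/wilma/fred are assumed names.

-- sam may delete from Students and may pass that right on.
GRANT DELETE ON registrar.Students TO sam WITH GRANT OPTION;

-- Connected as sam: nothing stops sam from widening the audience.
GRANT DELETE ON registrar.Students TO wilma;

-- Who holds what now? (Oracle data dictionary view; requires SELECT on it.)
SELECT grantee, privilege, grantor, grantable
  FROM dba_tab_privs
 WHERE owner = 'REGISTRAR'
   AND table_name = 'STUDENTS';

-- Revoking from sam also removes the DELETE that sam granted to wilma:
-- Oracle cascades object-privilege revokes down the grant chain.
REVOKE DELETE ON registrar.Students FROM sam;

-- Least-privilege alternative: grant through a role, never with grant option,
-- so membership (not re-granting) is the only way the privilege spreads.
CREATE ROLE student_clerk;
GRANT INSERT, UPDATE ON registrar.Students TO student_clerk;
GRANT student_clerk TO fred;
```

Two caveats: GRANT ALL (as in the barney example) hands out every object privilege, including ALTER and the ability to pass them on if WITH GRANT OPTION is added, so it is rarely what least privilege calls for; and the cascade on REVOKE is Oracle behaviour, whereas PostgreSQL refuses the REVOKE until you write REVOKE ... CASCADE, so check the dictionary view after revoking rather than assuming the chain is gone.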
Oracle Virtual Private Database (VPD)
Provides row-level security
Presents partial view of tables based on policies
VPD - Examples
Restrict user to only see courses from CSE
User issues:  SELECT * FROM Courses;
Executed as:  SELECT * FROM Courses WHERE department = 'CSE';
source – Oracle Database 10g Top 20 DBA Features
VPD – Examples – Selective Columns
Restrict user to only see students with GPA above 3.0
Table contents:
ID   Name   GPA
100  Jones  3.1
101  Smith  2.6
102  Smart  4.0
SELECT * FROM Students;        -- returns rows 100 and 102 only
SELECT COUNT(*) FROM Students; -- returns 2
source – Oracle Database 10g Top 20 DBA Features
VPD – Examples – Column Masking
Restrict user to only see GPA values above 3.0 (all rows stay visible; the GPA column is masked where the predicate fails)
Table contents:
ID   Name   GPA
100  Jones  3.1
101  Smith  2.6
102  Smart  4.0
SELECT * FROM Students;
Result:
ID   Name   GPA
100  Jones  3.1
101  Smith  <null>
102  Smart  4.0
source – Oracle Database 10g Top 20 DBA Features
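The slides show the effect of the two Students policies but not how they are declared. The added PL/SQL below (not from the slides or the Oracle article) implements both with DBMS_RLS: the row-filtering policy first, then the column-masking variant. The schema name REGISTRAR, the policy and function names, and the exemption of the owner are assumptions; it must run as a user with EXECUTE on DBMS_RLS.

```sql
-- Added example: the two VPD policies behind the Students slides.
-- REGISTRAR, the function/policy names and the owner exemption are assumed.

-- Policy function: returns the WHERE-clause fragment VPD appends to the
-- statement. Returning NULL means "no restriction"; used here so the
-- schema owner still sees every row.
CREATE OR REPLACE FUNCTION registrar.high_gpa_pred (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2)
RETURN VARCHAR2
AS
BEGIN
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'REGISTRAR' THEN
        RETURN NULL;
    END IF;
    RETURN 'gpa > 3.0';
END;
/

-- Variant 1: row-level policy. Rows with gpa <= 3.0 disappear for every
-- other user: SELECT * returns Jones and Smart, COUNT(*) returns 2.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'REGISTRAR',
        object_name     => 'STUDENTS',
        policy_name     => 'STUDENTS_HIGH_GPA_ROWS',
        function_schema => 'REGISTRAR',
        policy_function => 'HIGH_GPA_PRED',
        statement_types => 'SELECT');
END;
/

-- Variant 2: column masking. The row policy is dropped first, because
-- several policies on one table are ANDed together. With ALL_ROWS every
-- row is returned and GPA is NULL where the predicate is false.
BEGIN
    DBMS_RLS.DROP_POLICY('REGISTRAR', 'STUDENTS', 'STUDENTS_HIGH_GPA_ROWS');
    DBMS_RLS.ADD_POLICY(
        object_schema         => 'REGISTRAR',
        object_name           => 'STUDENTS',
        policy_name           => 'STUDENTS_GPA_MASK',
        function_schema       => 'REGISTRAR',
        policy_function       => 'HIGH_GPA_PRED',
        statement_types       => 'SELECT',
        sec_relevant_cols     => 'GPA',
        sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Connected as any user other than REGISTRAR:
SELECT id, name, gpa FROM registrar.students;
-- 100 Jones 3.1 / 101 Smith <null> / 102 Smart 4.0
```

Two things to check before relying on this: column masking (ALL_ROWS) applies to SELECT only, so INSERT/UPDATE/DELETE still need a row-level policy of their own; and an exemption keyed on SESSION_USER, as above, is only as strong as the control over who can log in as that user, so prefer an application context set by trusted code when the exemption matters.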
Oracle Label Security
Access based on:
• data sensitivity labels (attached to each row)
• user label authorizations
Provides multi-level security capability
Data Sensitivity Labels have 3 components:
• Level – required
• Compartment – optional
• Group – optional
A policy can have up to 999 levels and 9,999 groups and compartments (Source: Oracle Label Security Best Practices White Paper)
Oracle Label Security - Example
ID   SSN          DL_Num    Lname   Pol1_sec_lab
100  123-45-6789  09234554  Miller  Sensitive:PII:HR
101  234-56-6887  10854834  Arnold  Private:PII:HR
(Source: Oracle Label Security Best Practices White Paper)
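The table above shows labelled rows but not the policy that produces them. The added PL/SQL below (not from the slides or the white paper) builds the POL1 policy behind the Pol1_sec_lab column with the Oracle Label Security administration packages, labels the two rows, and authorizes two users so that one sees both rows and the other only Arnold. Assumptions: OLS is installed and enabled, the script runs as a user holding the LBAC_DBA role, the table is HR.EMPLOYEES, and the numeric tags, user names and the FULL privilege granted to HR for initial labelling are made up for the example.

```sql
-- Added example: an Oracle Label Security policy matching the table above.
-- Assumes OLS is enabled and the session holds LBAC_DBA; HR.EMPLOYEES,
-- the numeric tags and the user names HR_CLERK/HR_MANAGER are assumed.

-- 1. The policy. column_name becomes the label column on each protected
--    table; READ_CONTROL enforces labels on SELECT.
BEGIN
    SA_SYSDBA.CREATE_POLICY(
        policy_name     => 'POL1',
        column_name     => 'POL1_SEC_LAB',
        default_options => 'READ_CONTROL');
END;
/

-- 2. Components: levels are ordered (higher number = more sensitive);
--    compartments and groups are unordered sets a user must hold.
BEGIN
    SA_COMPONENTS.CREATE_LEVEL('POL1', 1000, 'PRIVATE',   'Private');
    SA_COMPONENTS.CREATE_LEVEL('POL1', 2000, 'SENSITIVE', 'Sensitive');
    SA_COMPONENTS.CREATE_COMPARTMENT('POL1', 100, 'PII', 'Personally identifiable');
    SA_COMPONENTS.CREATE_GROUP('POL1', 10, 'HR', 'Human Resources');
END;
/

-- 3. Data labels rows may carry: LEVEL:COMPARTMENTS:GROUPS.
BEGIN
    SA_LABEL_ADMIN.CREATE_LABEL('POL1', 1010, 'PRIVATE:PII:HR');
    SA_LABEL_ADMIN.CREATE_LABEL('POL1', 2010, 'SENSITIVE:PII:HR');
END;
/

-- 4. Apply the policy to the table (this adds the POL1_SEC_LAB column)
--    and let the owner bypass it once to label existing rows.
BEGIN
    SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
        policy_name => 'POL1',
        schema_name => 'HR',
        table_name  => 'EMPLOYEES');
    SA_USER_ADMIN.SET_USER_PRIVS('POL1', 'HR', 'FULL');
END;
/

-- 5. As HR: label the rows from the table above.
UPDATE hr.employees
   SET pol1_sec_lab = CHAR_TO_LABEL('POL1', 'SENSITIVE:PII:HR')
 WHERE id = 100;
UPDATE hr.employees
   SET pol1_sec_lab = CHAR_TO_LABEL('POL1', 'PRIVATE:PII:HR')
 WHERE id = 101;

-- 6. User authorizations (max read label). A row is readable only if the
--    user's level dominates the row's level AND the user holds all of the
--    row's compartments AND at least one of its groups.
BEGIN
    SA_USER_ADMIN.SET_USER_LABELS('POL1', 'HR_CLERK',   'PRIVATE:PII:HR');
    SA_USER_ADMIN.SET_USER_LABELS('POL1', 'HR_MANAGER', 'SENSITIVE:PII:HR');
END;
/

-- HR_CLERK:   SELECT lname FROM hr.employees;  -> Arnold
-- HR_MANAGER: SELECT lname FROM hr.employees;  -> Miller, Arnold
```

The point to take from step 6 is that the level alone does not decide access: a user at SENSITIVE without the PII compartment or the HR group sees neither row. Also note that READ_CONTROL says nothing about writes; add WRITE_CONTROL (and LABEL_UPDATE if users may relabel rows) before treating the policy as mandatory access control rather than a read filter.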
Inference
Simple example (from Viega & McGraw)
First query:
SELECT AVG(income) FROM customers
WHERE state = 'VA' OR (city = 'Reno' AND state = 'NV' AND age = 72);
Followed by:
SELECT AVG(income) FROM customers WHERE state = 'VA';
Each query on its own returns only an aggregate, but combined with the row counts the difference between the two answers gives away the income of the single 72-year-old customer in Reno.
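The added SQL below (not from the slides or from Viega & McGraw) carries the inference through: the attacker's two statistical queries with their counts, the arithmetic that recovers the individual value, and one control. A customers(state, city, age, income) table and a user analyst are assumed; no real data is involved.

```sql
-- Added example: completing the inference and one control against it.
-- customers(state, city, age, income) and the user analyst are assumed.

-- Step 1: the attacker's two "statistical" queries, with counts.
SELECT AVG(income) AS avg_plus_target, COUNT(*) AS n_plus_target
  FROM customers
 WHERE state = 'VA'
    OR (city = 'Reno' AND state = 'NV' AND age = 72);

SELECT AVG(income) AS avg_va, COUNT(*) AS n_va
  FROM customers
 WHERE state = 'VA';

-- Step 2: the target's income is
--   avg_plus_target * n_plus_target - avg_va * n_va
-- AVG plus COUNT over an attacker-chosen set is SUM over that set, so the
-- disclosure is the same as this single query:
SELECT (SELECT SUM(income) FROM customers
         WHERE state = 'VA' OR (city = 'Reno' AND state = 'NV' AND age = 72))
     - (SELECT SUM(income) FROM customers WHERE state = 'VA')
       AS target_income
  FROM dual;

-- Control: take the predicate away from the user. Expose aggregates only
-- through a view with a fixed grouping and a minimum query-set size, and
-- grant the view instead of the base table.
CREATE OR REPLACE VIEW customer_income_stats AS
SELECT state, AVG(income) AS avg_income, COUNT(*) AS n
  FROM customers
 GROUP BY state
HAVING COUNT(*) >= 10;

GRANT SELECT ON customer_income_stats TO analyst;
REVOKE SELECT ON customers FROM analyst;
```

The fixed GROUP BY is what does the work here: a minimum query-set size on its own is known to be defeatable by combining several large sets (tracker attacks), but once the user cannot supply the predicate there is no way to isolate one row. The analyst now cannot express the Reno query at all, because customers is not grantable to them.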
Good Practices
• Use views
• Use stored procedures
• Keep up to date on patches
• Limit privileges
• Have a security policy and follow it
• Encrypt sensitive data
• Do audits/monitor employees
• Regular security assessments
• Enforce strong passwords
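The first two practices above, views and stored procedures, combine into one least-privilege pattern: users get a view that omits sensitive columns and a procedure that performs the one permitted write, and never a grant on the base table. The added SQL below (not from the slides) shows that pattern in Oracle; the schema REGISTRAR, a Students table with an ssn column, and the user advisor are assumed.

```sql
-- Added example: views + stored procedures as least privilege.
-- REGISTRAR, Students(id, name, gpa, ssn) and the user advisor are assumed.

-- 1. A view that leaves out the sensitive column.
CREATE OR REPLACE VIEW registrar.students_public AS
SELECT id, name, gpa
  FROM registrar.students;

-- 2. A definer-rights procedure for the one allowed write. It runs with
--    REGISTRAR's privileges, validates its input, and uses bind parameters,
--    so the caller needs no UPDATE privilege and cannot inject SQL.
CREATE OR REPLACE PROCEDURE registrar.set_gpa (
    p_id  IN registrar.students.id%TYPE,
    p_gpa IN registrar.students.gpa%TYPE)
AUTHID DEFINER
AS
BEGIN
    IF p_gpa IS NULL OR p_gpa < 0 OR p_gpa > 4.0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'GPA out of range');
    END IF;

    UPDATE registrar.students
       SET gpa = p_gpa
     WHERE id = p_id;

    IF SQL%ROWCOUNT = 0 THEN
        RAISE_APPLICATION_ERROR(-20002, 'No such student');
    END IF;
END;
/

-- 3. Grant the view and the procedure only; nothing on the base table.
GRANT SELECT  ON registrar.students_public TO advisor;
GRANT EXECUTE ON registrar.set_gpa        TO advisor;

-- advisor can run:
--   SELECT * FROM registrar.students_public;
--   EXEC registrar.set_gpa(101, 3.2);
-- but not:
--   SELECT ssn FROM registrar.students;   -- ORA-00942: table or view does not exist
```

The procedure is the audit point as well: every GPA change goes through one piece of code, so logging and validation live in one place. Keep AUTHID DEFINER procedures small and free of dynamic SQL built from their arguments, since any flaw in them runs with the owner's rights.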
Future
• More data to protect
• More sophisticated attacks
• More emphasis on security education (hopefully)
Bibliography
• Alapati, S. R., & Kim, C. (2007). Oracle Database 11g: New Features for DBAs and Developers. Apress.
• Bauer, M. D. (2005). Linux Server Security (2nd ed.). O'Reilly Media.
• Defense Information Systems Agency. (2007, Sep. 19). Security Technical Implementation Guides. Retrieved Oct 26, 2009, from http://iase.disa.mil/stigs/stig/database-stig-v8r1.zip
• Knox, D. (2004). Effective Oracle Database 10g Security by Design. McGraw-Hill.
• Litchfield, D., Anley, C., Heasman, J., & Grindlay, B. (2005). The Database Hacker's Handbook: Defending Database Servers. Wiley.
• Mullins, C. S. (2002). Database Administration: The Complete Guide to Practices and Procedures. Addison-Wesley Professional.
• Needham, P. (2008). Oracle Label Security Best Practices. Oracle.
• Oracle. (n.d.). Oracle Database 10g Top 20 DBA Features. Retrieved Oct 26, 2009, from http://www.oracle.com/technology/pub/articles/10gdba/week14_10gdba.html
• Pfleeger, C. P., & Pfleeger, S. L. (2006). Security in Computing (4th ed.). Prentice Hall.
• Viega, J., & McGraw, G. (2002). Building Secure Software. Addison-Wesley Professional.