ISACA DBSEC v1 PDF

Cyber Security Team
Database Security
A threat from within
Strictly Private
and Confidential
June 2015
Database Security A threat from within June 2015
PwC
Table of Contents
Section Overview Page
1 Introduction: Threats to DB Security 1
2 Architecture & Vocabulary 8
3 Access Control & Application Security 14
4 Data Anonymization 21
5 Authentication 24
6 Governance, Risk and Compliance 27
7 Database Vulnerability Assessment 29
8 Database Audit & Protection 32
9 Database Security in the Cloud 37
10 Questions and Answers 40

Section 1
Introduction: Threats to DB Security

PwC 1
Section 1 Introduction: Threats to DB Security
Databases: an attractive target
96% of records breached are from

databases
Database records stolen

in early-2014
May:
March: eBay
(145M)
Credentials Korean
Telecom
Email addresses February:
(12M)
Kickstarter
Credit cards information (5.6M)
Social security numbers January:
Medical records Snapchat

(4.5M)
etc
Source: Verizon - Data breach investigations report 2015

PwC 2
Top 10 Database Threats
Excessive privileges 1 2 SQL injections

Unauthorized access & abuse 19% of web app attacks
Malware 3 4 Weak audit trail

Compromised Hosts Unable to detect
Backup exposure 5 6 Weak authentications

Often unprotected media Bruteforce, stolen credentials
DB vulnerabilities & 7 8 Unmanaged

misconfiguration Sensitive data
Denial of Service 9 10 Limited security

expertise & education

PwC 3
Top 10 Database Threats
Excessive privileges 1 2 SQL injections

Unauthorized access & abuse 19% of web app attacks
But whos to
Malware 3 blame? 4 Weak audit trail
Compromised Hosts Unable to detect
Backup exposure 5 6 Weak authentications

Often unprotected media Bruteforce, stolen credentials
DB vulnerabilities & 7 8 Unmanaged

misconfiguration Sensitive data
Denial of Service 9 10 Limited security

expertise & education

PwC 4
Who are the stakeholders (threats) of Database Security?
CISO Auditors IT Security Business You ?
DBAs End Users
Developers Storage/Backup Admins
Network Admins
System Admins
PwC Testers 5
Oracle Security History

1992
Strong
authentication
Oracle Label
(PKI, Kerberos,
7 8i 9i
Security
RADIUS) Fine Grained
Global roles
Native Network Auditing
Encryption Virtual Private
Database
Database Native
Auditing
Activity Separation of
Secure Backup Monitoring & Duty
10g 11g 12c

Transparent Data Database New Audit
Encryption Firewall Framework
Oracle Audit & Privilege Analysis Advanced
Database Vault Sensitive data Security Options
Discovery are embedded
2015
PwC 6
Native Security provided by Oracle and the others
Virtual Private Label Based

Database Access Control
Materialized Materialized Dynamic Materialised Materialised Materialised
Views Query Tables Views only Views Views Views
Audit via Audit via
Audit Audit Audit Audit
Module Module
RBAC (Roles) RBAC (Roles) No Roles RBAC (Roles) RBAC (Roles) RBAC (Roles)
Transparent Transparent Manual Manual Transparent Transparent

Encryption Encryption Encryption Encryption Encryption Encryption
Anonymization No No No No
Data Masking
(optional) Anonymization Anonymization Anonymization Anonymization
Synonyms Synonyms No Synonyms Synonyms Synonyms No Synonyms
Oracle IBM DB2 MySQL PostgreSQL SQL Server Sybase

PwC 7
Section 2
Architecture & Vocabulary

PwC 8
Section 2 Architecture & Vocabulary
Oracle Architecture
Memory (SGA)
Instance (SID)
Background Processes
Database
Datafiles, Online Redo logs,
Controlfiles, Backup files,
Parameter Files
PwC 9
Logical vs Physical
Database
Schema Tablespace Datafile
Segment
Extent
Database Bloc O.S. Bloc

PwC 10
Logical Structures
Tables Constraints Indexes Views
Procedures
Synonyms Profiles Sequences & Functions
Triggers Packages

PwC 11
Dictionary & Catalog

TBS USERS TBS SYSTEM
Dictionary
Tables Information about the database itself (Metadata)
Tables SYS
Indexes
Constraints
Catalog
Views on the dictionary
Views Views SYSTEM

PwC 12
Structured Query Language - SQL

SQL is a special-purpose programming language designed for managing data
held in a database (RDBMS).
Data Definition Language

Define the structure of tables and other
objects
CREATE , ALTER, DROP or TRUNCATE
Data Manipulation Language

Use and manipulate the data
SELECT, INSERT, UPDATE or DELETE
Data Control Language

Define permissions for users/schemas
GRANT or REVOKE
PwC 13
Section 3
Access Control & Application Security

PwC 14
Section 3 Access Control & Application Security
Strategy to Secure Data
Classify
Data/Users
STRATEGY
TO SECURE
DATA
Map Anticipate
Controls Threats

PwC 15
Role Based Access Control (RBAC)

privileges roles
Public Business Users
Internal
DB2 DB3 Developers
DB1
Confidential
Managers
Databases
Top Secret
Secu. Admins
Data Roles &

Classification Responsibilities

PwC 16
Data Classification against the Triad
CONFIDENTIALITY INTEGRITY
Classification against their contents Impact when modifying data
Secret/Confidential/Internal/Public High/Medium/Low
AVAILABILITY
What Availability is required?
90%? 99.5%?
PwC 17
Misconfiguration Risk with Privileges
App. Owner
App. Table
App. Table
~~~~
App. Table
~~~~
~~~~ App. Table
~~~~
~~~~
~~~~
Thomas ~~~~~~~~
~~~~
~~~~
~~~~
ANY ~~~~
With
Admin/Grant
!
Option
!
Ana Mike

PwC 18
Misconfiguration Risk with roles
Insert Select
Delete
Update Insert
Business User Select Select Select
DB
Application Role = DBA Access !!

PwC 19
Misconfiguration Risk with Profile
Password Lifetime
Password Complexity
Failed Login Attempts
CPU per Session
Lambda
Connect Time

Beware to default or Unlimited value

PwC 20
Section 4
Data Anonymization

PwC 21
Section 4 Data Anonymization
Data Anonymization
Business Senior External Developer Junior

user DBA provider DBA
Production Testing
NAME SSN SALARY NOTES Anonymize
Copy NAME SSN SALARY NOTES
Dupont 203-55-1478 40,000 - JaOXnRtx

Dupont 123-45-6789
203-55-1478 40,000 redacted
-
Will be Will be
Schmitt 325-65-1469 60,000 GBerilQ
Schmitt 170-96-1765
325-65-1469 60,000 redacted
promoted promoted
Data encryption Data masking

Repeatable: an input always Delete or replace with a
gives the same result. constant value.
Data scrambling
Replace with a random
value of same format.
PwC 22
Section 4 Data Anonymization
Data Masking in Production
Views to hide rows and/or column

Synonyms to replace views name by the original table one (or used to
hide the use of Database Link)
Virtual Private Databases to segregate data from different customers

PwC 23
Section 5
Authentication

PwC 24
Section 5 Authentication
Authentication
# root
Strong Authentication OS LEVEL
Accountability
Least Privileges
Non Repudiation
OS USER
# oracle STRONG AUTHENTICATION
Monitoring & Blocking
Users DB LEVEL
High Priv. Accounts sys (dba)
Database
LDAP USER
DB USER
Data Leakage

PwC 25
Section 5 Authentication
Oracle Encryption
KEY VAULT
Database
Wallet
OR TDE
Secure
Backup
Data
HSM
DBA Pump
()
PwC 26
Section 6
Governance, Risk and Compliance

PwC 27
Section 6 Governance, Risk and Compliance Identity & Access
Management
Security Data Operational

Security,
Governance, Risk
Appli. Monitoring &
& Compliance
Controls (Audit)
Host
Internal Network
Perimeter & Cloud
Physical
Plan, Policies & Procedures,

Baselines, Awareness

PwC 28
Section 7
Database Vulnerability Assessment

PwC 29
Section 7 Database Vulnerability Assessment
Database Vulnerability Assessment
Suspicious admin Unusual hour

logins activities
Missing patches Weak passwords Accounts

sharing
Configuration Misconfigured
changes privileges

PwC 30
Section 7 Database Vulnerability Assessment
ODAT: penetration testing for Oracle Database
Accounts & passwords

guessing
4 HTTP requests
http://badguy.com/
2
5
TCP port scanning
3 ~~~
Columns
~~~
scanning
1 SID: ORCL
6
7
SID scanning
Systems commands &
File upload, download Remote shell access
& deletion
Source: https://github.com/quentinhardy/odat

PwC 31
Section 8
Database Audit & Protection

PwC 32
Section 8 Database Audit & Protection
Audit Trail & Fine Grained Auditing
Audit Audit table

Audit Trail table
Fast & Simple
Non-selective
OS file
Audit
events
Fine Grained Audit
Very flexible
Complex
~~~
System log
~~~
~~~
~~~
Interoperability issues
Performance issues
Audit Trail can be accessed and altered!

PwC 33
1- Oracle Audit Vault & Database Firewall
Audit Vault centralizes audit logs from the databases, the OS, Active Directory
It allows easy reporting and custom alerts
Cooperate with Database Firewall, which filters request made to the database
Is it not impacting the performance?

Source: Oracle Audit Vault documentation

PwC 34
2- IBM Infosphere Guardium
Switch
Span monitoring
? S-TAP
Is it safe? F-TAP
Local traffic Change of (ip, port)
Collector
Change of (ip, port)
! Policies
Aggregator
Real-time alerts Reports Post-mortem reports

PwC 35
Other players in the market

PwC 36
Section 9
Database Security in the Cloud

PwC 37
Section 9 Database Security in the Cloud
Databases in the Cloud

Container database
Consolidation dbs into a single container

Multi-tenancy
Elasticity
Pluggable databases
Segregation of data
Database protection
Auditing & Policies

monitoring
! ! ! Cloud Provider Yellow App

DBA DBA
Apps
Apps
Apps Alerts
Database Vault

PwC 38
Thank you!
Section 10
Questions and Answers

PwC 40
Section 10 Questions and Answers
Multitenancy in the Database Source: Oracle Multitenant documentation
Oracle Multitenant:
Consolidate several databases into a single
container:
Share resources & ease maintenance
Preserve segregation of data
Databases are pluggable
A Cloud infrastructure for Databases which

provides:
Elasticity & cost reduction
Flexibility
Segregation

PwC 41
Section 10 Questions and Answers
Database protection Source: Oracle Database Vault documentation
Database Vault:
Realm-based authorization
Preserve segregation of duties
Privileged accounts cannot access sensitive
data or data from other databases
Restriction according to Business Hours
Security Layer on the top of the DBAs

PwC 42

ISACA DBSEC v1 PDF

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

ISACA DBSEC v1 PDF

Transféré par

Droits d'auteur :

Formats disponibles

Cyber Security Team

A threat from within

Section Overview Page

1 Introduction: Threats to DB Security 1

2 Architecture & Vocabulary 8

3 Access Control & Application Security 14

6 Governance, Risk and Compliance 27

7 Database Vulnerability Assessment 29

8 Database Audit & Protection 32

9 Database Security in the Cloud 37

10 Questions and Answers 40

Database Security A threat from within June 2015

Databases: an attractive target

96% of records breached are from

Database records stolen

Medical records Snapchat

Database Security A threat from within June 2015

Top 10 Database Threats

Excessive privileges 1 2 SQL injections

Malware 3 4 Weak audit trail

Backup exposure 5 6 Weak authentications

DB vulnerabilities & 7 8 Unmanaged

Denial of Service 9 10 Limited security

Database Security A threat from within June 2015

Top 10 Database Threats

Excessive privileges 1 2 SQL injections

Backup exposure 5 6 Weak authentications

DB vulnerabilities & 7 8 Unmanaged

Denial of Service 9 10 Limited security

Database Security A threat from within June 2015

Who are the stakeholders (threats) of Database Security?

CISO Auditors IT Security Business You ?

DBAs End Users

Developers Storage/Backup Admins

Oracle Security History

10g 11g 12c

Native Security provided by Oracle and the others

Virtual Private Label Based

Transparent Transparent Manual Manual Transparent Transparent

Synonyms Synonyms No Synonyms Synonyms Synonyms No Synonyms

Oracle IBM DB2 MySQL PostgreSQL SQL Server Sybase

Database Security A threat from within June 2015

Database Security A threat from within June 2015

Schema Tablespace Datafile

Database Bloc O.S. Bloc

Database Security A threat from within June 2015

Tables Constraints Indexes Views

Database Security A threat from within June 2015

Dictionary & Catalog

Views Views SYSTEM

Database Security A threat from within June 2015

Structured Query Language - SQL

Data Definition Language

Data Manipulation Language

SELECT, INSERT, UPDATE or DELETE

Data Control Language

Database Security A threat from within June 2015

Strategy to Secure Data

Database Security A threat from within June 2015

Role Based Access Control (RBAC)

Public Business Users

Data Roles &

Database Security A threat from within June 2015