Database Security
A threat from within
Strictly Private and Confidential
PwC Cyber Security Team, June 2015
Table of Contents
1 Introduction: Threats to DB Security
2 Architecture & Vocabulary
3 Access Control & Application Security
4 Data Anonymization
5 Authentication
6 Governance, Risk and Compliance
7 Database Vulnerability Assessment
8 Database Audit & Protection
9 Database Security in the Cloud
10 Questions and Answers
Section 1 – Introduction: Threats to DB Security

Databases: an attractive target
Database records stolen in early 2014:
• January: Snapchat (4.5M)
• February: Kickstarter (5.6M)
• March: Korean Telecom (12M)
• May: eBay (145M)
What gets stolen: credentials, email addresses, credit card information, social security numbers, medical records, etc.
96% of records breached are from databases (source: Verizon Data Breach Investigations Report 2015).
Top 10 Database Threats
1. Excessive privileges: unauthorized access & abuse
2. SQL injections: 19% of web app attacks
3. Malware: compromised hosts
4. Weak audit trail: unable to detect
5. Backup exposure: often unprotected media
6. Weak authentication: bruteforce, stolen credentials
7. DB vulnerabilities & misconfiguration
8. Unmanaged sensitive data
9. Denial of Service
10. Limited security expertise & education
But who's to blame?
Who are the stakeholders (threats) of Database Security?
Developers, Testers, Network Admins, System Admins, Storage/Backup Admins, DBAs, End Users, CISO, Auditors, IT Security, Business... You?
Oracle Security History (1992 to 2015)
• Oracle 7: Strong authentication (PKI, Kerberos, RADIUS); Native Network Encryption; Database Native Auditing
• Oracle 8i: Oracle Label Security; Global roles; Virtual Private Database
• Oracle 9i: Fine Grained Auditing
• Oracle 10g: Secure Backup; Transparent Data Encryption; Oracle Audit Vault & Database Vault
• Oracle 11g: Activity Monitoring & Database Firewall; Privilege Analysis; Sensitive data Discovery
• Oracle 12c: Separation of Duty; New Audit Framework; Advanced Security Options are embedded
Native Security provided by Oracle and the others

Oracle:     Virtual Private Database, Materialized Views, Synonyms, Data Masking, Transparent Encryption, RBAC (Roles), Audit
MySQL:      Dynamic views only, No synonyms, No anonymization, Manual encryption, No roles, Audit via module
PostgreSQL: Materialised views, Synonyms, No anonymization, Manual encryption, RBAC (Roles), Audit via module
SQL Server: Materialised views, Synonyms, No anonymization, Transparent encryption, RBAC (Roles), Audit
Sybase:     Materialised views, No synonyms, No anonymization, Transparent encryption, RBAC (Roles), Audit
IBM DB2:    Label Based Access Control, Materialized Query Tables, Synonyms, Anonymization (optional), Transparent Encryption, RBAC (Roles), Audit
Section 2 – Architecture & Vocabulary

Oracle Architecture
• Instance (identified by the SID): the memory structures (SGA) and the background processes
• Database: the files on disk: datafiles, online redo logs, controlfiles, backup files, parameter files
Logical vs Physical
• Logical structures: Database > Tablespace > Segment > Extent > Database Block (plus the Schema, the logical grouping of one user's objects)
• Physical structures: Datafile > O.S. Block
A tablespace is stored in one or more datafiles; a database block is a whole number of O.S. blocks.
Logical Structures
Tables, Constraints, Indexes, Views, Synonyms, Profiles, Sequences, Procedures & Functions, Triggers, Packages
Dictionary & Catalog
• Application objects (tables, indexes, constraints, views) live in user tablespaces such as USERS.
• Dictionary: tables owned by SYS in the SYSTEM tablespace, holding information about the database itself (metadata).
• Catalog: views on the dictionary tables. SYS and SYSTEM are the two built-in administrative accounts.
Structured Query Language - SQL
SQL is a special-purpose programming language designed for managing data held in a relational database (RDBMS).
• Data Definition Language (DDL), defining the structure of tables and other objects: CREATE, ALTER, DROP or TRUNCATE
• Data Manipulation Language (DML), using and manipulating the data: SELECT, INSERT, UPDATE or DELETE
• Data Control Language (DCL), defining permissions for users/schemas: GRANT or REVOKE
Section 3 – Access Control & Application Security

Strategy to Secure Data
1. Classify data and users
2. Anticipate threats
3. Map controls to the classification
Role Based Access Control (RBAC)
• Databases: DB1, DB2, DB3
• Data classification: Public, Internal, Confidential, Top Secret
• Roles & responsibilities: Business Users, Developers, Security Admins, Managers
Privileges are granted to roles, and roles to users, so that access follows the data classification rather than individual grants.
Data Classification against the Triad
• CONFIDENTIALITY: classification against their contents (Secret / Confidential / Internal / Public)
• INTEGRITY: impact when modifying data (High / Medium / Low)
• AVAILABILITY: what availability is required? 90%? 99.5%?
Misconfiguration Risk with Privileges
Two ways access to the application tables escapes the application owner's control:
• Privileges granted WITH ADMIN OPTION (system privileges, roles) or WITH GRANT OPTION (object privileges) can be passed on by the recipient: App. Owner grants to Thomas, Thomas to Ana, Ana to Mike, and the owner no longer knows who can read the table.
• ANY system privileges (SELECT ANY TABLE, UPDATE ANY TABLE, ...) bypass object grants entirely and reach every application table in every schema.
Misconfiguration Risk with Roles
An application role is meant to carry a business user's rights on the application tables (SELECT, INSERT, UPDATE, DELETE). When the DBA role is granted to that application role, every business user holding it becomes a DBA: Application Role = DBA Access!!
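The grant chain and the DBA-in-a-role above, written out as Oracle SQL together with the dictionary queries that expose them. This is an added example, not from the deck; the schema APP, table APP.CUSTOMERS, users THOMAS / ANA / MIKE / BUSINESS_USER and the role APP_ROLE are invented names, while the DBA_* views are standard Oracle.

```sql
-- Added example (not from the PwC deck): the two misconfigurations shown on the
-- slides, then the dictionary queries a reviewer runs to find them. Schema APP,
-- table APP.CUSTOMERS, users THOMAS / ANA / MIKE / BUSINESS_USER and the role
-- APP_ROLE are hypothetical; the DBA_* views are standard Oracle.

-- (a) A grant the owner no longer controls: GRANT OPTION lets THOMAS re-grant.
GRANT SELECT ON app.customers TO thomas WITH GRANT OPTION;   -- run as APP
GRANT SELECT ON app.customers TO ana WITH GRANT OPTION;      -- run as THOMAS
GRANT SELECT ON app.customers TO mike;                       -- run as ANA

-- (b) An ANY privilege bypasses object grants: every table, every schema.
GRANT SELECT ANY TABLE TO mike;

-- (c) An application role that quietly became DBA.
CREATE ROLE app_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON app.customers TO app_role;
GRANT dba TO app_role;                 -- the mistake
GRANT app_role TO business_user;

-- Review 1: object privileges that the grantee can pass on, and who gave them.
SELECT grantor, grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantable = 'YES'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name, grantee;

-- Review 2: ANY system privileges held outside SYS/SYSTEM/DBA, and whether the
-- holder can re-grant them (ADMIN OPTION).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- Review 3: every user who reaches DBA, directly or through nested roles, with
-- the path. BUSINESS_USER shows up with path " -> APP_ROLE -> DBA".
SELECT CONNECT_BY_ROOT grantee                    AS db_user,
       SYS_CONNECT_BY_PATH(granted_role, ' -> ')  AS path_to_dba
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 START WITH grantee IN (SELECT username FROM dba_users)
CONNECT BY NOCYCLE PRIOR granted_role = grantee;

-- Fixes. Revoking THOMAS's privilege cascades: Oracle also removes what ANA and
-- MIKE received through his GRANT OPTION chain.
REVOKE SELECT ON app.customers FROM thomas;
REVOKE SELECT ANY TABLE FROM mike;
REVOKE dba FROM app_role;
```

Review 3 is the one worth scheduling: a role granted to a role is invisible in a plain listing of users, and that indirection is exactly how the application role on the slide ended up carrying DBA.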
Misconfiguration Risk with Profile
The profile attached to each user (here the user Lambda) sets:
• Password Lifetime
• Password Complexity (verify function)
• Failed Login Attempts
• CPU per Session
• Connect Time
• ...
Beware of 'DEFAULT' or 'UNLIMITED' values: UNLIMITED means no rotation, no lockout or no session limit for that resource, and DEFAULT simply inherits whatever the DEFAULT profile says, which is often left untouched since installation.
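The weak and hardened profile side by side, followed by the check for UNLIMITED and inherited DEFAULT limits. This is an added example, not from the deck; the profile names WEAK_PROFILE and HUMAN_PROFILE and the user LAMBDA are assumptions, ORA12C_VERIFY_FUNCTION is the verify function shipped with Oracle 12c.

```sql
-- Added example (not from the deck): the values the slide warns about, the
-- hardened equivalent for interactive accounts, and the check that finds them.
-- WEAK_PROFILE / HUMAN_PROFILE are hypothetical names; ORA12C_VERIFY_FUNCTION
-- is the verify function that ships with Oracle 12c.

-- Weak: the all-UNLIMITED DEFAULT profile that 10g installations shipped with,
-- and that nobody changed afterwards.
CREATE PROFILE weak_profile LIMIT
  PASSWORD_LIFE_TIME        UNLIMITED   -- never rotated
  PASSWORD_VERIFY_FUNCTION  NULL        -- any complexity accepted
  FAILED_LOGIN_ATTEMPTS     UNLIMITED   -- brute force never locks the account
  PASSWORD_REUSE_MAX        UNLIMITED
  SESSIONS_PER_USER         UNLIMITED
  CONNECT_TIME              UNLIMITED;

-- Hardened profile for human (interactive) accounts. Durations are in days
-- for password limits (1/24 = one hour) and minutes for IDLE/CONNECT_TIME.
CREATE PROFILE human_profile LIMIT
  PASSWORD_LIFE_TIME        90
  PASSWORD_GRACE_TIME       7
  PASSWORD_REUSE_TIME       365
  PASSWORD_REUSE_MAX        10
  PASSWORD_VERIFY_FUNCTION  ora12c_verify_function
  FAILED_LOGIN_ATTEMPTS     5
  PASSWORD_LOCK_TIME        1
  SESSIONS_PER_USER         3
  IDLE_TIME                 30
  CONNECT_TIME              480;

-- Resource limits (IDLE_TIME, CONNECT_TIME, CPU_PER_SESSION...) are only
-- enforced when RESOURCE_LIMIT is TRUE; password limits are always enforced.
ALTER SYSTEM SET resource_limit = TRUE;

ALTER USER lambda PROFILE human_profile;

-- Check: every limit left UNLIMITED, set to NULL (no verify function) or
-- inherited from DEFAULT by a non-DEFAULT profile, with the number of open
-- accounts affected.
SELECT p.profile, p.resource_type, p.resource_name, p.limit,
       COUNT(u.username) AS open_users_affected
  FROM dba_profiles p
  LEFT JOIN dba_users u
         ON u.profile = p.profile AND u.account_status = 'OPEN'
 WHERE p.limit IN ('UNLIMITED', 'NULL')
    OR (p.profile <> 'DEFAULT' AND p.limit = 'DEFAULT')
 GROUP BY p.profile, p.resource_type, p.resource_name, p.limit
 ORDER BY p.profile, p.resource_type, p.resource_name;
```

One caveat before applying HUMAN_PROFILE everywhere: FAILED_LOGIN_ATTEMPTS on an application or service account turns a password-guessing attempt into a denial of service against the application. Such accounts belong on their own documented profile with strong, long passwords rather than on DEFAULT.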
Section 4 – Data Anonymization

Data Anonymization
Production (accessed by the business users and the senior DBA):
NAME      SSN          SALARY  NOTES
Dupont    203-55-1478  40,000  -
Schmitt   325-65-1469  60,000  Will be promoted

Copy + Anonymize

Testing (accessed by the developers, the junior DBA and the external provider):
NAME      SSN          SALARY  NOTES
GBerilQ   170-96-1765  40,000  redacted
JaOXnRtx  123-45-6789  60,000  redacted

• Data masking: delete or replace with a constant value (NOTES).
• Data scrambling: replace with a random value of the same format (SSN).
• Data encryption: repeatable, an input always gives the same result (NAME).
The copy must be anonymized before it leaves production: a test database holding real data is a second production database with fewer controls.
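The three techniques applied to produce the test copy above, as an added Oracle SQL example that is not part of the deck. The tables HR_EMPLOYEES / HR_EMPLOYEES_TEST and the functions PSEUDONYM and SCRAMBLE_SSN are invented; DBMS_CRYPTO (EXECUTE must be granted by SYS) and DBMS_RANDOM are standard packages.

```sql
-- Added example (not from the deck): building the anonymized test copy with
-- the three techniques the slide names. HR_EMPLOYEES, HR_EMPLOYEES_TEST,
-- PSEUDONYM and SCRAMBLE_SSN are hypothetical names. Needs EXECUTE on
-- DBMS_CRYPTO (granted by SYS); DBMS_RANDOM is available to every user.

-- Data encryption (pseudonymization): deterministic, so the same production
-- value always yields the same token and joins between anonymized tables still
-- work. The secret salt is essential: without it, a name or a 9-digit SSN is
-- recovered by hashing a dictionary and comparing.
CREATE OR REPLACE FUNCTION pseudonym(p_value IN VARCHAR2, p_salt IN VARCHAR2)
  RETURN VARCHAR2 DETERMINISTIC
IS
  v_hash RAW(32);
BEGIN
  IF p_value IS NULL THEN
    RETURN NULL;
  END IF;
  v_hash := DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(p_salt || p_value),
                             DBMS_CRYPTO.HASH_SH256);
  RETURN SUBSTR(RAWTOHEX(v_hash), 1, 12);   -- 12 hex chars suffice for a test token
END pseudonym;
/

-- Data scrambling: a random value that keeps the NNN-NN-NNNN format, so the
-- application's validation still passes, with no link to the real SSN.
CREATE OR REPLACE FUNCTION scramble_ssn RETURN VARCHAR2
IS
BEGIN
  RETURN LPAD(TRUNC(DBMS_RANDOM.VALUE(100, 1000)),   3, '0') || '-'
      || LPAD(TRUNC(DBMS_RANDOM.VALUE(10, 100)),     2, '0') || '-'
      || LPAD(TRUNC(DBMS_RANDOM.VALUE(1000, 10000)), 4, '0');
END scramble_ssn;
/

-- Copy + anonymize in one statement. The salt would normally come from a
-- secret store, not from the script; it is inline only for the example.
CREATE TABLE hr_employees_test AS
SELECT pseudonym(name, 'change-me-secret-salt')  AS name,    -- encryption
       scramble_ssn()                             AS ssn,     -- scrambling
       salary,                                    -- kept as-is, as on the slide
       CAST('redacted' AS VARCHAR2(200))          AS notes    -- masking
  FROM hr_employees;

-- Verification before the copy goes to developers or an external provider:
-- no production identifier may survive. Both counts must be 0.
SELECT COUNT(*) AS leaked_ssn
  FROM hr_employees_test t JOIN hr_employees p ON p.ssn  = t.ssn;
SELECT COUNT(*) AS leaked_name
  FROM hr_employees_test t JOIN hr_employees p ON p.name = t.name;
```

Keeping SALARY in clear, as the slide does, is a judgement call: with few employees per salary band it is a quasi-identifier, and anyone who knows Schmitt earns 60,000 re-identifies the pseudonymized row. Banding or perturbing it is the usual compromise when developers need realistic numbers.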
Data Masking in Production
• Views to hide rows and/or columns.
• Synonyms to replace the view's name by the original table's name (or used to hide the use of a Database Link).
• Virtual Private Database to segregate data from different customers.
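The three production mechanisms above in Oracle SQL, as an added example that is not part of the deck. The schema APP, tables APP.CUSTOMERS and APP.EMPLOYEES, the role SUPPORT_ROLE, the schema SUPPORT_USER and the application context APP_CTX are invented names; DBMS_RLS is the standard VPD package.

```sql
-- Added example (not from the deck): view, synonym and Virtual Private
-- Database on hypothetical objects. APP, APP.CUSTOMERS, APP.EMPLOYEES,
-- SUPPORT_ROLE, SUPPORT_USER and the APP_CTX context are assumptions.

-- 1. A view that drops the sensitive column and the rows the caller has no
--    business seeing. Only the last four SSN digits survive.
CREATE OR REPLACE VIEW app.customers_support AS
SELECT customer_id,
       name,
       '***-**-' || SUBSTR(ssn, -4) AS ssn_masked,
       country
  FROM app.customers
 WHERE status = 'ACTIVE';            -- closed accounts are not a support matter

GRANT SELECT ON app.customers_support TO support_role;
-- Deliberately no grant on APP.CUSTOMERS itself: the view is the only path.

-- 2. A synonym so the support tooling keeps using the original table name
--    while actually hitting the view. The same trick hides a database link:
--    a synonym for REMOTE_TABLE@SOME_LINK looks like a local table.
CREATE OR REPLACE SYNONYM support_user.customers FOR app.customers_support;

-- 3. Virtual Private Database: a predicate Oracle appends to every statement
--    on the table, so each tenant only sees its own rows whatever SQL is sent.
CREATE OR REPLACE FUNCTION app.tenant_predicate(p_schema IN VARCHAR2,
                                                p_object IN VARCHAR2)
  RETURN VARCHAR2
IS
BEGIN
  -- The tenant comes from a trusted application context set at logon, never
  -- from a client-supplied value. No context => '1=0' => no rows (fail
  -- closed) rather than the whole table.
  RETURN CASE
           WHEN SYS_CONTEXT('app_ctx', 'tenant_id') IS NULL THEN '1=0'
           ELSE 'tenant_id = SYS_CONTEXT(''app_ctx'', ''tenant_id'')'
         END;
END tenant_predicate;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_TENANT_POLICY',
    function_schema => 'APP',
    policy_function => 'TENANT_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- also reject writes that would escape the predicate
END;
/
```

None of the three stops a DBA: SYS is exempt from VPD, as is anyone holding EXEMPT ACCESS POLICY, and SELECT ANY TABLE reads the base table straight past the view and the synonym. They segregate application users from each other; keeping administrators away from the data is what Database Vault (section 10) is for.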
Section 5 – Authentication

Authentication
• OS level: root and the oracle software owner. Whoever holds the oracle OS account (or root) connects as SYS (DBA) through OS authentication, without any database password: the database is only as well protected as these two OS accounts.
• DB level: DB users (password held in the database), OS users (externally identified), LDAP users (enterprise directory), strong authentication (PKI, Kerberos, RADIUS).
Goals: Strong Authentication, Accountability, Least Privileges, Non Repudiation.
Monitoring & Blocking: users, high privileged accounts, data leakage.
Oracle Encryption
• TDE (Transparent Data Encryption) encrypts the data at rest in the datafiles; the master key is kept outside the database, in a Wallet (software keystore) or in an HSM / Oracle Key Vault.
• Secure Backup, Data Pump exports (...) reuse it so that backups and dumps stay encrypted.
• The DBA still reads the data in clear: TDE protects against stolen files and media, not against a privileged database account.
Section 6 – Governance, Risk and Compliance

Defence in depth: Physical > Perimeter & Cloud > Internal Network > Host > Application > Data
Across all layers:
• Security Governance, Risk & Compliance: plan, policies & procedures, baselines, awareness
• Operational Security, Monitoring & Controls (Audit)
• Identity & Access Management
Section 7 – Database Vulnerability Assessment

Database Vulnerability Assessment
What to look for:
• Weak passwords
• Misconfigured privileges
• Missing patches
• Configuration changes
• Account sharing
• Unusual hour activities
• Suspicious admin logins
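One dictionary query per item in the list above, as an added example that is not part of the deck. The views are standard Oracle 11g/12c; the 08:00 to 18:59 business window, the five-failures-per-hour threshold and the 7- and 30-day lookbacks are assumptions to tune per site, and the audit-based checks only return rows if AUDIT SESSION and the relevant statement audits are enabled (section 8).

```sql
-- Added example (not from the deck): one check per item on the slide, run by
-- a DBA or auditor on Oracle 11g/12c. Business hours 08:00-18:59, 5 failures
-- per hour and the 7/30-day lookbacks are assumptions to tune per site. The
-- audit queries need AUDIT SESSION and the relevant statement audits enabled.

-- Weak passwords: open accounts still on a vendor default password.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE '%LOCKED%';

-- Misconfigured privileges: users (not roles) holding ANY privileges or the
-- privileges that bypass other controls.
SELECT p.grantee, p.privilege, p.admin_option
  FROM dba_sys_privs p
  JOIN dba_users u ON u.username = p.grantee
 WHERE (p.privilege LIKE '%ANY%'
        OR p.privilege IN ('EXEMPT ACCESS POLICY', 'BECOME USER', 'ALTER SYSTEM'))
   AND p.grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY p.grantee, p.privilege;

-- Missing patches: what is applied (12c; on 11g read SYS.REGISTRY$HISTORY),
-- to compare with the latest Critical Patch Update.
SELECT patch_id, action, status, action_time, description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- Configuration changes: audited parameter, account and privilege changes.
SELECT timestamp, username, os_username, userhost, action_name, obj_name
  FROM dba_audit_trail
 WHERE action_name IN ('ALTER SYSTEM', 'ALTER USER', 'CREATE USER',
                       'GRANT ROLE', 'GRANT OBJECT', 'SYSTEM GRANT')
   AND timestamp > SYSDATE - 30
 ORDER BY timestamp DESC;

-- Account sharing: one database account in use from several OS users or
-- machines at the same time means nobody is accountable for it.
SELECT username,
       COUNT(DISTINCT osuser || '@' || machine) AS distinct_origins,
       COUNT(*)                                 AS sessions
  FROM v$session
 WHERE type = 'USER' AND username IS NOT NULL
 GROUP BY username
HAVING COUNT(DISTINCT osuser || '@' || machine) > 1;

-- Unusual-hour activity: successful logons at night or at the weekend.
SELECT timestamp, username, os_username, userhost
  FROM dba_audit_session
 WHERE returncode = 0
   AND timestamp > SYSDATE - 7
   AND (TO_NUMBER(TO_CHAR(timestamp, 'HH24')) NOT BETWEEN 8 AND 18
        OR TO_CHAR(timestamp, 'DY', 'NLS_DATE_LANGUAGE = ENGLISH') IN ('SAT', 'SUN'))
 ORDER BY timestamp DESC;

-- Suspicious admin logins: repeated failed logons (ORA-01017 = returncode
-- 1017) against DBA-role holders, per source host and hour. SYS / SYSDBA
-- logons are not here: they go to the OS audit files (AUDIT_SYS_OPERATIONS).
SELECT username, userhost, TRUNC(timestamp, 'HH24') AS hour_bucket, COUNT(*) AS failures
  FROM dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 7
   AND username IN (SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA'
                    UNION SELECT 'SYSTEM' FROM dual)
 GROUP BY username, userhost, TRUNC(timestamp, 'HH24')
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;
```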
ODAT: penetration testing for Oracle Database
Source: https://github.com/quentinhardy/odat
The chain pictured on the slide (example target SID: ORCL):
1. SID scanning (guessing the instance name registered on the listener)
2. Accounts & passwords guessing (default and weak credentials)
3. Columns scanning (searching the data for columns that hold passwords or other sensitive values)
4. HTTP requests from the database to an attacker-controlled server such as http://badguy.com/ (UTL_HTTP, HTTPURITYPE)
5. TCP port scanning of the internal network from the database host (UTL_TCP)
6. File upload, download & deletion on the database server (UTL_FILE, DBMS_ADVISOR, Java)
7. System commands & remote shell access (Java, DBMS_SCHEDULER, external procedures)
Steps 4 to 7 are not exploits of bugs: they abuse PL/SQL packages that are executable by far more accounts than need them, which is why the privilege reviews of section 3 and the checks of this section matter more than the tool itself.
Section 8 – Database Audit & Protection

Audit Trail & Fine Grained Auditing
Audit events can be written to an audit table inside the database (SYS.AUD$), to an OS file, or to the system log.
• Audit table: fast & simple, but the audit trail can be accessed and altered by anyone with enough privilege in the same database, a DBA included.
• OS file / system log: interoperability and performance issues, but the records leave the database and can be shipped to a system the DBA does not control.
• Audit Trail: fast & simple, non-selective (every access to the audited object is logged).
• Fine Grained Audit: very flexible (conditions, columns, handler procedure), but complex.
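Standard auditing beside a Fine Grained Auditing policy on one table, as an added example that is not part of the deck. It uses the traditional (pre-12c unified) audit syntax the slide describes; the table HR.EMPLOYEES, the application account HR_APP, the policy name and the handler procedure SEC.ALERT_SOC are invented names, DBMS_FGA is the standard package.

```sql
-- Added example (not from the deck): standard auditing beside a Fine Grained
-- Auditing policy on the hypothetical table HR.EMPLOYEES, traditional audit
-- syntax. HR_APP, EMP_SENSITIVE_ACCESS and SEC.ALERT_SOC are assumptions.

-- Where the trail lives decides who can alter it. DB keeps it in SYS.AUD$,
-- fast and simple but editable by anyone with DELETE on AUD$; XML/OS writes
-- files the DBA need not own, ready to ship to a SIEM. Both need a restart.
ALTER SYSTEM SET audit_trail = XML, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;  -- SYSDBA actions too

-- Standard audit trail: fast and simple, but non-selective (every read of the
-- table, by anyone, becomes a record).
AUDIT SESSION;                                    -- logons, failed ones included
AUDIT SELECT, UPDATE, DELETE ON hr.employees BY ACCESS;
AUDIT SYSTEM GRANT, GRANT ANY ROLE, ALTER USER;   -- privilege and account changes

-- Fine Grained Auditing: only reads or updates touching SALARY or SSN by
-- someone other than the application account, with SQL text and bind values
-- kept, and a handler procedure fired for real-time alerting.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'EMP_SENSITIVE_ACCESS',
    audit_condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_APP''',
    audit_column      => 'SALARY,SSN',
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,    -- fire if either column is touched
    handler_schema    => 'SEC',
    handler_module    => 'ALERT_SOC',   -- PROCEDURE sec.alert_soc(obj_schema, obj_name, policy_name)
    statement_types   => 'SELECT,UPDATE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,   -- keep SQL text and binds
    enable            => TRUE);
END;
/

-- What FGA recorded in the last day, with the exact statement and binds.
SELECT timestamp, db_user, os_user, userhost, policy_name, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

-- "The audit trail can be accessed and altered": who, besides SYS, can touch
-- the trail tables directly or reach them through DELETE/UPDATE ANY TABLE.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name IN ('AUD$', 'FGA_LOG$')
UNION ALL
SELECT grantee, '(any table)', privilege
  FROM dba_sys_privs
 WHERE privilege IN ('DELETE ANY TABLE', 'UPDATE ANY TABLE')
   AND grantee NOT IN ('SYS', 'DBA');
```

The FGA handler is what turns a log into a control: the procedure runs in the session that triggered the policy, so it can write to a queue or send a notification before the offending statement returns, while the audit row itself is only useful after the fact.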
1- Oracle Audit Vault & Database Firewall
• Audit Vault centralizes audit logs from the databases, the OS, Active Directory...
• It allows easy reporting and custom alerts.
• It cooperates with Database Firewall, which filters the requests made to the database.
Source: Oracle Audit Vault documentation
Is it not impacting the performance?
2- IBM InfoSphere Guardium
• S-TAP agents on the database hosts capture local traffic; a span port on the switch captures network traffic.
• Collectors receive the captured traffic, Aggregators consolidate it, and Policies drive real-time alerts and post-mortem reports.
Open points on the slide: span monitoring alone misses local traffic and traffic whose (ip, port) changes, hence the agent; and is the F-TAP safe?
Other players in the market
Section 9 – Database Security in the Cloud

Databases in the Cloud
Container database: consolidation of databases into a single container, multi-tenancy, elasticity, pluggable databases, segregation of data.
Database protection: policies, auditing & monitoring, alerts, Database Vault. Two DBAs now reach the data, the tenant's application DBA and the cloud provider's DBA; Database Vault is the control that restricts what either of them can see.
Thank you!

Section 10 – Questions and Answers
Multitenancy in the Database
Oracle Multitenant consolidates several databases into a single container:
• Share resources & ease maintenance
• Preserve segregation of data
• Databases are pluggable
A cloud infrastructure for databases which provides:
• Elasticity & cost reduction
• Flexibility
• Segregation
Source: Oracle Multitenant documentation
Database protection
Database Vault: realm-based authorization
• Preserve segregation of duties
• Privileged accounts cannot access sensitive data or data from other databases
• Restriction according to business hours
• Security layer on top of the DBAs
Source: Oracle Database Vault documentation