
Page 1: Cyber Security Team Database Security Security Team PwC Database Security • A threat from within June 2015 1 Introduction: Threats to DB Security 1 2 Architecture & Vocabulary 8

Database Security

A threat from within

Strictly Private and Confidential

June 2015

Cyber Security Team

Page 2

PwC, June 2015 – Database Security • A threat from within

Page 3

Table of Contents

Section – Page

1 Introduction: Threats to DB Security – 1
2 Architecture & Vocabulary – 8
3 Access Control & Application Security – 14
4 Data Anonymization – 21
5 Authentication – 24
6 Governance, Risk and Compliance – 27
7 Database Vulnerability Assessment – 29
8 Database Audit & Protection – 32
9 Database Security in the Cloud – 37
10 Questions and Answers – 40

Page 4

Section 1 – Introduction: Threats to DB Security

Page 5

Databases: an attractive target

Section 1 – Introduction: Threats to DB Security

Database records stolen in early 2014:

January: Snapchat (4.5M)
February: Kickstarter (5.6M)
March: Korean Telecom (12M)
May: eBay (145M)

What is taken:
• Credentials
• Email addresses
• Credit card information
• Social security numbers
• Medical records
• etc…

96% of records breached are from databases…

Source: Verizon – Data breach investigations report 2015

Page 6

Top 10 Database Threats

Section 1 – Introduction: Threats to DB Security

1 Excessive privileges – Unauthorized access & abuse
2 SQL injections – 19% of web app attacks
3 Malware – Compromised hosts
4 Weak audit trail – Unable to detect
5 Backup exposure – Often unprotected media
6 Weak authentications – Bruteforce, stolen credentials
7 DB vulnerabilities & misconfiguration
8 Unmanaged sensitive data
9 Denial of Service
10 Limited security expertise & education

Page 7

Top 10 Database Threats (same list as the previous slide)

Section 1 – Introduction: Threats to DB Security

But who’s to blame?

Page 8

Who are the stakeholders (threats) of Database Security?

Section 1 – Introduction: Threats to DB Security

• Developers
• Testers
• Network Admins
• System Admins
• Storage/Backup Admins
• DBAs
• End Users
• CISO
• Auditors
• IT Security
• Business
• You?

Page 9

Oracle Security History (1992 – 2015)

Section 1 – Introduction: Threats to DB Security

Oracle 7
• Strong authentication (PKI, Kerberos, RADIUS)
• Native Network Encryption
• Database Native Auditing

Oracle 8i
• Oracle Label Security
• Global roles
• Virtual Private Database

Oracle 9i
• Fine Grained Auditing

Oracle 10g
• Secure Backup
• Transparent Data Encryption
• Oracle Audit & Database Vault

Oracle 11g
• Activity Monitoring & Database Firewall
• Privilege Analysis
• Sensitive data Discovery

Oracle 12c
• Separation of Duty
• New Audit Framework
• Advanced Security Options are embedded

Page 10

Native Security provided by Oracle and the others

Section 1 – Introduction: Threats to DB Security

Oracle: Virtual Private Database, Materialized Views, Synonyms, Data Masking, Transparent Encryption, RBAC (Roles), Audit

MySQL: Dynamic Views only, No Synonyms, No Anonymization, Manual Encryption, No Roles, Audit via Module

PostgreSQL: Materialised Views, Synonyms, No Anonymization, Transparent Encryption, RBAC (Roles), Audit

SQL Server: Materialised Views, No Synonyms, No Anonymization, Transparent Encryption, RBAC (Roles), Audit

Sybase: Materialised Views, Synonyms, No Anonymization, Manual Encryption, RBAC (Roles), Audit via Module

IBM DB2: Label Based Access Control, Materialized Query Tables, Synonyms, Anonymization (optional), Transparent Encryption, RBAC (Roles), Audit

Page 11

Section 2 – Architecture & Vocabulary

Page 12

Oracle Architecture

Section 2 – Architecture & Vocabulary

Instance (SID): Memory (SGA) + Background Processes

Database: Datafiles, Online Redo logs, Controlfiles, Backup files, Parameter Files

Page 13

Logical vs Physical

Section 2 – Architecture & Vocabulary

Logical: Database → Tablespace → Segment → Extent → Database Block

Physical: Datafile → O.S. Block

Schema

Page 14

Logical Structures

Section 2 – Architecture & Vocabulary

Tables, Constraints, Indexes, Views, Synonyms, Profiles, Sequences, Procedures & Functions, Triggers, Packages

Page 15

Dictionary & Catalog

Section 2 – Architecture & Vocabulary

TBS USERS (user data): Tables, Indexes, Constraints, Views

TBS SYSTEM:
• Dictionary – tables owned by SYS; information about the database itself (Metadata)
• Catalog – views on the dictionary (SYSTEM)

Page 16

Structured Query Language - SQL

Section 2 – Architecture & Vocabulary

SQL is a special-purpose programming language designed for managing data held in a database (RDBMS).

Data Definition Language – define the structure of tables and other objects: CREATE, ALTER, DROP or TRUNCATE

Data Manipulation Language – use and manipulate the data: SELECT, INSERT, UPDATE or DELETE

Data Control Language – define permissions for users/schemas: GRANT or REVOKE

Page 17

Section 3 – Access Control & Application Security

Page 18

Strategy to Secure Data

Section 3 – Access Control & Application Security

Classify Data/Users → Anticipate Threats → Map Controls

Page 19

Role Based Access Control (RBAC)

Section 3 – Access Control & Application Security

Databases: DB1, DB2, DB3

Data Classification: Public, Internal, Confidential, Top Secret

Roles & Responsibilities: Business Users, Developers, Secu. Admins, Managers

Roles → privileges
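The RBAC picture above, and the Data Control Language statements of Section 2, expressed in Oracle SQL as an added example (not code from the deck): roles are named after responsibilities, object privileges are granted to roles, and roles are granted to users. The schema hr, the table hr.employees with columns NAME, DEPARTMENT, SSN, SALARY and NOTES, the anonymised copy hr_test.employees and the users thomas, ana and mike are assumptions; AUDIT_VIEWER is the Oracle 12c built-in role.

```sql
-- Added example, not from the PwC deck. Oracle SQL; run as a DBA.
-- Assumed objects: hr.employees (NAME, DEPARTMENT, SSN, SALARY, NOTES),
-- hr_test.employees (anonymised copy), users thomas, ana, mike.

-- 1. Roles named after responsibilities, never after people.
CREATE ROLE hr_business_user;   -- Public/Internal data only
CREATE ROLE hr_manager;         -- Confidential data, may change salaries
CREATE ROLE hr_developer;       -- test copy only, never production
CREATE ROLE hr_sec_admin;       -- reviews the audit trail, no business data

-- 2. Privileges go to roles, not to users.
--    Oracle has no column-level SELECT grant, so a view carries the
--    Public/Internal projection (the Confidential SSN/SALARY/NOTES columns are out).
CREATE OR REPLACE VIEW hr.employees_internal AS
  SELECT name, department FROM hr.employees;
GRANT SELECT ON hr.employees_internal TO hr_business_user;

--    Column-level UPDATE is supported: managers may change SALARY and nothing else.
GRANT SELECT ON hr.employees TO hr_manager;
GRANT UPDATE (salary) ON hr.employees TO hr_manager;
--    Role nesting: a manager is also a business user.
GRANT hr_business_user TO hr_manager;

--    Developers work on the anonymised copy (Section 4), never on production.
GRANT SELECT, INSERT, UPDATE, DELETE ON hr_test.employees TO hr_developer;

--    12c built-in role; on 11g grant SELECT ON sys.dba_audit_trail instead.
GRANT audit_viewer TO hr_sec_admin;

-- 3. Users receive roles. No WITH ADMIN OPTION / WITH GRANT OPTION: a grantee
--    must not be able to hand the privilege on to someone else.
GRANT hr_business_user TO thomas;
GRANT hr_manager       TO ana;
GRANT hr_developer     TO mike;

-- 4. Remove a direct grant that bypasses the role model (if one exists).
REVOKE SELECT ON hr.employees FROM mike;

-- 5. Check: what can each user reach, and through which role?
SELECT rp.grantee AS username, rp.granted_role, tp.privilege, tp.owner, tp.table_name
  FROM dba_role_privs rp
  JOIN dba_tab_privs  tp ON tp.grantee = rp.granted_role
 WHERE rp.grantee IN ('THOMAS', 'ANA', 'MIKE')
 ORDER BY 1, 2, 3;
```

The last query only follows one level of role nesting; the hierarchical version used for the privilege review in the misconfiguration slides that follow walks the whole role graph.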

Page 20

Data Classification against the Triad

Section 3 – Access Control & Application Security

CONFIDENTIALITY – classification against their contents: Secret / Confidential / Internal / Public

INTEGRITY – impact when modifying data: High / Medium / Low

AVAILABILITY – what availability is required? 90%? 99.5%?

Page 21

Misconfiguration Risk with Privileges

Section 3 – Access Control & Application Security

Diagram: App. Owner, Thomas, Ana, Mike and four App. Tables. A privilege granted With Admin/Grant Option can be passed on by its grantee to others (!); an ANY privilege reaches every App. Table, not only the one intended (!).

Page 22

Misconfiguration Risk with roles

Section 3 – Access Control & Application Security

Diagram: the Business User needs Select (and Insert) on a few tables, but the role granted to the application carries Select, Insert, Update and Delete across the DB.

Application Role = DBA Access !!
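Dictionary queries that surface the misconfigurations pictured on these two slides (ANY privileges, grants WITH ADMIN/GRANT OPTION, roles that inherit DBA, application roles with DML on everything), as an added example that is not part of the deck. Oracle data dictionary views DBA_SYS_PRIVS, DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_ROLES; run as a DBA. The lists of Oracle-maintained accounts excluded below are constructed and deliberately short.

```sql
-- Added example, not from the PwC deck. Oracle data dictionary; run as a DBA.
-- Exclusion lists are constructed and site-specific.

-- 1. ANY system privileges: they ignore object ownership, so one grant reaches
--    every application table (the "ANY" arrow on the privileges slide).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
 ORDER BY grantee, privilege;

-- 2. Privileges that can be passed on: WITH ADMIN OPTION (system privileges,
--    roles) and WITH GRANT OPTION (object privileges). The application owner
--    no longer controls who ends up with access.
SELECT grantee, privilege, 'SYSTEM PRIV' AS kind,
       CAST(NULL AS VARCHAR2(128)) AS owner, CAST(NULL AS VARCHAR2(128)) AS object_name
  FROM dba_sys_privs
 WHERE admin_option = 'YES' AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
UNION ALL
SELECT grantee, granted_role, 'ROLE',
       CAST(NULL AS VARCHAR2(128)), CAST(NULL AS VARCHAR2(128))
  FROM dba_role_privs
 WHERE admin_option = 'YES' AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
UNION ALL
SELECT grantee, privilege, 'OBJECT PRIV', owner, table_name
  FROM dba_tab_privs
 WHERE grantable = 'YES' AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY 3, 1, 2;

-- 3. The "Application Role = DBA Access" case: follow role-to-role grants from
--    every user and report whoever reaches DBA, however indirectly.
SELECT DISTINCT CONNECT_BY_ROOT grantee AS username,
       SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS path_to_dba
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 START WITH grantee IN (SELECT username FROM dba_users
                         WHERE username NOT IN ('SYS', 'SYSTEM'))
 CONNECT BY NOCYCLE PRIOR granted_role = grantee;

-- 4. Roles with DML on whole schemas: compare what the role grants with what
--    the business user it serves actually needs (Select on a few tables).
SELECT grantee AS role_name, owner,
       COUNT(DISTINCT table_name) AS tables,
       COUNT(DISTINCT CASE WHEN privilege IN ('INSERT', 'UPDATE', 'DELETE')
                           THEN table_name END) AS tables_with_dml
  FROM dba_tab_privs
 WHERE grantee IN (SELECT role FROM dba_roles)
   AND owner NOT IN ('SYS', 'SYSTEM')
 GROUP BY grantee, owner
 ORDER BY tables_with_dml DESC, tables DESC;
```

Query 3 relies on CONNECT BY NOCYCLE because roles can be granted to each other in loops; without it a circular grant makes the query fail instead of reporting the path.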

Page 23

Misconfiguration Risk with Profile

Section 3 – Access Control & Application Security

Profile limits applied to a user (Lambda):
• Password Lifetime
• Password Complexity
• Failed Login Attempts
• CPU per Session
• Connect Time
• …

Beware of ‘DEFAULT’ or ‘UNLIMITED’ values…
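The weak profile next to a hardened one, then the query that flags the DEFAULT/UNLIMITED values the slide warns about, as an added example (not from the deck). Profile names, the user lambda and the numeric limits are assumptions; ora12c_verify_function is the complexity function Oracle 12c creates when utlpwdmg.sql has been run (verify_function_11G on 11g).

```sql
-- Added example, not from the PwC deck. Oracle SQL; run as a DBA.
-- Profile names, user name and limits are assumed.

-- Weak: every limit left at UNLIMITED, which is also what an untouched
-- DEFAULT profile looks like on older installations.
CREATE PROFILE app_weak LIMIT
  PASSWORD_LIFE_TIME        UNLIMITED
  PASSWORD_VERIFY_FUNCTION  NULL
  FAILED_LOGIN_ATTEMPTS     UNLIMITED
  CPU_PER_SESSION           UNLIMITED
  CONNECT_TIME              UNLIMITED;

-- Hardened: each limit from the slide gets a value.
CREATE PROFILE app_hardened LIMIT
  PASSWORD_LIFE_TIME        90                      -- days
  PASSWORD_GRACE_TIME       7
  PASSWORD_REUSE_MAX        10
  PASSWORD_REUSE_TIME       365
  PASSWORD_VERIFY_FUNCTION  ora12c_verify_function  -- complexity (12c)
  FAILED_LOGIN_ATTEMPTS     5
  PASSWORD_LOCK_TIME        1                       -- days locked after failures
  CPU_PER_SESSION           600000                  -- hundredths of a second
  CONNECT_TIME              480;                    -- minutes

ALTER USER lambda PROFILE app_hardened;

-- Resource limits (CPU, connect time) are only enforced when this is TRUE;
-- password limits are always enforced.
ALTER SYSTEM SET resource_limit = TRUE;

-- Review: profiles that still carry DEFAULT/UNLIMITED (or no verify function)
-- on the resources the slide lists, and how many users sit on each.
SELECT p.profile, p.resource_name, p.limit, COUNT(u.username) AS users_on_profile
  FROM dba_profiles p
  LEFT JOIN dba_users u ON u.profile = p.profile
 WHERE p.resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_VERIFY_FUNCTION',
                           'FAILED_LOGIN_ATTEMPTS', 'CPU_PER_SESSION', 'CONNECT_TIME')
   AND p.limit IN ('UNLIMITED', 'DEFAULT', 'NULL')
 GROUP BY p.profile, p.resource_name, p.limit
 ORDER BY users_on_profile DESC, p.profile, p.resource_name;
```

A limit of DEFAULT in a custom profile inherits whatever the DEFAULT profile says, so the review query must be read together with the DEFAULT profile's own rows.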

Page 24

Section 4 – Data Anonymization

Page 25

Data Anonymization

Section 4 – Data Anonymization

Production (Business user, Senior DBA)

NAME     SSN          SALARY  NOTES
Dupont   203-55-1478  40,000  -
Schmitt  325-65-1469  60,000  Will be promoted

Copy → Anonymize

Testing (Developer, Junior DBA, External provider)

NAME      SSN          SALARY  NOTES
redacted  170-96-1765  40,000  GBerilQ
redacted  123-45-6789  60,000  JaOXnRtx

Data masking – delete or replace with a constant value.
Data scrambling – replace with a random value of same format.
Data encryption – repeatable: an input always gives the same result.
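The Copy → Anonymize step of the slide with the three techniques applied to the slide's own rows, as an added example (not code from the deck): masking on NAME, scrambling on SSN, and a repeatable transformation on NOTES. The schemas hr (production) and hr_test (anonymised copy) are assumed; STANDARD_HASH is Oracle 12c. A keyed hash stands in for the slide's "data encryption" column because a test copy needs repeatability, not reversibility; DBMS_CRYPTO would be the reversible alternative and would need key management. The salt is a constructed placeholder.

```sql
-- Added example, not from the PwC deck. Oracle 12c SQL; run as a user that
-- can read hr.employees and create objects in hr_test. Schemas assumed.

-- Production table with the slide's rows.
CREATE TABLE hr.employees (
  name   VARCHAR2(50),
  ssn    VARCHAR2(11),
  salary NUMBER(9),
  notes  VARCHAR2(200)
);
INSERT INTO hr.employees VALUES ('Dupont',  '203-55-1478', 40000, NULL);
INSERT INTO hr.employees VALUES ('Schmitt', '325-65-1469', 60000, 'Will be promoted');
COMMIT;

-- Copy + Anonymize in one statement: the test schema never receives real values.
CREATE TABLE hr_test.employees AS
SELECT
  -- Data masking: replace with a constant value.
  'redacted' AS name,
  -- Data scrambling: random value of the same NNN-NN-NNNN format. Not
  -- repeatable, so joins on SSN between anonymised tables no longer line up.
  TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(100,  1000)),  'FM000')  || '-' ||
  TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(10,   100)),   'FM00')   || '-' ||
  TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(1000, 10000)), 'FM0000') AS ssn,
  -- Salary kept as is: the testers need realistic numbers.
  salary,
  -- Repeatable: the same input always gives the same token, so referential
  -- integrity across tables survives. '$3cret-salt' is a constructed placeholder
  -- and must live outside the test environment.
  CASE WHEN notes IS NULL THEN NULL
       ELSE SUBSTR(RAWTOHEX(STANDARD_HASH('$3cret-salt' || notes, 'SHA256')), 1, 16)
  END AS notes
FROM hr.employees;

-- Check 1: every scrambled SSN still matches the production format.
SELECT COUNT(*) AS bad_format
  FROM hr_test.employees
 WHERE NOT REGEXP_LIKE(ssn, '^[0-9]{3}-[0-9]{2}-[0-9]{4}$');

-- Check 2: repeatability, recomputing the token for the known input.
SELECT CASE WHEN SUBSTR(RAWTOHEX(STANDARD_HASH('$3cret-salt' || 'Will be promoted',
                                                'SHA256')), 1, 16)
                 = (SELECT notes FROM hr_test.employees WHERE salary = 60000)
            THEN 'repeatable' ELSE 'broken' END AS notes_check
  FROM dual;

-- Check 3: no production value survived in the copy.
SELECT COUNT(*) AS leaked
  FROM hr_test.employees t
 WHERE t.name IN (SELECT name FROM hr.employees)
    OR t.ssn  IN (SELECT ssn  FROM hr.employees);
```

Without the salt, anyone who can guess the input (a short note, a known SSN) can recompute the token and undo the anonymisation; with scrambling that risk does not exist, which is why the slide keeps both techniques.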

Page 26

Data Masking in Production

Section 4 – Data Anonymization

• Views to hide rows and/or columns
• Synonyms to replace the view’s name by the original table’s one (or used to hide the use of a Database Link)
• Virtual Private Databases to segregate data from different customers
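The three production-side techniques of this slide in Oracle SQL, as an added example that is not part of the deck. Assumptions: hr.employees carries NAME, DEPARTMENT, SSN, SALARY, NOTES and a CUSTOMER_ID column, a mapping table hr.user_customer (USERNAME, CUSTOMER_ID) says which customer each database user belongs to, user thomas is a business user, and remote_hr is a database link.

```sql
-- Added example, not from the PwC deck. Oracle SQL; run as a DBA.
-- Assumed: hr.employees (..., customer_id), hr.user_customer (username,
-- customer_id), user thomas, database link remote_hr.

-- 1. View: hides the SSN, SALARY and NOTES columns and the EXEC rows.
CREATE OR REPLACE VIEW hr.employees_masked AS
  SELECT name, department, customer_id
    FROM hr.employees
   WHERE department <> 'EXEC';
GRANT SELECT ON hr.employees_masked TO thomas;

-- 2. Synonym: thomas keeps writing "SELECT ... FROM employees"; the name now
--    resolves to the view, not the table. A synonym can hide a database link
--    the same way.
CREATE SYNONYM thomas.employees FOR hr.employees_masked;
CREATE SYNONYM hr.remote_employees FOR hr.employees@remote_hr;

-- 3. VPD: the policy function returns a predicate that Oracle appends to every
--    statement on the table, so each customer's users only see their rows.
CREATE OR REPLACE FUNCTION hr.by_customer (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR' THEN
    RETURN NULL;   -- owner: no predicate, whole table
  END IF;
  RETURN 'customer_id IN (SELECT customer_id FROM hr.user_customer '
      || 'WHERE username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_BY_CUSTOMER',
    function_schema => 'HR',
    policy_function => 'BY_CUSTOMER',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- a write may not move a row out of the caller's view
END;
/

-- Caveat: SYS and anyone holding EXEMPT ACCESS POLICY bypass VPD, and the
-- predicate does not protect exports or datafiles. Know who is exempt.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';
```

The view and the synonym are only as good as the grants around them: if thomas still holds SELECT on hr.employees directly, the masking is decorative.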

Page 27

Section 5 – Authentication

Page 28

Authentication

Section 5 – Authentication

OS LEVEL: # root, # oracle
DB LEVEL: sys (dba), Database

Identities: DB USER, OS USER, LDAP USER, STRONG AUTHENTICATION

Goals: Strong Authentication, Accountability, Least Privileges, Non Repudiation

Monitoring & Blocking: Users, High Priv. Accounts, Data Leakage

Page 29

Oracle Encryption

Section 5 – Authentication

Database → TDE → KEY VAULT (Wallet OR HSM); also Secure Backup, Data Pump, (…); DBA

Page 30

Section 6 – Governance, Risk and Compliance

Page 31

Section 6 – Governance, Risk and Compliance

Layers (inner to outer): Data, Appli., Host, Internal Network, Perimeter & Cloud, Physical

Across all layers:
• Security Governance, Risk & Compliance – Plan, Policies & Procedures, Baselines, Awareness
• Operational Security, Monitoring & Controls (Audit)
• Identity & Access Management

Page 32

Section 7 – Database Vulnerability Assessment

Page 33

Database Vulnerability Assessment

Section 7 – Database Vulnerability Assessment

• Weak passwords
• Misconfigured privileges
• Missing patches
• Configuration changes
• Accounts sharing
• Unusual hour activities
• Suspicious admin logins
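Dictionary and audit-trail queries that surface six of the seven findings on this slide (misconfigured privileges are the role and privilege review of Section 3), as an added example that is not part of the deck. Assumptions: Oracle 11g/12c with traditional auditing (AUDIT_TRAIL=DB and AUDIT SESSION enabled) so that DBA_AUDIT_SESSION is populated, DBA_REGISTRY_SQLPATCH for 12c patch history, a constructed business-hours window of 07:00 to 19:59 on weekdays, a constructed allow-list of administration hosts, and a baseline table secbase_params created by the reviewer.

```sql
-- Added example, not from the PwC deck. Oracle 11g/12c; run as a DBA.
-- Business hours, host allow-list and baseline table are constructed.

-- Weak passwords: open accounts still on a known default password.
SELECT u.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';

-- Missing patches: what has actually been applied (12c). Compare the newest
-- PATCH_ID with the latest PSU advertised by Oracle for the release.
SELECT patch_id, action, status, action_time, description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- Configuration changes: drift from a baseline taken at the last review
-- (CREATE TABLE secbase_params AS SELECT name, value FROM v$parameter;)
SELECT 'changed since baseline' AS finding, p.name, b.value AS baseline, p.value AS now
  FROM v$parameter p
  JOIN secbase_params b ON b.name = p.name
 WHERE NVL(p.value, '~') <> NVL(b.value, '~')
UNION ALL
SELECT 'modified since startup', name, NULL, value
  FROM v$parameter
 WHERE ismodified <> 'FALSE';

-- Accounts sharing: one database user arriving from many OS users or hosts.
SELECT username,
       COUNT(DISTINCT os_username) AS os_users,
       COUNT(DISTINCT userhost)    AS hosts
  FROM dba_audit_session
 WHERE action_name = 'LOGON' AND timestamp > SYSDATE - 30
 GROUP BY username
HAVING COUNT(DISTINCT os_username) > 1 OR COUNT(DISTINCT userhost) > 3
 ORDER BY os_users DESC, hosts DESC;

-- Unusual hour activities: logons outside 07:00-19:59 or at the weekend.
SELECT username, os_username, userhost, timestamp
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND timestamp > SYSDATE - 7
   AND (TO_CHAR(timestamp, 'HH24') NOT BETWEEN '07' AND '19'
        OR TO_CHAR(timestamp, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') IN ('SAT', 'SUN'))
 ORDER BY timestamp DESC;

-- Suspicious admin logins: DBA-role holders connecting from hosts that are not
-- the administration jump hosts, or failing authentication (ORA-01017 = 1017).
SELECT s.username, s.os_username, s.userhost, s.timestamp, s.returncode
  FROM dba_audit_session s
 WHERE s.username IN (SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA')
   AND s.timestamp > SYSDATE - 7
   AND (s.userhost NOT IN ('dba-jump01', 'dba-jump02')   -- constructed allow-list
        OR s.returncode = 1017)
 ORDER BY s.timestamp DESC;
```

Each query is a starting point for a scheduled report rather than a one-off: the value is in running the same checks after every change window and diffing the results.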

Page 34

ODAT: penetration testing for Oracle Database

Section 7 – Database Vulnerability Assessment

Source: https://github.com/quentinhardy/odat

Diagram labels: SID: ORCL; http://badguy.com/

1 SID scanning
2 Accounts & passwords guessing
3 Columns scanning
4 HTTP requests
5 TCP port scanning
6 File upload, download & deletion
7 Systems commands & Remote shell access

Page 35

Section 8 – Database Audit & Protection

Page 36

Audit Trail & Fine Grained Auditing

Section 8 – Database Audit & Protection

Audit events → Audit table, OS file or System log

Audit table: Audit Trail can be accessed and altered!
OS file / System log: interoperability issues, performance issues

Audit Trail – fast & simple, non-selective
Fine Grained Audit – very flexible, complex
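Both audit mechanisms from the slide side by side on one table, with the review query, as an added example that is not part of the deck. Assumptions: Oracle 11g/12c traditional auditing with AUDIT_TRAIL=DB,EXTENDED, the table hr.employees with a SALARY column, the policy name, and the application account HR_APP used as a constructed allow-list.

```sql
-- Added example, not from the PwC deck. Oracle 11g/12c traditional auditing
-- (AUDIT_TRAIL=DB,EXTENDED); hr.employees, policy and account names assumed.

-- Audit Trail: fast and simple, non-selective. Every SELECT/UPDATE/DELETE on
-- the table is recorded, whoever runs it and whichever rows it touches.
AUDIT SELECT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- Fine Grained Auditing: only statements that touch the SALARY column of rows
-- matching the condition produce a record, with SQL text and bind values.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'HIGH_SALARY_ACCESS',
    audit_condition => 'SALARY > 50000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB_EXTENDED,
    enable          => TRUE);
END;
/

-- Review: who touched high salaries, from where, with which statement.
-- HR_APP is the constructed application account; anything else is unexpected.
SELECT f.timestamp, f.db_user, f.os_user, f.userhost, f.sql_text, f.sql_bind
  FROM dba_fga_audit_trail f
 WHERE f.policy_name = 'HIGH_SALARY_ACCESS'
   AND f.db_user NOT IN ('HR_APP')
 ORDER BY f.timestamp DESC;

-- The two trails for the same table over the last day: the standard trail
-- grows with every access, the FGA trail only with the interesting ones.
SELECT 'standard' AS trail, COUNT(*) AS records
  FROM dba_audit_object
 WHERE owner = 'HR' AND obj_name = 'EMPLOYEES' AND timestamp > SYSDATE - 1
UNION ALL
SELECT 'fga', COUNT(*)
  FROM dba_fga_audit_trail
 WHERE object_schema = 'HR' AND object_name = 'EMPLOYEES' AND timestamp > SYSDATE - 1;
```

Both trails are rows in SYS-owned tables (AUD$ and FGA_LOG$), which is exactly the "can be accessed and altered" point of the slide: a DBA can delete them. Writing to XML (DBMS_FGA.XML_EXTENDED) or shipping the records to a collector outside the database, as the next slides describe, takes that option away.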

Page 37

1- Oracle Audit Vault & Database Firewall

Section 8 – Database Audit & Protection

• Audit Vault centralizes audit logs from the databases, the OS, Active Directory…
• It allows easy reporting and custom alerts
• It cooperates with Database Firewall, which filters requests made to the database

Source: Oracle Audit Vault documentation

Is it not impacting the performance?

Page 38

2- IBM Infosphere Guardium

Section 8 – Database Audit & Protection

Diagram: Switch (span monitoring, ?) → Collector → Aggregator; S-TAP and F-TAP agents on the database host (local traffic; Is it safe?); annotations "Change of (ip, port)" (!). Policies → Real-time alerts, Post-mortem reports, Reports.

Page 39

Other players in the market

Section 8 – Database Audit & Protection

Page 40

Section 9 – Database Security in the Cloud

Page 41

Databases in the Cloud

Section 9 – Database Security in the Cloud

Container database:
• Consolidation of dbs into a single container
• Multi-tenancy
• Elasticity
• Pluggable databases
• Segregation of data

Diagram: Apps and their DBA (Yellow App DBA, !), Cloud Provider DBA, Database Vault, Database protection, Auditing & monitoring, Policies, Alerts.

Page 42

Thank you!

Page 43

Section 10 – Questions and Answers

Page 44

Multitenancy in the Database

Section 10 – Questions and Answers

Oracle Multitenant: consolidate several databases into a single container:
• Share resources & ease maintenance
• Preserve segregation of data
• Databases are pluggable

A Cloud infrastructure for Databases which provides:
• Elasticity & cost reduction
• Flexibility
• Segregation

Source: Oracle Multitenant documentation

Page 45

Database protection

Section 10 – Questions and Answers

Database Vault: realm-based authorization
• Preserve segregation of duties
• Privileged accounts cannot access sensitive data or data from other databases
• Restriction according to Business Hours
• Security Layer on the top of the DBAs

Source: Oracle Database Vault documentation
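A realm around the HR schema with the business-hours restriction the slide lists, as an added example that is not part of the deck. The DBMS_MACADM and DBMS_MACUTL procedure, parameter and constant names are written as I recall them from the Database Vault documentation cited above and should be checked against it; the realm, rule and rule-set names, the schema HR and the application account HR_APP are assumptions. This runs as the Database Vault owner (DV_OWNER), not as SYS, which is itself the separation of duties the slide refers to.

```sql
-- Added example, not from the PwC deck. Oracle Database Vault (11g/12c);
-- run as the DV_OWNER account. Names are assumed; API names as recalled
-- from the Database Vault documentation.

BEGIN
  -- 1. Realm: the objects it protects can no longer be reached through
  --    system privileges (SELECT ANY TABLE, DBA, ...), only by realm authorisations.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects HR tables from privileged accounts',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit denied attempts

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',      -- every object
    object_type  => '%');     -- of every type in the schema

  -- 2. Rule and rule set: access only between 08:00 and 18:59.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''18''');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Business Hours',
    description     => 'HR data is available 08:00-18:59 only',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR data is only available during business hours',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR Business Hours',
    rule_name     => 'Business Hours');

  -- 3. Authorisation: the application account may use the realm's objects,
  --    as a participant (not an owner), and only while the rule set passes.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR_APP',
    rule_set_name => 'HR Business Hours',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
```

After this, a DBA who has SELECT ANY TABLE but no realm authorisation gets an insufficient-privileges error on hr.employees, and the attempt is audited; HR_APP gets the fail message outside business hours. Note that the rule-set clock is the database server's SYSDATE, so the server's time zone decides when "business hours" are.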