
Database Security

A threat from within

Strictly Private and Confidential

June 2015

Cyber Security Team

PwC, June 2015. Database Security • A threat from within

Table of Contents (Section, Overview, Page)

1 Introduction: Threats to DB Security (page 1)
2 Architecture & Vocabulary (page 8)
3 Access Control & Application Security (page 14)
4 Data Anonymization (page 21)
5 Authentication (page 24)
6 Governance, Risk and Compliance (page 27)
7 Database Vulnerability Assessment (page 29)
8 Database Audit & Protection (page 32)
9 Database Security in the Cloud (page 37)
10 Questions and Answers (page 40)

Section 1 – Introduction: Threats to DB Security

Databases: an attractive target

Database records stolen in early 2014:

• January: Snapchat (4.5M)
• February: Kickstarter (5.6M)
• March: Korean Telecom (12M)
• May: eBay (145M)

Data stolen: credentials, email addresses, credit card information, social security numbers, medical records, etc…

96% of records breached are from databases…

Source: Verizon - Data Breach Investigations Report 2015

Top 10 Database Threats

1 Excessive privileges: unauthorized access & abuse
2 SQL injection: 19% of web app attacks
3 Malware: compromised hosts
4 Weak audit trail: unable to detect
5 Backup exposure: often unprotected media
6 Weak authentication: brute force, stolen credentials
7 DB vulnerabilities & misconfiguration
8 Unmanaged sensitive data
9 Denial of Service
10 Limited security expertise & education


But who's to blame?

Who are the stakeholders (threats) of Database Security?

• Developers
• Network Admins
• Testers
• System Admins
• Storage/Backup Admins
• End Users
• DBAs
• CISO
• Auditors
• IT Security
• Business
• You?

Oracle Security History (1992 to 2015)

• Oracle 7: strong authentication (PKI, Kerberos, RADIUS); native network encryption; database native auditing
• Oracle 8i: Oracle Label Security; global roles; Virtual Private Database
• Oracle 9i: Fine Grained Auditing
• Oracle 10g: Secure Backup; Transparent Data Encryption; Oracle Audit Vault & Database Vault
• Oracle 11g: Activity Monitoring & Database Firewall; Privilege Analysis; sensitive data discovery
• Oracle 12c: separation of duty; new audit framework; Advanced Security Options are embedded

Native Security provided by Oracle and the others

• Oracle: Virtual Private Database, Materialized Views, Synonyms, Data Masking, Transparent Encryption, RBAC (Roles), Audit
• MySQL: Dynamic Views only, No Synonyms, No Anonymization, Manual Encryption, No Roles, Audit via Module
• PostgreSQL, SQL Server, Sybase (one column each):
  • Materialised Views, Synonyms, No Anonymization, Transparent Encryption, RBAC (Roles), Audit
  • Materialised Views, No Synonyms, No Anonymization, Transparent Encryption, RBAC (Roles), Audit
  • Materialised Views, Synonyms, No Anonymization, Manual Encryption, RBAC (Roles), Audit via Module
• IBM DB2: Label Based Access Control, Materialized Query Tables, Synonyms, Anonymization (optional), Transparent Encryption, RBAC (Roles), Audit

Section 2 – Architecture & Vocabulary

Oracle Architecture

• Instance (SID): Memory (SGA) and Background Processes
• Database: Datafiles, Online Redo Logs, Controlfiles, Backup files, Parameter Files

Logical vs Physical

• Logical structures: Database > Tablespace > Segment > Extent > Database Block; Schema
• Physical structures: Datafile > O.S. Block

Logical Structures

Tables, Constraints, Indexes, Views, Synonyms, Profiles, Sequences, Procedures & Functions, Triggers, Packages

Dictionary & Catalog

• Tablespace USERS: tables, indexes, constraints, views
• Tablespace SYSTEM:
  • Dictionary (SYS): tables holding information about the database itself (metadata)
  • Catalog (SYSTEM): views on the dictionary

Structured Query Language - SQL

SQL is a special-purpose programming language designed for managing data held in a database (RDBMS).

• Data Definition Language: define the structure of tables and other objects (CREATE, ALTER, DROP or TRUNCATE)
• Data Manipulation Language: use and manipulate the data (SELECT, INSERT, UPDATE or DELETE)
• Data Control Language: define permissions for users/schemas (GRANT or REVOKE)

Section 3 – Access Control & Application Security

Strategy to Secure Data

• Classify data/users
• Anticipate threats
• Map controls

Role Based Access Control (RBAC)

• Databases: DB1, DB2, DB3
• Data classification: Public, Internal, Confidential, Top Secret
• Roles & responsibilities: Business Users, Developers, Security Admins, Managers
• Roles → privileges

Data Classification against the Triad

• CONFIDENTIALITY: classification against their contents (Secret/Confidential/Internal/Public)
• INTEGRITY: impact when modifying data (High/Medium/Low)
• AVAILABILITY: what availability is required? 90%? 99.5%?

Misconfiguration Risk with Privileges

[Diagram: App. Owner, Thomas, Ana and Mike; grants made WITH ADMIN / GRANT OPTION and ANY privileges reaching the application tables, flagged "!"]

Misconfiguration Risk with Roles

[Diagram: a business user holding SELECT, INSERT, UPDATE and DELETE on the DB through an application role]

Application Role = DBA Access !!

Misconfiguration Risk with Profile

Profile limits for a user (Lambda):

• Password Lifetime
• Password Complexity
• Failed Login Attempts
• CPU per Session
• Connect Time
• …

Beware of 'DEFAULT' or 'UNLIMITED' values…
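As an added example (not part of the deck), the Oracle data dictionary checks a reviewer would run for the three misconfigurations above: privileges granted as ANY privileges or WITH ADMIN/GRANT OPTION, application roles that resolve to DBA, and profile limits left at DEFAULT or UNLIMITED, followed by a hardened profile. The schema name APPOWNER, the profile name app_users and the limit values are assumptions; lambda is the slide's sample user.

```sql
-- Dangerous system privileges: ANY privileges, or anything re-grantable
-- (ADMIN_OPTION = 'YES' lets the grantee pass the privilege on, as in the diagram).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '%ANY%' OR admin_option = 'YES')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- Object grants on the application schema given WITH GRANT OPTION
-- (APPOWNER is an assumed schema name).
SELECT grantee, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE owner = 'APPOWNER' AND grantable = 'YES';

-- Users and roles that end up with DBA, directly or through nested roles
-- (the "Application Role = DBA Access" case). hops = 1 is a direct grant.
SELECT DISTINCT grantee, LEVEL AS hops
  FROM dba_role_privs
 START WITH granted_role = 'DBA'
 CONNECT BY NOCYCLE granted_role = PRIOR grantee
 ORDER BY hops, grantee;

-- Profile limits still at DEFAULT / UNLIMITED (or no verify function),
-- with the number of accounts inheriting each one.
SELECT p.profile, p.resource_name, p.limit, COUNT(u.username) AS accounts
  FROM dba_profiles p
  LEFT JOIN dba_users u ON u.profile = p.profile
 WHERE (p.resource_type = 'PASSWORD'
        OR p.resource_name IN ('CPU_PER_SESSION', 'CONNECT_TIME', 'SESSIONS_PER_USER'))
   AND p.limit IN ('DEFAULT', 'UNLIMITED', 'NULL')
 GROUP BY p.profile, p.resource_name, p.limit
 ORDER BY p.profile, p.resource_name;

-- Hardened profile for ordinary accounts (assumed baseline values).
-- Units: PASSWORD_* in days, CONNECT_TIME in minutes, CPU_PER_SESSION in 1/100 s.
-- ora12c_verify_function ships with Oracle 12c.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function
  SESSIONS_PER_USER        3
  CONNECT_TIME             480
  CPU_PER_SESSION          100000;
ALTER USER lambda PROFILE app_users;   -- the slide's sample user
```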

Section 4 – Data Anonymization

Data Anonymization

Production (Business user, Senior DBA):

NAME | SSN | SALARY | NOTES
Dupont | 203-55-1478 | 40,000 | -
Schmitt | 325-65-1469 | 60,000 | Will be promoted

Copy → Anonymize → Testing (Developer, Junior DBA, External provider) (!):

NAME → redacted, redacted
SSN → 170-96-1765, 123-45-6789
Encrypted column → GBerilQ, JaOXnRtx

• Data masking: delete or replace with a constant value.
• Data scrambling: replace with a random value of the same format.
• Data encryption: repeatable, an input always gives the same result.

Data Masking in Production

• Views to hide rows and/or columns
• Synonyms to replace the view's name with the original table's name (or used to hide the use of a Database Link)
• Virtual Private Database to segregate data from different customers
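An added example (not the deck's own code) in Oracle SQL that applies both approaches above to the slide's employee table: an anonymized copy for Testing using masking, scrambling and a keyed, repeatable transformation, then a masked view plus synonym for Production. The schema HR, the reader account APP_READER and the HMAC key are assumptions; calling DBMS_CRYPTO needs an EXECUTE grant from SYS.

```sql
-- Production table (constructed sample, same shape as the slide's).
CREATE TABLE hr.employees (
  name   VARCHAR2(30),
  ssn    VARCHAR2(11),
  salary NUMBER,
  notes  VARCHAR2(200)
);
INSERT INTO hr.employees VALUES ('Dupont',  '203-55-1478', 40000, NULL);
INSERT INTO hr.employees VALUES ('Schmitt', '325-65-1469', 60000, 'Will be promoted');

-- 1. Copy & anonymize for the Testing environment.
CREATE TABLE hr.employees_test AS
SELECT CAST('redacted' AS VARCHAR2(30)) AS name,     -- masking: constant value
       -- scrambling: random value that keeps the NNN-NN-NNNN format
       LPAD(TRUNC(DBMS_RANDOM.VALUE(100, 999)), 3, '0')   || '-' ||
       LPAD(TRUNC(DBMS_RANDOM.VALUE(10, 99)), 2, '0')     || '-' ||
       LPAD(TRUNC(DBMS_RANDOM.VALUE(1000, 9999)), 4, '0') AS ssn,
       0 AS salary,                                    -- masking: constant value
       -- repeatable: the same input always gives the same output, so rows can
       -- still be joined. Keyed (HMAC-SHA256, typ 3) rather than a plain hash:
       -- a plain hash of a low-entropy value such as an SSN is undone by enumeration.
       RAWTOHEX(DBMS_CRYPTO.MAC(UTL_RAW.CAST_TO_RAW(NVL(notes, '-')), 3,
                UTL_RAW.CAST_TO_RAW('assumed-key-kept-out-of-test'))) AS notes
  FROM hr.employees;

-- 2. Masking in Production: a view hides the SSN prefix and the rows carrying
--    HR notes; a synonym gives the view the original table name for APP_READER.
CREATE OR REPLACE VIEW hr.employees_masked AS
SELECT name,
       REGEXP_REPLACE(ssn, '^[0-9]{3}-[0-9]{2}', 'XXX-XX') AS ssn,
       salary
  FROM hr.employees
 WHERE notes IS NULL;
GRANT SELECT ON hr.employees_masked TO app_reader;
CREATE OR REPLACE SYNONYM app_reader.employees FOR hr.employees_masked;
-- app_reader now runs SELECT * FROM employees and gets the masked view.
```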

Section 5 – Authentication

Authentication

• OS level: # oracle, # root
• DB level: sys (dba), Database
• Account types: DB user, OS user, LDAP user, strong authentication

Principles: Strong Authentication, Accountability, Least Privileges, Non Repudiation

Monitoring & Blocking: Users, High Priv. Accounts, Data Leakage

Oracle Encryption

[Diagram: Database with TDE; KEY VAULT holding the key in a Wallet or an HSM; Secure Backup; Data Pump; (…); DBA]

Section 6 – Governance, Risk and Compliance

• Layers: Data, Application, Host, Internal Network, Perimeter & Cloud, Physical
• Plan, Policies & Procedures, Baselines, Awareness
• Security Governance, Risk & Compliance
• Operational Security, Monitoring & Controls (Audit)
• Identity & Access Management

Section 7 – Database Vulnerability Assessment

Database Vulnerability Assessment

• Weak passwords
• Misconfigured privileges
• Missing patches
• Configuration changes
• Account sharing
• Unusual hour activities
• Suspicious admin logins

ODAT: penetration testing for Oracle Database

Source: https://github.com/quentinhardy/odat

1 SID scanning (e.g. SID: ORCL)
2 Accounts & passwords guessing
3 Columns scanning
4 HTTP requests
5 TCP port scanning
6 File upload, download & deletion
7 System commands & remote shell access

Section 8 – Database Audit & Protection

Audit Trail & Fine Grained Auditing

Audit events are written to an audit table, an OS file or the system log.

• Interoperability issues, performance issues
• Audit Trail can be accessed and altered!
• Audit Trail: fast & simple, non-selective
• Fine Grained Audit: very flexible, complex

1- Oracle Audit Vault & Database Firewall

• Audit Vault centralizes audit logs from the databases, the OS, Active Directory…
• It allows easy reporting and custom alerts
• It works together with Database Firewall, which filters requests made to the database

Source: Oracle Audit Vault documentation

Does it not impact performance?

2- IBM Infosphere Guardium

[Diagram: Switch with SPAN monitoring (?); S-TAP (local traffic); F-TAP (is it safe?); Collector; Aggregator; change of (ip, port) flagged (!); Policies; Real-time alerts, Post-mortem reports, Reports]

Other players in the market

Section 9 – Database Security in the Cloud

Databases in the Cloud

Container database:

• Consolidation of databases into a single container
• Multi-tenancy
• Elasticity
• Pluggable databases
• Segregation of data

[Diagram: Apps; Database protection, Auditing & monitoring, Policies, Alerts; Database Vault; Yellow App DBA vs Cloud Provider DBA (!)]

Thank you!

Section 10 – Questions and Answers

Multitenancy in the Database

Oracle Multitenant: consolidate several databases into a single container:

• Share resources & ease maintenance
• Preserve segregation of data
• Databases are pluggable

A Cloud infrastructure for Databases which provides:

• Elasticity & cost reduction
• Flexibility
• Segregation

Source: Oracle Multitenant documentation

Database protection

Database Vault: realm-based authorization

• Preserve segregation of duties
• Privileged accounts cannot access sensitive data or data from other databases
• Restriction according to Business Hours
• Security Layer on top of the DBAs

Source: Oracle Database Vault documentation
