Database Security


Free Powerpoint TemplatesPage 1


DATABASE Security

Lillian Nasharitah


What is Database?

A structured set of data held in a computer, especially one that is accessible in various ways.


What is inside Database?


Database Schema

A database schema of a database system is its structure

described in a formal language supported by the database

management system (DBMS) and refers to the organization

of data to create a blueprint of how a database will be

constructed (divided into database tables).


Concepts of Database Security


Confidentiality

Confidentiality can be enforced by encrypting the data stored in the database, and the data in transit between the application and the database server.

Encryption is a process by which data is encoded in such a way that only authorized users, those who hold the key, are able to read it.

In other words, encryption renders sensitive data unreadable to anyone without the key. Encryption at rest protects against theft of disks and backup media; it does not stop an attacker who can already issue queries as an authorized account, so it complements access control rather than replacing it, and the keys must be kept separate from the data they protect.


Integrity

Integrity can be enforced by access controls that define which users are given which permissions in the database, so that data can only be changed by those entitled to change it. The constraints the DBMS enforces itself (primary and foreign keys, NOT NULL and CHECK rules) guard against invalid data as well.

For example, suppose data related to employee information is stored in a database. An employee may have permission to view the records and to alter only part of the information, such as his contact details, whereas a person in the human resources department will have more privileges.
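As an added example, not taken from the original slides, the following Python script models the employee/HR split described above as column-level access control enforced by the database engine rather than by application logic. It uses SQLite's authorizer hook, which the engine consults when it compiles each statement, so an UPDATE that touches a forbidden column is refused before it runs. The table, the two roles and the single sample row are constructed for the illustration; in a server DBMS the same split is expressed with account privileges (for example PostgreSQL's column-level GRANT UPDATE (phone) ON employees TO employee_role), and a rule such as "only his own record" needs a view or row-level security, which this model omits.

```python
import sqlite3

# Columns an ordinary employee may change: contact details only.
EMPLOYEE_WRITABLE = {"phone"}

# Statement types an ordinary employee may never run against the HR table.
EMPLOYEE_FORBIDDEN = {
    sqlite3.SQLITE_INSERT,
    sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_DROP_TABLE,
    sqlite3.SQLITE_ALTER_TABLE,
}

ALL_COLUMNS = ("name", "phone", "salary")


def make_hr_db():
    """Constructed sample database: one employee row, no real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (
            id     INTEGER PRIMARY KEY,
            name   TEXT    NOT NULL,
            phone  TEXT,
            salary INTEGER NOT NULL CHECK (salary > 0)   -- engine-enforced integrity rule
        );
        INSERT INTO employees (name, phone, salary)
        VALUES ('Ann Example', '555-0100', 50000);
    """)
    conn.commit()
    return conn


def employee_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Authorizer for the 'employee' role: read anything, update contact details only."""
    if action == sqlite3.SQLITE_UPDATE and arg1 == "employees":
        # arg2 is the column being assigned; deny anything outside the allowlist.
        return sqlite3.SQLITE_OK if arg2 in EMPLOYEE_WRITABLE else sqlite3.SQLITE_DENY
    if action in EMPLOYEE_FORBIDDEN:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def hr_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Authorizer for the 'HR' role: full access to the employee table."""
    return sqlite3.SQLITE_OK


def as_employee(conn):
    conn.set_authorizer(employee_authorizer)


def as_hr(conn):
    conn.set_authorizer(hr_authorizer)


def update_column(conn, employee_id, column, value):
    """Try to change one column. True if the engine ran the UPDATE, False if it refused."""
    # Identifiers cannot be bound as parameters, so the column name is checked
    # against a fixed allowlist before it is placed in the statement text.
    if column not in ALL_COLUMNS:
        raise ValueError(f"unknown column: {column!r}")
    try:
        conn.execute(f"UPDATE employees SET {column} = ? WHERE id = ?", (value, employee_id))
        conn.commit()
        return True
    except sqlite3.DatabaseError:   # 'not authorized' is raised when the statement is compiled
        conn.rollback()
        return False


def get_employee(conn, employee_id):
    """Return (name, phone, salary) for one employee."""
    return conn.execute(
        "SELECT name, phone, salary FROM employees WHERE id = ?", (employee_id,)
    ).fetchone()


if __name__ == "__main__":
    db = make_hr_db()
    as_employee(db)
    print("employee changes phone :", update_column(db, 1, "phone", "555-0199"))   # True
    print("employee changes salary:", update_column(db, 1, "salary", 99000))       # False
    as_hr(db)
    print("HR changes salary      :", update_column(db, 1, "salary", 52000))       # True
    print(get_employee(db, 1))
```

The point of putting the rule in the engine is that it holds for every client, including an attacker who reaches the database with the employee's connection: the refused UPDATE never executes, and the CHECK constraint rejects a nonsensical salary regardless of who sets it. The authorizer is still installed by the application here, so it is a model of what a DBMS account with restricted privileges gives you, not a substitute for one.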


How to ensure integrity of the database?

Once the database is installed, the default administrative password has to be changed. Similarly, periodic checks have to be conducted to ensure the password has not been compromised.

User accounts that are not in use have to be locked. If one is sure that these user accounts will never be used again, the best step is to remove them.

Policies requiring strong passwords have to be enforced. A common policy is to change passwords once a month; note, however, that current guidance (NIST SP 800-63B) favours long passwords, screening against known-breached passwords and rotation when compromise is suspected over rotation on a fixed schedule, because forced monthly changes tend to produce weak, predictable passwords.


Check the roles each user has and set the rules accordingly. You must ensure that users are given permissions only for what they are allowed to do. This is a time-consuming job when the database is huge, but once the permissions are set the right way, it is easy to detect unauthorized entry or access.

Does your company have multiple database administrators? If yes, segregate the duties among these database administrators, so that no single administrator can, for example, both change data and alter or delete the audit trail of that change.


Availability

To ensure availability, the following steps have to be taken:

Restrict the amount of storage space given to each user in the database, so that one user cannot fill the disk.

Limit the number of concurrent sessions made available to each database user, so that a runaway or malicious client cannot exhaust the connection pool.

Back up the data at periodic intervals to ensure recovery in case of application errors, hardware failure or corruption, and test that the backups actually restore.


Databases should be patched against known vulnerabilities, since an exploitable flaw in the DBMS can be used to crash the server or take it offline.

Threats to Database Security

1. Privilege abuse

When database users are given privileges that exceed their day-to-day job requirements, these privileges may be abused, intentionally or unintentionally. Take, for instance, a database administrator in a financial institution. What happens if he turns off the audit trail or creates bogus accounts? He will be able to transfer money from one account to another, abusing the excessive privilege intentionally.

2. Operating System Vulnerabilities

Vulnerabilities in the underlying operating system (Windows, UNIX, Linux, etc.) and in the services related to the database could lead to unauthorized access or to a Denial of Service (DoS) attack. This can be prevented by applying operating system security patches as soon as they become available.


3. Database Rootkits

A database rootkit is a program or procedure hidden inside the database, for example a modified stored procedure, view or trigger, that provides administrator-level privileges for gaining access to the data in the database while concealing its own presence. Such rootkits may even turn off alerts triggered by Intrusion Prevention Systems (IPS).

4. Weak Authentication

Weak authentication models allow attackers to employ strategies such as social engineering and brute force to obtain database login credentials and assume the identity of legitimate database users.


5. Weak Audit Trails

A weak audit logging mechanism in a database server represents a critical risk to an organization, especially in retail, financial, healthcare and other industries with stringent regulatory compliance. Regulations such as PCI DSS, SOX and HIPAA demand extensive logging of actions so that an event can be reconstructed at a later point in time in case of an incident. Logging of sensitive or unusual transactions happening in a database must be done in an automated manner to support incident resolution. Audit trails act as the last line of database defense: they can detect that a violation occurred and help trace it back to a particular point in time and a particular user.
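As an added example, not from the original slides, the following Python script shows what an automated, tamper-evident audit trail looks like when the logging is done by the database engine itself rather than by application code: a trigger records every salary change together with who made it, and further triggers make the audit table append-only, which is the control that the privilege-abuse scenario above (a DBA turning off the audit trail) is meant to defeat. The tables, the one-row session mechanism and the data are constructed for the illustration; a server DBMS would use its own session user (CURRENT_USER) and native audit facility instead, and the audit rows would additionally be shipped to a log host the DBA cannot reach, which is where the segregation of duties described earlier comes in.

```python
import sqlite3

# Constructed schema for the example: an HR table, an append-only audit table and a
# one-row 'session' table that stands in for the DBMS session user SQLite lacks.
SCHEMA = """
CREATE TABLE employees (
    id     INTEGER PRIMARY KEY,
    name   TEXT    NOT NULL,
    salary INTEGER NOT NULL
);

CREATE TABLE audit_log (
    id          INTEGER PRIMARY KEY,
    at          TEXT    NOT NULL DEFAULT (datetime('now')),
    actor       TEXT    NOT NULL,
    action      TEXT    NOT NULL,
    employee_id INTEGER NOT NULL,
    old_salary  INTEGER,
    new_salary  INTEGER
);

CREATE TABLE session (actor TEXT NOT NULL);

-- Runs inside the engine for every salary change, whatever client issued it.
-- If no actor is recorded for the session, the NOT NULL on audit_log.actor
-- makes the whole UPDATE fail rather than leave an anonymous change.
CREATE TRIGGER audit_salary_update AFTER UPDATE OF salary ON employees
BEGIN
    INSERT INTO audit_log (actor, action, employee_id, old_salary, new_salary)
    VALUES ((SELECT actor FROM session LIMIT 1), 'UPDATE', OLD.id, OLD.salary, NEW.salary);
END;

-- Tamper evidence: audit rows can be added but never edited or deleted via SQL.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;

CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
"""


def make_audited_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO employees (name, salary) VALUES (?, ?)",
        [("Ann Example", 50000), ("Ben Example", 42000)],   # constructed sample rows
    )
    conn.commit()
    return conn


def set_actor(conn, actor):
    """Record who is acting in this session; a real DBMS knows this from the login."""
    conn.execute("DELETE FROM session")
    conn.execute("INSERT INTO session (actor) VALUES (?)", (actor,))


def change_salary(conn, actor, employee_id, new_salary):
    """Apply a salary change as 'actor'. Returns the number of rows updated."""
    set_actor(conn, actor)
    cur = conn.execute(
        "UPDATE employees SET salary = ? WHERE id = ?", (new_salary, employee_id)
    )
    conn.commit()
    return cur.rowcount


def audit_entries(conn):
    """Everything the engine recorded, oldest first (timestamp omitted for stable output)."""
    return conn.execute(
        "SELECT actor, action, employee_id, old_salary, new_salary "
        "FROM audit_log ORDER BY id"
    ).fetchall()


def try_purge_audit(conn, actor):
    """Attempt to wipe the trail as 'actor'. True if it succeeded, False if the engine refused."""
    set_actor(conn, actor)
    try:
        conn.execute("DELETE FROM audit_log")
        conn.commit()
        return True
    except sqlite3.DatabaseError:   # RAISE(ABORT) surfaces as a constraint error
        conn.rollback()
        return False


if __name__ == "__main__":
    db = make_audited_db()
    change_salary(db, "hr_manager", 1, 52000)
    print(audit_entries(db))            # [('hr_manager', 'UPDATE', 1, 50000, 52000)]
    print(try_purge_audit(db, "dba"))   # False: the trail survives
```

The trigger captures the old and new value and the actor, which is exactly what an investigator needs to reconstruct an event later. The append-only triggers raise the bar but are not the last word: an account allowed to drop triggers or the table can still destroy the trail, which is why the slide's advice to split DBA duties, and the practice of forwarding audit rows off the database host, matter.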


Examples of Databases

MySQL

Oracle

PostgreSQL

Microsoft Visual FoxPro

MariaDB


What is SQL Injection?



SQL Injection Steps


What Should You Look For?



SQL Injection Techniques


How to test for SQL Injection Vulnerability?


How does it work?


BadLogin.aspx.cs


Getting Output of SQL Query


Getting Data from Database Using ODBC Error Message


Hacking Tools

AutoMagic SQL

Absinthe Automated SQL


Automated SQL Injection Tool


Absinthe Automated SQL Injection Tool


SQL Injection in Oracle


SQL Injection in MySQL



SQL Injection Countermeasures



SQL Injection Attack Prevention

Minimize the privileges of database connections

Disable verbose error messages

Protect the system account "sa" (SQL Server's built-in administrator): give it a strong password and never use it from application code

Audit source code

• Escape single quotes (a stop-gap only; parameterized queries are the reliable fix)

• Input validation

• Reject known bad input (a blocklist catches only the payloads it knows about; prefer an allowlist describing what valid input looks like)

• Input bound checking


Never trust user input

• Validate all textbox entries using validation controls, regular expressions and code

Never build SQL dynamically from user input

• Use parameterized SQL or stored procedures (a stored procedure that itself concatenates its arguments into dynamic SQL is still injectable)

Never connect to a database using an admin-level account

• Use a limited-access account to connect to the database, so that an injected query cannot drop tables or read beyond what the application needs
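As an added example, not the BadLogin.aspx.cs code from the slides, the following Python script puts the two login implementations side by side: one that pastes the user's input into the SQL text, which the classic x' OR '1'='1 payload and a comment-terminator payload turn into a query that matches every row, and one that allowlists the username and binds both values as parameters, so the same payloads are treated as data and match nothing. The in-memory user table and its rows are constructed for the illustration; the passwords are kept in clear text only to keep the focus on query construction, which the "Do not store secrets in plain text" rule forbids in real code.

```python
import re
import sqlite3

# Allowlist for usernames: what valid input looks like, not what bad input looks like.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """Constructed sample user table; nothing here comes from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            username TEXT NOT NULL UNIQUE,
            password TEXT NOT NULL,   -- clear text only for brevity; hash in real code
            role     TEXT NOT NULL
        );
        INSERT INTO users (username, password, role) VALUES
            ('alice', 'S3cret!', 'admin'),
            ('bob',   'hunter2', 'user');
    """)
    conn.commit()
    return conn


def bad_login(conn, username, password):
    """Vulnerable: user input becomes part of the SQL text. Returns (username, role) or None."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def good_login(conn, username, password):
    """Hardened: input is validated, then bound as parameters, never spliced into the query."""
    if not USERNAME_RE.fullmatch(username):
        return None
    # The '?' placeholders are filled in by the driver; the engine sees them as values only.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Two classic payloads, as an attacker would type them into a login form.
COMMENT_OUT_PASSWORD = "alice' --"   # closes the quote, comments out the password check
ALWAYS_TRUE = "x' OR '1'='1"         # makes the WHERE clause true for every row


def demo():
    """Run both implementations against valid input and against the payloads."""
    conn = make_db()
    return {
        "bad/valid":       bad_login(conn, "bob", "hunter2"),
        "bad/comment":     bad_login(conn, COMMENT_OUT_PASSWORD, "anything"),
        "bad/always":      bad_login(conn, ALWAYS_TRUE, ALWAYS_TRUE),
        "good/valid":      good_login(conn, "bob", "hunter2"),
        "good/comment":    good_login(conn, COMMENT_OUT_PASSWORD, "anything"),
        "good/always":     good_login(conn, ALWAYS_TRUE, ALWAYS_TRUE),
        "good/pw-payload": good_login(conn, "bob", ALWAYS_TRUE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

With the vulnerable version, the comment payload logs the attacker in as alice without a password, and the always-true payload returns the first row in the table, which happens to be the admin. The hardened version rejects the malformed usernames before any SQL is built, and the password payload, which passes no username check, is compared literally against the stored value and fails. Note that the regular expression is defence in depth: the parameter binding alone already makes the payloads harmless, and the password field is deliberately not filtered because the binding is what protects it.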


Do not store secrets in plain text

• Hash passwords with a salted, deliberately slow algorithm and encrypt other sensitive data; you should also encrypt connection strings, or keep them out of the source tree altogether.

Exceptions should divulge minimal information

• Do not reveal too much information in error messages; show the user a custom, generic message and keep the full exception text in server-side logs, since verbose database errors are exactly what error-based injection feeds on.


SQL Injection Blocking Tool


Acunetix Web Vulnerability Scanner


What happened next?


Thank You