Upload
johanswart1234
View
63
Download
2
Embed Size (px)
Citation preview
Welcome
Data is a Currency.
The only difference to a real currency is that Data can be monetized over and over.
Data Security Real Cases
The consequences of mishandling sensitive data.• 70%+ of data breaches is internal. Malicious attacks from
inside• CASE: Consultant Developer Smash-and-grab• CASE: Locked Backup drives stolen• LAW: Protection Of Personal Information (POPI)
Discussion Scope
• Handling Sensitive Data at Rest• Data that is stored, archived or residing on backup media• Access Control, Encryption, Obfuscation
• Handling Sensitive Data in Transit – not in scope• data that is traversing a network, or residing in memory• Firewalls, Network Access Control, User Interface Encryption
What data is Sensitive?
• Personal, Identifiable, Sensitive• Implications of Data Theft (Identity Theft)• Privacy• National Security• Compliance with Regulations
Types of Sensitive Data
• Government Assigned Identification• Biometric Data• Medical Data• Education Data• Employment Data• Communication Data• Financial Data• Trade Secrets
Protection Of Personal Information(POPI)
General• Identifying Name Of The Person• Race• National Ethnic• Gender• Identification Number
POPI (continued)
Health Detail• Physical Health• Mental Health• Pregnancy• Blood Type• Biometric Information
POPI (continued)
Historical Data• Medical History• Financial History• Criminal History• Employment History
What is the Goal?
• Our goal is to protect sensitive data to the fullest extent and have it only available to relevant people as per their specific needs.
Data Security Tools
• Encryption• Cryptographic Keys• Asymmetric Keys (Public and Private Keys) – RSA2048• Symmetric Keys (Block and Stream Ciphers) – AES256
• Certificates• Hash Algorithms – MD5 and SHA2
• Obfuscation• Honey Combing
Step 1 - Define Data Sensitivity Classes
• Define classes based on data sensitivityExample:• Low – General Public access• Medium – Internal Disclosure Only (Default)• High – Restricted to specific people
Step 2 – Categorize Data Elements
• Categorize every column in the database using your Data Sensitivity Classes• Consider the following during categorization• Decide on a Default Class• Laws and Regulations, Standards, Policies• What would be the Potential Damage if this data element is exposed• Contractual Obligation
• If possible store the DS Classification WITH the meta-data on the database rather than in a proprietary tool or application• Example – SQL Server uses extended properties. In other DBMS’s the comments can be used
Step 3 – Define Database Roles
• Define Database Roles based upon the classifications• Assign Users to the Roles
Step 4 – Database Encryption
• Secures data by encryption the physical files, backup files, log files, etc of the database• For added security a separate Database Instance can be used
for the highly sensitive data (Linked Server)
Step 4 – Database EncryptionRole_High
Role_Medium
Role_Low
High
Medium
Low
Backup Files
Log Files
Memory
Transparent Database
EncryptionLinked Server
Step 5 - Architectural Strategies
• Protection using Normalization (Third Normal Form)• Using Views• Revoke direct Access to all tables• Using Linked Servers
Step 5 – Architectural Strategies
TableLooku
pLookup
vwLow
vwMed
vwHigh
Role_HighRole_MediumRole_Low
Step 6 – Cell-Level Encryption
• Symmetric Key Encryption• Pros• Granular• Secure• User Specific
• Cons• Expensive Table Scans• Process Overhead• Might require data type change
Step 6 – Cell-Level Encryption
• Symmetric Key Encryption• Change Data Type• Populating the Encrypted Column• Views and Stored Procedures• Failed Decryption Handling
Step 6 – Cell-Level Encryption
• Using One-way Encryption• Pros• No Key Maintenance• Minimal Performance Impact
• Cons• Weaker Algorithm• May require Data Type change• Security Vulnerabilities during transit (Hush Mail)
Step 6 – Cell-Level Encryption
• Known Vulnerabilities• Dictionary Attacks• Rainbow Attacks
• Salting• Create Primary Hash Key Column• Create Secondary Hash Key Column for Searching• Views and Stored Procedures
Step 7 - Obfuscation
"To make so confused or opaque as to be difficult to perceive orunderstand … to render indistinct or dim; darken.”
American Heritage Dictionary
Step 7 - Obfuscation
• Character Scrambling• Character Masking• Numeric Variance• Nulling• Truncation• Encoding
• Hashing• Aggregation• Value Scrambling
Step 7 - Obfuscation
Encoding
male 1male 1
Value EncodingMale 1Male 4Female 2Female 7Female 8
female 7female 2
Step 7 - Obfuscation
Value Scrambling
James Bond,male, blond Alfred Penny,female,blondMoney Penny,female, brunette James M,male,grey
Alfred Q,male,grey Money Q,male,brunetteMaggie M,female grey Maggie Bond,female,grey
Step 8 – Honey Combing
Honey pots
A server that is placed in an environment for the sole purpose of attracting those who are snooping around
Step 8 – Honey Combing
• Create public accessible table Honey Table (EmployeeSalary)• Populate with bogus data• Create Audit feature on CRUD on the table• Setup notification process• Buy a shotgun and spade
Finally
• Have eyes in the back of your head• Create and reward Good Habits• Educate, Educate, Educate