Access to Data Getting up close and personal to data Paul Davie CEO, Secerno Nick Ray CEO, Express HR

Page 1: Access to Data  Getting up close and personal to data  Paul Davie CEO, Secerno  Nick Ray CEO, Express HR

Access to Data

Getting up close and personal to data

Paul Davie, CEO, Secerno

Nick Ray, CEO, Express HR

Page 2

Controlling data access: DRM v. distributed services

Jericho Forum Commandment #9: “Access to data should be controlled by security attributes of the data itself”

Approaches:
– Attributes held within the data (DRM/Metadata)
  • Documents, spreadsheets, data on the move
– Attributes held in separate systems
  • Database management systems
  • Service-Oriented Architecture / Web Services

Page 3

“In my opinion, database security is riddled with holes and it’s the biggest problem we face in IT today. Database attacks offer the biggest potential for fraudulent activity and damage to companies’ reputations and customer confidence”.

David Litchfield, NGSS, BlackHat Conference, Las Vegas, August 2006

(Slide A-02)

Page 4

External Attack – It’s Personal

SQL injection remains the most serious type of attack affecting databases, with 250% year on year growth (Mitre).

[Chart: Rate of growth of SQL injection, 2001–2006]

Page 5

Internal Attack – It’s Personnel

One in 10 (of 300) of Glasgow's financial call centres has been infiltrated by criminal gangs, police believe
– “The scam works by planting staff inside offices or by forcing current employees to provide sensitive customer details”. (BBC Scotland, October 2006)

Police in the southern Indian city of Bangalore say they have arrested an employee in connection with a financial scam operating from a HSBC call centre
– A data operator has been charged with hacking the computer system which allegedly led to money being stolen from customer accounts.
– HSBC said funds were taken from a "small number" of customers in UK. (BBC, June 2006)

Page 6

It is Easy and it Hurts

Exploit
– 87% use legitimate user commands
– 78% authorised accounts (43% using their own IDs)

Profile – diverse
– 23% in technical positions (17% with root access!)
– 39% unaware of the organisation’s security measures

Motivation
– 81% financial gain
– 23% revenge

Impact
– 91% financial loss (30% > $0.5m)
– 78% data modification or deletion
– 26% damage to reputation

Source: The E-Crime Watch Survey 4

Page 7

Security Where It Matters

(Slide A-04)

Page 8

A False Sense of Security

Current database security emphasis:
– Encryption
– Identity management
– Authentication
– Auditing
– Perimeter defences

Compliance driving decisions
– Following established technologies
– Driving platform provider enhancements
– Creating false sense of security

Emphasis on who is accessing the data – not what they are doing with it. Implicit trust.

Page 9

Application–database interactions

[Diagram: Users (and an Attacker) → Application → Database. Example statement sent by the application: SELECT * from dvd_stock where [catalog-no] = 'PHE8131']

The database implicitly trusts its applications – speaking in the agreed language (SQL).

(Slide B-01)

Page 10

Application Protocol Intrusion Protection and Detection (APIPS, APIDS)

JFC#4: Devices and applications must communicate using open, secure protocols
– E.g. SQL for databases – but is SQL secure?

JFC#5: All devices must be capable of maintaining their security policy on an untrusted network
– Can we trust the applications that access our databases?

Need to check what applications ask the DB to do:
– Application Protocol Intrusion prevention and detection

[Diagram: Application → APIPS? / APIDS → Database]

Page 11

Database usage analysis and APIPS policy building

Automatically classified actual usage

Policies based on changes to measured behaviour

Protection against unknown threats

(Slide B-20)

Page 12

Application Vulnerabilities

“Applications are really written badly… really badly”. – Rohit Dhamankar at the SANS Top 20 2006 launch

Qualys quotes 100 new issues per week, with badly written web applications being 60–70% of targets

“This [OWASP] ‘Ten-Most-Wanted’ List acutely scratches at the tip of an enormous iceberg. The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense.” – Dr. Peter G. Neumann, Author of Computer-Related Risks

Page 13

Taming the costs

Organisations may have many hundreds of instances of applications that have these vulnerabilities.
– The cost of fixing them is simply too high to contemplate.
– This severely limits business agility.

It costs between 10 and 100 times the original development effort to fix these vulnerabilities in deployed systems. The factor depends on when in the development cycle the flaw was introduced; Gartner quotes an average of 50x.

Unless you can tame this cost, the benefits of business agility are threatened by the cost of making the applications sufficiently safe to conduct the new business functions.

Page 14

Database APIPS – Benefits

Internal Security
– Reduces risk of unauthorized disclosure or corruption
– Detect unusual behaviour by authorized users

External Security
– Fast, accurate, scalable APIDS/APIPS
– Avoids black-list and white-list pitfalls
– Protection available against SQL-injection attacks
– Reduces the urgency to apply security patches

Audit & Compliance
– Automated learning can reduce training time
– Reduced cost of meeting compliance requirements

Application Development
– Enables application design and performance improvement

Page 15

Introducing expressHR

Leading provider of recruitment process outsourcing technology
– Temporary, permanent and contract staff for …
– Local authorities, major corporates, call centres, warehouse, transport, social care, construction, hospitality

expressHR’s Vendor Management System is an end-to-end solution
– From creating vacancy to selection, vetting and placement
– From online timesheets to self-bill invoicing, and reporting

expressHR’s ‘Software as a Service’
– Web-based solution connecting all parties in the process

Page 16

expressHR platform connects…

[Diagram: Corporate Line Managers, Managed Recruitment Service, Recruitment Agencies, Candidates and Temporary Workers connected through the expressHR platform]

Page 17

expressHR platform connects…

[Diagram: Line Managers, Candidates, Temporary Workers, Agencies and Managed Recruitment Service connected through the expressHR platform]

– 82,000 Candidates / Qtr
– 56,000 Placements / Qtr
– 15,000 Users
– 17m Timesheet Hours / Qtr
– £300m p.a. Transactions

Page 18

Problem: Protecting de-perimeterised dBs

System contains critical personal 3rd-party data:
– Banking information, salaries, pay rates, charge rates, CVs and other personal details
– Much of which must be protected by law

expressHR’s “Software-as-a-Service” provides business benefits to costs, speed and efficiency

But raises unique security concerns
– Corporate responsibility
– Customer reputation and brand

The de-perimeterised challenge is: defending critical information against internal and external threats

Page 19

Approach: Database Micro-perimeter

Deploy a micro-perimeter protection
– “Up close and personal” to critical dBs

Understand, control and protect
– Application access to critical databases

[Diagram: Application → APIPS → Database]

Page 20

dB APIPS: Understanding

Build up a rich UNDERSTANDING of Application-to-database behaviour
– Who is asking for what data and when?
– Why is the database system catalogue being queried?

Security improvements
– Locate easily which database stored procedures should be hardened to resist attack

Software engineering/performance issues
– Why is ‘select * from …’ being used?

Page 21

dB APIPS: Understand, Control & Protect

Use the understanding to insist on database interactions conforming ONLY to allowable behaviours
– Understand and measure exactly how the database is being used, and the intent of applications – for informed decision making

Automatically build a fine-grained security policy
– Reflecting how applications really use a database
– Providing a continuous feedback loop based on actual behaviour

Control the risk and secure the corporate assets
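The learn-then-enforce loop described on pages 20 and 21, applied to the dvd_stock query of page 9, as an added example that is not part of the original presentation and is not Secerno's product code: a minimal APIPS policy builder that reduces each SQL statement to its structural shape (literals replaced, keywords and identifiers kept), learns which shapes each database login issued during a training period, and then allows only statements whose shape was seen. The training log, login names, table names and statements are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample of application-to-database traffic captured during a
# learning period, as (database login, SQL statement). Not real expressHR data.
TRAINING_LOG = [
    ("webapp", "SELECT * FROM dvd_stock WHERE [catalog-no] = 'PHE8131'"),
    ("webapp", "SELECT * FROM dvd_stock WHERE [catalog-no] = 'PHE8132'"),
    ("webapp", "SELECT title, price FROM dvd_stock WHERE [catalog-no] = 'PHE9001'"),
    ("webapp", "UPDATE dvd_stock SET qty = 4 WHERE [catalog-no] = 'PHE8131'"),
    ("webapp", "UPDATE dvd_stock SET qty = 0 WHERE [catalog-no] = 'PHE8132'"),
]

# Tokens: quoted strings (with '' escapes), numbers, [bracketed] identifiers,
# words, and single punctuation characters.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\[[^\]]+\]|\w+|[^\s\w]")

def shape(sql):
    """Structural shape of a statement: keywords, identifiers and operators are
    kept (case-folded); string and numeric literals are replaced by '?'."""
    return " ".join("?" if t.startswith("'") or t[0].isdigit() else t.lower()
                    for t in TOKEN.findall(sql))

def learn(log):
    """Understanding phase: count each observed (login, shape) pair.
    The keys of the result are the automatically built allow-policy."""
    return Counter((login, shape(sql)) for login, sql in log)

def check(policy, login, sql):
    """Control phase: allow only shapes seen for this login during learning."""
    s = shape(sql)
    if (login, s) in policy:
        return "allow"
    if any(known == s for _, known in policy):
        return "block: known statement shape but from an unexpected login"
    return "block: statement shape never seen during learning"

def review_hints(policy):
    """Engineering feedback from the same data: learned shapes using 'select *'."""
    return sorted(s for _, s in policy if s.startswith("select *"))

if __name__ == "__main__":
    policy = learn(TRAINING_LOG)
    probes = [("webapp", "SELECT * FROM dvd_stock WHERE [catalog-no] = 'ZZZ0001'"),
              ("webapp", "SELECT * FROM dvd_stock WHERE [catalog-no] = 'PHE8131' OR 1=1"),
              ("webapp", "SELECT name FROM sysobjects")]
    for login, sql in probes:
        print(f"{check(policy, login, sql):<60} {login}: {sql}")
    print("review:", review_hints(policy))
```

A new catalogue number is allowed because only the literal changed, while an appended condition or a query against the system catalogue produces a shape the learning period never saw and is blocked without any black-list of attack patterns.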

Page 22

Solution: SQL IPS

[Diagram: Users (and an Attacker) → Application → SQL IPS → Database; labelled Usage Analysis and Monitoring]

Page 23

Case Study: Lessons Learned

– Ease of implementation
– Training the system to recognise the application(s)
– What we found
– Business Benefit
– Next Steps

Page 24

Conclusion: DB APIDS in action

De-perimeterised businesses must balance:
– granting 3rd-party access to critical databases
– defending those critical business assets

dB protection where you need it
– Close to your business asset …

This is micro-perimeter dB security that:
– Understands the requests that are made of DBs
– Allows only appropriate database queries

APIDS / APIPS in action