Embed Size (px)
Citation preview
Inge OsSolution Engineering Manager4/5-2020
Database Security 101
Copyright Oracle (c) 2020 Public
Type of cybercrime
Data breachData is compromized, stolen or altered
System hijackingRansomware
Denial of ServiceTake a service down
Copyright Oracle (c) 2020 Public
Regulations and Laws
Data privacy laws, GDRPNational Security Law, NIS
Copyright Oracle (c) 2020 Public
Common concepts
Why do you store dataWhat is the purposeIs processing inline with defined PurposeLegal base for processingProper RISK assessment
Who has accessed, why, how is the access used,
Data breach wall of Shame
Copyright Oracle (c) 2020 Public
https://www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/
Security in a nutshell
Copyright Oracle (c) 2020 Public
ConfidentialityData disclosure
IntegrityData change/trust
AvailabilityData availability
OWASP Top 10 security Risks
Copyright Oracle (c) 2020 Public
https://owasp.org/www-project-top-ten/
Security key concepts
Need to now-> you only have access to data required to fulfill your job role
Least privilege -> You only have been granted the privileges required to fulfill a task.
Privilege creep -> as you job role changed over time more privileges is granted. Privileges no longer needed is never revoked
Governance and access control -> system and function that is responsible for granting/revoking access rights
Role Based Access Control, RBAC -> Logical container that contains group of access rights. By granting the role and not the individual access rights, governance and administration is made simpler
Attribute Based Access Control, ABAC -> based on dynamic attributes like current time f day, current location, access rights or access roles are granted or revoked
Copyright Oracle (c) 2020 Public
It is all about Data, the datastore is the prime goal
Copyright Oracle (c) 2020 Public
Test copy Production Storage
Prod DatabaseUsers AppServerWebServer
Backup
Typical 3 tier architecure
Test copy Production Storage
Prod DatabaseUsers AppServerWebServer
Backup
What Are The Typical Risks?
Filesystem/Tape access
Insider network sniffing DBA privilege access
SQL Injection attacks
Test system with real data
SQL Injection
Copyright Oracle (c) 2020 Public
https://insecure-website.com/products?category=GiftsSELECT * FROM products WHERE category = 'Gifts' AND released = 1
https://insecure-website.com/products?category=Gifts'--SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
https://insecure-website.com/products?category=Gifts'+OR+1=1--SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
https://insecure-website.com/products?category=Gifts' UNION SELECT username, password FROM users--SELECT * FROM products WHERE category = 'Gifts' UNION SELECT username, password FROM users-- ' AND released = 1
What Are The Typical Risks?SQL Injection
Test copy Production Storage
Prod DatabaseUsers AppServerWebServer
BackupUser Search for deptno 20
select ename, empno from emp where deptno=’20’
Copyright Oracle (c) 2020 Public
Test copy Production Storage
Prod DatabaseUsers AppServerWebServer
Backup
What Are The Typical Risks? SQL Injection
User Search for “313' union select username,'x',passwd, 'x','x','x'
from user_auth where 'a'='a
select ename, empno from emp where deptno=’313' union select username,'x',passwd, 'x','x','x' from user_auth where 'a'='a“ --
Copyright Oracle (c) 2020 Public
Test copy Production Storage
Prod DatabaseUsers AppServerWebServer
Backup
What Are The Typical Risks? SQL Injection Protection
WAF type FW blocks unauthorized SQL
Copyright Oracle (c) 2020 Public
Expose Database as REST API
What Are The Typical Risks? Database Traffic sniffing
WiresharkTest copy Production Storage
Prod DatabaseUsers AppServerWebServer
Backup
Copyright Oracle (c) 2020 Public
What Are The Typical Risks? Traffic sniffing
Copyright Oracle (c) 2020 Public
Test copy Production Storage
Prod DatabaseUsers AppServerWebServer
Backup
What Are The Typical Risks? Priviledged Account Access
Insider with DBA Access
Select * from appuser.secret_data;
Copyright Oracle (c) 2020 Public
Test copy Production Storage
Prod DatabaseUsers AppServerWebServer
Backup
What Are The Typical Risks? Priviledged Account Access, rejected by DataVault
Insider with DBA Access
Access blocked by DataVault Realm
Copyright Oracle (c) 2020 Public
What Are The Typical Risks? Test System
Test copy Production Storage
Prod DatabaseUsers AppServerWebServer
Copyright Oracle (c) 2020 Public
What Are The Typical Risks? Test System, mask the data during cloning
Test copy Production Storage
Prod DatabaseUsers AppServerWebServer
Production data is masked during clone process
Copyright Oracle (c) 2020 Public
The role of the DBA
Keep track of security, but go full access to the databaseBusiess demand access to data for adhoc usage
Make data avilable, but maintain CIA
Copyright Oracle (c) 2020 Public
Datasecurity and Microservices
Copyright Oracle (c) 2020 Public
Copyright Oracle (c) 2020 Public
