Database Vulnerability And Encryption
Presented By:
Priti Talukder
Content
- Different types of threats.
- How will an organization protect sensitive data?
- What is database encryption, and how does it work?
- Is database encryption alone enough to protect data from compromise?
- Does encrypting a database impact server performance?
Threats
- External threats: hackers breach a software company's website, stealing credit card information.
- Internal threats: a disgruntled employee accesses confidential salary information and distributes it.
- Physical threats: thieves strike a data center.
Example of threats
Mexus stole 55,000 credit card records from the database of CreditCards.com. (The slide also shows a mirror image of Mexus's web site.)
Database encryption
What is database encryption? A means of protecting data from compromise and abuse.
How does it work?
[Diagram: Credit Card Number + Encryption Key + Encryption Algorithm -> Encrypted Credit Card Number (an unreadable string in place of the digits)]
Encryption strategy
Inside the DBMS: advantages and disadvantages
- Least impact on the application.
- Security vulnerability: the encryption key is stored in a database table.
- Performance degradation.
- To separate the keys from the data, additional hardware such as an HSM is required.
Outside the DBMS: advantages and disadvantages
- Removes computational overhead from the DBMS and application servers.
- Separates the encrypted data from the encryption key.
- Communication overhead.
- Must administer more servers.
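As an added example (not from the slides), the diagram above and the "outside the DBMS" strategy in working code: a Go service encrypts the card-number column with AES-GCM under a key that lives in a separate key holder, so the stored column contains only nonce, ciphertext and tag and never the key. KeyStore, EncryptPAN and DecryptPAN are hypothetical names, and the card number is a constructed sample; the row's customer ID is bound as associated data, so a ciphertext copied into another customer's row fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for key material held outside the DBMS (an HSM or key server); the key never lands in a table.
type KeyStore struct{ aead cipher.AEAD }

// NewKeyStore generates a random AES-256 key and wraps it in AES-GCM.
func NewKeyStore() (*KeyStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // 32-byte key: NewCipher cannot fail
	g, _ := cipher.NewGCM(block)   // AES block size: NewGCM cannot fail
	return &KeyStore{aead: g}, nil
}

// EncryptPAN returns nonce||ciphertext||tag for one card number; the customer ID is bound as associated data.
func (ks *KeyStore) EncryptPAN(customerID int, pan string) ([]byte, error) {
	nonce := make([]byte, ks.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return ks.aead.Seal(nonce, nonce, []byte(pan), []byte(fmt.Sprint(customerID))), nil
}

// DecryptPAN reverses EncryptPAN; a tampered value or a wrong customer ID fails to authenticate.
func (ks *KeyStore) DecryptPAN(customerID int, stored []byte) (string, error) {
	n := ks.aead.NonceSize()
	if len(stored) < n {
		return "", fmt.Errorf("stored value too short")
	}
	pt, err := ks.aead.Open(nil, stored[:n], stored[n:], []byte(fmt.Sprint(customerID)))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	ks, _ := NewKeyStore()
	stored, _ := ks.EncryptPAN(42, "4111111111111111") // constructed sample PAN
	fmt.Printf("column value: %x\n", stored)
}
```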
Is database encryption enough?
Remaining threats: compromise of the web server, and interception of data in transit (man-in-the-middle).
Solution
Additional security practices such as SSL and proper configuration of the firewall.
Application sphere
[Diagram: the network layer (firewall; Telnet, HTTP; DPI, IPS) contrasted with the application sphere (SQL injection, buffer overflow, cookie poisoning, XSS); analogy: front door, metal detector, pickpocket]
Statistics
Attack                Percent vulnerable
Cross-site scripting  80%
SQL injection         62%
Parameter tampering   60%
Cookie poisoning      37%
Database server       33%
Web server            23%
Buffer overflow       19%
Application security: an essential element
Layer           Components
Information     Database
Business logic  Application server
Application     Web, custom
Host            OS, network, system, memory
Network         TCP, UDP, port over IP