Lecture IS6172 13/1/14
Top ten most common database security vulnerabilities (Information Week; Lane, 2013)

1. Deployment failures
The most common cause of database vulnerabilities is a lack of due care at the moment they are deployed. Although any given database is tested for functionality and to make sure it is doing what it is designed to do, very few checks are made to confirm that the database is not doing things it should not be doing.

2. Broken databases
The SQL Slammer worm of 2003 was able to infect more than 90 percent of vulnerable computers within 10 minutes of deployment, taking down thousands of databases in minutes. This worm took advantage of a bug that had been discovered in Microsoft's SQL Server database software the previous year, but few system administrators had installed the fix, leaving computers vulnerable. By exploiting a buffer-overflow vulnerability, the worm's success demonstrates how critical installing security patches and fixes is. However, whether for lack of time or resources, not enough businesses keep their systems regularly patched, leaving databases vulnerable.

3. Data leaks
Databases may be considered a "back end" part of the office and secure from Internet-based threats (so that data does not have to be encrypted), but this is not the case. Databases also have a networking interface, and hackers are able to capture this traffic and exploit it. To avoid such a pitfall, administrators should use SSL- or TLS-encrypted communication.

4. Stolen database backups
External attackers who infiltrate systems to steal data are one threat, but what about those inside the corporation? The report suggests that insiders are also likely to steal archives — including database backups — whether for money, profit or revenge. This is a common problem for the modern enterprise, and businesses should consider encrypting archives to mitigate the insider risk.
Continued…

5. The abuse of database features
The research team says that over the past three years, every database exploit they have seen has been based on the misuse of a standard database feature. For example, a hacker can gain access through legitimate credentials before forcing the service to run arbitrary code. Although complex, in many cases this access was gained through simple flaws that allow such systems to be taken advantage of or bypassed completely. Future abuse can be limited by removing unnecessary tools — not by destroying the possibility of zero-day exploits, but by at least shrinking the surface area hackers can study to launch an attack.

6. A lack of segregation
The separation of administrator and user powers, as well as the segregation of duties, can make fraud or theft by internal staff more difficult. In addition, limiting the power of user accounts may make it harder for a hacker to take complete control of a database.

7. Hopscotch
Rather than taking advantage of a buffer overflow and gaining complete access to a database in the first stage, cybercriminals often play a game of hopscotch: finding a weakness within the infrastructure that can be used as leverage for more serious attacks until they reach the back-end database system. For example, a hacker may worm their way through your accounts department before hitting the credit card processing arena. Unless every department has the same standard of control, creating separate administrator accounts and segregating systems can help mitigate the risk.

8. SQL injections
A popular method for hackers, SQL injections remain a critical problem in the protection of enterprise databases. Applications are attacked by injections, and the database administrator is left to clean up the mess caused by unclean variables and malicious code inserted into strings that are later passed to an instance of SQL Server for parsing and execution. The best ways to protect against these threats are to protect web-facing databases with firewalls and to test input variables for SQL injection during development.
Continued…

9. Sub-standard key management
Key management systems are meant to keep keys safe, but the research team often found encryption keys stored on company disk drives. Database administrators sometimes falsely believe these keys have to be left on the disk because of database failures, but this isn't true — and placing such keys in an unprotected state can leave systems vulnerable to attack.

10. Database inconsistencies
Finally, the researchers found that the common thread which brings all of these vulnerabilities together is a lack of consistency, which is an administrative rather than a database technology problem. System administrators and database developers need to develop a consistent practice in looking after their databases, staying aware of threats and making sure that vulnerabilities are taken care of. This isn't an easy task, but documentation and automation to track and make changes can ensure that the information contained in enterprise networks is kept secure.
System Vulnerability and Abuse
• Computer crime
  – Defined as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”
  – Computer may be the target of crime, e.g.:
    • Breaching confidentiality of protected computerized data
    • Accessing a computer system without authority
  – Computer may be the instrument of crime, e.g.:
    • Theft of trade secrets
    • Using e-mail for threats or harassment
System Vulnerability and Abuse
• Identity theft: theft of personal information (social security id, driver’s license or credit card numbers) to impersonate someone else
• Phishing: setting up fake Web sites or sending e-mail messages that look like they come from legitimate businesses to ask users for confidential personal data
• Evil twins: wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
• Pharming: redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser
System Vulnerability and Abuse
• Click fraud
  – An individual or computer program clicks an online ad without any intention of learning more or making a purchase
• Global threats – cyberterrorism and cyberwarfare
  – Concern that the vulnerabilities of the Internet and other networks make digital networks easy targets for digital attacks by terrorists, foreign intelligence services, or other groups
System Vulnerability and Abuse
• Internal threats – employees
  – Security threats often originate inside an organization
  – Inside knowledge
  – Sloppy security procedures
  – Users’ lack of knowledge
• Social engineering:
  – Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
System Vulnerability and Abuse
• Software vulnerability
  – Commercial software contains flaws that create security vulnerabilities
  – Hidden bugs (program code defects)
  – Zero defects cannot be achieved because complete testing is not possible with large programs
  – Flaws can open networks to intruders
• Patches
  – Vendors release small pieces of software to repair flaws
  – However, the amount of software in use can mean that exploits are created faster than patches can be released and implemented
Business Value of Security and Control
• Lack of security and control can lead to:
  – Loss of revenue
    • Failed computer systems can lead to significant or total loss of business function
  – Lowered market value
    • Information assets can have tremendous value
    • A security breach may cut into a firm’s market value almost immediately
  – Legal liability
  – Lowered employee productivity
  – Higher operational costs
Business Value of Security and Control
• Electronic evidence
  – Evidence for white collar crimes is often found in digital form
    • Data stored on computer devices, e-mail, instant messages, e-commerce transactions
  – Proper control of data can save time and money when responding to a legal discovery request
• Computer forensics:
  – Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law
  – Includes recovery of ambient and hidden data
Establishing a Framework for Security and Control
• Information systems controls
• General controls
  – Govern design, security, and use of computer programs and data throughout the organization’s IT infrastructure
  – Combination of hardware, software, and manual procedures to create an overall control environment
• Types of general controls
  – Software controls
  – Hardware controls
  – Computer operations controls
  – Data security controls
  – Implementation controls
  – Administrative controls
Establishing a Framework for Security and Control
• Application controls
  – Specific controls unique to each computerized application, such as payroll or order processing
  – Include both automated and manual procedures
  – Ensure that only authorized data are completely and accurately processed by that application
• Types of application controls:
  – Input controls
  – Processing controls
  – Output controls
Technologies and Tools for Security
• Antivirus and antispyware software:
  – Checks computers for the presence of malware and can often eliminate it as well
  – Requires continual updating
• Unified threat management (UTM)
  – Comprehensive security management products
  – Tools include:
    • Firewalls
    • Intrusion detection
    • VPNs
    • Web content filtering
    • Antispam software
Database Security Controls
• Database security on its own is an extremely in-depth topic.
• However, there are a few best practices that can help even the smallest business secure its database enough to make an attacker move on to an easier target.
Database Best Practice
• Separate the database and Web servers
• Encrypt stored files
• Encrypt your backups too
• Use a WAF
• Keep patches current
• Minimize use of 3rd party apps
• Don't use a shared server
• Enable security controls
Oracle Security Controls – Enable Database Security Controls
• Database activity monitoring and blocking
• Privileged user and multifactor access control
• Data classification and discovery
• Transparent data encryption
• Consolidated auditing and reporting
• Secure configuration management
• Data masking
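The following script is an added example, not part of the lecture slides or of Oracle's documentation, showing how three of the controls listed above map onto plain Oracle DDL: a least-privilege role (the segregation point, item 6 of the top ten), a unified audit policy (consolidated auditing), and column-level transparent data encryption (the stolen-backups point, item 4). It assumes the EMP table used later in the lecture is owned by a schema called HR and has an SSN column, that an application account APP_USER exists, and that a TDE keystore (wallet) has already been created and opened; the role and policy names are placeholders chosen for the example.

```sql
-- 1. Segregation / least privilege: the application role can read EMP and
--    update only the two columns it needs. It gets no DROP, GRANT or
--    ownership rights, so a compromised application account cannot take
--    complete control of the table.
CREATE ROLE app_emp_role;
GRANT SELECT ON hr.emp TO app_emp_role;
GRANT UPDATE (sal, comm) ON hr.emp TO app_emp_role;   -- column-level grant
GRANT app_emp_role TO app_user;

-- 2. Consolidated auditing: a unified audit policy records every read and
--    change of EMP, whoever performs it, including privileged users.
CREATE AUDIT POLICY emp_access_pol
  ACTIONS SELECT ON hr.emp, UPDATE ON hr.emp, DELETE ON hr.emp;
AUDIT POLICY emp_access_pol;

-- 3. Transparent data encryption: the SSN column is encrypted at rest, so a
--    copied datafile or backup is unreadable without the keystore.
--    (Assumes the keystore is open; the column name SSN is an assumption.)
ALTER TABLE hr.emp MODIFY (ssn ENCRYPT USING 'AES256');

-- Check the control is working: each access to EMP appears in the audit trail.
SELECT event_timestamp, dbusername, action_name, object_name
  FROM unified_audit_trail
 WHERE unified_audit_policies = 'EMP_ACCESS_POL'
 ORDER BY event_timestamp DESC;
```

The audit query is the verification step a practitioner would run after enabling the policy: if reads of EMP by the application account do not appear, the policy is not enabled or the account is connecting through a different path than expected.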
Single Row Functions
• Manipulate data items
• Accept arguments and return one value
• Act on each row that is returned
• Return one result per row
• May modify the data type
• Can be nested
• Accept arguments that can be a column or an expression
  function_name[(arg1, arg2, ...)]
Uses
• Functions are used to manipulate data values.
• We will now examine character, number, and date functions. These are called single row functions.
• Later, we will examine group functions – functions which apply to more than one row.
Character functions
• We defined functions as being used to manipulate (or change) data values.
• What can we change with functions?
• We can change:
  – A user-supplied constant (i.e. a number, date, or a string)
  – A variable name
  – A column name
  – An expression
Lower()
• To change characters to lower case we use the lower() function.
• For example
  Lower('John')
  would return john.
• Similarly,
  Select lower(ename) from emp;
  will return all the names in emp, in lower case.
Upper
• This converts lower, or mixed, case to upper case. For example, let's take the script below.
  Select ename, sal, deptno
  From emp
  Where ename = '&name';
• If the user inputs miller then no values will be returned.
• There is no 'miller' in the emp table. There is a 'MILLER'.
• To fix this, run
  Select ename, sal, deptno
  From emp
  Where ename = upper('&name');
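The &name in the script above is a SQL*Plus substitution variable: SQL*Plus pastes whatever the user types into the statement text before Oracle parses it, which is the "unclean variables inserted into strings" problem described under item 8 (SQL injections) in the top-ten list. The script below is an added example, not from the lecture, that contrasts it with a bind variable, where the statement text is fixed and the value travels separately. It assumes the EMP table (ENAME, SAL, DEPTNO) used throughout these slides; the function name salary_of is a hypothetical name chosen for the example.

```sql
-- Substitution variable: the typed text replaces &name inside the SQL text
-- before the statement reaches the database.
SELECT ename, sal, deptno
  FROM emp
 WHERE ename = UPPER('&name');

-- Bind variable: the same query, but the value is supplied as a parameter.
-- Whatever :name contains is compared as data, never parsed as SQL.
VARIABLE name VARCHAR2(30)
EXEC :name := 'miller'
SELECT ename, sal, deptno
  FROM emp
 WHERE ename = UPPER(:name);

-- The same rule in application code (PL/SQL with dynamic SQL): never build
-- the statement by concatenating the caller's value; pass it through USING.
CREATE OR REPLACE FUNCTION salary_of(p_name IN VARCHAR2) RETURN NUMBER IS
  v_sal emp.sal%TYPE;
BEGIN
  -- Unsafe pattern (do not use): the value becomes part of the statement text.
  --   EXECUTE IMMEDIATE 'SELECT sal FROM emp WHERE ename = ''' || p_name || '''' INTO v_sal;
  -- Safe pattern: fixed statement text, :1 is filled from the USING clause.
  EXECUTE IMMEDIATE
    'SELECT sal FROM emp WHERE ename = UPPER(:1)'
    INTO v_sal USING p_name;
  RETURN v_sal;
EXCEPTION
  WHEN NO_DATA_FOUND THEN RETURN NULL;   -- no such name in EMP
END salary_of;
/

-- Usage: the same value the user would have typed at the &name prompt.
SELECT salary_of('miller') AS miller_salary FROM dual;
```

Bind variables also let Oracle reuse the parsed statement across calls, so the safer form is normally the faster one as well.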
Initcap
• Initcap forces the first letter of a string to be capitalized.
• For example
  Initcap('john')
  will output John.
Concat
• We have seen concatenation using the || symbols.
• We can also use the concat function.
• The syntax is shown in the command below.
  Select concat(ename, job) from emp
  Where ename = 'MILLER';
  This will return MILLERCLERK.
• The difference between concat() and || is that concat can only join two parameters.
LPAD
• Lpad is used to “pad” columns/strings to the left.
• To see this, let us take the string 'diploma'.
• Let us say that we want the string to appear as being 10 characters in length. If we say that we want it to be padded to the left, it would appear like this (three leading spaces):
     diploma
LPAD Continued…
• If we padded with '*' it would look like this:
  ***diploma
• The syntax for this would be
  Lpad('diploma', 10, '*')
• Lpad the word 'diploma' so that it is 10 characters long, with the extra positions to the left being filled with *'s.
RPAD
• Rpad does the same, except that it pads to the right.
• What will the following command do?
  Rpad('course', 12)
Substr
• This stands for substring. It returns a part of a string. We specify which part of the string we want to return.
• For example,
  Substr('Diploma', 2, 3)
  will return ipl.
INSTR()
• INSTR() is used to find where characters occur in a string.
• For example,
  Instr('Diploma', 'o')
  would return the number 5.
INSTR() Continued…
• We can change the syntax slightly. So far we have searched for the 1st occurrence. We can also search for further occurrences.
• For example
  Instr('Seventy', 'e', 3)
  would return the number 4. This is the first occurrence of the letter 'e' in the string 'Seventy' if we start at character position 3.
Ltrim()
• Ltrim() is used to remove leading occurrences of characters.
• If we don’t specify a character, Oracle will remove leading spaces.
• For example, running
  ltrim('   Oracle')
  will remove the leading spaces.
  Ltrim('spacious', 's')
  will return pacious (the leading s has been removed).
Ltrim() Continued…
  Ltrim('spacious', 'p')
• will return spacious (the ‘p’ is not a leading character).
• The order specified for the leading characters is not important. For example,
  Ltrim('spacious', 'ps')
  is the same as
  Ltrim('spacious', 'sp')
RTRIM
• Is the same as LTRIM, except it trims from the right.
SOUNDEX()
• Soundex is used to find words that sound alike.
• For example, McDuff and MacDuff may sound the same, but Oracle would not normally match them.
• If we used soundex, Oracle would regard the names as the same.
SOUNDEX() Continued…
  Where soundex('MacDuff') = soundex('McDuff')
  would be a match.
• Soundex converts character sounds into numbers. It then checks if the numbers are the same. For example, ‘intend’ has a soundex value of I535. ‘Intent’ has the same soundex value.
Length()
• Length() returns the length of a string. For example
  Length('Oracle')
  would return the number 6.
Translate
• Translate is used to change characters.
  select Translate('SMITH', 'I', 'O') from sys.dual;
  will change all letter I’s to letter O’s in the string SMITH. (What is sys.dual?)
• We can also specify more than 1 character to translate.
  Translate(dname, 'EO', 'XY')
  would change all E’s to X’s and all O’s to Y’s in the dname column.
REPLACE()
• Replace is similar to translate. With translate there must be a match between the number of characters to change and the number of characters to change them with, i.e. we can’t replace X with TR. We can only replace 1 character with 1 character, 2 with 2, etc. With replace we can do this. For example
  Replace(Title, 'CHAIRMAN', 'CHAIRPERSON')
  will search the Title column and replace all occurrences of CHAIRMAN with CHAIRPERSON.
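The character functions from LOWER() through REPLACE() are most useful in combination. The query below is an added example, not from the lecture, that uses them for data masking, one of the Oracle controls listed earlier; it is a hand-built mask for display purposes, not Oracle's Data Masking option. The two input rows are constructed inline with a WITH clause so the query runs against DUAL; the column names ENAME, EMAIL and SSN are assumptions for the example.

```sql
-- Constructed sample rows (not real people): a name, an e-mail address and
-- a formatted national insurance style number.
WITH people AS (
  SELECT 'MILLER' AS ename, 'miller@example.com'   AS email, '123-45-6789' AS ssn FROM dual
  UNION ALL
  SELECT 'McDuff' AS ename, 'Mac.Duff@Example.COM' AS email, '987-65-4321' AS ssn FROM dual
)
SELECT INITCAP(ename) AS display_name,
       -- Keep the first character of the local part, pad it with '*' up to the
       -- '@' found by INSTR, then append the domain; LOWER normalises case.
       LOWER(RPAD(SUBSTR(email, 1, 1), INSTR(email, '@') - 1, '*')
             || SUBSTR(email, INSTR(email, '@')))            AS masked_email,
       -- TRANSLATE maps every digit in the first seven characters to 'X' while
       -- leaving the hyphens alone; the last four characters are kept.
       TRANSLATE(SUBSTR(ssn, 1, 7), '0123456789', 'XXXXXXXXXX')
             || SUBSTR(ssn, -4)                              AS masked_ssn,
       -- SOUNDEX matching as on the earlier slide: McDuff and MacDuff agree.
       CASE WHEN SOUNDEX(ename) = SOUNDEX('MacDuff')
            THEN 'sounds like MacDuff' ELSE 'no match' END   AS soundex_check
  FROM people;

-- Expected rows:
-- DISPLAY_NAME  MASKED_EMAIL          MASKED_SSN   SOUNDEX_CHECK
-- Miller        m*****@example.com    XXX-XX-6789  no match
-- Mcduff        m*******@example.com  XXX-XX-4321  sounds like MacDuff
```

Note the INITCAP result for McDuff: the function lower-cases everything after the first letter of each word, so it cannot be trusted to preserve names with internal capitals. The TRANSLATE call relies on its two arguments having equal length, exactly the restriction the REPLACE() slide points out.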
Number functions
• Number functions take numbers as input, change them, and output the results as numbers.
Round()
• This is used to round values up or down and to specify the number of decimal places. To see this, run
  Select round(123.4567, 2), round(123.4567, 3), round(1234.432, 1) from sys.dual;
• This will output
  ROUND(123.4567,2) ROUND(123.4567,3) ROUND(1234.432,1)
  ----------------- ----------------- -----------------
             123.46           123.457            1234.4
Trunc()
• Truncating is similar to rounding. We specify the required number of decimal places but Oracle doesn’t round up or down. It simply “chops off” extra digits.
• To see the difference, examine the following:
  select round(123.456, 2), trunc(123.456, 2) from sys.dual;
  will return
  ROUND(123.456,2) TRUNC(123.456,2)
  ---------------- ----------------
            123.46           123.45
Sign()
• This is used to show if a value is zero, positive, or negative.
  – 1 is returned if the number is positive
  – -1 is returned if the number is negative
  – 0 is returned if the number is zero
• i.e.
  select sign(-11421.215) from sys.dual
  will return -1.
CEIL()
• Raises the value of the number to the next highest integer.
• For example,
  Ceil(13213.4214)
  returns 13214.
Floor()
• Lowers the value to the next lowest integer. For example
  Floor(123.89)
  returns 123.
Power() and others
• POWER raises the number given to the power given.
  Power(12, 2)
  raises 12 to the power of 2.
• Others: there are other numerical functions which Oracle can use. They are straightforward and easy to use. Other functions include SQRT (square root), ABS (absolute value), MOD (modulus), LOG (logarithmic), SIN (sine value), COS (cosine value), TAN (tangent value). There are several more.
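The slides describe CEIL as the "next highest" integer, FLOOR as the "next lowest" and TRUNC as "chopping off" digits. Those descriptions agree for positive numbers but part ways for negative ones and for exact halves, which is where rounding bugs in financial code usually hide. The query below is an added example, not from the lecture, that puts the functions side by side on constructed inputs so the differences are visible in one result set.

```sql
-- Constructed input values: a positive and a negative decimal, and a positive
-- and a negative exact half.
WITH v AS (
  SELECT  123.456 AS x FROM dual UNION ALL
  SELECT -123.456      FROM dual UNION ALL
  SELECT    2.5        FROM dual UNION ALL
  SELECT   -2.5        FROM dual
)
SELECT x,
       ROUND(x, 2) AS round_2,   -- rounds on the third decimal: .456 -> .46
       TRUNC(x, 2) AS trunc_2,   -- chops the third decimal for either sign
       ROUND(x)    AS round_0,   -- halves round away from zero: 2.5 -> 3, -2.5 -> -3
       TRUNC(x)    AS trunc_0,   -- toward zero: 2.5 -> 2, -2.5 -> -2
       CEIL(x)     AS ceil_x,    -- toward +infinity: -2.5 -> -2
       FLOOR(x)    AS floor_x,   -- toward -infinity: -2.5 -> -3
       SIGN(x)     AS sign_x
  FROM v;

-- Expected rows:
--        X   ROUND_2   TRUNC_2  ROUND_0  TRUNC_0  CEIL_X  FLOOR_X  SIGN_X
--  123.456    123.46    123.45      123      123     124      123       1
-- -123.456   -123.46   -123.45     -123     -123    -123     -124      -1
--      2.5       2.5       2.5        3        2       3        2       1
--     -2.5      -2.5      -2.5       -3       -2      -2       -3      -1
```

For negative inputs TRUNC and CEIL agree and FLOOR is the odd one out, the reverse of the positive case. ROUND and TRUNC also accept a negative second argument that works to the left of the decimal point: ROUND(1234.432, -2) returns 1200.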