690 likes | 845 Views
Database Security, A DBA’s Experience. David Bergmeier – Mark Gurry & Associates. How would you react?. Email from your IT department Time for the annual password change Please reply with your new password Must be exactly 8 characters Must not contain special characters (e.g. $ @).
E N D
Database Security, A DBA’s Experience David Bergmeier – Mark Gurry & Associates
How would you react? Email from your IT department • Time for the annual password change • Please reply with your new password • Must be exactly 8 characters • Must not contain special characters (e.g. $ @) Please let us know if you have any questions or concerns, Regards, Network Security & Operations
A Security Nightmare • Weak passwords – so users will remember them • No ability for users to change their password • Cost cutting: • Reduced coding • No resetting passwords by the helpdesk • Users not “inconvenienced” by password expiring
Until AUDITORS “Thou shalt allow users to change their passwords”
Whoops! The management response: • We’re moving to 3-tier architecture soon • This will be a waste of time and money • We’ll put our efforts into the rewrite In the meantime… “Let’s change everyone’s password TO KEEP THE AUDITORS HAPPY!”
Agenda • What do we mean by security? • Design – where do we start? • Operating System Controls • Passwords • Auditing • The Change Process • Useful Resources
Definition • What is security? • What about security is so important? • What are we trying to achieve? • Why do we care about security? The goals of security: • Lowering the probability of something bad happening • Reducing the impact of bad things when they do happen
Definition Security is all about managing risk. One of our biggest risks, is people.
Case Study Steve Stasiukonis (security expert) • Medical facility security check • Key card system – entry with grocery card • Dressed up as doctors • Conference room with network access • Steve went looking for more vulnerabilities
People and Passwords Passwords can be attacked by: • Spyware • Cracking tools • Brute force guessing • Social engineering • Phishing • Shoulder surfing • Acoustic cryptanalysis • Keystroke loggers
People and Passwords These risks can be mitigated by: • Anti spyware • Enforcing complex passwords • Enforcing long passwords • Regular password changes • Limited grace logins • User education • Good processes and policies • Password masking ******* • Good physical security of assets
Security is mostly about people How do we stop people writing down their passwords?
Design for Security Stages of the System Life Cycle Database and Specifications Application
Design for Security • Security MUST be considered from the outset • Security is not an optional extra • Security problems are easier to fix in the design phase • All stages of the development life cycle must consider security • Adding security later on may break business processes
How Expensive to repair $ Plan Analyze Design Develop Accept
Performance Design Problem SELECT col_security_check( project_no ), col_security_check( project_name ), ... FROM projects WHERE row_security_check( USER ) = ‘Authorized’
Common Design Problems • Security design does not consider performance • Inadequate data model • Building security into the client, not the database • Lack of standards or an inconsistent way of doing security
Schema Design • Start with a fully normalised data model • Denormalise for performance AND security • Natural versus Synthetic keys • Last updated by columns • Username • Timestamp • Module or Program
Operating System • Who has access • What to lockdown • Things to watch out for
Things auditors should know 1. Root access equals full database access 2. Oracle access equals full database access Note: This will change with Oracle Data Vault
Recommendations Get the basics right • Disable telnet and ftp • Use SSH • Includes scp and sftp • Consider controlled use of rcp for performancercp 8.5 times faster than scp • Lock the oracle account and prevent logins mask password in /etc/shadow • Become oracle via SSH or SUDO
Operating System Controls • Apply the Oracle security patcheshttp://www.oracle.com/technology/deploy/security/alerts.htm • Work through an Oracle security checklist (See links later in this presentation) • Consider externally authenticated users for cron jobs but make sure OS_REMOTE_AUTHENT is set to FALSE
Operating System Controls Known hacks Scrutinise all file permissions e.g. Sqlplus • login.sql • glogin.sql Backups • export dump files • rman backup pieces Data theft impossible to detect
Operating System Controls You also need to protect the DBA’s workstation Passwords stored in tools like • Toad • SQL Developer • OEM Desktop shortcuts Weak encryption?
Passwords • Background • The Oracle hashing algorithm • How safe are oracle passwords? • Good and bad examples
Passwords Kerckhoffs’ Principle: The security of a cryptographic systemmust not depend on keeping the cryptographic algorithm secret Users of a cryptographic system should assume the encryption algorithm is public knowledge The Oracle password hashing algorithm is known
Oracle password hashing The current hashing algorithm was released in Oracle 6 (1988) Design Goals: • Must work on all terminalsSome terminals did not have lower caseSo must be case insensitive • Must support non ASCII characters16 bits per character – high byte zeroed • Different users with the same password must have different hashes • Long passwords are supportedMaximum is 30 characters
Oracle password Hash • Username and plaintext password are concatenated • Converted to upper case • Hashed with a modified DES encryption algorithm (a one way function)
Oracle logins • Login requires username and password • They are concatenated, upper cased and hashed • The resulting hash is compared to the stored hash It is theoretically impossible to recover the plaintext from the hashes
Computationally Infeasible What does computationally infeasible mean? • We know the hashing algorithm • We cannot reverse the process and generate plaintext from the hashes However: • We can attempt brute force cracking by sequentially hashing all possible plaintext values until we get a match
Computationally Infeasible 1988 = Intel 80386SX • 25 MHz CPU • 4 MB RAM • MS-DOS 3.3 • 40 MB Hard drive • $3000 approx Estimate of time to crack 6 char alphanumeric passwords • = 36 ^ 6 passwords to check • = 2,176,782,336 passwords to check • Weeks?
Computationally Infeasible 2006 = Intel Pentium 4 • 2 GHz CPU • 1 GB RAM • MS-Windows XP • 30 GB Hard drive • $3000 approx Estimate of time to crack 6 char alphanumeric passwords • Less than 1 hour 7 alphanumeric = 1.5 days 8 alphanumeric = 53 days 9 alphanumeric = over 5 years
Recommendation If using Oracle authentication • Require longer passwords • Require complex passwords • Require regular password changes Balance this with human tendency to write down passwords Change ALL default passwords
Observation Standalone passwords obsolete in 10 years Instead will have multiple types of authentication For example: • Something only you knowe.g. a password or a PIN • Something only you havee.g. a smartcard or a token • Something only you aree.g. biometrics
Case Study Client/Server system in VB and Oracle 8.0 1. Password stored in plaintext in INI file on client • Single application user • Any user can login to production • Auditing impossible • Not very secure
Case Study 2. Password stored encrypted in INI file on client • Still single application user • Developers can login to production • Non application auditing impossible
Case Study 3. Passwords not stored • All users have their own account • Developers don’t have production access • Easy to make changes outside the application • Database upgraded to 8i
Case Study 4. The complex Solution • All users granted a password protected role • The app calls a wrapped stored proc to identify itself • The stored proc returns password to unlock the role • SQLNET.ORA tracing reveals the password
Secure Application Role Superseded in Oracle 9i by CREATE ROLE <role> IDENTIFIED USING <procedure_name> • Flexible – any procedure/function/package • No password to be discovered • Procedure cannot be bypassed • Requires EXECUTE privilege on procedure
Change and Auditing • Why audit? • How much auditing? • Auditing methods • The change process • Testing