1 / 0

Database Security

Database Security. Yiwen Wang. --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox. Database Security. Database Security - protection from malicious attempts to steal (view) or modify data. Importance of Data. Bank accounts

chavez
Download Presentation

Database Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Database Security

    Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox Dec 13th CS555 presentation
  2. Database Security Database Security - protection from malicious attempts to steal (view) or modify data.
  3. Importance of Data Bank accounts Credit card, Salary, Income tax data University admissions, marks/grades Land records, licenses Data = crown jewels for organizations Recent headlines: Personal information of millions of credit card users stolen Criminal gangs get into identity theft Web applications been hacked dueto the database vulnerabilities
  4. Aspects of database security 1) DB Security Plan 2) Database Access Control 3) DBMS Security: Patching 4) DB Application: SQL injection, Inference Threats 5) Virtual Private Databases 6) Oracle Label Security 7) Inference Threats 8) Encryption 9) Auditing 10) Datawarehouse 11) Security Animations
  5. Access Control Default Users and Passwords Users, Passwords Default users/passwords sys, system accounts – privileged, change default password Sa (MS-SQL Server) scott account – well-known account/password, change it general password policies (length, domain, changing, protection) People Having too many privileges Privileges, Roles, Grant/Revoke Privileges System - actions Objects – data Roles (pre-defined and user-defined role) Collections of system privileges (example: DBA role) Grant / Revoke Giving (removing ) privileges or roles to (from) users
  6. Access Control (Continue) GRANT privilege_name ON object_name TO role_name; REVOKE privilege_name ON object_name FROM role_name;
  7. Access Control (Continue) Some important database priveleges: Select Insert Update Delete Index Alter Create database Drop database All Usage
  8. DB application Applications are often the biggest source of insecurity OWASP Top 10 Web Security Vulnerabilities Unvalidated input Broken access control Broken account/session management Cross-site scripting (XSS) flaws Buffer overflows (SQL) Injection flaws Improper error handling Insecure storage Denial-of-service Insecure configuration management Application Program Database
  9. SQL Injection SQL Injection Definition – inserting malicious SQL code through an application interface Often through web application, but possible with any interface Typical scenario Three-tier application (web interface, application, database) Overall application tracks own usernames and passwords in database (advantage: can manage users in real time) Web interface accepts username and password, passes these to application layer as parameters
  10. SQL Injection (Continue) Example: Application Java code contains SQL statement: String query = "SELECT * FROM users table " + " WHERE username = " + " ‘ " + username + " ‘ " + " AND password = " + " ‘ " + password + " ‘ " ; Note: String values must be single quoted in SQL, so application provides this for each passed string parameter Expecting one row to be returned if success, no rows if failure Common variant – SELECT COUNT(*) FROM …
  11. SQL Injection (Continue) Attacker enters: any username (valid or invalid) password of: Aa‘ OR ‘ ‘ = ‘ Query becomes: SELECT * FROM users_table WHERE username = ‘anyname‘ AND password = ‘Aa‘ OR ‘ ‘ = ‘ ‘; Note: WHERE clause => F and F or T => F or T => T AND has higher precedence than OR All user/pass rows returned to application If application checking for 0 vs. more than 0 rows, attacker is in
  12. SQL Injection Prevention How to resolve this? First (Attempted) Solution: Check Content Client code checks to ensure certain content rules are met Server code checks content as well Specifically – don’t allow apostrophes to be passed Problem: there are other characters that can cause problems -- // SQL comment character ; // SQL command separator % // SQL LIKE subclause wildcard character Which characters do you filter (blacklist) / keep (whitelist)?
  13. Reference Bertino, E., & Sandhu, R. (2005). Database security—concepts, approaches, and challenges. IEEE Transactions on Dependable and Secure Computing, 2(1), 2-18 Defense Information Systems Agency. (2004). Database security technical implementation guide, 7(1). Department of Defense. Retrieved January 31, 2010, from http://www.databasesecurity.com/dbsec/database-stig-v7r1.pdf Wilhelm Burger Mark J.Burge(2010) Digital Image Processing—An Algorithmic Introduction Using Java
  14. Thank you !
More Related