330 likes | 453 Views
Database Security. An Overview. Why is database security important?. Databases often store sensitive data Incorrect data or loss of data could negatively affect business operations Databases can be used as bases to attack other systems Data is a valuable resource!.
E N D
Database Security An Overview
Why is database security important? • Databases often store sensitive data • Incorrect data or loss of data could negatively affect business operations • Databases can be used as bases to attack other systems • Data is a valuable resource!
Database Vulnerability Exploitation A decade ago, attacks were • Broad based • Launched by disaffected “Hackers” • Intended to disrupt, gain respect / notoriety in the community Now, attacks are • Targeted against specific resources • Launched by sophisticated professionals • Intended to bring monetary gain to the attacker
Meet a Hacker • Kevin Mitnick went on a 2 ½ year coast-to-coast hacking spree • He hacked into computers, stole corporate secrets, scrambled phone networks and broke into the national defense warning system • Mitnick was caught and convicted in 1995; He served five years, 8 months of it in solitary confinement • He is now a computer security consultant, author and speaker.
Problems with Hacking • Invasion of privacy • Theft of information • Trespassing/unauthorized entry • Potential for damage • Mitigation cost
Hacking Legality • It is illegal to break and enter a private or public network without permission • Technology makes it easier for companies to identify hackers • Penalties • Fines from $500-10,000 • Up to 5 years in prison
Causes of Data Breach http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide__CODB_US
Attack Analysis http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide__CODB_US
Organizational Cost http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide__CODB_US
Why is Security Difficult? • No system can be 100% secure • Difficult to prove good security • Bad security gets proven for us • Good security and no security can look the same • Many things to secure • People • Equipment • Operating System • Network • Applications • Databases • Application Servers
Hardening Databases • Follow the principle of least privilege • Manage user accounts • Create views • Use firewalls/access control • Enforce password security • Protect physical security • Be wary of SQL injection
Principle of Least Privilege • Giving a user only those privileges which are essential to do his/her work • Databases and tables • Columns and rows • Actions • INSERT, UPDATE, DELETE • CREATE/DROP/ALTER • GRANT option • Connections • Allow Joe to login from any campus IP address • GRANT […] ON somedb.sometable TO joe@’128.255.0.0/255.255.0.0’;
GRANT SELECT ON Employee TO Red GRANT SELECT ON Employee TO Black WITH GRANT OPTION GRANT UPDATE(Salary) ON Employee TO White Grant and Revoke Black Red Brown (owner) White
Example • Create a user that has read-only access to the presidents table. CREATE USER 'black'@'localhost' IDENTIFIED BY 'black123'; GRANT SELECT ON sampdb.president TO black; SELECT * FROM president; SELECT * FROM student; DELETE FROM president WHERE first_name = ‘Calvin’
Revoking Privileges GRANT SELECT ON sampdb.president TO black;REVOKE SELECT on sampdb.presidentFROM black; GRANT SELECT, UPDATE ON sampdb.studentTO red;REVOKE UPDATE on sampdb.studentFROM red; You can only revoke privileges that have been granted!
Password Security • Strong passwords are a must • Default passwords are widely known & publicized • MySQL Defaults • Account: root / Password: null • Account: admin / Password: admin • Password policy control • Limit # of failed login attempts • Limit # of times password can be reused • Expire passwords after a certain length of time • Encrypt passwords
Password Encryption CREATETABLEusers( username VARCHAR( 30 ) NOTNULL ,access_levelTINYINT( 1 ) ,passwordVARCHAR( 40 ) ,PRIMARYKEY ( username ) ); SELECT access_levelFROM usersWHERE username = 'jshmo'AND PASSWORD = SHA1( 'shmo123' ); INSERT INTO users VALUES ('jshmo', 1, SHA1( 'shmo123' )), ('ssmith', 2, SHA1( 'bubb13s' ));
Views • A view is essentially a saved query • A view is a “virtual table” that can be queried just like a real table • Any query can be saved as a view, but not all views are updateable • The view data is not stored, only the view definition
Create Views Employee Table CREATE VIEW toy_dept AS SELECT Name, Salary, Manager FROM Employee WHERE Dept=“Toy”; SELECT * FROM toy_dept;
Practice Using sampdb: • Create a view called quiz_view that displays the student ID, student name, event ID, event date and score for all Quizzes • Query the view • Display all of the rows in the view • Display the rows in the view where the score is greater than 15 • Change the score for student_id 1, event_id 1 to 19
Why use views? • Security • Hide information from certain users • Simplicity • Simplify complex queries • Flexibility • Change your database structure without changing the applications that access that database • Usability • Table columns can be renamed in the viewCREATE VIEW studentView(StudentName, StudentSID) AS SELECT name, sid FROM student;
WITH CHECK OPTION • WITH CHECK OPTION specifies that changes cannot be made to the view unless they are visible to the view CREATE VIEW cust AS SELECT * FROM customers WHERE balance > 1000 WITH CHECK OPTION UPDATE cust SET balance = 500WHERE custID = 99; will FAIL!
Protect Physical Security • Database servers should be physically secure • Limit access to only authorized personnel • Protect against fire, power failure, water, and heat • Dispose properly of broken disk drives • Protect backup media
Backup and Recovery • Common causes of database failure • Hardware failure • Program bug • Human error • Malicious actions • Recovery • Fallback procedures • Restore from backup • Replay database activities since backup http://dev.mysql.com/doc/refman/5.0/en/backup-and-recovery.html
SQL Injection • SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. • Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you an SQL statement that you will unknowingly run on your database.
How it Works $name = $_POST[‘name’]; $query = "SELECT * FROM customers WHERE username = '$name'"; echo $query . "<br />"; Name: Timmy SELECT * FROM customers WHERE username = 'timmy' Name: ' OR 'x'='x SELECT * FROM customers WHERE username = '' OR ‘x’=‘x’
How it Works $name = $_POST[‘name’]; $query = "SELECT * FROM customers WHERE username = '$name'"; echo $query . "<br />"; Name: '; DELETE FROM customers WHERE 1 or username = ' SELECT * FROM customers WHERE username = ' '; DELETE FROM customers WHERE 1 or username = ' '
Preventing SQL injection • Filter data using mysql_real_escape_string() • Check that each piece of data is the right type • Use prepared statements SELECT * FROM customers WHERE username = ‘\' OR \‘x\’=\‘x’
Prepared Statements <?php$stmt = $dbh-> prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");$stmt->bindParam(':name', $name);$stmt->bindParam(':value', $value);// insert one row$name = 'one';$value = 1;$stmt->execute();// insert another row with different values$name = 'two';$value = 2;$stmt->execute();?>
Establishing a Security Mindset • Be Curious • Be Proactive • Be Paranoid • Be Cautious • Be Educated • Be a Minimalist • Be Vigilant
Resources • D.Litchfield, C.Anley, J. Heasman, B. Grindlay, The Database Hacker’s Handbook – Defending Database Servers, Indianapolis: Wiley Publishing Inc., 2005. • http://databasesecurity.com • http://blogs.msdn.com/raulga/archive/2007/01/04/dynamic-sql-sql-injection.aspx • http://msdn.microsoft.com/msdnmag/issues/05/06/SQLServerSecurity/default.aspx • http://www.cgisecurity.com