Database Security
Agenda
Drivers
Methods: Basic Tools, Obtaining Credentials, Privilege Abuse, Privilege Elevation, Audit Evasion
Prevention: Query Access Control Lists (ACL), Connection Control, Database IPS, Independent Audit
Database Attacks
Motivation
Means
VERY simple and accessible tools. Some more sophisticated tools are gaining traction.
Opportunity
Thick clients. Loose internal network security. Ill-written applications.
Database Attacks
Basic Tools
The Problem:
Most internal users are not hackers. Some organizations have strict controls over local software installation.
The Solution:
Common software packages provide a DB front end.
E.g. Microsoft Excel, part of any Office deployment.
DB client software
E.g. SQL Query Analyzer, default with MS-SQL. E.g. Oracle SQL*Plus, default with Oracle. Similar clients exist for other database vendors.
Database Attacks
Obtaining Credentials
Total username / password combinations: (2^7)^12 = 2^84. Given a scan speed of 1000 hits/sec.
Time required:
~2^74 seconds, ~2^62 hours, ~2^58 days: 100,000,000,000,000,000,000 years.
Obtaining Credentials
Methods Exist to Dramatically Cut Time to Success
Given a scan speed of 1000 hits/sec. Server is practically dedicated to being attacked.
Time required:
~2^74 seconds, ~2^62 hours, ~2^58 days: 100,000,000,000,000,000,000 years.
Obtaining Credentials
Bad Password
Obtaining Credentials
Bad Username
Obtaining Credentials
Users need passwords they can remember. Otherwise they write them on Post-its or notes under their keyboard.
Obtaining Credentials
Database Attacks
Definition
Privilege Abuse
User has privileges to access the database for a specific purpose. Abuses those access privileges to retrieve data in an uncontrolled manner.
Hard to Protect
Granular and accurate column-level and row-level access control. Tight integration between DBA, programmer and Security Officer during the life cycle of an application.
Database Attacks
SQL Statements
Some cannot be restricted. Implementation is susceptible to buffer overflow.
E.g. Alter session set time_zone = <long string>; Create database link
Approx. 10 vulnerabilities in recent years
Database Attacks
xp_sprintf, ctx_output.start_log
Tens of vulnerabilities in recent years
Database Attacks
Attacker only needs network access to the server. Little research on the subject (mainly login messages).
Database Attacks
Audit Evasion
Many databases are not audited, so audit evasion is not an issue. Often only security failures are audited.
Most of the previously mentioned attacks will not be audited
Database Security
Audit
Log database activities (incl. DBA)
Protection
Alert on attacks and policy violations. Block on attacks and policy violations. Stops platform attacks.
Database Attacks
Database Protection
Query Access Control Lists (ACL), Connection Control
Time of Day, Client application restrictions, Failed logins
Database Protection
(ACLs)
Database Protection
Real-Time Verification of Usage. Alert on Policy Violation.
Business Activities: Queries, Stored Procedures, Privileged Operations, System Objects
(ACLs)
Database Protection
Misuse of thick client logins and passwords. Alert on use of other applications (e.g. a free query tool).
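The connection-control rules above (time of day, client application restrictions, failed logins) as a policy check over constructed connection records. This is an added example, not Imperva's code; the business hours, account names, client application names and failure threshold are assumptions.

```python
"""Connection-control policy check (added example, not Imperva's code).
Applies the slide's three controls -- time of day, client application
restrictions, failed logins -- to constructed (timestamp, account, app, outcome) records."""
from collections import Counter
from datetime import datetime

# Constructed policy. Hours and application names are assumptions:
# accounts listed in "allowed_apps" may only connect from those clients;
# accounts not listed are not application-restricted by this example.
POLICY = {
    "allowed_hours": range(8, 19),  # 08:00-18:59 assumed business hours
    "allowed_apps": {
        "erp_svc": {"ERP Client 4.2"},
        "dba_ops": {"SQL*Plus", "ERP Client 4.2"},
    },
    "max_failed_logins": 3,  # alert on the failure that exceeds this
}

# Constructed sample connection log.
SAMPLE_LOG = [
    ("2024-03-04 09:12:01", "erp_svc", "ERP Client 4.2", "ok"),
    ("2024-03-04 23:40:17", "erp_svc", "ERP Client 4.2", "ok"),   # outside business hours
    ("2024-03-04 10:05:44", "erp_svc", "Free Query Tool", "ok"),  # thick-client account in a free query tool
    ("2024-03-04 11:00:00", "dba_ops", "SQL*Plus", "ok"),
    ("2024-03-04 11:01:00", "intern", "Excel", "failed"),
    ("2024-03-04 11:01:05", "intern", "Excel", "failed"),
    ("2024-03-04 11:01:09", "intern", "Excel", "failed"),
    ("2024-03-04 11:01:12", "intern", "Excel", "failed"),  # fourth consecutive failure
]


def evaluate(log, policy=POLICY):
    """Return (account, rule, detail) alerts for every violation, in log order."""
    alerts = []
    failures = Counter()  # consecutive failed logins per account
    for ts, account, app, outcome in log:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if hour not in policy["allowed_hours"]:
            alerts.append((account, "time_of_day", f"connection at {ts}"))
        allowed = policy["allowed_apps"].get(account)
        if allowed is not None and app not in allowed:
            alerts.append((account, "client_app", f"{app} not approved for {account}"))
        if outcome == "failed":
            failures[account] += 1
            if failures[account] == policy["max_failed_logins"] + 1:
                alerts.append((account, "failed_logins", f"{failures[account]} consecutive failures"))
        else:
            failures[account] = 0  # a successful login resets the counter
    return alerts
```

Running `evaluate(SAMPLE_LOG)` yields three alerts: the after-hours connection, the thick-client account used from a free query tool, and the intern account exceeding three consecutive failed logins.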
Database Protection
Database IPS
Known Vulnerabilities
Detect attempts to exploit known vulnerabilities. Use a frequently updated signature database. Must target platform vulnerabilities.
Protocol Validation
No RFC. Rules are set based on protocol semantics and the behavior of common clients.
Database Protection
Independent Audit
Database Security Gateway
Audit outside the database server. No effect on the database: no effect on performance, no effect on stability.
(Diagram labels: Internal Users; Data Center; Proprietary Data and Critical Servers)
Segregation of duties
Audit trail cannot be tampered with by a privileged database user
Resilience
Not affected by database vulnerabilities
Database Protection
Assessment
Audit
Logs all activity (incl. DBA). Identifies activities that matter in real time.
Protection
Alerts on (blocks) attacks and policy violations. Stops platform attacks: database server software, operating system.
Thank You
Imperva, Inc.
3400 Bridge Parkway, Suite 101, Redwood Shores CA 94065 Sales: +1-866-926-4678 www.imperva.com