January 9, 2012
Overview
Introduction
Why database security?
How databases are hacked?
More on SQL Injection
How to protect against attacks?
Conclusions
References
Introduction
"By one estimate, 53 million people have had data about themselves exposed over the past 13 months." (InformationWeek, 03/20/2006) That is already old news: the number is now well over 100 million. Data theft is becoming a major threat, and criminals have identified where the gold is. In the last year the databases of many Fortune 500 companies were compromised. As we will see, compromising a database is not a big deal if it has not been properly secured.
Largest reported incidents, by number of records or people affected:

Rank  # of Records or People  Entity                                         Date of Incident or Report  Type of Incident
1     94,000,000              TJX, Inc.                                      2007-01-17                  Hack
2     90,000,000              TRW                                            1984-06-22                  Hack
3     40,000,000              Card Systems                                   2005-06-17                  Hack
4     30,000,000              Deutsche Telekom                               2008-11-01                  Exposure
5     26,500,000              U.S. Department of Veterans Affairs            2006-05-22                  Stolen Laptop
6     25,000,000              HM Revenue and Customs / TNT                   2007-10-18                  Lost Tapes
7     18,000,000              Auction.co.kr                                  2008-02-17                  Hack
8     18,000,000              National Personnel Records Center              1973-07-12                  Fire
9     16,000,000              Revenue Canada                                 1986-11-23                  Theft
10    12,500,000              Bank of New York Mellon / Archive Systems Inc. 2008-03-26                  Lost Tape
Want to be more scared? See the Chronology of Data Breaches:
http://www.privacyrights.org/ar/ChronDataBreaches.htm

Some estimated money losses:
ChoicePoint: $15 million
B.J.'s Wholesale: $10 million
Acxiom: $850,000
Providence Health System: $9 million

As of 2007 there were still more than 50 unpatched vulnerabilities in Oracle Database Server.
Even a server that is fully up to date with patches can still be easily hacked if it has not been properly secured otherwise.
Installing a rootkit/backdoor
A database rootkit hides the attacker's actions and database objects (accounts, procedures, jobs, and so on) from administrators. It is designed to steal data and send it to the attacker, and/or to give the attacker stealthy and unrestricted access at any given time.
Principle of Least Privilege
A user or process should have the lowest level of privilege required to perform its assigned task. If you know a specific user will only read from the database, do not grant it root or DBA privileges. Segregate users. Define roles.

Protecting against SQL injection
The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code. Coding techniques are available for protecting against SQL injection; the most important one is to never build SQL statements by concatenating user input, and to use parameterized queries instead.
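The vulnerable pattern beside its hardened form, as an added example in Python with SQLite (not code from the slides; the users table and the login functions are constructed for illustration). The concatenated version lets a classic `' OR '1'='1` password bypass authentication; the parameterized version sends the same input as data, so the quotes never reach the SQL parser.

```python
import sqlite3

# Constructed sample data; ids are assigned 1 and 2 in insertion order.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string concatenation: input becomes SQL grammar."""
    sql = "SELECT id FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterized query: the driver binds the values separately from the
    statement text, so a quote in the input is just a character in a string."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# The injected password turns the WHERE clause into
#   name = 'alice' AND password = '' OR '1'='1'
# which is true for every row because AND binds tighter than OR.
PAYLOAD = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "alice", PAYLOAD),
        "safe": login_safe(conn, "alice", PAYLOAD),
        "legit": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

A login routine that ever returns more than one row is itself a useful alarm: treat it as a failed login and log the input.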
Cross-Site Scripting
Dynamic websites suffer from a threat that static websites don't, called "Cross Site Scripting". Cross site scripting (also known as XSS) occurs when a web application accepts malicious data from a user and later produces an output page containing that data, rendered in a way that makes it appear to be valid content from the website. Many popular guestbook and forum programs allow users to submit posts with HTML and JavaScript embedded in them. Databases are a target too: a mass SQL injection attack can update up to 5000 rows in every table, replacing the strings in your database with XSS payloads that every page built from that data then serves to visitors. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible.

To prevent cross-site scripting:
Check that ASP.NET request validation is enabled.
Review ASP.NET code that generates HTML output.
Determine whether HTML output includes input parameters.
Review potentially dangerous HTML tags and attributes.
Evaluate countermeasures.
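Both halves of the problem in one added Python example (not code from the slides; the posts table, the injected script tag and the attacker host name are constructed for illustration): a scan of every text column for script-like content, which is how you find the rows a mass injection rewrote, and the output-encoding step that keeps whatever is stored from being rendered as markup, including inside attribute values.

```python
import html
import re
import sqlite3

# Constructed payload of the kind a mass SQL-injection worm appends to string
# columns; attacker.example is a placeholder host, not a real one.
INJECTED = '<script src="http://attacker.example/x.js"></script>'


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts (author, body) VALUES (?, ?)", [
        ("alice", "Hello, world"),
        ("bob", "Nice site" + INJECTED),
    ])
    conn.commit()
    return conn


# Coarse heuristic for script-like content; tune to the application's own data.
SUSPICIOUS = re.compile(r"<\s*(script|iframe)\b|javascript:|on\w+\s*=", re.IGNORECASE)


def find_injected_rows(conn):
    """Return (table, column, rowid) for every TEXT cell matching SUSPICIOUS.

    Table and column names cannot be bound as parameters; they are taken from
    the catalog, not from user input, and double-quoted as identifiers.
    """
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        info = conn.execute('PRAGMA table_info("%s")' % table).fetchall()
        text_cols = [r[1] for r in info if r[2].upper() == "TEXT"]
        for col in text_cols:
            for rowid, value in conn.execute('SELECT rowid, "%s" FROM "%s"' % (col, table)):
                if value and SUSPICIOUS.search(value):
                    hits.append((table, col, rowid))
    return hits


def render_vulnerable(author, body):
    """Raw interpolation: whatever is stored in the database becomes markup."""
    return '<div class="post" data-author="%s">%s</div>' % (author, body)


def render_safe(author, body):
    """HTML-encode on output; quote=True also encodes ' and ", which is what
    stops a value from breaking out of an attribute."""
    return '<div class="post" data-author="%s">%s</div>' % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )


if __name__ == "__main__":
    conn = make_db()
    print(find_injected_rows(conn))
    for author, body in conn.execute("SELECT author, body FROM posts"):
        print(render_safe(author, body))
```

Encoding on output is the durable fix: it protects data that was already in the database before the scan ran, and data that arrives through a path the input filter never saw.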
At file level
File and File System encryption
Backups, Data files, etc.
At database level
Column-level encryption. Database encryption APIs. Third-party solutions.
Conclusions
Protect your data as you protect your money! Think about it: if you lose data, you lose money.
Use third-party tools for encryption, vulnerability assessment, auditing, monitoring, intrusion prevention, etc.
Train IT staff on database security.
Ask us for professional services :).
References
A Chronology of Data Breaches Reported Since the ChoicePoint Incident
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Security & Privacy - Made Simpler
http://bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf
NTLM unsafe
http://www.isecpartners.com/documents/NTLM_Unsafe.pdf