Nov 20, 2013

DATABASE SECURITY, AUTHORIZATION, AND ENCRYPTION

BY: Eric McChriston, Mitchell Smith

INTRODUCTION


Database security is divided into three separate, interconnected areas.

1. Secrecy: concerned with improper disclosure of information.

2. Integrity: concerned with improper modification of information or processes.

3. Availability: concerned with improper denial of access to information.


HISTORY

Over the years: The importance of security in database research has greatly increased. Most of the critical functionality of business and military enterprises became digitized.

Information about database security: A database is an integral part of any information system, and databases often hold sensitive data. The security of the data depends on physical security, operating system (OS) security and database management system (DBMS) security.

Database security can be compromised by obtaining sensitive data, changing data or degrading availability of the database.

Over the years: In the last 30 years the information technology environment has gone through many changes, and the database research community has tried to stay a step ahead of the upcoming threats to database security. The database research community had thought about these issues long before they were addressed by implementations.

By tradition, databases have been essentially secured against hackers through network security measures such as firewalls and network-based intrusion detection systems.


DATABASE SECURITY


Database security is the system, processes, and procedures that protect a database from unintended activity.


BASIC SECURITY CLASSIFICATION LEVELS

(TS) or Top Secret is the highest level

(S) or Secret

(C) Confidential

(U) Unclassified is the lowest level

Everything from the user and account to a tuple and column is classified within the database.


EXAMPLES BASED ON CLASSIFICATION LEVELS:

A subject (T) will not be allowed read access to an object (S) unless class(T) >= class(S).

This example is known as the simple security property.

A subject (T) will not be allowed to write an object (S) unless class(T) <= class(S).

This example is known as the star property (or * property).
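
Added example (not part of the original slides): a small Python reference monitor that applies the simple security property and the star property to a table whose tuples each carry a classification. The table contents, the "tc" field and the function names are constructed for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    """Classification levels from the slide, ordered lowest to highest."""
    U = 0   # Unclassified
    C = 1   # Confidential
    S = 2   # Secret
    TS = 3  # Top Secret


def can_read(subject: Level, obj: Level) -> bool:
    """Simple security property: read only if class(subject) >= class(object)."""
    return subject >= obj


def can_write(subject: Level, obj: Level) -> bool:
    """Star property: write only if class(subject) <= class(object)."""
    return subject <= obj


# Constructed sample relation: "tc" is the classification of the whole tuple.
EMPLOYEES = [
    {"name": "Alice", "salary": 90000, "tc": Level.U},
    {"name": "Bob", "salary": 120000, "tc": Level.C},
    {"name": "Carol", "salary": 150000, "tc": Level.S},
    {"name": "Dave", "salary": 200000, "tc": Level.TS},
]


def select(subject: Level, table):
    """Return only the tuples the subject is cleared to read (no read up)."""
    return [row for row in table if can_read(subject, row["tc"])]


def insert(subject: Level, table, name: str, salary: int, tc: Level):
    """Add a tuple labelled tc; refuse labels below the subject (no write down)."""
    if not can_write(subject, tc):
        raise PermissionError(
            f"{subject.name} subject may not write {tc.name} data")
    table.append({"name": name, "salary": salary, "tc": tc})


if __name__ == "__main__":
    table = [dict(row) for row in EMPLOYEES]
    print([r["name"] for r in select(Level.S, table)])
    insert(Level.S, table, "Frank", 175000, Level.TS)  # write up is allowed
    print([r["name"] for r in select(Level.S, table)])  # Frank stays hidden
```

A Secret subject can insert a Top Secret tuple but cannot read it back, which is the combined effect of the two properties.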


SECURITY RISKS THAT OCCUR IN DATABASE SYSTEMS:

Illegal activity by hackers, or errors and mishaps by authorized users, managers, or administrators

Viruses or infections

Overloading and capacity issues that prevent users from using the database

Physical damage to the servers

Design or programming errors

Corruption of data or loss of data through invalid commands or data entry


TYPES OF INFORMATION SECURITY CONTROLS FOR A DATABASE:


Access Control


Auditing


Encryption


Backups


Data Integrity


ACCESS CONTROL


Controlling who can access the database and what they are able to view within the database.

Example: user ID and password



AUDITING

Process that monitors the actions of users on the database.

This helps security administrators and others to be aware of suspicious activity being conducted on the database.


ENCRYPTION

Encryption in a database is the process of turning the text/data into an unreadable state that is readable only to those who possess the encryption key(s).

Most encryption is controlled by a Data Base Management System, and in some cases it may be default and automatic.

Example: jh3#HT987s1a5]nS32onM


BACK-UPS

Process that brings the database back to its previous state if a software error, corruption, or deletion of data occurs.

Backups have to store a lot of data, and managing this data can be a very complicated task.

Incremental backups are frequently used; these only record the changes from the previous backup. This helps save storage space, but they are more complex.

Remember when storing the backup files to always store them away from the data source.


DATA INTEGRITY

Is the accuracy and consistency of data in the database.

Data integrity in a database starts at the design stage through the use of rules and procedures.

Example: Each record should have a unique identifier


10 BEST PRACTICES FOR DATABASE SECURITY AND COMPLIANCE

Article was written by Phil Neray, who is the Vice President of Data Security at InfoSphere Guardium & Optim.

“Discover: Data can’t be secured if you don’t know it exists in the first place. Discover all locations of sensitive data including rogue databases and legacy applications. Don’t forget about non-regulated data and corporate intellectual property (IP) such as strategic plans, product designs and proprietary algorithms. Execute automated discovery scans on a regular basis because sensitive data locations are constantly changing.”


“Assess vulnerabilities: Regularly assess database configurations to ensure they don’t have security holes or missing patches. Use standard checklists such as the CIS Database Server Benchmarks and the DISA Security Technical Implementation Guides (STIGs). Don’t forget to check OS-level parameters such as file privileges for database configuration files and database configuration options such as roles and permissions, or how many failed logins result in a locked account (these types of database-specific checks are typically not performed by network vulnerability assessment scanners).”


“Harden the database: The result of a vulnerability assessment is often a set of specific configuration recommendations to take as next steps. You should also remove all database functions and options that you don’t use.”


“Audit configuration changes: Once the hardened configuration is established, continually track it to ensure the “gold” configuration hasn’t changed. Use change auditing tools that compare configuration snapshots and immediately alert whenever a change is made that affects your security posture.”


“Deploy Database Activity Monitoring (DAM) and Database Auditing: Continuous, real-time monitoring is crucial for rapidly detecting suspicious or unauthorized activity, such as a customer service rep downloading hundreds of customer records in a single day. Monitoring privileged users -- such as DBAs, developers and outsourced personnel -- is also a requirement for most compliance regulations, as well as for detecting intrusions from outside attackers, since cyber attacks frequently result in the attacker gaining control of privileged accounts. DAM is also essential for finding “behavioral vulnerabilities” such as users sharing privileged credentials. Database auditing allows organizations to generate a secure, non-repudiable audit trail for all critical database activities -- such as creation of new accounts and viewing or changing sensitive data -- and it’s also important for forensic investigations.”


“Authenticate, control access and manage entitlements: Controlling access to sensitive data on a “least privilege” basis is essential to ensuring full accountability. You should also periodically review entitlement reports as part of a formal audit process.”


“Monitor the application layer: Well-designed DAM solutions associate specific database transactions performed by the application with specific end-user IDs, in order to deterministically identify individuals violating corporate policies. In addition, combining database auditing information with OS and network logs via a security information and event management (SIEM) system to see everything that a user has done can also provide critical information for forensic investigations.”


“Encrypt: Encryption renders sensitive data unreadable, so an attacker can’t gain unauthorized access to data from outside the database. File-level encryption at the OS layer, combined with granular real-time monitoring and access control at the database layer, is typically accepted as a practical alternative to column-level encryption.”


“Mask test data: Masking is a key database security technology that de-identifies live production data, replacing it with realistic but fictional data that can then be used for testing, training and development purposes, because it is contextually appropriate to the production data it has replaced.”


“Automate and standardize compliance processes: Most compliance regulations require implementation of data security measures to reduce risks to a reasonable and appropriate level. Achieving compliance is not only important because no one likes to fail an audit, but it also provides third-party validation that your organization has implemented the proper controls to ensure the confidentiality, integrity and availability of your data. Automating and standardizing compliance processes is essential for reducing compliance costs, minimizing last-minute audit fire drills and easily addressing ever-changing regulations.”


“Once these 10 steps have been taken, enterprises should feel confident that they have taken
the necessary steps to mitigate the risk of a data breach.”


AUTHENTICATION METHOD IN ORACLE

Each user must create a password and use it when connecting to the database.

This procedure helps to prevent unauthorized users from accessing the database.

The password is then encrypted and stored in the data dictionary. Even when the password is used to connect to the database, it is sent encrypted using the Data Encryption Standard.

ACCOUNT LOCKING

Oracle uses account locking to lock a user's account if (1) login attempts fail a specific number of times, in which case the account stays locked only for a certain amount of time and is unlocked automatically, or (2) a Database Administrator locks the account manually, in which case only the DBA can unlock it.



PASSWORD EXPIRATION

The DBA is in charge of setting the expiration date on the password.

Once the password has expired, the user is alerted with a message prompting them to change the password. If the password is not changed within a period of time, the account is locked.



PASSWORD COMPLEXITY VERIFICATION

Is the password complex enough to stop intruders from guessing it?

Requirements:

Has to have a minimum of 4 characters

Has to be different from the userid

Must consist of at least one number, one letter, and one punctuation mark

Can't be simple words like user, database, etc.

Has to be different from the previous passwords
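
Added example (not part of the original slides and not Oracle's own verification routine): a Python check that applies the five requirements listed for password complexity verification and reports every rule a candidate password breaks. The rule wording, the extra entries in the simple-word list and the salted-hash password history are assumptions made for illustration.

```python
import hashlib
import hmac
import string

MIN_LENGTH = 4  # minimum length stated on the slide
# The slide names "user" and "database"; the other entries are assumed.
SIMPLE_WORDS = {"user", "database", "password", "welcome"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash, so the history never stores clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def violations(userid: str, password: str, history) -> list:
    """Return the rules broken by password; an empty list means it passes.

    history is a list of (salt, hash) pairs for the user's earlier passwords.
    """
    found = []
    if len(password) < MIN_LENGTH:
        found.append("shorter than 4 characters")
    if password.lower() == userid.lower():
        found.append("same as userid")
    if not any(c.isdigit() for c in password):
        found.append("no number")
    if not any(c.isalpha() for c in password):
        found.append("no letter")
    if not any(c in string.punctuation for c in password):
        found.append("no punctuation mark")
    # Assumption: compare only the letters, so "user1!" still counts as "user".
    letters = "".join(c for c in password.lower() if c.isalpha())
    if letters in SIMPLE_WORDS:
        found.append("simple word")
    for salt, old_hash in history:
        if hmac.compare_digest(hash_password(password, salt), old_hash):
            found.append("reuses a previous password")
            break
    return found


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value
    history = [(salt, hash_password("Tr1cky#Old", salt))]
    for candidate in ("Tr1cky#New", "Tr1cky#Old", "user1!", "abc"):
        print(candidate, violations("scott", candidate, history))
```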


SECURITY CHECKLISTS IN ORACLE

Physical Access Control Checklist

Personnel Checklist

Secure Installation and Configuration Checklist

Networking Security Checklists


PHYSICAL ACCESS CONTROL CHECKLIST

Showing proper authorization should be the initial line of security in order to protect your data and staff.

Without this, it is easier for intruders to steal information from the database.

Organizations must properly evaluate their risks and how many visitors are coming and going, and address the risks with proper measures, e.g. a surveillance system.

Improving physical access control increases security in a company by making it harder to get in, remain in, and leave without being detected and leaving a trail.


PERSONNEL CHECKLIST

The security of the organization is dependent on its staff.

The staff must be honest, trustworthy and aware of security threats.

When hiring a staff member, always perform background checks and observations first; by doing this the organization can avoid hiring the wrong people.

Train your employees so they are aware of all threats within the organization.

By doing this you are protecting the employees and the data within the organization.


SECURE INSTALLATION AND CONFIGURATION CHECKLIST

Only install what you need; avoid installing products that you won't use

Lock and expire default user accounts

Change all default passwords after installation to keep unauthorized users from accessing the database

Enable data dictionary protection

Only allow users the privileges necessary to do their jobs

Authenticate users properly

Patch all security holes as soon as possible


NETWORK SECURITY CHECKLISTS

Network communication is improved when using the client, listener, and network checklists for ongoing protection. Using SSL with these lists also provides top security for communication and authentication.

SSL (SECURE SOCKETS LAYER) CHECKLIST

SSL is an Internet standard protocol for ensuring secure communication and providing mechanisms for data integrity and data encryption. These mechanisms protect messages sent and received by you and the server.

Make sure configuration files use the proper port for SSL, and if a firewall is in place it also needs to use the same port for secure communication.

Be certain that SSL is consistent at both ends of the communication.


CLIENT CHECKLIST

Instead of authenticating client computers, user authentication is done, to avoid issues that include falsified IP addresses, hacked systems, or stolen identities.

Establish connection to SSL

Set up authentication for clients and servers


LISTENER CHECKLIST

Restrict the listener's privileges, so it can't attempt to read or write files within the database

Secure administration by the following:

Password protect the listener

Cut out on-line administration

When administering the listener, use SSL

Monitor listener activity


NETWORK CHECKLIST

Limit physical access to the network; this helps to prevent unauthorized devices from interfering with network communication

Guard all network access points to prevent unauthorized access

Use encryption when transferring data on line

Use firewalls to keep external users out of the organization's intranet, and also keep the database server behind a firewall

Avoid accepting anything from unknown sources

MODERN DAY

Today's database security concerns the use of an extensive variety of information security controls to protect databases.

Database security is a specialist topic within the broader realms of computer security, information security and risk management.

Security risks include: Unauthorized or unplanned activity or misuse by authorized database users, database administrators, or network/systems managers, or by unauthorized users or hackers.

Malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems and the unanticipated failure of database services.

Overloads, performance restrictions and size issues resulting in the failure of authorized users to use databases as intended.

Physical damage to database servers caused by computer room fires or floods, overheating, lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures and obsolescence.

Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities and data loss/corruption.

Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in database or system administration processes, sabotage/criminal damage etc.


ENCRYPTION


What is it? Encryption is the alteration of data into a form, called ciphertext, that cannot be easily understood by unauthorized people. Decryption is the method of transforming encrypted data back into its original form, so it can be understood.

How did it evolve? The earliest form of encryption is believed to date all the way back to the Egyptians, whose hieroglyphics had some hidden meanings that did not fit into context with the rest of the writings.


FORMS OF ENCRYPTION

AES Encryptions Broken: Although much more secure than their DES counterparts, the AES Encryption has been shown to be exploitable as well. The Wi-Fi Encryption Scheme (WEP) is a modern day AES system that has been broken. In 2005 the FBI held a demonstration where they broke into a WEP network in 3 minutes.

Content Scrambling System: This system, which is used in all DVDs and DVD players, is a holdover from before 1996, when the government regulated the length of encryption keys, and has been broken on countless occasions.

GSM Communications: GSM Communications are the encryptions used by A5/1 and A5/2 cellphone roaming networks, which 98% of all cellphones are on, and have also been cracked.

REFERENCES:

http://docs.oracle.com/cd/B12037_01/network.101/b10773.pdf

Wikipedia.org

http://www.ctoedge.com/content/beating-breach-10-best-practices-database-security-and-compliance

Darkreading.com

Towercare.com

DATABASE VIDEO

http://www.youtube.com/watch?v=UtWr03BjTmI