CS317 File and Database Systems

Transcription

1 CS317 File and Database Systems Lecture 12 DBMS Security Considerations November 13, 2017 Sam Siewert

2 Assignment #4 Grading Now Reminders Assignment #5, Physical DB Design Reviewing TEAMS Assignment #6, DBMS Project of Your Interest POSTED FINAL ORAL PRESENTATION Design Schema for DBMS project in a small team Logical design focus Normalization Physical is MySQL on PRClab Combine Network Applications with DBMS in C/C++, JDBC, or Python - Add Stored Programs and Triggers Add Views Create Transactions where needed Sam Siewert 2

3 Security Primer GENERAL PLATFORM SECURITY Sam Siewert 3

4 Key Issues NIST (National Institute of Standards and Tech) Department of Commerce Data privacy and protection FISMA (Federal Information Security and Modernization Act) Detailed categorization of federal information and systems (threat, risk, cost, benefit) - FIPS 199, FIPS 200, FIPS 800 v1, v2 How would YOU prioritize Data Security? 1. Data Privacy (Disclosure to unauthorized user, system, application) 2. Misuse of Data (Fraud, Identity Theft) 3. Fake Data (forged documents or credentials) 4. Access Privilege Violations (Seeing Co-worker salaries) 5. Data Corruption (Integrity, Veracity) 6. Denial of Service (Can t Access Data or Services due to Attack) 7. Data Loss (Restore from backup? - RTO/RPO) Sam Siewert 4

5 Recent Data Security Disasters and Lessons to Learn Equifax - facing potential judgment of corporate dissolution (corporate death penalty) Companies like this are data stewards, entrusted with personal financial data to provide services for pay - this is their job Why? million personal records compromised (financial records used in credit scores) Mistakes exposed in Congressional Hearings (6 Fresh Horrors From the Equifax CEO's Congressional Hearing) 1. Slow to act on knowledge of breach 2. Software vulnerability patching process (points of failure, human and automation) - one system had user=admin, pass=admin, Apache struts vulnerability ignored 3. Data storage of sensitive consumer information in plaintext 4. Quarterly security reviews (infrequent for primary business) 5. Not sure who is attacking them (or attacked) 6. Breach notification separate system (domain) Sam Siewert 5

6 Authorization and Access Control By Session Login By File (permissions) By Directory Host to Network (Known host Ethernet address, WWID) By Execution Privilege Level (root or user) sudo Authorized Users, Computers, and Applications Encrypted password, pass phrase, password hash (salt) - Randomness in Digital Cryptography: A Survey Avoid Dictionary and Birthday attacks Download password files (to crack) Use dictionary derived guesses Probability of one password matching any other is higher than one matching a specific Informed guessing and testing Require Authentication Proving you are who you claim you are Producing a pass phrase, an answer to a challenge question Key or smartcard Providing biometric scan 10% of the Internet Is Encrypted with Lava Lamps Marton, Kinga, Alin Suciu, and Iosif Ignat. "Randomness in digital cryptography: A survey." Romanian Journal of Information Science and Technology 13.3 (2010): Sam Siewert 6

7 Attacks on Security Early Famous Attacks DES (Banking) Encryption for ATM machines EFF Showed Weakness in DES (Cluster attack, then FPGA) Scramble to patch with Triple DES (1996 timeframe) NIST competition for AES (Advanced Encryption Standard) Cryptanalysis Capture Encrypted Data ( Man in the middle ) Capture Encryption code, key, or mechanism Capture Decryption code, key, or mechanism Analyze Examples to Deduce the Substitution and Transposition Cypher Code mappings Inverse Function Defense Very Large Cryptographic Hashing Functions 128-bit, 256-bit or larger random number generators Frequent Key Updates Sam Siewert 7

8 Denial of Service Rather than Gaining Unauthorized Access, Deny Other Authorized Users Access Bug System with 1000 s or Millions of Invalid Requests Per Second Flood Network with Bad Protocol or Packets Cause Routing Loops, Crash Services Remotely on Purpose Reason for Maximum Login Attempts Withdraw Prompt for Password to A Particular Network Client or Terminal Invalidate a Username Reason for Network Authentication of Clients Block All Traffic for a Specific IP or Ethernet Address Secure Physical Network Switches and Gateway Machines Sam Siewert 8

9 Malware Software Designed to Harm a Client or Exploit a Known Bug Trojan Horse Present Free Software, an Application, Plug-In, or other Method to Deliver an Application with Bad Intent User Agrees to Download without Authentication of Source or Verification of Code Data Digest (Unique Signature for Tested and Authentic Code) Beware of Free Software from Unknown Sources Virus Application Code that Installs Itself on a Computer in Key Operating System and Shared Data Locations Boot Code Commonly Used File system Code Transfer Malware via Shared Files, Networks, Disks (e.g. USB stick) Exploit Find Buffer Overflow on Widely Used Operating System or Networking Service to Exploit Buffer Overflow Provides Doorway to Modify Code Perfect Exploit in Private Lab, Release as Trojan Horse or Virus Rootkit Gain Access and Install Monitoring Software or Create Second Administrator Prviliege Password and Account Sam Siewert 9

10 Phishing Write A Program that Asks for a Password Run this on a Public Computing System Spoofing a Wellknown and Trusted Server Collect Login Credentials from Users (Produce Error Messages) Fake Requesting Credentials Fake Service or Business Front Impersonation of a Web Service (Re-direction of Traffic) Indicating your Are Over Quota Limits, Credit has Been Frozen, Etc. Followed by Request for Credentials Sam Siewert 10

11 Newer Threats Continue to Emerge Character Defamation Impersonation of Web Presence Defame a User - a.k.a. Fake News Influence a Stock Price ( Pump & Dump ) Confuse or Influence with specific purpose Identity Theft Creation of Accounts Using False Credentials Outright theft (credit card fraud) Less obvious - Sign up all identities for free Netflix trial Ransomware - Hold files hostage for payment to get back Cyber Attacks and Cyber Warfare Malware Designed to Harm or Deny Service to Physical Systems Using Process Control (Water, Power, Traffic Management, etc.) Financial Sector Attacks Discrediting a Company, Service Disruption of Exchanges and Banking Discrediting Governments, Spoofing, Replay Attacks Sam Siewert 11

12 White-hat Sites, Historic Attacks Wikipedia Overview on DEF CON Wikipedia on EFF BackTrack, Security Admin Tool for Analyzing Networks Alleged Cyber-warfare attack Stuxnet Motor Vehicle Attack Analysis Wired and Wireless Database Attacks Typically Stolen Account Information Playstation Attack April 17-19, Sony Blamed Anonymous, but Not Clear Who did it! JP Morgan Database Breach Home Depot Breach OPM Breach Many More Sam Siewert 12

13 Biggest Data Breaches Current (2017) Sam Siewert 13

14 Cybersecurity Some Databases for SOA (Service Oriented Architecture) with Cyberphysical Systems Growing Trend for Intelligent Transportation and Vechicle Telematics E.g. On-Star System uses Oracle DBMS Security not Just Records or Information Breaches Sam Siewert 14

15 Best General Defenses Encryption Used for Authentication, Data Exchange (e.g Secure Sockets), and to Sign and Verify All Updates and Upgrades Public Services, Ports, and Terminals Should be Limited Only Necessary Services SSH, SFTP No Plaintext Services FTP, Telnet Routine Monitoring and Logging Review all Connection Attempts and Login Attempts Review Logs for Services that Crash and Restart Installations, Updates, Upgrades Signed Drivers Modifications to Boot Code or CMOS/UEFI (Firmware) Security Patches and Updates from Trusted Sources Sam Siewert 15

16 Inside Threats Insiders with Physical Access to Machines and Networking Equipment Log all Entry / Exit to/from Data center and labs Cross-checks and Need-to-Know Limited Distributions of Sensitive Data No Password Sharing, Guest or Anonymous Accounts Delete Access and Accounts for Severed Relationships VPN Virtual Private Network Remote Access (Encrypted and Tunnels for Data from Authenticated Client to Host over SSL) Limit Data Removal on Media File Permission and ACL (Access Control List) Maintenance Sam Siewert 16

17 Extreme Protection Private Network, No Public LAN Limited Physical Access (Vault) Strong Encryption (E.g. AES 256 FIPS-197, or Larger Keys) AES Validation, Validation List Multi-method Authentication (Smartcard, Pass phrase, and Fingerprint) Compartmentalization - Limit Knowledge of Why Work is Being Done (Hide Global Purpose) Require Multiple Independent User Authentication Combined Key or Pass Phrase Access that Requires Two Logins [E.g. mysql-workbench SSH tunnel] Quotas on Bandwidth, Storage, Download, Session Time, Intrusion Detection Monitors, Port Monitors Sam Siewert 17

18 Encryption Methods Mathematical Hashing Functions One Way Hash Functions Digital Signatures, Authentication codes, Hash tables, Fingerprints Not Reversible, but Valuable in Protocol 1 to 1 Transposition and Substitution Mapping Functions Reversible Mathematical Transforms Y=f(X), X=f(Y) Security Based on: 1. Algorithm E.g. AES, Rijndael, RSA, PGP, DES, Triple-DES, 2. Key Length (Bits), Cypher Block Chaining 3. Key Exchange Protocol (Public or Private) Sam Siewert 18

19 Basic Encryption - Substitution Re-map Alphabet, 1-to-1 and On-to (function) A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z ssiewert@ssiewert-virtualbox:~/a320/crypto$./a.out A B C D E F G H I J K L M N O P Q R S T U V W X Y Z N A S I J K C M Q R F B D G H E L O P W T Z Y V U X TRANSLATE THIS! WONGPBNWJ WMQP! BETA>INTRODUCTION TO COMPUTERS QGWOHITSWQHG WH SHDETWJOP INTRODUCTION TO COMPUTERS BETA>abcdefghijklmnopqrstuvwxyz NASIJKCMQRFBDGHELOPWTZYVUX ABCDEFGHIJKLMNOPQRSTUVWXYZ BETA>exit JVQW EXIT Sam Siewert 19

20 Basic Encryption - Transposition Permute Text Block (e.g. up to 10 characters at a time) ssiewert@ssiewert-virtualbox:~/a320/crypto$./a.out ABCD ABCD TRAN>introduction to computers utcdnroiitc o ntopomuters introduction to computers TRAN>abcdefghijklmnopqrstuvwxyz gchfbdejaiqmrplnotksuvwxyz abcdefghijklmnopqrstuvwxyz TRAN>exit exit exit Sam Siewert 20

21 Basic Encryption Early Automation Substitution with transposition Enigma Code, U571 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z N A S I J K C M Q R F B D G H E L O P W T Z Y V U X TRANSLATE THIS! WONGPBNWJ WMQP! NNWBOGP WJWMQP! CRYPT>abcdefghijklmnopqrstuvwxyz NASIJKCMQRFBDGHELOPWTZYVUX CSMKAIJRNQLDOEBGHWFPTZYVUX CRYPT>introduction to computers QGWOHITSWQHG WH SHDETWJOP TWSIGOHQQWS H GWHEHDTWJOP CRYPT>exit JVQW JVQW Sam Siewert 21

22 Symmetric Key Concepts Encryption Keys Can I encrypt and decrypt with the same key? struct charmap submap[alphabet] = { {'A','N'}, {'B','A'}, {'C','S'}, {'D','I'}, {'E','J'}, {'F','K'}, {'G','C'}, {'H','M'}, {'I','Q'}, {'J','R'}, {'K','F'}, {'L','B'}, {'M','D'}, {'N','G'}, {'O','H'}, {'P','E'}, {'Q','L'}, {'R','O'}, {'S','P'}, {'T','W'}, {'U','T'}, {'V','Z'}, {'W','Y'}, {'X','V'}, {'Y','U'}, {'Z','X'} }; With the substitution Key, Yes // int transmap[block_size]= {6, 2, 7, 5, 1, 3, 4, 9, 0, 8}; int detransmap[block_size]={8, 4, 1, 5, 6, 3, 0, 2, 9, 7}; With the transposition Key, Yes This is a Symmetric Key System Sam Siewert 22

23 Better Key Management? One Time Stack of Keys Exchanged in Private by Sender and Receiver in Advance Agree to Use Different Symmetric Keys Based on Day of Year or some Universal Coordination Cycle Through 365 Different Keys Attacker Can Still Capture Stack of Keys Better Approach is a Public-Private Key System, E.g. PGP Public Key Shared Public Key Used to Encrypt Only (Digital Signature) Private Key Used to Decrypt Only (Authentication, Plaintext Recovery) Key Exchange Protocol and Key Rings Sam Siewert 23

24 Security for MySQL on PRClab Level 1 SSH Login and/or Tunnel Authentication Level 2 MySQL Authentication Level 3 MySQL Grants and Privileges by DB 24

25 E.g. SSH Tunnel Setup for mysqlworkbench Generate SSH Keys on PRClab for your account In directory.ssh Copy and paste id_rsa contents into file on your PC Truncated for security purposes Start up mysql-workbench on your PC and set up SSH Tunnel using id_rsa private key on your PC Sam Siewert 25

26 SSH Tunnel Configuration SSH Tunnel PRClab Account PRClab id_rsa PRClab MySQL username Sam Siewert 26

27 SSH Tunnel Connection to DB Enter PRClab Password Enter MySQL PRClab Server Password Now workbench is connected to PRClab MySQL Server over Tunnel Sam Siewert 27

28 Summary Take a Cybersecurity Class E.g. CI311 (Operations) and CS303 (Design/Implementation) Tutorial Papers Big Iron Lessons 5 & 6 Old-Mathematics.pdf In Practice Used by Egypt to Present Day Cryptanalysis Time Should be Larger than the Time the Information is Sensitive or Private Assume All Codes Can Eventually Be Broken with Sufficient Computing and Man-in-Middle Samples [Change Keys, Pass Phrases, Passwords, etc. Often] Critical for Secure Military Communications Considered a Munition, Export Controlled Security Features Should Be Designed In and Patched Often as Threats Emerge Sam Siewert 28

29 Embry Riddle Courses to Go Deeper Sam Siewert 29

30 Encryption Substitution Take Away Transposition cypher blocks Mathematical Basis (mapping functions, random number generation, large hashing functions, one-way and reversible) Secure Systems Authorization Authentication and Access Control Denial of Service Trojan Horses, Malware, Exploits [E.g. Buffer Overflow] Sam Siewert 30

31 C&B Reference - Chapter 20 - Security DBMS SECURITY NOTES Sam Siewert 31

32 Chapter - Objectives The scope of database security. Why database security is a serious concern for an organization. The type of threats that can affect a database system. 32

33 Chapter - Objectives How to protect a computer system using computerbased controls. The security measures provided by Microsoft Office Access and Oracle DBMSs. Approaches for securing a DBMS on the Web. 33

34 Database Security Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource. Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and confidential. 34

35 Database Security Mechanisms that protect the database against intentional or accidental threats. Security considerations do not only apply to the data held in a database. Breaches of security may affect other parts of the system, which may in turn affect the database. 35

36 Database Security Involves measures to avoid: Theft and fraud Loss of confidentiality (secrecy) Loss of privacy Loss of integrity Loss of availability 36

37 Database Security Threat Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organization. 37

38 Summary of Threats to Computer Systems 38

39 Typical Multi-user Computer Environment 39

40 Countermeasures Computer-Based Controls Concerned with physical controls to administrative procedures and includes: Authorization Access controls Views Backup and recovery Integrity Encryption RAID technology 40

41 Countermeasures Computer-Based Authorization Controls The granting of a right or privilege, which enables a subject to legitimately have access to a system or a system s object. Authorization is a mechanism that determines whether a user is, who he or she claims to be. 41

42 Countermeasures Computer-Based Access control Controls Based on the granting and revoking of privileges. A privilege allows a user to create or access (that is read, write, or modify) some database object (such as a relation, view, and index) or to run certain DBMS utilities. Privileges are granted to users to accomplish the tasks required for their jobs. 42

43 Countermeasures Computer-Based Controls Most DBMS provide an approach called Discretionary Access Control (DAC). SQL standard supports DAC through the GRANT and REVOKE commands. The GRANT command gives privileges to users, and the REVOKE command takes away privileges. 43

44 Countermeasures Computer-Based Controls DAC while effective has certain weaknesses. In particular an unauthorized user can trick an authorized user into disclosing sensitive data. An additional approach is required called Mandatory Access Control (MAC). 44

45 Countermeasures Computer-Based Controls DAC based on system-wide policies that cannot be changed by individual users. Each database object is assigned a security class and each user is assigned a clearance for a security class, and rules are imposed on reading and writing of database objects by users. 45

46 Countermeasures Computer-Based Controls DAC determines whether a user can read or write an object based on rules that involve the security level of the object and the clearance of the user. These rules ensure that sensitive data can never be passed on to another user without the necessary clearance. The SQL standard does not include support for MAC. 46

47 Popular Model for MAC (Mandatory Access Control) called Bell-LaPadula 47

48 Countermeasures Computer-Based Controls View Is the dynamic result of one or more relational operations operating on the base relations to produce another relation. A view is a virtual relation that does not actually exist in the database, but is produced upon request by a particular user, at the time of request. 48

49 Countermeasures Computer-Based Backup Controls Process of periodically taking a copy of the database and log file (and possibly programs) to offline storage media. Journaling Process of keeping and maintaining a log file (or journal) of all changes made to database to enable effective recovery in event of failure. 49

50 Countermeasures Computer-Based Controls Integrity Prevents data from becoming invalid, and hence giving misleading or incorrect results. Encryption The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key. 50

51 Setting the Insert, Select, and Update privileges 51

52 DBMSs and Web Security Internet communication relies on TCP/IP as the underlying protocol. However, TCP/IP and HTTP were not designed with security in mind. Without special software, all Internet traffic travels in the clear and anyone who monitors traffic can read it. 52

53 DBMSs and Web Security Must ensure while transmitting information over the Internet that: inaccessible to anyone but sender and receiver (privacy); not changed during transmission (integrity); receiver can be sure it came from sender (authenticity); sender can be sure receiver is genuine (nonfabrication); sender cannot deny he or she sent it (nonrepudiation). 53

54 DBMSs and Web Security Measures include: Proxy servers Firewalls Message digest algorithms and digital signatures Digital certificates Kerberos Secure sockets layer (SSL) and Secure HTTP (S- HTTP) Secure Electronic Transactions (SET) and Secure Transaction Technology (SST) Java security ActiveX security 54

55 How Secure Electronic Transactions (SET) Works 55