Holistic Database Security

Size: px

Start display at page:

Download "Holistic Database Security"

Kristopher Lewis
5 years ago
Views:

1 Holistic Database Security 1

2 Important Terms Exploit: Take advantage of a flaw or feature Attack Surface: Any node on the network that can be attacked. That can be the UI, People, anything that touches data. Hack: Anything can be hacked. Do something it was not intended to do or something you did not think it could do. Spillage: Sensitive data has spilled outside it s protected environment. It may not be compromised. Leak: Sensitive data has spilled outside of it s protected environment. It has been compromised. 2

3 Brain Hacking Demo Anything can be hacked. Hacking is getting something to do what it was not intended to do or something you did not think it could do. Young man, success comes in can, failure comes in can t. Adm Grace Hopper to a young Robert Lockard

4 Holistic Database Security 4

5 The crowning achievement of my career. 5

6 Don t get invited to a Congressional Committee 6

7 This is how we frequently view our data. 7

8 We are the stewards of our customer's data. She is trusting you. 8

9 Cloud Security Issues... Source Data X border encryption 9

10 SA Attack Surface People Users Listener Network Man in the middle Data on Disk Compromised Ghost Database Backup Lost Application Web Server Back end Code Storing Usernames / Password hash Rainbow Table Demo UI 10

11 RMAN Column Requires Additional Engineering Tablespace At Rest (TDE) External Table Datapump Demo Database Encryption Ghost Data Demo Algorithm 3DES168 AES256 Integrity Network Require Request AES192 DEFAULT AES128 Accepted Rejected 11

12 Factor Concept Database Vault Methods By Day Time of Day Database Trusted Path Real Application Security sys_context ACCESSABLE BY By subnet By Authentication Method VPD PL/SQL GRANT Roles to Packages / Functions / Procedures Redaction Demo 12

13 New Altered Objects Tripwire Grants ORACLE_HOME Roles Configuration Drift Users Connections New Dropped Frequency 13

14 Full Tablespace Encryption Map all ways to get to the data Audit Reports Four things a DBA Can Do Now Trusted Path Risks Per Path Identify all sensitive data Who connected Changes Objects ORACLE_HOME SQLPLUS SQLDeveloper Login Failures Multiple Logins Script Reports 14

15 4 things developers can do now to improve security Oooopsy, I lied, there are more than 4 things. :-) Invoker / Definer rights identify all dynamic SQL and PLSQL Bind Variables rock Assign Role to package / procedure / function Four things a Developer can do now Code Reviews Accessible by Put everything in packages Split up your packages Helper Non-Sensitive sensitive 15

16 What Else Can we do now Developers work with DBA and Security I know that like cats leading blind dogs 16

17 17

18 PEOPLE Exploit em Unmet Needs ideology Weakness Changed Drugs Finance Gambling 18

19 SQL Injection Demo 19

20 SQL Injection If you think I m picking on Oracle you're wrong. These examples are specific to Oracle however; do to MS SQL Server language implementation, it s more vulnerable to SQL Injection. In Oracle SQL Injection I can only add one command per SQL Injection. In MS SQL server, I can string as many commands as will fit in the line buffer into my SQL Injection. That makes the bad guys job much easier. And yes, DB2 has it s own set of issues. Because DB2 has implemented Oracle PL/SQL language, the same mitigations I show in secure coding can be applied to DB2. 20

21 Separate your data from your code APP non sensitive package non sensitive tables App sensitive packag Sensitive Tables SQL INJECTION BUG 21

22 Separate your data from your code APP SQL INJECTION BUG API App objects non sensitive package App sensitive packag grant execute to APP sensitive select API Sensitive Tables sensitive select role grant select to role 22

23 Separate your data from your code APP API App objects non sensitive package X App sensitive packag accessible by sensitive select API Sensitive Tables grant role to package sensitive select role grant select to role 23

Resources http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf https://docs.

24 Resources

25 Contact Information blog: youtube: 25

Oracle Database Security

Oracle Database Security Top Things You Could & Should Be Doing Differently Simon Pane November 17, 2016 About ME Pythian Solution Architect Working with Oracle DB since version 6 Oracle Certified Professional: