Making the Most of InfoSphere Guardium Vulnerability Assessment

Transcription

1 Making the Most of InfoSphere Guardium Vulnerability Assessment Ian Schmidt Mike Louis Lam

2 2014

3 Logistics This tech talk is being recorded. If you object, please hang up and leave the webcast now. We ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group. We ll try to answer questions in the chat or address them at speaker s discretion. If we cannot answer your question, please do include your so we can get back to you. When speaker pauses for questions: We ll go through existing questions in the chat 3 3

4 Reminder: Guardium Tech Talks Next tech talk: What is this thing called Hadoop and how do I secure it? Speakers: Kathy Zeidenstein and Sundari Voruganti Date &Time: Thursday, July 17th, :30 AM Eastern Time (75 minutes) Register here: Link to more information about this and upcoming tech talks can be found on the InfoSpere Guardium developerworks community: Please submit a comment on this page for ideas for tech talk topics. 4

5 New!!! Regional user groups this year US Location Date of session Location Registration Link *New* Miami, FL *NEW* Markham, Ontario, Canada June 11, 2014 June 19, 2014 IBM Office Columbus Center, Suite Alhambra Plaza Coral Gables, FL IBM Canada Ltd Steeles Avenue East 1st Floor, Room B104 Markham ON L3R 9Z7 Canada NYC, NY June 25, 2014 IBM 590 Madison Ave Room 1219 New York, NY rollall?openform&seminar=326pxces&locale=en_ US rollall?openform&seminar=8acm45es&locale=en_ US rollall?openform&seminar=4fbkuges&locale=en_ US Atlanta, GA August 28, 2014 IBM (Building A) Technical Exploration Center 6303 Barfield Rd., NE Atlanta, GA IBM Insight Oct 26, 2014 TBD To follow rollall?openform&seminar=4c2u2fes&locale=en_ US 5

6 Agenda Review of InfoSphere Guardium Vulnerability Assessment features and offerings Application-specific vulnerability assessment and demo Step by step demo of custom query creation Q and A 6

7 Vulnerability Assessment: Industry Definition Vulnerability assessment" (VA) covers tools for finding known vulnerabilities and configuration weaknesses on computing resources such as servers, desktops, mobile computing assets and other networked devices as well as on related workflow processes such as vulnerability prioritization and analysis. Exploit Includes configuration weaknesses, unpatched OS components and applications, some other technical security deficiency, or a situation that doesn't comply with organizational IT policies. Gartner group: Vulnerability Assessment Technology and Vulnerability Management Practices, John Chuvakin, Published: 7 February

8 Data Protection is key to holistic approach to Information Governance and Security 8

9 Why are Databases Vulnerable? BigData Data in all its forms are exploding while resources to manage it are limited Development systems that get replicated to production without proper lock down Application packages that get deployed with default settings with no understanding security implications Systems are turned over DBA s with little control over how the databases are set up Mobile Cloud 9

10 Guardium s Holistic Data Protection Process Vulnerability Assessment Discover Assess Harden Monitor Block Mask Where is the sensitive data? How to secure the repository? Who should have access? What is actually happening? How to prevent unauthorized activities? How to protect sensitive data to reduce risk? 10

11 InfoSphere Guardium Vulnerability Assessment, Editions Guardium Vulnerability Assessment Evaluation Guardium Vulnerability Assessment - Standard Guardium Vulnerability Assessment - Advanced Free, Downloadable, Up to 10 sources, 30 Day Trial Uncovers risk with sensitive data discovery Detailed assessments and vulnerability reporting Sensitive Data Discovery Comprehensive Testing and Reporting Ongoing protection with testing subscription Collaboration and workflow Extensible framework Adds to Standard: Configuration auditing system Entitlement Reporting 11

12 InfoSphere Guardium Vulnerability Assessment - Standard Edition Sensitive Data Discovery Guardium VA Standard Edition Comprehensive testing and reporting Identifies Sensitive Data like credit cards, transactions or PII Reporting on sensitive objects Discover database instances Extensible design Enables custom designed defined tests Tuning existing tests to match needs Report builder for custom reports Perpetual License Support, Education Subscription to test updates Using industry best-practices and benchmarks and primary research Predefined tests to uncover database vulnerabilities Recommendations for mediation Vulnerability Assessment scorecard View side by side comparison of tests View graphical view of trends Collaborate to protect Compliance Workflow Exception management Export to other security tools 12

13 Why Build Custom Tests? Some vulnerabilities in databases are specific to a particular usage Creating custom tests to target specific use cases can be: Organization level Industry level Application level Guardium VA was designed to be extensible by users or partners who have special domain knowledge 13

14 Guardium Vulnerability Assessment Mike

15 Agenda Application Specific Vulnerability Assessment What are we finding out Results Case Studies Demo and How/Why we created it 15

16 About BTRG Years 250+ Unique Customers PeopleSoft Experience One of the first PeopleSoft 16 partners Implemented, upgraded and integrated every major release of PeopleSoft PeopleSoft 9.2 Testing Partner Several current clients upgrading to 9.2 Unique BTRG Solutions Progressive Testing ERP Vulnerability Manger Action Center Hiring Hub Information Governance Industries Complete Data Security Management Award winning software solutions Trusted advisor for ERP security Addressing the full lifecycle of security & compliance Big Data Management Strategy Information Lifecycle Governance Information Management Enterprise Content Management 16 Telecom Retail Federal Manufacturing Healthcare Financial Banking Insurance Pharma State/Local Gov. Media Transportation Utilities

17 About the Presenter Director of Information Governance Practice for BTRG More than 20 years of experience in Information Technology, 15 years as a PeopleSoft Consultant Frequent presenter at webinars and conferences IBM Champion Connect: 17

18 Guardium Application Vulnerability Assessment Why create it? Most ERP systems and packaged applications control security within the application itself Vulnerabilities can and often do exist within the application that no amount of database security will address What is it? Application (PeopleSoft) specific checks Vulnerability Assessment Generates a scorecard (0% to 100%) of security level Provides details on each vulnerability and recommendations for remediation How does it work? Leverages existing Guardium Technology Built upon 20 years of best practices at BTRG for PeopleSoft security configuration Interactive and dynamic report that allows you to monitor application security level over time 18

19 Identifying Security Risks Vulnerability Assessments: Key components in overall security 19 19

20 Types of checks that are done Privilege Password settings, expiration Authentication Application Users, Logon Times Configuration Application security, configuration best practices Version Current fixes, patches, bundles Other Query Levels and access 20

21 Vulnerability Check Examples Operator IDs associated with inactive employees Usage of the ALLPAGES or other demo/delivered configuration Ensure all Operator IDs/User IDs are assigned to an Employee Permission lists with access to sensitive/security PeopleTools Pages Operator with access to Security and Functional pages Users/Permission lists with ability to join more than 5 tables and unlimited sign-on ability 21 21

22 Application Scorecard 22 22

23 How can you be sure you are secure? Delivered/Vanilla PeopleSoft scores an 11% on this assessment A good amount of things can go wrong between 11% and 100% Upgrades can introduce additional vulnerabilities Best practice is to benchmark before and after as well as over time Have found instances of very low scores Some examples: 26%, 19%, 15% 23

24 Vulnerability Assessment Case Study Customer: Leading Technology Company Solution: PeopleSoft Application Vulnerability Assessment Score: 26% Results: 1.Found vulnerabilities in PeopleSoft configuration 2.Implemented immediate corrections within hours, others within days 3.Implemented database activity monitoring and ongoing vulnerability checks. 4.Improved audit reporting (2 audit reports to 20+) which proved PCI and SOX compliance. 24

25 Vulnerability Assessment DEMO 25

26 Guardium Vulnerability Assessment QueryBased Test Builder Louis Lam

27 Agenda - Guardium Vulnerability Assessment Build your own query-based test Q&A Discover Where is the sensitive data? 27 Harden How to secure the repository?

28 Query-based Test Builder What is the query-based test builder? A tool that allow users to create their own custom tests, leveraging the VA infrastructure from existing Guardium predefined tests. Supports all the RDBMS database types that VA currently supports. Easy to deploy; requires little programming experience. Custom tests can be exported from one Guardium appliance to another using security assessment export. Why create it? Most ERP systems and packaged applications control security within the application itself. Vulnerabilities can and often do exist within the application that no amount of database security will address. 28

29 Navigate To Query-based Test Builder There are two ways to access the query-based test builder within the Guardium appliance. Access as a normal user: Click on Assess/Harden tab. Click on Assessment builder icon. Click on Query-based Tests. Click on New to create a new test. Access as an admin user: Click on Tools tab. Click on Security Assessment Builder under Config & Control tab with Tools. Click on Query-based Tests. Click on New to create a new test.

30 Creating a test, step by step Test Name Name of the test you want to use. Ideally, give it a meaningful name that indicates what the test actual checks. Using a prefix is recommend so you can identify your test easily from Guardium tests. Example: IBM - db_owner granted to users and roles 30

31 Creating a test, step by step (Continued) Database type Pick a database type from the drop down list. Example: MS SQL SERVER 31

32 Creating a test, step by step (Continued) Category Pick a category from the drop down list. Privileges: Check for object creation and usage rights, privilege grants to DBAs and users, and system level rights. Authentication: Verify password policies, default vendor accounts, no empty passwords, remote login parameters, etc. Configuration: Check platform-specific variables such as maximum failed logins for DBA profiles. Version: Verify appropriate version numbers and patch levels. Other: Example: Privilege 32

33 Creating a test, step by step (Continued) Severity Pick a severity level from the drop down list that best fits your test. Note, severity can be overridden in the assessment test tuning section. You may decide that the severity level for a given test in one datasource is higher than another. Severity levels Critical Major Minor Cautionary Informational Example: Major 33

34 Creating a test, step by step (Continued) Short description This is where you describe what your test does. The more descriptive the better. You can talk about scenarios that would cause your test to pass or fail. Example: 34 This test check for db_owner role granted to user or roles in each MSSQL databases. Grantee with db_owner can perform all configuration and maintenance activities on the database. This test does loop through all the databases in a given SQL Server instance. Granting db_owner role should be limited to only few in production. If you have server role sysadmin, you would not need to be granted db_owner per databases.

35 Creating a test, step by step (Continued) External Reference Any references you may use for this test like STIG, CIS, CVE, your company security policy benchmark, etc. This field can be left blank if you don t have any references. Example: Advance VA feature demo 35

36 Creating a test, step by step (Continued) Result text for pass Reason why the datasource passed this test. Example: db_owner database level role has not been granted to unauthorized grantee. 36

37 Creating a test, step by step (Continued) Result text for fail Reason why the datasource failed this test. Usually this means the configuration setting is not your recommended value. Privileges are granted to unauthorized grantees. Database might not be patched to some required level Example: db_owner database level role has been granted to unauthorized grantee. 37

38 Creating a test, step by step (Continued) Recommendation text for pass Any recommendation you want to provide when a datasource passes the test. Usually there is no recommendation when a test passes. Example: No action required. 38

39 Creating a test, step by step (Continued) Recommendation text for fail Recommendation you are providing when a datasource fails your test. It is important to provide as much detail as you can when the test fails. You want to talk about conditions in your test that would cause a datasource to fail. Ideally, provide an example remediation syntax where possible so the end user knows what needs to be done to pass your test. Example: We recommend that you revoke db_owner role from unauthorized grantees. You can use this SQL Server example command for revoking such privilege: EXEC sp_droprolemember N'db_owner', N'UserName or RoleName' GO. To exclude authorized grantees from this test, you can populate an exception group with your authorized grantees and link the group to this test. 39

40 Creating a test, step by step (Continued) SQL Statement This is the query your test will execute when connecting to a datasource. This can be a query or union of queries. You can use T-SQL or PL/SQL as long as your codes return a valid value that can be compared in determining the condition for the test s passing or failing criteria. Tips: 40 When using comment within a query do this /*my comment*/ instead of my comment. Make sure you test your SQL syntax on a native database tool or JDBC tool first. When writing your SQL, it is best that the SQL return a count(*) for comparison. Majority of the tests can be structured this way. You can return this within SQL Server or Sybase T-SQL as well. Select count(*) from some_table where some_grant = bad For Oracle, if you are using PL/SQL, the way to return a value from an anonymous block is via? := retval; There will be an example for this in a later slide. Use %THRESHOLD% in SQL syntax when you want your test to compare against some predefined default value and you want your end user to override your default value uses in the test comparison. There will be an example in a later slide.

41 Creating a test, step by step (Continued) SQL Statement (Continued) Example: SELECT FROM WHERE 41 COUNT(*) sys.database_role_members ro, sys.database_principals db_role, sys.database_principals grantee ro.role_principal_id = db_role.principal_id and ro.member_principal_id = grantee.principal_id and db_role.name = 'db_owner' and grantee.name <> 'dbo' /* Ignore the default dbo grant */

42 Creating a test, step by step (Continued) SQL Statement Oracle PL/SQL Example declare nver retval sver strval number; integer := 0; varchar2(255) := ''; varchar2(255) := ''; begin select VERSION into sver from V$INSTANCE; nver := to_number(substr(sver,1,(instr(sver,'.',1,2) - 1))); if nver >= 11.1 then select VALUE into strval from V$PARAMETER where NAME = 'sec_case_sensitive_logon'; end if; if (nver < 11.1 or strval = 'TRUE') then retval := 0; else retval := 1; end if;? := retval; end; 42

43 Creating a test, step by step (Continued) SQL Statement for detail (Optional) This is the query your test will execute when connecting to a datasource. It would only execute if the condition for the test fails The purpose of this query is to provide the user detailed grants or configuration settings when a test fails so the user will know what to remediate. Tips: All the tips from the SQL Statement are relevant here. When the SQL Statement for detail is used, the test would allow for exception group when the test returns a failed score. All the columns projected for SQL provided here must be concatenated into one field. See example below. Example: SELECT 'Grantee = ' + grantee.name collate DATABASE_DEFAULT + ' : Grantee_type = ' + grantee.type_desc collate DATABASE_DEFAULT FROM sys.database_role_members ro, sys.database_principals db_role, sys.database_principals grantee WHERE ro.role_principal_id = db_role.principal_id and ro.member_principal_id = grantee.principal_id and db_role.name = 'db_owner' and grantee.name <> 'dbo' 43

44 Creating a test, step by step (Continued) Pre test check SQL (Optional) Lets you write SQL that checks for a condition to determine if test should execute or not. This is useful when you are querying against database that may or may not have the tables or columns you are looking for. A 0 return value from your SQL here would mean the test should not be executed and therefore the test would not get a pass or fail score. A 1 return value from your SQL here would mean the test should continue and has passed the pre-test check requirement. Example: select count(*) from sys.all_objects where name = 'database_principals' and schema_name(schema_id) = 'sys' 44

45 Creating a test, step by step (Continued) Pre test fail message (Optional) If the pre test check SQL returns 0, then the test would not execute. In this case, it will display the text you wrote for pre test fail message field. Example: sys.database_principals view is not found in your system catalog. This test will not execute, please research why this system view is missing. 45

46 Creating a test, step by step (Continued) Loop databases & DB loop flag (Optional) Loop databases allow you to write SQL, indicating what databases your SQL statement should execute against. This is only supported in the following database types: Informix, SQL Server, Sybase ASE, PostgreSQL and MySQL. The looping is performed if the DB loop flag box is checked. You can use this function only when the test returns an integer value for comparison. Example: select name from sys.databases Or db_name1, db_name2 db_name(n) 46

47 Creating a test, step by step (Continued) Detail prefix (Optional) Enter a Detail prefix that will appear at the beginning of the SQL statement for string details. Example: Grantees with db_owner role. 47

48 Creating a test, step by step (Continued) Bind output variable (Optional) Check the "Bind output variable" checkbox if the entered text in the SQL statement is a procedural block of code that will return a value that should be bound to an internal Guardium variable that will be used in the comparison to the "Compare to" value. Example: See slide 21 for how this is used for Oracle PL/SQL. 48

49 Creating a test, step by step (Continued) Use Threshold (Optional) Check the Use threshold" checkbox if you allow use of threshold values for your test. For example, if you are testing for a backup configuration setting that should be kept for 12 backups or more. A different division may not agree with your requirement and decided that 8 should be their minimum and not 12. In this case, you can set your test default threshold value as 12, but allow the end users to change your threshold when they execute the assessment. Your SQL statement would have to change to use this Guardium specific feature. In your SQL, you would substitute the actual value you are comparing, which is 12 with %THRESHOLD%. You would then define the default value for your %THRESHOLD% which would be 12 in the default threshold value column. You also need to define a prompt Prompt for threshold, so the user knows the threshold can be changed. The next two slides will demonstrate the use of threshold. 49

50 Creating a test, step by step (Continued) Use Threshold Example (Optional) Here is a SQL Statement without using threshold. SELECT COUNT(*) FROM ( SELECT CAST(VALUE AS INTEGER) AS VALUE FROM SYSIBMADM.DBCFG WHERE LOWER(NAME) = 'num_db_backups' ) AS RESULT WHERE VALUE < 12 50

51 Creating a test, step by step (Continued) Use Threshold Example (Optional) Here is a SQL Statement using threshold. SELECT COUNT(*) FROM ( SELECT CAST(VALUE AS INTEGER) AS VALUE FROM SYSIBMADM.DBCFG WHERE LOWER(NAME) = 'num_db_backups' ) AS RESULT WHERE VALUE < %THRESHOLD% 51

52 Creating a test, step by step (Continued) Return Type, Operator and Compare to Value. Return type is the datatype that your SQL Statement returns. This can integer, date or string. Operator is the operator you want to compare your SQL statement result to the Compare to value. The available operators are in a drop down list like (=, <=, >=, <, >) Compare to value is the value you are using to compare against your SQL Statement. If your condition is met, then the test will pass, otherwise it will fail. Example: What the above example shows is our SQL Statement will return an integer value for us to compare. If the value of that integer is zero, then the test we created in this presentation will pass. If the SQL statement returns anything else, our test will execute and return a failed grade because it found some condition that violates the logic of the test. 52

53 Creating a test, step by step (Continued) Applicable Version From and Applicable Version To (optional). Applicable version from and applicable version to: Use these two fields if you want to control what version of the database your test should be executed in. The format that should be use is: ##.## For example, Oracle 11gR2 would be 11.2 or DB2 v10.5 would be For SQL Server, we follow the actual Microsoft version convention. SQL Server 2005 would be 9.00 and SQL Server 2008R2 would be Example: In our example, we are saying we want our test to execute against SQL Server 2005 and higher only. Since the catalog objects we used are only available in SQL Server 2005 and newer. Since we have not put in an applicable version to, our test can run against any later SQL Server release. 53

54 Creating a test, step by step (Continued) Our example test execution result. This is execution of our example ran against a SQL Server 2005 server where it found some db_owner grantee and shows its finding and give this test a failed score. 54

55 Creating a test, step by step (Continued) Our example test execution result. This is an execution of our example that ran against a SQL Server 2005 server and does not find any db_owner grantee and gives this test a passing score. 55

56 Dziękuję Polish Traditional Chinese Thai Gracias Spanish Merci French Russian Arabic Obrigado Danke Brazilian Portuguese German Tack Swedish Simplified Chinese Grazie Japanese 56 Italian

57 Information, training, and community InfoSphere Guardium Vulnerability Assessment Evaluation Edition on developerworks InfoSphere Guardium YouTube Channel includes overviews and technical demos developerworks forum (very active) Guardium DAM User Group on Linked-In (very active) Community on developerworks (includes content and links to a myriad of sources, articles, etc) Guardium Info Center InfoSphere Guardium Virtual User Group. Open, technical discussions with other users. Send a note to bamealm@us.ibm.com if interested. 57

58 Reminder: Guardium Tech Talks Next tech talk: What is this thing called Hadoop and how do I secure it? Speakers: Kathy Zeidenstein and Sundari Voruganti Date &Time: Thursday, July 17th, :30 AM Eastern Time (75 minutes) Register here: Link to more information about this and upcoming tech talks can be found on the InfoSpere Guardium developerworks community: Please submit a comment on this page for ideas for tech talk topics. 58