IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Similar documents
Database Attacks, How to protect the corporate assets. Presented by: James Bleecker

IT Service Delivery And Support Week Four - OS. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

CS 356 Operating System Security. Fall 2013

Karthik Bharathy Program Manager, SQL Server Microsoft

B.H.GARDI COLLEGE OF MASTER OF COMPUTER APPLICATION. Ch. 1 :- Introduction Database Management System - 1

Top 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy

A (sample) computerized system for publishing the daily currency exchange rates

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

<Insert Picture Here> Oracle Database Security

Web Security. Outline


Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Security Enhancements in Informatica 9.6.x

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Database Management System Fall Introduction to Information and Communication Technologies CSD 102

McAfee Database Security

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Cyber Security Audit & Roadmap Business Process and

Solutions Business Manager Web Application Security Assessment

C and C++ Secure Coding 4-day course. Syllabus

HPE Intelligent Management Center

A database management system (DBMS) is a software package with computer

Security+ SY0-501 Study Guide Table of Contents

ANATOMY OF AN ATTACK!

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Hackproof Your Cloud Responding to 2016 Threats

Unit 5.2b - Security 1. Security. Unit 5.2b

Advanced Security Measures for Clients and Servers

Real Application Security Administration

Trustwave Managed Security Testing

K12 Cybersecurity Roadmap

SECURITY & PRIVACY DOCUMENTATION

Course Description. Audience. Prerequisites. At Course Completion. : Course 40074A : Microsoft SQL Server 2014 for Oracle DBAs

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

SQL Injection Attacks and Defense

BraindumpsVCE. Best vce braindumps-exam vce pdf free download

Security Fundamentals for your Privileged Account Security Deployment

COS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy

Web Application Vulnerabilities: OWASP Top 10 Revisited

California State Polytechnic University, Pomona. Server and Network Security Standard and Guidelines

QuickBooks Online Security White Paper July 2017

mission critical applications mission critical security Oracle Critical Patch Update July 2011 Oracle Database Impact

2. INTRUDER DETECTION SYSTEMS

Software Security and Exploitation

Security Readiness Assessment

SAP HANA ADMINISTRATION

IBM services and technology solutions for supporting GDPR program

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

IBM SmartCloud Notes Security

Microlab 2005 Summer Internship. Subha Gollakota High School Junior Harker High San Jose, CA

Oracle Database Control Issues Jennifer L. Bayuk

Strategic Infrastructure Security

WHITEPAPER. Security overview. podio.com

CIS Controls Measures and Metrics for Version 7

Cassandra Database Security

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

Topics covered 10/12/2015. Pengantar Teknologi Informasi dan Teknologi Hijau. Suryo Widiantoro, ST, MMSI, M.Com(IS)

Security in the Privileged Remote Access Appliance

Oracle Database. Installation and Configuration of Real Application Security Administration (RASADM) Prerequisites

SECURITY DOCUMENT. 550archi

Cyber Criminal Methods & Prevention Techniques. By

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Oracle Audit Vault. Trust-but-Verify for Enterprise Databases. Tammy Bednar Sr. Principal Product Manager Oracle Database Security

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Endpoint Security - what-if analysis 1

CIS Controls Measures and Metrics for Version 7

CSE 565 Computer Security Fall 2018

Security Specifications

Security Enhancements

Database System Concepts and Architecture

Storage and File System

Introduction To Computers

Configuring the Oracle Network Environment. Copyright 2009, Oracle. All rights reserved.

CIH

Survey of Oracle Database

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

epldt Web Builder Security March 2017

Secure Configuration Guide for Oracle9iR2

Objectives. Classes of threats to networks. Network Security. Common types of network attack. Mitigation techniques to protect against threats

Cyber Essentials Questionnaire Guidance

Data, Information, and Databases

Microsoft SQL Server Training Course Catalogue. Learning Solutions

An Introduction to Databases and Database Management Systems.

Database Centric Information Security. Speaker Name / Title

Privileged Account Security: A Balanced Approach to Securing Unix Environments

CSWAE Certified Secure Web Application Engineer

ClearPath OS 2200 System LAN Security Overview. White paper

MySQL for Database Administrators Ed 3.1

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

6 Months Training Module in MS SQL SERVER 2012

CoreMax Consulting s Cyber Security Roadmap

Operating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

RSA Authentication Manager 8.0 Security Configuration Guide

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

CO MySQL for Database Administrators

SDR Guide to Complete the SDR

Designing and Building a Cybersecurity Program

Transcription:

IT Service Delivery and Support Week Three IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao 1

Infrastructure Essentials Computer Hardware Operating Systems (OS) & System Software Applications Distributed Systems vs. Legacy Systems Production Environment vs. Development and Testing Environments General Control and Application Reviews 2

Computer Hardware Definition: All physical mediums to record, retrieve, store, process, input, output, and transmit digital and analog signals/information. CPU Hard drive Memory Mother Board Video Card/Sound Card/Camera Network Interface Card CD ROM/USB/PS2 Connector Mobile Devices 3

Operating Systems (OS) OS Built-in Controls: authentication and authorization, scheduler, traffic controller, planner, and security to resources of a computer system and/or its network (wired or wireless). Microsoft Windows UNIX/Linux Novell Netware, AS/400 & Mainframe Some OS work with third party security software: Mainframe TOP Secret, ACF2,RACF 4

System Software System Software: software used by System users (such as Database Administrator (DBA) System Administrator (SA) to support the running of OS Database Management Systems, SQL, Network Client, OnLine Transaction Processors (OLTP), etc. System Utilities such as FTP, Telnet, SNA and Shell Scripts 5

Databases Types of Databases Flat-file Hierarchical Data base Network Database Relational Database Benefits of database versus traditional file organization Audit Concerns in a Database Environment 6

Databases Pros. And Cons. Benefits Data independence (e.g. n-tier application) Reduction of data redundancy (via Normalization) Maximize data consistency (primary key/ foreign key) Reducing maintenance cost through data sharing Security Feature Enforce Data integrity 7

Databases Pros. And Cons. Steep Learning Curve Complex Tech Support Drawbacks 8

Database Terminology (continued) Database Management System (DBMS) Access and control functions; A variety of management and security features Older versions are hierarchical, in that there is a specific and somewhat rigid "parent and child" relationship among data elements Newer versions are relational, allowing dynamic reformatting of the tables that drive data access, so that they are more flexible and adaptable to changing needs 9

Database Terminology (continued) Database Management System (DBMS) Database management systems have features to help ensure the integrity and security of data stored in the DBMS tables. These include: Rules Triggers A Stored Procedure Security 10

Database Terminology (continued) Database Administration (DBA) A function involved in the coordination and control of data related activities, the DBA can be one or more people, depending on how large the environment is. 11

Database Terminology (continued) Data Dictionary/ Directory System (DD/DS) : Software that manages a repository of information about data and the database environment, allowing applications to share data elements and each application to have its own view of that data In Relational Databases, Data is organized into tables, columns and rows. A table is equivalent to a file, as it represents a collection of records. A row is a horizontal set of data fields or components. A column is a vertical set of data fields or components (think of a spreadsheet's rows and columns for a comparison). 12

Rules Rules define format and range of data that can be stored. For example, a rule can stipulate that a "loan interest" field cannot hold a negative number, or that allowable rates will be within a range of 6-12%. 13

Triggers Triggers can activate a DBMS stored procedure when a field, record or table is inserted, updated or deleted. For example, a trigger can cause an email to be sent to the security administrator when a record in the USER ID table is added or deleted. 14

Stored Procedure A stored procedure is a program written in the native language of the DBMS. Stored procedures behave like any other program, although native DBMS has additional verbs for database actions unique to the DBMS environment. Examples include SORT, LOCK, UNLOCK and COMMIT. 15

Views Because relational databases are highly customizable, users can present data in any way they wish. One of the most important concepts of the database is known as a view. Although the data is stored in tables, which may never change attributes, users can customize or delete a view easily without affecting the data. Views manipulate the data to present the important pieces that users would like to see, while removing the unnecessary data that is not used. This is similar to copying and pasting the important parts of documents into one file. 16

DBMS Security Features Security features - the DBMS provides ability to allow or deny a user or group access to a database, table, record or field. Some systems can also allow or deny a user or group administration ability. Additional security features including data encryption and scrambling. DBMS Access Controls: users, programs, transactions, etc. Audit Trails 17

Types of Databases A database management system (DBMS) manages data by providing organization, access, control and security functions. There are four classes of database structures. They are listed in the order of their evolutionary appearance: Flat File Hierarchical Networked Relational 18

Flat File Flat-File: A flat-file stores records without any relationships what so ever. Records can be stored in any arbitrary sequence, or in the order they were created. There can be one or more indices to optimize searching for records. 19

Hierarchical Database A hierarchical database stores records in a hierarchical order such as last name, customer number, or part number. Every record contains the record data and pointers to the child records. Some hierarchical databases also store pointers to the parent records. Records are placed into the database in the order they appear in the physical word. 20

Hierarchical Database All searches begin at the top of the database. Following pointers down (or up) take you from record-to-record in their sorted order If a new record needs to be inserted into the structure, the position of the record on the disk does not change; only the pointers need to be updated A hierarchical database can have only one top (or root) record 21

Network Database A network database is similar in construction to a hierarchical database except there can be more than one root record. 22

Relational Database A relational database is a collection of data items organized as a set of formally described tables from which data can be accessed easily. A relational database is created using the relational model. The software used in a relational database is called a relational database management system (RDBMS). Relational term relation, base relvar derived relvar tuple attribute SQL equivalent table view, query result, result set row column 23

Examples of Relational Databases Examples of relational databases include: DB2 Informix Lotus Approach MS Access Oracle SQL Server Sybase 24

Audit Concerns in a Database Environment The database can become the single point of failure. When the database is unavailable, all applications relying on the database will not work. Many applications might be authorized to update the same data fields. How do applications become authorized? What is the synchronization schedule for the databases replicates? Applications working against the database may not have the same security and integrity controls. Distributed copies of the database may not have the same security settings. 25

Chapter 9 Auditing Databases Database vulnerabilities and threats: Easily guessed passwords Missing Patches Misconfigurations Excessive Privileges Web application attacks (SQL-injection) Insider mistakes Weak or non-existent audit controls Social engineering 26

Chapter 9 Auditing Databases Oracle Defaults example - User Account: system / Password: manager - User Account: sys / Password: change_on_install - User Account: dbsnmp / Password: dbsnmp Microsoft SQL Server & Sybase Defaults - User Account: SA / Password: null Safeguards against password crackers: - Not all databases have Account Lockout - Database Login activity is seldom monitored - Scripts and Tools for exploiting weak passwords are widely available 27

Chapter 9 Auditing Databases Missing Patches: Privilege Escalation Become a DBA or equivalent privileged user Denial of Service Attacks Result in the database crashing or failing to respond to connect requests or SQL Queries. Buffer Overflow Attacks: memory safety issue Result in an unauthorized user causing the application to perform an action the application was not intended to perform. Can allow arbitrary commands to be executed no matter how strongly you ve set passwords and other authentication features. 28

Chapter 9 Auditing Databases Misconfigurations Can Make Databases Vulnerable Oracle External Procedure Service Default HTTP Applications Privilege to Execute UTL_FILE Microsoft SQL Server Standard SQL Server Authentication Allowed Permissions granted on xp_cmdshell Sybase Permission granted on xp_cmdshell IBM DB2 CREATE_NOT_FENCED privilege granted (allows logins to create SPs) MySQL Permissions on User Table (mysql.user) 29

Chapter 9 Auditing Databases Database Security Lifecycle Management Aspects Inventory Classification: e.g. confidential, internal user, public, etc. Access Prioritize Remediation Monitoring 30

Chapter 9 Auditing Databases Secure Configuration/Hardening Standards Patching Process Implement the Principal of Least Privilege Defense in Depth / Multiple Levels of Security Vulnerability Scan Remediation Action Plan Active monitoring Encryption of data-in-motion / data-at-rest 31

Chapter 9 Auditing Databases Strong Password policy Patch Management Database Server Security Disable non used functions Use selective encryption: At network level: use SSL, database proprietary protocols. At file level for backups, laptops, etc. Object and system permissions Restriction on new database installations DBA Privileges!!! DBMS configurations and settings best practices & hardening standards Audit trail aggregation and monitoring e.g. SIEM 32

Chapter 9 Auditing Databases Database Related Policies & Procedures: DB Version, patch level Build & Hardening Standard OS Security Requirements Database Directory and Registry Key Access Database Authentication and Authorization Provisioning and de-provisioning process Password Requirements Default Usernames and Passwords Service Accounts Remove Public Permission Access to Database objects (tables, views, triggers, store procedures, etc.) 33

Chapter 9 Auditing Databases Encryption (Data-in-Use, At-Rest, In-Motion) Network Encryption Back up Encryption Monitoring Logging and Audit trail Reviewing Practice Capacity Planning and Performance Monitoring Database Backup, Restore and Recovery 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback