Event-Driven Attacks on Database Systems
Somendra Chaudhary & Vasanth Pranavan Selvam
Illinois Institute of Technology
Huge Amounts of Data Generated!
Image taken from techcrunch.com
Huge Amounts of Data Generated!
● Huge amount of data generated in today’s world.
● Final destination of this data is the database.
● Database is standard as data can be managed here effectively and efficiently.
● Data manipulation and maintenance done using Database Management System (DBMS).
Need to Secure Data
● Data is very valuable.
● And anything valuable needs to be secured.
● A database immune to attacks (internal or external) is known as a secure database.
● Security attacks compromise the integrity of database, rendering the system incapable of functioning.
Types of Database Attacks
● SQL (Structured Query Language) injection (SQLi).
● Privilege Abuse.
● Brute-force Attacks.
● Denial of Service (DoS).
● Phishing.
● Man-in-the-Middle attacks.
Types of Events Under which Database Attacks are Considered
● Excessive Privileges.
● Weak Audit.
● Many more...
Database is like a Bank Vault!
Image taken from pond5.com
Database is like a Bank Vault!
Image taken from averageyouthministry.com
● Database can be local or outsourced.
● If database is compromised, the very foundation of an organization shakes.
Database is like a Bank Vault and Needs to be Secured
● Attacks may be internal or external.
Image taken from lotr.fandom.com Image taken from redbubble.com
Database is like a Bank Vault and Needs to be Secured
Do you know what percentage of database attacks are from current or ex-employees?
Database is like a Bank Vault and Needs to be Secured
80%
Data can be at risk when in use, in transit or at rest!
Image taken from sealpath.com
Securing Stored Procedures
● Organizations use stored procedures.
● Saved with a relegated in an RDBMS.
● Can be shared and reused by different projects.
● Two phase technique discussed by Som, Sinha and Kataria to secure stored procedures:
● If first phase fails to secure, then second phase is invoked!
Securing Outsourced Storage Systems
● Kellaris, Kollios, Nissim and O’Neil have proposed abstract models.
● These models capture secure outsourced storage systems in sufficient generality.
● They identify two basic sources of leakage, namely access pattern and communication volume.
Attacks, Counter Measures and Control Methods
● Malik and Patel highlighted many possible attacks.
● Also proposed counter measures.
● Finally proposed possible control methods.
SQL Injection
Image taken from avatier.com
SQL Injection: Example 1: External
Image taken from cloudfare.com
SQL Injection: Example 2: Internal
Image taken from portswigger.net
SQL Injection
● Type of Injection attack.
● SQL commands are injected into the input of the data plane to execute pre-defined SQL commands.
● Uses malicious SQL queries to access information not intended for display.
● Information may include sensitive company data, user lists or details of private customers.
SQL Injection has far-reaching negative effects
● Unauthorized viewing of user lists.
● Removing whole tables.
● The attacker gaining administrative rights to a database.
● Loss of customer trust if phone numbers, addresses and credit card details are stolen.
SQL Injection usually targets websites!
Image taken from phpforum.in
SQL Injection usually targets websites!
● SQL queries are arbitrarily inserted into web-based app database by an unauthorized user.
● Basic form of SQL injection is the user input.
● Generally forms are used for user to input the data for the respective field.
● Through this form the data entered in the front-end is passed to the backend database.
SQL Injection usually targets websites!
● The input entered from the form by the user is rendered invalid by the web app.
● An attacker will be able to inject SQL into the backend database.
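The form-to-backend path described on these slides, as an added example that is not part of the original deck: the same lookup is built once by string concatenation and once with a bound parameter, and both are run against a normal form value and a crafted one. The table, column names and sample rows are constructed for illustration, and SQLite is an assumption chosen so the example runs offline.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a web app's backend database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT, phone TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "555-0100"), ("bob", "555-0101"), ("carol", "555-0102")],
    )
    return db

def lookup_concatenated(db, form_value):
    # Vulnerable: the form value becomes part of the SQL text, so quote
    # characters in it change the structure of the WHERE clause.
    query = ("SELECT username, phone FROM customers "
             "WHERE username = '" + form_value + "'")
    return db.execute(query).fetchall()

def lookup_parameterized(db, form_value):
    # Hardened: the value is bound to a placeholder and is only ever
    # compared as data; it cannot alter the statement.
    query = "SELECT username, phone FROM customers WHERE username = ?"
    return db.execute(query, (form_value,)).fetchall()

def compare(form_value):
    # Returns (rows from concatenated query, rows from parameterized query).
    db = make_db()
    return (len(lookup_concatenated(db, form_value)),
            len(lookup_parameterized(db, form_value)))

if __name__ == "__main__":
    for value in ("alice", "x' OR '1'='1"):  # constructed form inputs
        print(repr(value), compare(value))
```

With the crafted value the concatenated query returns every customer row, while the parameterized query returns none because no username matches that literal string.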
SQL Injection: After system is compromised
● The attacker may:
  > Take copy of the content.
  > Modify content.
  > Remove content: entire tables!!
  > Poison cookies used to locally store information of customers.
● HTTP headers can be used as an attack by injecting code into the backend database if the inputs are not sanitized by the web application.
Privilege Abuse
Image taken from me.me
Privilege Abuse
● Users (or applications) may be granted database privileges that exceed the requirements of their job function.
● These privileges might be used to access private data.
Privilege Abuse: Consider a college director
Image taken from stc- ea.com
Privilege Abuse: Consider a college director
● The director's job requires only read-only access.
● Suppose they are given excessive update privileges.
● Then there is a chance that they might use these privileges to alter students' grades!
Privilege Abuse
What’s the solution to this problem?
Privilege Abuse
For one, have a good hiring policy!
Image taken from baudhayan.blogspot.com
Privilege Abuse: Solution
● Query level access control.
● Confines privileges to the minimum required operations and data.
● Most databases provide abilities like: RLS, triggers.
● The manual design of these mechanisms makes them impractical in all but the most restricted organizations.
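One way to see query level access control applied to the college director case, as an added example that is not from the original slides: a per-role policy is enforced at statement-preparation time, so the director's session can read grades but any UPDATE is rejected. The role names, the `grades` table and the use of SQLite's authorizer callback as the enforcement point are assumptions made for illustration; a server DBMS would express the same policy with its own grants, RLS or triggers.

```python
import sqlite3

# Hypothetical policy: which SQLite authorizer actions each role may perform.
POLICY = {
    "director": {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ},
    "registrar": {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                  sqlite3.SQLITE_UPDATE},
}

def make_db():
    # Autocommit mode so no implicit BEGIN has to pass the authorizer.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE grades (student TEXT, grade TEXT)")
    db.execute("INSERT INTO grades VALUES ('s1001', 'B')")  # constructed row
    return db

def apply_role(db, role):
    allowed = POLICY[role]

    def authorizer(action, arg1, arg2, db_name, source):
        # Called by SQLite for every action a statement needs while it is
        # being prepared; anything outside the role's set is denied.
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    db.set_authorizer(authorizer)

def read_grade(db, student):
    row = db.execute("SELECT grade FROM grades WHERE student = ?",
                     (student,)).fetchone()
    return row[0]

def try_update(db, student, grade):
    # Returns True if the statement was allowed, False if it was denied.
    try:
        db.execute("UPDATE grades SET grade = ? WHERE student = ?",
                   (grade, student))
        return True
    except sqlite3.DatabaseError:
        return False

if __name__ == "__main__":
    db = make_db()
    apply_role(db, "director")
    print("director read:", read_grade(db, "s1001"))
    print("director update allowed:", try_update(db, "s1001", "A"))
    apply_role(db, "registrar")
    print("registrar update allowed:", try_update(db, "s1001", "A"))
```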
Privilege Abuse
● Users may abuse legitimate data access privileges for unauthorized purposes.
● A user may have privileges to view individual patient records by means of a custom healthcare application.
● The user may abuse that privilege to retrieve every single patient record through an MS-Excel client!
Privilege Abuse: Solution
The idea is access control policies that apply not only to what information is available, but also to how information is accessed.
Privilege Abuse: Solution
By enforcing policies for time of day, location, application client and volume of information retrieved, it is possible to identify users who are abusing access privileges.
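A sketch of that policy check run over audit records, as an added example that is not from the original slides. The policy values, field names and audit entries are all constructed for illustration; the flagged entry mirrors the patient-records case above, where a spreadsheet client pulls far more rows than the healthcare application ever would.

```python
from datetime import datetime

# Hypothetical access policy for clerks using the healthcare application.
POLICY = {
    "allowed_hours": range(8, 18),          # 08:00 to 17:59
    "allowed_locations": {"clinic-lan"},
    "allowed_clients": {"healthcare_app"},
    "max_rows_per_query": 50,
}

# Constructed audit records (one per query), not real log data.
AUDIT_LOG = [
    {"user": "clerk1", "time": "2024-03-04T10:15:00",
     "location": "clinic-lan", "client": "healthcare_app", "rows": 1},
    {"user": "clerk1", "time": "2024-03-04T14:02:00",
     "location": "clinic-lan", "client": "healthcare_app", "rows": 3},
    {"user": "clerk2", "time": "2024-03-04T23:40:00",
     "location": "clinic-lan", "client": "excel", "rows": 48210},
    {"user": "clerk3", "time": "2024-03-05T11:30:00",
     "location": "vpn-remote", "client": "healthcare_app", "rows": 2},
]

def violations(record, policy=POLICY):
    # Return the list of policy dimensions this single query breaks.
    reasons = []
    if datetime.fromisoformat(record["time"]).hour not in policy["allowed_hours"]:
        reasons.append("time_of_day")
    if record["location"] not in policy["allowed_locations"]:
        reasons.append("location")
    if record["client"] not in policy["allowed_clients"]:
        reasons.append("application_client")
    if record["rows"] > policy["max_rows_per_query"]:
        reasons.append("volume")
    return reasons

def flag_users(log, policy=POLICY):
    # Aggregate violations per user so an analyst sees one line per account.
    flagged = {}
    for record in log:
        reasons = violations(record, policy)
        if reasons:
            flagged.setdefault(record["user"], set()).update(reasons)
    return {user: sorted(reasons) for user, reasons in flagged.items()}

if __name__ == "__main__":
    for user, reasons in flag_users(AUDIT_LOG).items():
        print(user, reasons)
```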
Privilege Abuse
● A programmer may exploit vulnerabilities in the database to convert low-level access rights into abnormal access privileges.
● Privilege escalation attacks can be defeated with a combination of query level access control and a conventional intrusion prevention system (IPS).
Privilege Abuse
● Query level access control can detect a user who suddenly uses an unusual SQL operation,
● While an IPS can identify a specific documented threat within the operation.
● In most database installations, the Least Privilege Principle isn't adhered to: but why?
Privilege Abuse: Why isn’t Least Privilege Principle Adhered To?
Image taken from imgflip.com
Privilege Abuse: Why isn’t Least Privilege Principle Adhered To?
● The programming staff probably don't know any better.
● They may know better yet figure they don't have sufficient resources to implement this correctly.
● The organizations simply don’t believe it to be as big a risk as it actually is.
Brute Force Attack
Image taken from makeuseof.com
What is a Brute Force Attack?
● A Brute Force Attack is the simplest method to gain access to a site or server (or anything that is password protected).
● It tries various combinations of usernames and passwords until it gets in.
● This repetitive action is like an army attacking a fort.
Brute Force Attack: How is it done?
● Every common ID (e.g. “admin”) has a password.
● All you need to do is try to guess the password. Simple, isn’t it?
● Well, not really!
Brute Force Attack: How is it done?
● Let’s say it’s a 4-digit PIN: you have 10 numeric digits from 0 to 9. This means there are 100 possibilities.
● You can figure this out with pen and paper like Mr. Bean did in the movie, Mr. Bean’s Holiday.
● But, the truth is that no password in the world consists of only 4 characters.
Results and Findings

| Attack | Excessive Privileges | Weak Audit |
|---|---|---|
| SQLi | x | x |
| Privilege Abuse | x | x |
| Brute-force Attacks | | x |

Key: X-axis: Event; Y-axis: Attack
Conclusion
1. To protect against attacks, namely SQLi and Privilege Abuse, it must be strictly ensured when granting privileges that excessive privileges are NOT granted!
2. A strong audit shall ensure protection against SQLi, Privilege Abuse and Brute-force attacks.
Future Work
Image taken from triometric.net
Future Work
The processes described in our paper have not been practically implemented: so practically implement them to verify our findings.
Future Work
More types of attacks such as Denial of Service, Phishing, Man-in-the-Middle (MITM) attacks et cetera may be taken into consideration.
Future Work
We have considered two events in this paper. Many more events may be taken into consideration!!
Thank You