
Source: mscom.co.il › Downloads › SQLPresentations › 11062.pdf

SQL Server Security– A to Z

Oded Raz | CEO | Brillix LTD

What is Security?

Firewall, Authentication, Smart Card, Public Key Infrastructure, SSL, Encryption, LDAP, Single Sign-On, Authorization, Virtual Private Network, BS7799, Auditing, X.509 Certificate, Password, Kerberos, Intrusion Detection, DMZ, Anti Virus, RADIUS, Non Repudiation, Proxy, One Time Password, IPSEC, Access List

CIA – Confidentiality, Integrity, Availability

• “The Big Three” goal
• 100% is impossible!
  – Is 99.99% good enough?
• Risk Management
  – Assets
  – Threats
  – Vulnerabilities
  – Risks

Achieving Security

• The assets and threats are there
• Use controls to limit vulnerabilities:
  – Preventative
  – Detective
  – Reactive
• Controls have many forms
  – Technical
  – Physical
  – Administrative

“The only effective security program is one based on multi-layered solutions, both technological and organizational” – J.G., 1991

The “Classic” Security Layers

• Network
• Application – Software
• Physical
• Human integrity
• Policies and procedures

Network Security (diagram): Network IDS, Firewall, Host IDS, Scanner

Network & Host Security – The Problem

• TCP/IP is common knowledge and is not secured.
• “Weak links” in complex architectures.
• Relatively easy to attack without being detected: no time constraint, freely available hacking tools.
• Denial of service attacks.
• Eavesdropping on the radiation of transmission media.

Network & Host Security – The Solution

• Firewall:
  – Network
  – Application
  – Database
• Encryption of data during transmission – VPN, SSL and more
• IDS – on the network level
• ACLs for routers
• Scanner

Application Security

• “Inside the application” security mechanisms
  – Identification / authentication
  – User management
  – Authorization
  – Auditing
• “Around the application” security mechanisms
  – Reverse proxy
  – Application level firewall

Application Security – Building Blocks

• Identification: User Name / User ID
• Authentication: User + Password; Smart Card; Certificates; Biometrics; Smart Card + Biometrics
• Session: Session Management Service
• Authorization: Authorization Service
• Auditing: Auditing Service

Managing Applications (diagram repeating the same building blocks)

Multi-Application Problem

• Administrative problems
  – Efficiently provisioning users for applications
  – Limited/no ability to delegate administration
• Usability problems
  – Different user names/passwords
  – Little/no personalization of portal content
• Security problems
  – Inconsistent password management policies
  – Fragmented security policy enforcement

Vulnerabilities By Industry – 2010 (chart)

Top Web Site Vulnerabilities – 2010 (chart)

Buffer Overflow

Buffer Overflow – Wikipedia

• It can be triggered by malicious input crafted to execute arbitrary, possibly malicious, code, or to make the program operate in an unintended way; this is the source of many software vulnerabilities.
• The problem can be avoided by sufficient bounds checking by the programmer, or by a language that provides bounds checking as a language feature.

Severity

• The effectiveness of the buffer overflow attack has been common knowledge in software circles since the 1980s.
• The Internet Worm used it in November 1988 to gain unauthorized access to many networks and systems nationwide.
• Still used today by hacking tools to gain “root” access to otherwise protected computers.

History – Real World Scenarios

• Multiple IIS vulnerabilities give System-level access
• Security researchers are warning of a potentially nasty buffer over-run flaw in Oracle Database
• Users of the WinAmp player should upgrade to version 2.80 to avoid a vulnerability

Code Red Example

• /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a


Stacks and Processes

• Assume we are in main(), and we make a procedure call to myFunction(char *str).
• myFunction() accesses the variables that are passed to it via the stack.
• The system knows where to resume execution of main() when myFunction() has terminated, via the return address.
• The stack works just like a regular stack data structure, with push and pop.

Stack example: with variables x and y on the stack, Push z places z on top; Temp = Pop() removes it again, so Temp is now assigned the value z.

Stacks and Processes – Cont’

In our case, when we call myFunction(char *str), here is what happens.

int main(void) {
    char bufferA[256];
    myFunction(bufferA);
    return 0;
}

When we get to the call, the OS executes the following instructions:

push bufferA
call myFunction

Our stack now looks like this:

Previous stack content
bufferA

Stacks and Processes – Cont’

• Now we are executing the code in myFunction(). As in any procedure, the first thing myFunction() does is push its local variables (bufferB[16] in this case) onto the stack. This variable, as defined in myFunction(), is 16 bytes long, so the OS allocates 16 bytes on the stack for it.

Stack on entry to myFunction():

Previous stack content
bufferA
Return address
OS data

Our stack now looks like this:

Previous stack content
bufferA
Return address
OS data
bufferB (16 bytes long)

void myFunction(char *str) {
    char bufferB[16];
    strcpy(bufferB, str);
}

Buffer Overflow Attacks

• main() passes a 256 byte array to myFunction(), and myFunction() copies it into a 16 byte array, attempting to fill bufferB[16] with 240 bytes of data. Since there is no check on whether bufferB is big enough, the extra data overwrites other, unknown space in memory.
• This vulnerability is the basis of buffer overflow attacks. How is it used to harm a system? It modifies the system stack.

#include <string.h>

void myFunction(char *str);

int main(void) {
    char bufferA[256];
    memset(bufferA, 'A', sizeof bufferA - 1);   /* 255 bytes of data plus the terminator */
    bufferA[sizeof bufferA - 1] = '\0';
    myFunction(bufferA);
    return 0;
}

void myFunction(char *str) {
    char bufferB[16];
    strcpy(bufferB, str);   /* no bounds check: everything past 16 bytes spills over bufferB */
}

Implications

• Usually the hacker wants to write code to gain access to the computer or gain more privileges on the system. Once this occurs, a number of system violations or damage can easily be performed.
• Corrupts or damages the running program, causing it to fail, or makes it produce incorrect results for other programs.
• Can corrupt a program, causing it to disclose confidential information.
• Can corrupt a program, take remote control of it, and have it do undesired things.

Example Buffer Overflow Code (Copyright 2006 Swift Coders Ltd.)

void CopyString(char *dest, const char *source) {
    while (*source) {
        *dest++ = *source++;   /* no check against the size of dest */
    }
    *dest = '\0';
}

void Example(void) {
    char buffer[16];
    CopyString(buffer, "This string is too long!");   /* 24 characters into a 16 byte buffer */
}

Application Buffer Overflow – Example


SQL Injection

A Real-Life Example (screenshot, taken from nrg.co.il)

Impact of SQL Injection

• Bypassing authentication mechanisms
  select id from users where name='admin' and password='' or '1'='1'
• Information disclosure
  select phone from users where name='' UNION select credit_num from users --'
• Information tampering
  select usr_id from clients where name=''; update clients set debt=0;--
• Database corruption
  select usr_id from clients where name=''; drop table clients;--
• Command execution
  select picture from animals where name='';EXEC master.dbo.xp_cmdshell 'format /y c:'

Authentication Bypass – The Naive Case – Identification Inputs (screenshot)

Authentication Bypass – Naive Case – Identification Process

– "SELECT FamilyName FROM Users WHERE Username = '" & request.QueryString("username") & "' AND Password = '" & request.QueryString("password") & "'"
– SELECT FamilyName FROM Users WHERE Username = 'Michael' AND Password = 'imbad'

Authentication Bypass – Hacker Case – Identification Process

– "SELECT FamilyName FROM Users WHERE Username = '" & request.QueryString("username") & "' AND Password = '" & request.QueryString("password") & "'"
– SELECT FamilyName FROM Users WHERE Username = 'Michael' AND Password = 'a' or '1'='1'
– SELECT FamilyName FROM Users WHERE Username = 'Michael' AND Password = 'a' or true;
– SELECT FamilyName FROM Users
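The bypass in the hacker case above, reproduced in Python against an in-memory SQLite table. This is an added example, not code from the presentation; the Users table, its two rows and the credentials Michael / imbad are constructed sample data. login_concat() builds the query by string concatenation exactly as the ASP snippet does, and login_param() is the hardened form with bound parameters, which is the fix the injection examples on the previous slide call for.

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table standing in for the slide's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, FamilyName TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [("Michael", "imbad", "Smith"), ("Alice", "s3cret", "Jones")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable: mirrors the slide's ASP string concatenation.
    Whatever the caller typed becomes part of the SQL grammar."""
    sql = ("SELECT FamilyName FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Hardened: bound parameters are sent as data and never parsed as SQL,
    so a quote or a stacked statement in the input has no syntactic effect."""
    sql = "SELECT FamilyName FROM Users WHERE Username = ? AND Password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def authenticated(conn, username, password):
    """What the login page should check: exactly one matching row."""
    return len(login_param(conn, username, password)) == 1


if __name__ == "__main__":
    db = make_db()
    payload = "a' or '1'='1"   # the bypass string from the slide
    print(login_concat(db, "Michael", payload))   # every row: the WHERE clause is now always true
    print(login_param(db, "Michael", payload))    # []: no user has that literal password
```

With the concatenated query, the template's closing quote turns the trailing '1 into '1'='1' and the OR makes the whole WHERE clause true, so every family name comes back; the parameterised query compares the entire payload as one literal password and returns nothing. The plaintext Password column only mirrors the slide and is not how credentials should be stored.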

How Prevalent Is XSS? 2006

2006 Statistics (January 1 – December 31) – chart; http://webappsec.org/projects/statistics/

How Prevalent Is XSS? 2007

The overall statistics include analysis results of 32,717 sites and 69,476 vulnerabilities.

2007 Statistics (January 1 – December 31) – chart; http://webappsec.org/projects/statistics/

Definition

• Any way to fool a legitimate web site into sending malicious code to a user’s browser
• Almost always involves user content (third party)
  – Error messages
  – User comments
  – Links
• References
  – http://www.cert.org/archive/pdf/cross_site_scripting.pdf (Jason Rafail, Nov. 2001)
  – http://www.spidynamics.com/support/whitepapers/SPIcross-sitescripting.pdf

Definition

A technique that allows hackers to:
• Execute malicious script in a client’s Web browser
• Insert <script>, <object>, <applet>, <form>, and <embed> tags
• Steal Web session information and authentication cookies

• Any Web page that renders HTML containing user input is vulnerable

XSS – Demo (live demo)

• Assume all input is malicious
• Centralize your approach
  – Use Web Application Firewalls
• Do not rely on client-side validation
• Be careful with canonicalization issues
• CVS doctrine – Constrain, Validate & Sanitize
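Constrain, Validate & Sanitize applied to a user comment before it is rendered into HTML, as an added example (mine, not the presentation's). The whitelist pattern, the 200-character limit and the sample comments are constructed. canonicalize() decodes percent-encoding until the string stops changing, which is the canonicalization pitfall the slide warns about; render_comment() escapes on output so the <script> tag from the definition slide is displayed as text instead of being executed by the browser.

```python
import html
import re
import urllib.parse

MAX_LEN = 200                                    # constrain: length (constructed limit)
ALLOWED = re.compile(r"[\w .,!?'\-]*")           # constrain: character whitelist (constructed)


def canonicalize(text):
    """Decode percent-encoding until the string stops changing, so that a
    double-encoded '%253C' is judged as the '<' it really is."""
    previous = None
    while text != previous:
        previous, text = text, urllib.parse.unquote(text)
    return text


def validate(text):
    """Validate the canonical form against the whitelist; reject anything else."""
    text = canonicalize(text)
    return len(text) <= MAX_LEN and ALLOWED.fullmatch(text) is not None


def render_comment_unsafe(text):
    """The vulnerable pattern: user input pasted straight into the page."""
    return "<p>" + text + "</p>"


def render_comment(text):
    """Sanitize on output: every character HTML could interpret is escaped."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def accept_comment(text):
    """Full pipeline: the safe HTML fragment, or None when the input is rejected."""
    if not validate(text):
        return None
    return render_comment(canonicalize(text))


if __name__ == "__main__":
    samples = ["Nice post!", "<script>alert(1)</script>", "%253Cscript%253E"]  # constructed
    for s in samples:
        print(repr(s), "->", accept_comment(s))
```

Validation and output escaping are deliberately separate layers: the whitelist rejects obvious junk early, and the escaping guarantees that anything that does get through, including characters a future whitelist change might allow, is rendered as data rather than markup.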

Physical Layer

• The Problem:
  – Almost unlimited capabilities when having physical access to network devices.
• The Solution:
  – Strong authentication means: tokens, smart cards, biometrics.
  – Locked servers and communication hardware.
  – Locked workstations and drives.
  – Locked backup tapes and removable memory devices.
  – Security devices: cameras, alarms, patrols.
  – Selective entrance to sensitive areas.

Human Integrity

• The Problem
  – Computer crime, industrial espionage, sabotage, theft – by dishonest or disgruntled employees, authorized users, technicians.
• The Solution
  – Checking honesty “certificates”.
  – Auditing and forensic tools.
  – Appropriate policies and procedures.

Policies and Procedures

• The Problem – security breaches caused by:
  – Lack of realistic security policies and procedures.
  – No enforcement of security policies and procedures.
  – Low awareness of security policies and procedures.
• The Solution
  – Risk assessment.
  – Security policy writing.
  – Procedure writing as derived from policy.
  – Awareness program.
  – Enforcement.

DBA/Insider Theft Remains Key Concern

“The most common mistake is to assume that something "behind the firewall" will not be attacked, or alternatively, that insiders are all upstanding citizens.” – Mary Ann Davidson, Chief Security Officer, Oracle

“Gartner estimates that 70 percent of security incidents that actually cause loss to enterprises – rather than mere annoyance – involve insiders, … Enterprises must broaden their approach to securing Internet-exposed applications and servers.” – John Pescatore, Gartner

“The increasing sophistication of business applications requires a similarly sophisticated application-centric approach to security.” – David Thompson, META Group

• 80% of threats come from insiders
• 65% of internal threats are undetected
• 60% of data loss/corruption due to human error
• 30% concerned about DBA threat
• 50% looking at monitoring insider/DBA threats

The ‘Insider Threat’ – the Facts (chart)

Data Security – Vulnerabilities

• Misconfigurations & administration malpractice
  – Default users, initial parameters …
  – Applying security patches
  – Permissions management
• ID & password control
  – One user, one IP
  – Shared users
• Applications & application-level attacks
  – SQL injection
  – Session management
  – Application-level ACLs

Oracle 10g DoS Sample

Details

Buffer Overflow in SYS.PBSDE.INIT. This function has EXECUTE permission granted to SYSDBA or EXECUTE_CATALOG_ROLE. Members of these groups can exploit this vulnerability and crash the database or execute arbitrary code.

Example

SQL> exec sys.pbsde.init('AA',TRUE,'MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON',NULL);BEGIN sys.pbsde.init('AA',TRUE,'MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON',NULL); END;

*ERROR at line 1:
ORA-03113: end-of-file on communication channel

Workaround

Revoke the execute privilege on sys.pbsde.init from public:

revoke execute on sys.pbsde from public;

Common Application Architecture (diagram; components: Users, Web Application, Application Server, User Authentication – X.509, SSL, Active Directory – Access Control, Privileged User, Oracle DB, Users Table)

Motivation for using database encryption

• Hide data from the DBA

• Comply with regulations - PCI

• Last line of defense

• Encrypt data on external media (Backup)

• Many more reasons


Encryption Challenges

• Who is responsible for the entire key management?
• Key is lost, data is lost!
• Indexing encrypted data – database performance.
• Who are we hiding from?

SQL Server Encryption (key hierarchy)

DPAPI encrypts the Service Master Key → the Service Master Key encrypts the Database Master Key

Asymmetric Encryption

• More secure encryption
• Only suitable for small amounts of data
• Certificates and asymmetric keys both provide the same RSA asymmetric encryption capabilities
• Nondeterministic

Symmetric Encryption

• Orders of magnitude faster than asymmetric encryption
• Symmetric keys may be secured with a password, symmetric key, certificate, and/or asymmetric key
• Supported encryption algorithms: DES, TRIPLE_DES, RC2, RC4, RC4_128, DESX, AES (128, 192, or 256)
• Nondeterministic

Key Management

• Keys can be fixed or computed
• Key management can be handled in many ways:
  – With the client
  – On the server file system
  – In the database

Computed Keys

• For every row a different key is dynamically generated.
• Advantages
  – No need to store keys in the database
  – Every value has a different key
• Disadvantages
  – The algorithm that generates the key must be protected

Computed Keys – Sample (Encryption)

-- Open the symmetric key with which to encrypt the data
OPEN SYMMETRIC KEY SALARY_Key11 DECRYPTION BY CERTIFICATE Sales09;

-- Encrypt the value in column Base_Pay with the symmetric key,
-- using Employee_ID as the authenticator that ties the ciphertext to its row
UPDATE HR.Employee
SET Base_Pay = EncryptByKey(Key_GUID('SALARY_Key11'), CONVERT(varbinary, 6600), 1, CONVERT(varbinary, Employee_ID));
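Per-row computed keys with an authenticator, as an added example in Python (mine, not the presentation's T-SQL and not SQL Server's EncryptByKey). The master secret, the table/column/row labels and the HMAC-SHA256 counter-mode keystream are my choices for this illustration. The key for a cell is derived from a master secret and the row identifier, so no key is stored in the database and each value gets its own key (the advantages on the Computed Keys slide), while the master secret and the derivation algorithm become the thing that must be protected (the disadvantage). The tag binds the ciphertext to its row, which is the job the fourth parameter of EncryptByKey does in the sample above.

```python
import hashlib
import hmac
import os

MASTER_SECRET = b"constructed-master-secret"   # held by the application, never stored in the database


def row_key(master, table, column, row_id):
    """Derive the per-row key on demand: nothing is stored, same inputs give the same key."""
    label = f"{table}.{column}:{row_id}".encode()
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a keystream (my construction for this example)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_cell(master, table, column, row_id, plaintext):
    """Encrypt one cell: fresh random nonce (so output is nondeterministic, as the slides
    say of SQL Server's encryption) plus a tag that binds the ciphertext to this row."""
    key = row_key(master, table, column, row_id)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_cell(master, table, column, row_id, blob):
    """Return the plaintext, or None if the blob was altered or copied in from another row."""
    key = row_key(master, table, column, row_id)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


if __name__ == "__main__":
    blob = encrypt_cell(MASTER_SECRET, "HR.Employee", "Base_Pay", 1001, b"6600")
    print(decrypt_cell(MASTER_SECRET, "HR.Employee", "Base_Pay", 1001, blob))   # b'6600'
    print(decrypt_cell(MASTER_SECRET, "HR.Employee", "Base_Pay", 1002, blob))   # None: wrong row
```

Because the key depends on the row identifier, a ciphertext lifted from one employee's row and written into another's fails the tag check, which is the attack the authenticator parameter exists to stop; a verified tag also rejects any bit-flip in the stored value.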


Package Interception

• The following approach works (in most cases) without DBA permission, and a hacker is able to intercept all encryption keys.
• With DBA permission a hacker or malicious DBA can ALWAYS intercept the encryption key.

Decrypting the TDE Architecture (key hierarchy)

DPAPI encrypts the Service Master Key → the Service Master Key encrypts the Database Master Key → the Database Master Key encrypts the Certificate in the master database → the Certificate encrypts the Database Encryption Key

Transparent Database Encryption (screenshots)

What is data masking?

What

• The act of anonymizing customer, financial, or company confidential data to create new, legible data which retains the data's properties, such as its width, type, and format.

Why

• To protect confidential data in test environments when the data is used by developers or offshore vendors

• When customer data is shared with 3rd parties without revealing personally identifiable information

Original data:

LAST_NAME   SSN           SALARY
AGUILAR     203-33-3234   40,000
BENSON      323-22-2943   60,000
D’SOUZA     989-22-2403   80,000
FIORANO     093-44-3823   45,000

Masked data:

LAST_NAME   SSN           SALARY
ANSKEKSL    111-23-1111   40,000
BKJHHEIEDK  111-34-1345   60,000
KDDEHLHESA  111-97-2749   80,000
FPENZXIEK   111-49-3849   45,000
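Masking the table above in Python, as an added example (the scheme is mine, not the presentation's or any vendor's tool). Names are replaced letter-for-letter and SSNs digit-for-digit so width, type and format are retained, salaries are kept as on the slide, and a keyed hash makes the mapping repeatable, so the same original value always masks to the same output across tables, which goes one step beyond what the slide shows. SAMPLE_ROWS are the slide's original rows; MASK_KEY is a constructed secret.

```python
import hashlib
import hmac
import string

MASK_KEY = b"constructed-masking-key"   # stays with production, never ships with the masked copy

# The original rows from the slide (LAST_NAME, SSN, SALARY)
SAMPLE_ROWS = [
    ("AGUILAR", "203-33-3234", "40,000"),
    ("BENSON", "323-22-2943", "60,000"),
    ("D'SOUZA", "989-22-2403", "80,000"),
    ("FIORANO", "093-44-3823", "45,000"),
]


def _hexstream(key, value):
    """64 hex digits derived from the value; same value -> same digits (repeatable masking)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def mask_name(name, key=MASK_KEY):
    """Replace each letter with a pseudo-random capital letter; punctuation stays in place."""
    h = _hexstream(key, name)
    out = []
    for i, ch in enumerate(name):
        if ch.isalpha():
            j = (2 * i) % 64                      # two hex digits per letter, wrapping for long names
            out.append(string.ascii_uppercase[int(h[j:j + 2], 16) % 26])
        else:
            out.append(ch)                        # apostrophes and hyphens keep the format
    return "".join(out)


def mask_ssn(ssn, key=MASK_KEY):
    """Replace each digit with a pseudo-random digit; dashes stay where they are."""
    h = _hexstream(key, ssn)
    out = []
    j = 0
    for ch in ssn:
        if ch.isdigit():
            out.append(str(int(h[j:j + 2], 16) % 10))
            j = (j + 2) % 64
        else:
            out.append(ch)
    return "".join(out)


def mask_rows(rows, key=MASK_KEY):
    """Mask the identifying columns and retain salary, as in the slide's table."""
    return [(mask_name(n, key), mask_ssn(s, key), salary) for n, s, salary in rows]


if __name__ == "__main__":
    for original, masked in zip(SAMPLE_ROWS, mask_rows(SAMPLE_ROWS)):
        print(original, "->", masked)
```

The masked output is legible test data that still joins correctly between tables, but because the mapping is keyed, holding the masked copy alone does not let a developer or offshore vendor recover the original names or SSNs.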

Policy Management (screenshot)

Audit (screenshot)

2008 Improvements

• The Surface Area Configuration Tool (SAC) has been deprecated and replaced with Policy Based Management.
• Kerberos authentication has been expanded to include all protocols in the SQL Server stack.
• SQL Server 2008 is tightly integrated with Windows Server 2008 and Active Directory Domain Services.
• It is now possible to rename the SA account during a fresh installation.
• The local Windows group BUILTIN\Administrators is no longer included in the SQL Server sysadmin server role.
• SQL Server accounts follow the principle of least privilege: they are better protected and further isolated from the operating system.

SQL Server Hardening

• Use only Windows authentication if possible.
• If using Mixed Mode, disable and rename the sa login:

USE [master];
GO
ALTER LOGIN sa DISABLE;
GO
ALTER LOGIN sa WITH NAME = [KING];
GO

SQL Server Hardening

• Install only needed components.
• Disable unneeded network protocols.
• Change the listening port; do not use 1433.
• Hide the SQL Server instance.
• Run the SQL Server services under a dedicated OS user.
• Remove the SQL Server service user from the Administrators group.
• Remove the BUILTIN\Administrators Windows group from the sysadmin server role.
• Enable auditing of both successful and unsuccessful logins.
• Use SQL Server Audit.

Compliance

1. The act of conforming, acquiescing, or yielding.
2. A tendency to yield readily to others, esp. in a weak and subservient way.
3. Conformity; accordance: in compliance with orders.
4. Cooperation or obedience: compliance with the law is expected of all.

What is SOX?

1. A short stocking usually reaching to the calf or just above the ankle.
2. A lightweight shoe worn by ancient Greek and Roman comic actors.
3. Comic writing for the theater; comedy or comic drama.
4. Furniture: a raised vertical area of a club or pad foot.

What is SOX?

"To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the security laws, and for other purposes”

Sarbanes-Oxley is US legislation enacted on July 30, 2002

AKA: Public Company Accounting Reform and Investor Protection Act of 2002; SOX; Sarbox; CPA Employment Act :)

Put forth in part because of accounting scandals at corporations such as Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom that cost investors billions of dollars

Sections

1) Public Company Accounting Oversight Board (PCAOB)
2) Auditor Independence
3) Corporate Responsibility
4) Enhanced Financial Disclosures
5) Analyst Conflicts of Interest
6) Commission Resources and Authority
7) Studies and Reports
8) Corporate and Criminal Fraud Accountability
9) White Collar Crime Penalty Enhancement
10) Corporate Tax Returns
11) Corporate Fraud Accountability

Key Provisions

SOX Section 302: Internal control certifications
SOX Section 404: Assessment of internal control
SOX Section 802: Criminal penalties for violation of SOX

CIA & SOX (diagram): Confidentiality – Integrity – Availability

SOX Section 302: Internal control certifications

Holds the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) personally responsible for certifying that financial reports are accurate and complete. They must also assess and report on the effectiveness of internal controls around financial reporting. CEOs and CFOs now face the potential for criminal fraud liability. Section 302 does not specifically list which internal controls must be assessed.

SOX Section 404: Assessment of internal control

• Understand the flow of transactions, including IT aspects
• Perform a fraud risk assessment
• Evaluate controls designed to prevent or detect fraud
• Conclude on the adequacy of internal control over financial reporting.

SOX Section 802: Criminal penalties for violation of SOX

"Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."

So, after all of that, what does SOX have to do with information security?

Nothing Really !!!

Control of access to financial records
• FGA
• Encryption
• Hardening – both DB & OS

Detection of modification
• AUDIT, AUDIT, AUDIT, AUDIT

Prevention of data loss and contingent liabilities
• Mirroring / Log Shipping

Need 2 Feature

Bank of Israel – Proper Conduct of Banking Business Directives

Directive 357 – Information Technology Management

These files constitute the directives of the Supervisor of Banks, reflecting his position on the norms required for proper conduct of banking business in various areas.

Main points of the directive

The board of directors of a banking corporation is required to hold a periodic discussion and to set an information technology management policy as part of the banking corporation's computing policy. The policy must address, among other things, information security, backup and recovery principles for failures and disasters, outsourcing, development policy (including development by end users), and the use of new technologies.

Section 4 – Appointing a person in charge
The management of a banking corporation is required to appoint a manager with suitable training and experience, who bears responsibility for all information technology matters.

Sections 5 and 6 – Procedures and documentation
A banking corporation is required to set detailed procedures for every stage and every process involved in the management, operation, security, backup, resilience and control of information technology.

Main points of the directive

Section 7 – Risk assessment
A banking corporation is required to perform a risk assessment, updated on an ongoing basis, and to take the measures required by that assessment to minimize the possibility of harm.

Section 8 – Appointing an information security manager
The management of a banking corporation is required to appoint an information security manager, to prevent conflicts of interest, and to define his areas of responsibility.

Main points of the directive

Section 9 – Security surveys and penetration tests
A banking corporation shall conduct a security survey of its information technology system, in accordance with its risk assessment. The survey shall evaluate the effectiveness of the protective measures, with reference to the risk assessment, in the systems defined by the banking corporation, and shall propose ways to correct the deficiencies found.

Section 10 – User identification and authentication
A precondition for granting access to the banking corporation's systems shall be personal identification of every party that has access.

Section 11 – Connecting a banking corporation to the Internet
Such connectivity is permitted for providing banking services over communications networks and for connectivity of the banking corporation's employees, subject to the restrictions detailed in the directive. In addition, a banking corporation is required to take measures to detect impersonation of the banking corporation's website by unauthorized parties.

Section 12 – Backup and recovery principles
A banking corporation shall maintain a detailed plan for operating its information technology system in the event of failures and disasters, and shall test all backup arrangements once per period.

A banking corporation is required to implement security measures, physical and logical, for the prevention, detection, correction and documentation of exposures in the information technology system, in accordance with the risk assessment, and with reference also to identification and authentication, confidentiality and privacy, integrity and reliability of data, and non-repudiation.

PCI – Protecting Card Holder Data

ASSESS – Identify cardholder data and analyze the vulnerabilities that can put this data at risk.
REMEDIATE – Fix vulnerabilities and don’t keep cardholder data unless you need it.
REPORT – Validate remediation.

PCI – Building Blocks (diagram)

What to protect / PCI – Step By Step (diagram)

• www.ilDBA.co.il – Read More