Database Attacks, How to protect the corporate assets

download Database Attacks, How to protect the corporate assets

of 56

  • date post

    08-Jun-2015
  • Category

    Documents

  • view

    7.067
  • download

    1

Embed Size (px)

Transcript of Database Attacks, How to protect the corporate assets

  • 1. Database Attacks,How to protect the corporate assets Presented by:James Bleecker

2. Agenda

  • Introduction
    • Landscape
    • Database Vulnerabilities Are The New Front-Lines
  • Attacking Where the Data Resides
    • Planning an Attack
    • Attacking Database Vulnerabilities
  • How Do You Protect Your Database?
  • What is Application Security direction/Vision?

3. Old Data Processing Environment Winchester IMS Array Glass House Halon Release Switch CICS Controller BIG IRON Hyperchannel Halon 4. New Data Processing Requirement

  • Increasingly Focused Attacks
  • Directly on applications (75%!)
  • Including insiders (80+%!)
  • As perimeter crumbles
  • Demand for Pervasive Access
  • By anyone
  • To any application
  • Increasingly direct
  • Compliance Requirements
  • Info ultimately in Db apps:
    • Privacy / confidentiality
    • Integrity
  • Compliance must be:
    • Repeatable
    • Demonstrable

Stored Data 5. Typical Network Landscape 6. Database Vulnerabilities

  • A decade ago, databases were
    • Physically secure
    • Housed in central data centers not distributed
    • External access mediated
    • Security issues rarely reported
  • Now, databases are externally accessible
    • Suppliers directly connected
    • Customers directly connected
    • Customers and partners directly sharing data

7. Database Vulnerability Exploitation

  • A decade ago, attacks were
    • Broad based
    • Launched by disaffected Hackers
    • Intended to disrupt, gain respect / notoriety in the community
  • Now, attacks are
    • Targeted against specific resources
    • Launched by sophisticated professionals
    • Intended to bring monetary gain to the attacker
  • Data is a valuable resource in your company
    • Value increases with greater integration and aggregation
    • But so does the threat of data theft, modification, or destruction

8. Databases Are Under Attack

  • 106 Incidents in 2005
  • Flurry of new data breaches disclosed : More than 190 such incidents have been reported since February 2005, Jaikumar Vijayan and Todd Weiss; June 19, 2006 (Computerworld)
  • Were not Winning!

9. Recent Incidents 22-May-06 1500 Department of Energys nuclear weapons 15-Feb-06 350,000 Dept of Agriculture 5-Mar-06 41,000 Georgetown University 9-Feb-06 200,000 Miscretail debit card compromise(OfficeMax?) Source: Privacy Rights Clearinghouse,http://www.privacyrights.org/ar/ChronDataBreaches.htm ~50,000,000+ # of customers affected Etc, etc, etc .15-Feb-05 145,000 ChoicePoint 19-Apr-05 200,000 Ameritrade 9-Mar-05 310,000 LexisNexis 25-Feb-05 1,200,000 Bank of America 8-Mar-05 1,400,000 DSW Shoe Warehouse 6-Jun-05 3,900,000 Citigroup 17-Jun-05 40,000,000 Card Systems Date of Initial Disclosure # ofAffected Customers Company/Organization 10. Top 5 Issues in Enterprise Security

  • Attackers have gone pro
    • Want personal data they can sell Personal data like credit card and social security numbers are relatively easy to monetize
  • Attacks are moving to the source
    • Why pull a single credit card via compromising the network? It's relatively hard with a meager pay off. Instead, take over the corporate database and get them ALL
  • The perimeter provides little defense
    • Insiders don't go through the firewall thus perimeters provide no protection from this growing source of risk
  • Inside the perimeter, enterprises have little-to-no protection
    • Beyond anti-virus, enterprises are only just now getting started to build a layered defense. For example, how does a largely signature-based security solution protect you from an insider that doesn't need to run a vulnerability against a system to get access?They've got plenty of privileges already ;-)
  • Everyone is watching
    • Everyone is very-much clued in to the increased threats against personal data. Any mistakes are likely to be very public

11. How Do You Secure Apps? Key Components of Enterprise Applications Vulnerabilities exist within each of these components 12. Database Vulnerabilities:

  • Default & Weak Passwords
  • Denial of Services (DoS) & Buffer Overflows
  • Misconfigurations & Resource PrivilegeManagement Issues

13. Database Vulnerabilities: Default & Weak Passwords

  • Databases have their own user accounts and passwords

Oracle Microsoft SQL Server Sybase Default & Weak Passwords MySQL IBM DB2 14. Database Vulnerabilities Default Passwords

  • Oracle Defaults (Over 200 of them)
      • User Account: internal / Password: oracle
      • User Account: system / Password: manager
      • User Account: sys / Password: change_on_install
      • User Account: dbsnmp / Password: dbsnmp
  • IBM DB2 Defaults
      • User Account: db2admin / Password: db2admin
      • User Account: db2as / Password: ibmdb2
      • User Account: dlfm / Password: ibmdb2

15. Database Vulnerabilities Default Passwords

  • MySQL Defaults
      • User Account: root / Password: null
      • User Account: admin / Password: admin
      • User Account: myusername / Password: mypassword
  • Sybase Defaults
      • User Account: SA / Password: null
  • Microsoft SQL Server Defaults
      • User Account: SA / Password: null

16. Database Vulnerabilities Weak Passwords

  • It is important that you have all of the proper safeguards against password crackers because:
      • Most databases do not haveAccount Lockout
      • Database Login activity isseldom monitored
      • Scripts and Toolsfor exploiting weak identification control mechanisms and default passwords are widely available

17. Database Vulnerabilities: Denial of Services (DoS) & Buffer Overflows

  • Databases have their own DoSs & Buffer Overflows

Oracle Microsoft SQL Server Sybase Denial of Services& Buffer Overflows Default & Weak Passwords MySQL IBM DB2 18. Denial of Services Databases Have Their Own Class of DoS Attacks

  • Category of attacks that could result in the database crashing or failing to respond to connect requests or SQL Queries.
  • Significant Database Denial of Services:
    • Oracle8i: NSPTCN data offset DoS
    • https://www.appsecinc.com/Policy/PolicyCheck31.html
    • Oracle9i: SNMP DoS
    • https://www.appsecinc.com/Policy/PolicyCheck45.html
    • Microsoft SQL Server: Resolution Service DoS
    • https://www.appsecinc.com/Policy/PolicyCheck2066.html
    • IBM DB2: Date/Varchar DoS
    • https://www.appsecinc.com/Policy/PolicyCheck3014.html

19. Buffer Overflows Databases Have Their Own Buffer Overflows

  • Category of vulnerabilities that could result in an unauthorized user causing the application to perform an action the application was not intended to perform.
  • Most dangerous are those that allow arbitrary commands to be executed by authenticated users.
      • No matter how strongly youve set passwords and other authentication features.
    • Significant Database Buffer Overflows:
      • Oracle9i:TZ_OFFSET buffer overflow
      • Microsoft:pwdencryptbuffer overflow/Resolution Stack Overflow
      • Sybase:xp_freedllbuffer overflow