Database Security
description
Transcript of Database Security
![Page 1: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/1.jpg)
Database Security
Yuli Stremovsky
![Page 2: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/2.jpg)
Agenda
• Database Security• What is GreenSQL ?• Management Console• Demo• GreenSQL Roadmap
![Page 3: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/3.jpg)
Hackers have become professional
There are business models thatfinance them
SQL Injection attacks are becoming increasingly
sophisticated and difficult to combat.
It uses stealth techniques to go unnoticed for as long as possible.
Hackers create much more SQL
Injection attacks
The need
![Page 4: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/4.jpg)
Pricelist
![Page 5: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/5.jpg)
• Oct 2009 - One of NASA's was vulnerable to a SQL injection attacks. All of this despite the fact that the agency’s IT budget in fiscal year 2009 was $1.6 billion, of which $15 million was dedicated to IT security.
• Mar 2009 & Nov 2009 - SQL injection attack exposes sensitive customer data on Symantec web server.
• Nov 2009 - Russian cyber gang uses SQL injection attack crack deep inside the network of a giant U.S. debit and credit-card processor.
• Nov 2009 - An SQL injection flaw has been detected on the Yahoo! Website. The vulnerability was on the Yahoo job section.
• Dec 2009 - Wall Street Journal website, Intel, Apple
Latest Victims
![Page 6: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/6.jpg)
Replication
Backup
Wiki
Blog
Reporting
Testing
Forums
High privilegedusers
ApplicationUsers
Administrators
Casual users
Appl
icati
onco
nnec
tions
Use
rco
nnec
tions
CMS
DatabaseMonitoring
Financial data
Private data Customer data
E-commerce
Who uses the Database ?
![Page 7: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/7.jpg)
• Hundreds of websites are on the same database server - hundreds of attack vectors
• If your neighbor's web site database is vulnerable, then so are you, no matter how carefully you've vetted your own code.
Using Shared Hosting Services ?You are under attack !!!
![Page 8: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/8.jpg)
• Legitimate Query:SELECT * from usersWHERE username = ‘admin’ and password = ‘123’
• Injected SQL code:SELECT * from users where username = ‘admin’and password = ‘XXX’ or ‘1’=‘1’
What is SQL Injection?
![Page 9: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/9.jpg)
• Bypass login page• DOS - Deny of service• Install web shell• Iframe injection• Access system files• Install db backdoor• Theft of sensitive information / credit cards• Additional step of the attack:
– Attack computers on the LAN
SQL Injection after effect
![Page 10: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/10.jpg)
• Automated SQL Injection• Injecting <iframe src=http://xxxxx.com>• User visits infected site/page• Trojan horse drive by installation• Your PC is controlled by black hat hackers
– Send SPAM– Records all login information– Records all transactions with bank websites– Online money transfer
How iframe injection works
![Page 11: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/11.jpg)
Buzus Trojan
![Page 12: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/12.jpg)
• Open Source project• Started at 2007• Hosted at sourceforce• More than 30,000 downloads• Version 1.2 - 3k downloads in it’s first month
GreenSQL History
![Page 13: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/13.jpg)
• GreenSQL is a database firewall solution• Protects against SQL injections and other
known and unknown Database attacks• Cool web based management interface• MySQL / PostgreSQL built in support
What is GreenSQL
![Page 14: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/14.jpg)
Database Firewall
![Page 15: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/15.jpg)
![Page 16: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/16.jpg)
SQL Proxy
Risk Matrix Calculation
SQL Queries/WL/Policy
Good / Block /Warn / Learn
Forward andIntegration
Web AppsClient/Server Apps
Web services/ SOAPLegacy Apps
GreenSQL – High Level Architecture
DB Server 1 DB Server 2 DB Server 3 DB Server N
![Page 17: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/17.jpg)
• Reverse Proxy• Number of databases• Number of backend DB servers• Deployment options:
– Can be installed together with the DB server– Can be installed on dedicated server / VPS
How it works?
![Page 18: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/18.jpg)
Replication
Backup
Wiki
Blog
Reporting
Testing
Forums
High privilegedusers
ApplicationUsers
AdministratorsCasual users
Appl
icati
onco
nnec
tions
Use
rco
nnec
tions
CMS
Database
Monitoring
Ecommerce
Using the Database Securely
![Page 19: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/19.jpg)
GreenSQL management console
![Page 20: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/20.jpg)
Multiple Databases / Proxies
![Page 21: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/21.jpg)
Alert Example
![Page 22: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/22.jpg)
GreenSQL Advantages
• Multiple modes– IDS/IPS / learning / Firewall
• Easy to use• Pattern Recognition (signatures)• Heuristics (risk calculation)• Open Source
![Page 23: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/23.jpg)
GreenSQL Advantages – Cont’
• Cross Platform (any Linux and Unix system)• Rapid Deployment (pre built packages)• Well established (30,000 downloads and counting)
• Web application independent• The only free security solution for MySQL• The only security solution for PostgreSQL • User Friendly WEB GUI/Management tool
![Page 24: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/24.jpg)
GreenSQL IPS / IDS
• Sensitive tables• Multiple queries ( ; / UNION )• SQL comments• Empty password• SQL tautology - true statements (1=1)• Administrative commands • Information disclosure commands
![Page 25: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/25.jpg)
But, I’m a kick ass developerSo why should I use GreenSQL
• Legacy code• Not only Web application and web
services use your database• Protects the database console access• 0 day database attacks prevention• No direct access to the database
machine
![Page 26: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/26.jpg)
http://demo.greensql.net/
http://www.greensql.net/sql-injection-test
GreenSQL: Demonstration
![Page 27: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/27.jpg)
• Native Joomla / Drupal / Wordpres plugins• Integrated GreenSQL Console as CMS plugin
(you will use Joomla Admin to manage GreenSQL)• Web user name / IP address reporting in
GreenSQL alerts• Auditing
Open Source Roadmap
![Page 28: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/28.jpg)
GreenSQL Optimization
E-mail Submission
Service portal Software
Updates
Consulting
Installation Support
GreenSQL Support Program
![Page 29: Database Security](https://reader036.fdocuments.net/reader036/viewer/2022062400/56813ded550346895da7c4f7/html5/thumbnails/29.jpg)
Questions