DATABASE SECURITY. Dec 13th, CS555 presentation 1, Yiwen Wang. “Securing the DB may be the single biggest action an organization can take to protect its assets” (David C. Knox)

Dec 23, 2015

Transcript
Page 1

DATABASE SECURITY

Dec 13th CS555 presentation 1

Yiwen Wang

“Securing the DB may be the single biggest action an organization can take to protect its assets” (David C. Knox)

Page 2

Database Security

Database security: protection from malicious attempts to steal (view) or modify data.

Page 3

Importance of data
- Bank accounts
- Credit card, salary, income tax data
- University admissions, marks/grades
- Land records, licenses
Data = crown jewels for organizations

Recent headlines:
- Personal information of millions of credit card users stolen
- Criminal gangs get into identity theft
- Web applications hacked due to database vulnerabilities

Page 4

Aspects of database security

1) DB security plan
2) Database access control
3) DBMS security: patching
4) DB application: SQL injection, inference threats
5) Virtual private databases
6) Oracle Label Security
7) Inference threats
8) Encryption
9) Auditing
10) Data warehouse
11) Security animations

Page 5

Access Control: Default Users and Passwords

Users, passwords
- Default users/passwords:
  - sys and system accounts: privileged, change the default password
  - sa (MS-SQL Server)
  - scott account: well-known account/password, change it
- General password policies (length, domain, changing, protection)
- People having too many privileges

Privileges, roles, Grant/Revoke
- Privileges: system privileges (actions) and object privileges (data)
- Roles (pre-defined and user-defined): collections of system privileges (example: DBA role)
- Grant/Revoke: giving (removing) privileges or roles to (from) users

Page 6

Access Control (Continue)

GRANT privilege_name ON object_name TO role_name;

REVOKE privilege_name ON object_name FROM role_name;

Page 7

Access Control (Continue)

Some important database privileges: SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE DATABASE, DROP DATABASE, ALL, USAGE

Page 8

DB application

Applications are often the biggest source of insecurity. OWASP Top 10 web security vulnerabilities:

1. Unvalidated input
2. Broken access control
3. Broken account/session management
4. Cross-site scripting (XSS) flaws
5. Buffer overflows
6. (SQL) Injection flaws
7. Improper error handling
8. Insecure storage
9. Denial-of-service
10. Insecure configuration management

(Diagram: Program, Application, Database)

Page 9

SQL Injection

SQL injection definition: inserting malicious SQL code through an application interface. Often through a web application, but possible with any interface.

Typical scenario:
- Three-tier application (web interface, application, database)
- Overall application tracks its own usernames and passwords in the database (advantage: can manage users in real time)
- Web interface accepts username and password, passes these to the application layer as parameters

Page 10

SQL Injection (Continue)

Example: application Java code contains the SQL statement (built by string concatenation, which is what makes it injectable):

    String query = "SELECT * FROM users_table"
                 + " WHERE username = '" + username + "'"
                 + " AND password = '" + password + "'";

Note: string values must be single-quoted in SQL, so the application adds the quotes around each passed string parameter.

Expecting one row to be returned on success, no rows on failure.

Common variant: SELECT COUNT(*) FROM …

Page 11

SQL Injection (Continue)

Attacker enters any username (valid or invalid) and a password of: Aa' OR ' ' = '

Query becomes:

    SELECT * FROM users_table WHERE username = 'anyname' AND password = 'Aa' OR ' ' = ' ';

Note: the WHERE clause evaluates as (F AND F) OR T => F OR T => T, because AND has higher precedence than OR.

All user/password rows are returned to the application. If the application only checks for 0 vs. more than 0 rows, the attacker is in.

Page 12

SQL Injection Prevention

How to resolve this? First (attempted) solution: check content.

- Client code checks to ensure certain content rules are met
- Server code checks content as well
- Specifically: don't allow apostrophes to be passed

Problem: there are other characters that can cause problems:
- --  SQL comment character
- ;   SQL command separator
- %   SQL LIKE subclause wildcard character

Which characters do you filter (blacklist) / keep (whitelist)?


Page 14

Thank you!