Top 10 Database Security Threats and How to Stop Them
Rob Rachwald, Director of Security Strategy
Data Has Value
Imperva Confidential
Chart: Top 7 Attacks Discussed in Hacker Forums (shares as extracted from the chart, in chart order)
dos/ddos 21%, SQL injection 20%, spam 15%, brute-force 12%, shell code 12%, zero-day 11%, html injection 9%
Chart: Sources of a Data Breach
Non malicious 38%, Malicious Insider 33%, Hacker 29%
Source: 2010 Securosis-Imperva survey of more than 1100 U.S. and multinational IT security practitioners.
https://www.imperva.com/ld/data_security_survey.asp?
Agenda
Top 10 Database Security Threats, each covered as:
• Definition
• Analysis
• Consequence
• Mitigation
Database Top 10 Threats: Excessive Privilege Abuse
Definition
• Users (or applications) granted database access privileges in excess of “business need-to-know”
Analysis
• Hard to obtain a true list of required privileges
• Database ACL semantics are too limited
Consequence
• Any “minor” breach becomes a major incident!
• See SQL Injection Consequence
Mitigation
• More granular ACLs: Query ACLs
  • What queries are allowed against the table by this user
• Automatic and Dynamic ACL profiling
Mitigation: Query Access Control Lists
Data Leakage via Database Access
Normal Usage:
  select * from classes where class_id = 101
Privilege Abuse:
  select username, password from students
Query ACL:
  select * from classes where class_id = ?
Mitigation: Query Access Control Lists
Data Leakage via Web Application
Normal Usage:
  select * from users where username = 'john' and password = 'smith'
Privilege Abuse:
  select * from users where username = 'john' and password = 'smith' or 1=1
Query ACL:
  select * from students where username = ? and password = ?
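The query ACL shown above (and the "query level ACLs / automatic and dynamic ACL profiling" mitigation the deck repeats for Privilege Elevation and SQL Injection) can be prototyped as a learned allow-list of normalised query templates, exactly the `... where class_id = ?` form on the slide. The Python below is an added example, not Imperva's product logic; the `app_user` account, the `normalize` regexes, `build_profile`, `audit` and the sample traffic are all constructed for illustration.

```python
import re
from collections import defaultdict

_STRING = re.compile(r"'(?:[^']|'')*'")           # single-quoted SQL string literal
_NUMBER = re.compile(r"(?<![\w.])\d+(?:\.\d+)?")  # numeric literal (not digits inside an identifier)
_PUNCT = re.compile(r"\s*([=<>,()])\s*")          # fold spacing around operators and commas

def normalize(query):
    """Reduce a statement to its template: literals become '?', case and whitespace are folded."""
    q = _STRING.sub("?", query)
    q = _NUMBER.sub("?", q)
    q = _PUNCT.sub(r" \1 ", q)
    return " ".join(q.lower().split())

class QueryAcl:
    """Per-user allow-list of query templates, learned automatically from observed traffic."""
    def __init__(self):
        self.profile = defaultdict(set)
    def learn(self, user, query):
        """Profiling phase: record the template of a query seen from this user."""
        self.profile[user].add(normalize(query))
    def check(self, user, query):
        """Enforcement phase: return (allowed, template) for a query the user is about to run."""
        template = normalize(query)
        return template in self.profile[user], template

def build_profile():
    """Learn the (hypothetical) app_user profile from the slides' 'Normal Usage' queries."""
    acl = QueryAcl()
    acl.learn("app_user", "select * from classes where class_id = 101")
    acl.learn("app_user", "select * from users where username = 'john' and password = 'smith'")
    return acl

def audit(acl, user, queries):
    """Return the templates of those queries that fall outside the user's learned profile."""
    return [t for ok, t in (acl.check(user, q) for q in queries) if not ok]

# Constructed sample traffic: two in-profile queries, then the slides' two 'Privilege Abuse' queries.
SAMPLE_TRAFFIC = [
    "select * from classes where class_id = 7",
    "select * from users where username = 'alice' and password = 'x'",
    "select username, password from students",
    "select * from users where username = 'john' and password = 'smith' or 1=1",
]

if __name__ == "__main__":
    for template in audit(build_profile(), "app_user", SAMPLE_TRAFFIC):
        print("VIOLATION:", template)
```

Because the `or 1=1` tail normalises to `or ? = ?`, the tautology changes the template and is caught even though the user's account may hold SELECT on the table.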
Database Top 10 Threats: Legitimate Privilege Abuse
Definition
• Abuse of legitimate database privileges for unauthorized purposes
Analysis
• Use simple and available desktop tools
• Retrieve large quantities of data
• Store sensitive data locally
• Make unauthorized changes
Consequence
• Data theft
• Data loss
• Embezzlement
Mitigation
• More granular ACL: Context based ACL
• ACL augmented with the context of the query, e.g. client machine, client software, time-of-day
Database Top 10 Threats: Privilege Elevation
Definition
• Low privileged user exploits database vulnerabilities to gain administrative privileges.
Analysis
• Susceptible objects
  • Stored procedures and built-in functions
  • SQL Statements
• Types of vulnerabilities
  • Buffer overflow
  • SQL Injection
Consequence
• Any “minor” breach becomes a major incident
• Built-in access control becomes ineffective
Mitigation
• More granular ACL: Query level ACLs
• Automatic and dynamic ACL profiling
• Monitoring access to vulnerable objects
Weak Audit
« In God I trust. For everyone else, I keep log files. »
Database Top 10 Threats: Weak Audit
Definition
• Audit policies that rely on built-in database mechanisms suffer a number of weaknesses
Analysis
• Performance degradation and DBA attention span
• Knowing what matters in the mountain of audit data
• Limited granularity
• Proprietary
• Vulnerable to database attacks
• No end-to-end user tracking
Consequence
• Regulatory problems
• Data is not there when you need it
Mitigation
• Independent audit device
Database Top 10 Threats: SQL Injection
Definition
• Attacker inserts an unauthorized SQL statement through a SQL data channel
Analysis
• Caused by non-validated input parameters
Consequence
• Access to unauthorized data
• Unauthorized data manipulation
• Denial of service
• Privilege elevation
Mitigation
• More granular ACL: Query level ACLs
• Automatic and dynamic ACL profiling
Database Top 10 Threats: Unauthorized Copies of Sensitive Data
Definition
• Sensitive data copied to new databases without any individual held responsible
Analysis
• Databases created without knowledge of the security team
• Correct security controls not applied
Consequence
• Sensitive data “Out-of-Scope” of assessment
• Illegal access of data
Mitigation
• Data Discovery
• Data Classification
Database Top 10 Threats: Exploitation of Vulnerable, Mis-configured Databases
Definition
• Vulnerable and unpatched databases, and databases with default accounts and configuration parameters which allow unauthorized access
Analysis
• Lengthy database patching process
• Default accounts and configuration parameters
• Weak account names and/or passwords
• Weakened audit parameters
Consequence
• Access to unauthorized data
• Unauthorized data manipulation
• Privilege elevation
• Credential theft
Mitigation
• Database assessment
• Configuration assessment
• Virtual patching
Database Top 10 Threats: Denial of Service
Definition
• Attacks that affect the availability of information from the database to users
Analysis
• Specific vulnerabilities
• Resource oriented attacks
Consequence
• Critical for modern day organizations
• Paralyzing the entire operation of an organization or part of it
Mitigation
• Specific mechanisms for specific vulnerabilities
• Resource control mechanisms
  • Timing responses
  • Sizing responses
  • Connection control
• Problem detection
  • Timing latency in the system
Database Top 10 Threats: Database Communication Protocol Vulnerabilities
Definition
• Tampering with database-related network protocol messages
Analysis
• Proprietary network protocols to communicate data and commands
• Complex (and mostly obscure) protocols are prone to security vulnerabilities
00000000 12 01 00 34 00 00 00 00 00 00 15 00 FF 01 00 1b
00000010 00 01 02 00 1c 00 0c 03 00 28 00 04 ff 08 00 01
00000020 55 00 00 00 4d 53 53 51 4c 53 65 72 76 65 72 00
00000030 a8 07 00 00
Record Size = 52, Field Size = 255
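The hexdump above reads as a 52-byte MS SQL Server TDS PRELOGIN record in which the first option (VERSION) declares a 255-byte field, which is the "record size 52, field size 255" mismatch the slide points at. The Python below is an added example, not code from the deck or from Imperva, of the length-consistency check a protocol validation engine performs; it assumes the MS-TDS layout (8-byte header with a big-endian length at bytes 2-3, then 5-byte option entries of token, offset, length terminated by 0xFF, offsets counted from the start of the payload), and `WELL_FORMED_PACKET` is a constructed corrected copy.

```python
import struct

# The 52 bytes from the hexdump on the slide, re-typed as the sample record.
SAMPLE_PACKET = bytes.fromhex(
    "12 01 00 34 00 00 00 00 00 00 15 00 FF 01 00 1b"
    "00 01 02 00 1c 00 0c 03 00 28 00 04 ff 08 00 01"
    "55 00 00 00 4d 53 53 51 4c 53 65 72 76 65 72 00"
    "a8 07 00 00"
)
# Constructed counterpart: the VERSION option length set to the 6 bytes it really occupies.
WELL_FORMED_PACKET = SAMPLE_PACKET[:11] + b"\x00\x06" + SAMPLE_PACKET[13:]

TDS_PRELOGIN = 0x12  # packet type of a PRELOGIN message (layout assumed per MS-TDS)
HEADER_LEN = 8       # type, status, length (big-endian), SPID, packet id, window
TERMINATOR = 0xFF    # closes the option table

def parse_prelogin(pkt):
    """Return (declared_length, [(token, offset, length), ...]) from the header and option table."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than TDS header")
    ptype, _status, declared_len = struct.unpack(">BBH", pkt[:4])
    if ptype != TDS_PRELOGIN:
        raise ValueError("not a PRELOGIN packet: type 0x%02x" % ptype)
    options, pos = [], HEADER_LEN
    while True:
        if pos >= len(pkt):
            raise ValueError("option table runs off the end of the packet")
        token = pkt[pos]
        if token == TERMINATOR:
            return declared_len, options
        if pos + 5 > len(pkt):
            raise ValueError("truncated option entry at byte %d" % pos)
        offset, length = struct.unpack(">HH", pkt[pos + 1:pos + 5])
        options.append((token, offset, length))
        pos += 5

def validate_prelogin(pkt):
    """Return a list of violations; an empty list means every declared field fits the record."""
    declared_len, options = parse_prelogin(pkt)
    problems = []
    if declared_len != len(pkt):
        problems.append("declared length %d but %d bytes on the wire" % (declared_len, len(pkt)))
    for token, offset, length in options:
        end = HEADER_LEN + offset + length  # option offsets count from the start of the payload
        if end > declared_len:
            problems.append("option 0x%02x: offset %d + length %d ends at byte %d, beyond "
                            "record size %d" % (token, offset, length, end, declared_len))
    return problems
```

Run against `SAMPLE_PACKET` the validator reports the single VERSION option whose 255 bytes cannot fit a 52-byte record, while `WELL_FORMED_PACKET` passes cleanly; a database firewall would drop the former before it reaches the server's parser.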
Consequence
• Unauthorized data access
• Unauthorized data manipulation
• Denial of service
Mitigation
• Protocol validation engine (addresses even unknown vulnerabilities)
• Reactive protocol validation (addresses known vulnerabilities)
Database Top 10 Threats: Backup Data Exposure
Definition
• Unencrypted data on back-up tapes and disk
Analysis
• Many recent incidents where backup media is lost or stolen
Consequence
• Exposure of huge amounts of sensitive information
Mitigation
• End to end encryption
• Disk encryption
• Database encryption
• A better solution is yet to be found!
More Information: www.imperva.com
Blog blog.imperva.com
iTunes/Podcasts www.imperva.com/resources/podcasts.asp
YouTube www.youtube.com/user/ImpervaChannel
Twitter twitter.com/Imperva
Linkedin www.linkedin.com/companies/Imperva
Facebook www.facebook.com/imperva