building a database security program
DESCRIPTION
This presentation was given at the BSidesMemphis 2012 and DerbyCon 2012 information security conferences. It lays out the process that a person should follow to implement a database security program specific to their organization.
TRANSCRIPT
BUILDING A DATABASE SECURITY PROGRAM
Matt Presson
@matt_presson
Sr. Information Security Analyst, Leading Multi-National Insurance Brokerage
WHO AM I?
Sr. Information Security Analyst
Focus mainly on Application Security and related issues
Recently focused on designing a database security program
OBJECTIVE
Why database security is important
The process of developing the program
What to watch out for
NOT giving a blueprint!
WHY DATABASE SECURITY?
BECAUSE WE ARE FAILING!
WHY DATABASE SECURITY?
It stores your most sensitive data
Traditional controls are not adapted to new attacks
  Firewalls
  IDS, IPS
  AV, HIDS and HIPS
  Full Disk Encryption
Breaches are still happening!
WHY DATABASE SECURITY?
HIGH-LEVEL OVERVIEW
Planning
  Determine Stakeholders
  Goals & Focus Areas
  Standards & Policies
Implementation
  Discover & Assess
  Secure Access
  Secure Infrastructure
  Monitor
Ongoing Management
  Periodic Audits
  Review and Update Standards
  Review and Update Policies
PLANNING
Determine stakeholders
  People with a vested interest in keeping data safe
  Not just a part of the security department
    Critical business leaders
    Compliance/Audit organization
    Application support managers
Determine your goals and areas of focus
  Address current business issues and concerns
  Unique to each organization
PLANNING
Standards and Policies
  Build configurations
  Password complexity
  Access control
  Permissions management
  Data classification
PLANNING
Data Classification
  Different levels of assurance for different data types
  Keep it SIMPLE!
  Example (security viewpoint):
    Confidential – e.g. HR data, Financials, etc.
    Internal – e.g. Org Charts
    Public – Released earnings info, Company tweets, etc.
IMPLEMENTATION LIFECYCLE
Discover and Assess
Secure Access
Secure Infrastructure
Monitor
DISCOVERY AND ASSESSMENT
Focus at the application layer
Gather a manageable list of business critical apps
  What are your most important systems?
  What applications have the largest impact on your ability to do business?
  What systems do our auditors/regulators care about most?
SECURE ACCESS
Minimize the number of accounts
  Get a list of accounts from DBA
  Group the accounts by usage, e.g. Applications, DBAs, Individuals (normal and admin)
Reduce the number of admin accounts
  Talk to the person – determine what the real need is
Minimize account permissions
  Can you use a view? What about a stored procedure?
SECURE ACCESS
Control where accounts access from
  Are web and application servers ok?
  Should DBAs have access directly from their workstations?
  Should employees have access from their workstations?
  Do you need terminal servers or bastion hosts?
  Should a database be accessible from the Internet?
SECURE INFRASTRUCTURE
Ensure you are up-to-date on OS patches
  Free / Commercial scanners
  Windows Update
  *nix distro repositories
Don’t forget about the DB software itself!
  MySQL authentication bypass – CVE-2012-2122
  Oracle TNS Poisoning – CVE-2012-1675
  SQL Server 2003 Local Administrator group
MONITORING
Watch what your employees are doing
  Built-in transaction logs or auditing solutions
  Third-party tools
  Database triggers
Have different levels of monitoring
  Failed logins for everyone
  All activity by privileged accounts
  Individual account activity outside of “the norm”
MONITORING
Watch for specific events
  Access outside of the normal activity period
  Failed login attempts
  Returning too much sensitive data
  Abnormally high number of requests
  SQL injection attempts
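As an added example (not code from the talk), the rules from the two MONITORING slides applied to a few constructed audit log lines: failed logins counted for everyone, all activity by privileged accounts, access outside the normal activity period, and a signature check for SQL injection attempts. The log format, account names, business-hours window and thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit log (not real data). Format: date time user host OK|FAIL statement
AUDIT_LOG = """\
2012-09-28 09:15:02 app_svc web01 OK SELECT id FROM customers WHERE id=42
2012-09-28 09:15:05 jdoe ws-jdoe OK SELECT name FROM orgchart
2012-09-28 09:16:10 jdoe ws-jdoe FAIL login
2012-09-28 09:16:12 jdoe ws-jdoe FAIL login
2012-09-28 09:16:14 jdoe ws-jdoe FAIL login
2012-09-28 14:02:33 app_svc web01 OK SELECT id FROM customers WHERE id='' OR '1'='1'
2012-09-28 23:41:07 sa dba-jump OK ALTER LOGIN reports WITH PASSWORD='x'
2012-09-28 23:42:19 asmith ws-asmith OK SELECT ssn FROM hr_payroll
"""
LINE_RE = re.compile(r"^(\S+) (\d\d):\d\d:\d\d (\S+) (\S+) (OK|FAIL) (.*)$")

PRIVILEGED = {"sa", "sys", "root"}        # assumed admin accounts: record everything they do
SERVICE = {"app_svc"}                     # assumed application accounts that run around the clock
BUSINESS_HOURS = range(7, 19)             # assumed "normal activity period": 07:00-18:59
FAILED_LOGIN_THRESHOLD = 3                # failures per user before alerting
# Tautology / stacked-query signatures commonly used to spot injection attempts
INJECTION_RE = re.compile(r"('\s*or\s*'1'\s*=\s*'1|union\s+select|;\s*drop\s)", re.I)


def analyze(log_text):
    """Apply the slides' monitoring rules; returns {rule: [human-readable hits]}."""
    alerts = defaultdict(list)
    failed = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip lines that do not fit the format
        _date, hour, user, host, status, stmt = m.groups()
        if status == "FAIL" and stmt == "login":
            failed[user] += 1                 # failed logins: counted for everyone
        if user in PRIVILEGED:
            alerts["privileged_activity"].append(f"{user}@{host}: {stmt}")
        if user not in SERVICE and int(hour) not in BUSINESS_HOURS:
            alerts["off_hours"].append(f"{user}@{host} at {hour}:xx")
        if INJECTION_RE.search(stmt):
            alerts["sqli_attempt"].append(f"{user}@{host}: {stmt}")
    for user, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts["failed_logins"].append(f"{user}: {n} failures")
    return dict(alerts)


if __name__ == "__main__":
    for rule, hits in analyze(AUDIT_LOG).items():
        print(rule, hits)
```

Real deployments would feed this from the database's own audit trail or a third-party tool rather than a text file, and the "abnormally high number of requests" rule needs a per-account baseline that a single day's sample cannot supply.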
ONGOING MANAGEMENT
Periodically audit completed systems
  Work with your DBAs
  Collaborate with internal audit
Keep your documentation current
  Review updated vendor documents
  Discuss upcoming migration plans with technology teams
SUMMARY
We have to protect the data
Engage with the business
  Determine their concerns
  Address their issues
  Become a business partner/enabler
Secure your most critical systems first
Don’t forget about the infrastructure
Monitor, monitor, monitor
Stay current
QUESTIONS?
APPENDIX 1 – STANDARDS AND POLICIES
Resources
  Database Vendor
  NIST
  Government Agencies, e.g. NSA
  Standards Bodies, e.g. SANS, IANS
  International CERTs
  Existing company documentation