Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US

© 2012 IBM Corporation Database Security and Compliance Ron Ben-Natan, IBM Distinguished Engineer CTO for Data Security, Compliance and Optimization

Upload: ibm-danmark

Post on 28-Nov-2014

Category: Technology

DESCRIPTION

Presentation from Smarter Business 2012

TRANSCRIPT

Page 1: Do you know where your data is, and who has access to it? Ron Ben Natan, IBM US

© 2012 IBM Corporation

Database Security and Compliance

Ron Ben-Natan, IBM Distinguished Engineer

CTO for Data Security, Compliance and Optimization

Page 2

Database Security in the Forefront

Data loss prevention

Compliance requirements

Mature best practices

7 Steps

• Hardening

• Assessing

• Classifying

• Monitoring

• Auditing

• Enforcing

• Encrypting

Page 3

Which types of information assets are compromised?

Page 4

The “Unknown” Factor

Page 5

Scoping

Infrastructure / Database Discovery:

• Databases

• Hosts

• Applications

Requirements/Initiatives:

• SOX, PCI, DPD

• Basel II, GLBA

• ... Security Breaches

• Sep. of duties ...

Data Classification

Scope & Technical Requirements

Discovery & Classification, Assessing, Auditing, Protecting

Page 6

Example 1 - ANY System Privileges

Oracle has over 100 system privileges

Nearly every ANY system privilege can be used by an attacker to assume DBA privileges:

• EXECUTE ANY PROCEDURE

There are many procedures within the SYS schema that run with definer rights – so if I can run them I can assign myself privileges:

exec sys.dbms_repact_sql_util.do_sql('grant dba to ronb', true);
exec sys.dbms_streams_rpc.execute_stmt('grant dba to ronb');
exec sys.ltadm.executesql('grant dba to ronb');

• CREATE ANY VIEW

- I'll create a procedure that gives me DBA privileges running with invoker rights
- I'll create a view in the SYSTEM schema that will run the procedure
- I'll convince a DBA to access the view

• CREATE ANY TRIGGER

- I'll create a procedure that grants me DBA, running with invoker rights
- Pick a user with DBA privileges
- Pick a table within that user schema for which PUBLIC has some privileges (e.g. SELECT)
- I'll define a trigger on the privilege that PUBLIC has (e.g. SELECT) that calls the procedure
- I'll access the object (since I'm using a PUBLIC privilege)
- I now have DBA privileges! (the trigger runs as the schema owner)

Page 7

Example 2 – UTL_FILE

file_name := utl_file.fopen(<dir>, <file name>, 'w');
utl_file.put_line(file_name, 'abcdefgh', true);
utl_file.fclose(file_name);

The ability to write files to the OS is a very dangerous thing:

• Runs with the database instance owner privileges

• Can be used to delete audit files

• Can be used to delete or corrupt a data file – including the SYSTEM tablespace

• Can use it to change config files

• Can use it to write a .rhosts file to allow access to the OS

• Can use it to write to .cshrc or .login for the oracle OS account

• Can use it to write a login.sql or glogin.sql file to cause a SQL command to be called with privileges of a DBA
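An added example, not from the presentation, of the review a DBA or auditor would run against the exposure described in Examples 1 and 2: who effectively holds an ANY system privilege or EXECUTE on SYS.UTL_FILE once nested roles are resolved. The input rows are constructed to mimic the columns of Oracle's DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TAB_PRIVS views; the user and role names are invented.

```python
"""Effective-privilege review for ANY system privileges (slide 6) and
UTL_FILE access (slide 7). Added example; rows below are constructed to
mimic DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TAB_PRIVS, not real exports."""
from collections import defaultdict

SYS_PRIVS = [                      # (grantee, privilege)
    ("RONB", "CREATE SESSION"),
    ("APP_ROLE", "CREATE ANY TRIGGER"),
    ("REPORTING", "EXECUTE ANY PROCEDURE"),
    ("DBA", "CREATE ANY VIEW"),
]
ROLE_PRIVS = [                     # (grantee, granted_role)
    ("RONB", "APP_ROLE"),
    ("APP_ROLE", "REPORTING"),     # nested: RONB -> APP_ROLE -> REPORTING
    ("SCOTT", "CONNECT"),
]
TAB_PRIVS = [                      # (grantee, owner, table_name, privilege)
    ("APP_ROLE", "SYS", "UTL_FILE", "EXECUTE"),
    ("SCOTT", "SYS", "DBMS_OUTPUT", "EXECUTE"),
]

def expand_roles(grantee, role_privs):
    """Return the grantee plus every role reachable via role-to-role grants."""
    edges = defaultdict(set)
    for g, role in role_privs:
        edges[g].add(role)
    seen, stack = set(), [grantee]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(edges[node])
    return seen

def risky_grants(grantee, sys_privs=SYS_PRIVS, role_privs=ROLE_PRIVS,
                 tab_privs=TAB_PRIVS):
    """Effective ANY system privileges and EXECUTE on SYS.UTL_FILE for one
    grantee; each finding names the user or role the grant actually sits on."""
    holders = expand_roles(grantee, role_privs)
    findings = []
    for g, priv in sys_privs:
        if g in holders and " ANY " in f" {priv} ":
            findings.append((priv, g))
    for g, owner, obj, priv in tab_privs:
        if g in holders and (owner, obj, priv) == ("SYS", "UTL_FILE", "EXECUTE"):
            findings.append(("EXECUTE ON SYS.UTL_FILE", g))
    return sorted(findings)
```

Running `risky_grants("RONB")` shows that the user, who holds nothing dangerous directly, still reaches CREATE ANY TRIGGER, EXECUTE ANY PROCEDURE and UTL_FILE through the role chain.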

Page 8

Assessing

Configuration Assessment

Behavioral Assessment

Security Recommendations

Secure Configuration

Vulnerability Assessment

Scope & Technical Requirements

Change Tracking

CAS Proven Config

Compliance

Assessing & Securing

Page 9

“Though some movie plots would have us believe otherwise, cyber attacks in the real world rarely involve Mission Impossible-like scenarios. Quite the opposite, in fact.”

Complexity

Page 10

Example 3 - Passwords

• Spida – Microsoft SQL Server

- Empty sa password
- Xp_cmdshell
- Propagation
- Made it to 4th place in SANS “Top Ten”

• APPS/APPS

weblogic.jdbc.connectionPool.eng=\
  url=jdbc:weblogic:oracle,\
  driver=weblogic.jdbc.oci.Driver,\
  loginDelaySecs=2,\
  initialCapacity=50,\
  capacityIncrement=10,\
  maxCapacity=100,\
  props=user=scott,password=tiger,server=ORCL

<ias-resources>
  <jdbc>
    <database>ORCL</database>
    <datasource>ORCL</datasource>
    <username>scott</username>
    <password>tiger</password>
    <driver-type>ORACLE_OCI</driver-type>
  </jdbc>
</ias-resources>

Provider=SQLOLEDB;Data Source=192.168.1.32;Initial Catalog=Northwind;User ID=sa;Password=sapwd;
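An added example, not from the presentation, that detects and redacts clear-text passwords in the three configuration shapes shown above (WebLogic pool properties, iAS XML and an OLE DB connection string). The sample text is constructed; the `${VAULT:...}` reference and the 192.0.2.10 address are invented to show a value the scanner must leave alone.

```python
"""Find and redact literal database passwords in configuration text of the
three shapes on slide 10 (WebLogic pool properties, iAS <password> XML,
OLE DB connection strings). Added example, not from the presentation."""
import re

# Constructed sample modelled on the slide's snippets; 192.0.2.10 is a
# documentation address, and the last line is a vault reference that a
# scanner must not report as a literal secret.
SAMPLE = """\
weblogic.jdbc.connectionPool.eng=\\
  url=jdbc:weblogic:oracle,\\
  props=user=scott,password=tiger,server=ORCL
<ias-resources><jdbc>
  <username>scott</username>
  <password>tiger</password>
</jdbc></ias-resources>
Provider=SQLOLEDB;Data Source=192.0.2.10;User ID=sa;Password=sapwd;
# indirection, not a literal secret:
password=${VAULT:db/app}
"""

KEY_VALUE = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^,;\s\\'\"]+)")
XML_ELEMENT = re.compile(r"(?i)<password>\s*([^<\s]+)\s*</password>")

def is_literal(value):
    """Treat ${...} vault/environment indirections as non-findings."""
    return not value.startswith("${")

def find_credentials(text):
    """Return (line_number, kind, value) for every literal password found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_VALUE.finditer(line):
            if is_literal(m.group(2)):
                findings.append((lineno, "key=value", m.group(2)))
        for m in XML_ELEMENT.finditer(line):
            if is_literal(m.group(1)):
                findings.append((lineno, "xml", m.group(1)))
    return findings

def redact(text):
    """Mask literal password values so the file can be shared in a report."""
    def kv(m):
        return m.group(0) if not is_literal(m.group(2)) else f"{m.group(1)}=*****"
    def xml(m):
        return m.group(0) if not is_literal(m.group(1)) else "<password>*****</password>"
    return XML_ELEMENT.sub(xml, KEY_VALUE.sub(kv, text))
```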

Page 11

Example 4 - Buffer Overflow Attacks

Sapphire worm / SQL Slammer

“Zero-day attack”

Page 12

Monitoring & Auditing

Scope & Technical Requirements

Investigation Support

Audit Compliance

Auditing Policy

Audit Trails

Data Access Investigation

Privileged User Monitoring & Auditing

Application Monitoring

Page 13

Compliance – Many Regulations – Internal & External

Page 14

Breach Discovery

Page 15

Page 16

More Oracle Performance tests

• Sun E6500, 28 CPUs, 28 GB

• 100 concurrent connections

• Each doing inserts (real application table, with indexes etc.)

• 100 ms delay between each insert

Page 17

Before Any Auditing

Throughput – Approximately 19,000 inserts per minute

last pid: 21715; load averages: 7.27, 4.66, 3.41   10:29:02
271 processes: 269 sleeping, 2 on cpu
CPU states: 66.3% idle, 25.3% user, 2.6% kernel, 5.8% iowait, 0.0% swap
Memory: 26G real, 20G free, 4885M swap in use, 32G swap free

  PID USERNAME LWP PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
15044 oracle10  12  49    0 2137M  965M sleep    1:17  0.34% oracle
20904 oracle10   1  59    0 2123M  970M sleep    0:15  0.31% oracle
20773 oracle10   1  39    0 2124M  971M sleep    0:16  0.31% oracle
20932 oracle10   1  59    0 2123M  970M sleep    0:14  0.31% oracle
21008 oracle10   1  59    0 2123M  971M sleep    0:13  0.31% oracle
20946 oracle10   1  59    0 2123M  971M sleep    0:13  0.31% oracle
20789 oracle10   1  59    0 2123M  970M sleep    0:16  0.30% oracle
20873 oracle10   1  59    0 2123M  971M sleep    0:15  0.30% oracle
20958 oracle10   1  54    0 2123M  971M sleep    0:13  0.30% oracle
21004 oracle10   1  59    0 2123M  970M sleep    0:13  0.30% oracle
20795 oracle10   1  59    0 2123M  970M sleep    0:15  0.30% oracle
21002 oracle10   1  59    0 2123M  971M sleep    0:13  0.30% oracle
20867 oracle10   1  53    0 2124M  972M sleep    0:15  0.29% oracle

Page 18

Oracle with Standard Auditing

Throughput – Approximately 13,000 inserts per minute

30% drop in throughput

Load average almost double

last pid: 7622; load averages: 14.51, 9.90, 8.72   11:32:32
271 processes: 269 sleeping, 2 on cpu
CPU states: 28.2% idle, 66.5% user, 3.0% kernel, 2.3% iowait, 0.0% swap
Memory: 26G real, 19G free, 4930M swap in use, 32G swap free

  PID USERNAME LWP PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
 4036 oracle10   1  59    0 2124M 1239M sleep    1:13  0.65% oracle
 4082 oracle10   1  59    0 2124M 1239M sleep    1:12  0.65% oracle
 4086 oracle10   1  59    0 2124M 1239M sleep    1:12  0.65% oracle
 4055 oracle10   1  55    0 2124M 1239M sleep    1:13  0.64% oracle
 4034 oracle10   1  59    0 2124M 1239M sleep    1:12  0.64% oracle
 4139 oracle10   1  59    0 2124M 1239M sleep    1:12  0.64% oracle
 4174 oracle10   1  53    0 2124M 1239M sleep    1:11  0.64% oracle
 4162 oracle10   1  59    0 2124M 1239M sleep    1:11  0.64% oracle
 3927 oracle10   1  35    0 2124M 1239M sleep    1:09  0.64% oracle
 4078 oracle10   1  51    0 2124M 1239M sleep    1:09  0.63% oracle
 4010 oracle10   1  59    0 2124M 1239M sleep    1:12  0.61% oracle
 3947 oracle10   1  59    0 2124M 1239M sleep    1:12  0.61% oracle
 3939 oracle10   1  23    0 2124M 1239M sleep    1:13  0.61% oracle
 4119 oracle10   1  59    0 2124M 1239M sleep    1:10  0.61% oracle
 4020 oracle10   1  41    0 2124M 1239M sleep    1:11  0.60% oracle

Page 19

Database Activity Monitoring - DAM

• Other reasons to look beyond native auditing:

- Heterogeneous support
- Easier to deploy and manage
- IPC interception to avoid impact to the database
- Functionality/Maturity: security and auditing, assessments, policies, change management, audit (as opposed to auditing), automation, compliance packages
- Independence of the audit trail
- Separation of duties
- Allows security functions such as prevention and redaction

Page 20

Security Monitoring & Data Protection

Scope & Technical Requirements

Violations & Incidents

Access Compliance

Data Extrusion Protection

Data Access Protection

Monitoring & Anomaly Detection

Privileged User Access Control

Remediation

Protecting

Page 21

IBM Guardium - Addressing the Full Lifecycle

Page 22

Scalable Multi-Tier Architecture

Integration with LDAP/AD, IAM, Change Management, SIEM, Archiving, etc.

Optim: Development, Test & Training

Data Center 1, Data Center 2

Data-Level Access Control (S-GATE)

Collectors

Central Policy Manager & Audit Repository

IBM System z

Host-Based Probe (S-TAP)

Page 23

Thank you!