material clase seg db.pdf
8/10/2019 Material clase Seg DB.pdf
1/78
Database Security
Ing. Alfredo Juan Haln Tafich M.C.
Translation of technical terms
Data breach: Fuga o pérdida de datos.
Organization asset: Activos de la organización.
Forensic analysis: Análisis forense.
Security regulations: Normas de seguridad.
Regulatory compliance: Cumplimiento de normas.
Data encryption: Cifrado de datos.
Threat: Amenaza.
The cost of a data breach
Data constitutes an organization's most important and prized asset. Information can describe an institution's relationship with its customers, competitive or proprietary processes, trading relationships with partners, and tactical and strategic positioning against its competitors. When data is lost or stolen, real and significant damage can occur.
Potential costs are associated with developing and understanding additional security infrastructure, such as encryption and auditing solutions.
Actions after a data breach
Forensic analysis and internal investigation of the theft.
Notification campaign: emails, phone calls, letters, and so on.
Call center costs due to increased volume of customer traffic.
Legal costs for defense and investigation.
Internal investigations resulting in mitigation.
Classify to salvage customer and investor relations.
Fees and penalties.
Indirect costs after a data breach
Loss of employee productivity.
Erosion of customer base due to loss of confidence.
Reticence of new customers to establish relationships.
Reduced shareholder confidence and value.
Decreased competitive standing.
ROI calculation.
Regulatory compliance
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Gramm-Leach-Bliley Act of 1999 (GLBA)
Sarbanes-Oxley Act (SOX)
California Senate Bill 1386 (SB 1386)
Payment Card Industry Data Security Standard (PCI)
IBM Data Server Security (ISS)
Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), Mexico's Federal Law on the Protection of Personal Data Held by Private Parties
HIPAA
Also known as Public Law 104-191 or the Kennedy-Kassebaum Bill, it is an act passed by the U.S. Congress and signed into effect on August 21, 1996. Its goals:
Guarantee health insurance coverage of employees.
Reduce health care fraud and abuse.
Implement administrative simplification to augment the effectiveness and efficiency of the health care system.
Protect the health information of individuals against access without consent or authorization.
GLBA
Enacted on November 12, 1999, approximately seven months after the merger between Citicorp and Travelers Group to form Citigroup. Its requirements:
Ensure the security and privacy of customer information.
Protect against threats to the security and integrity of customer information.
Protect against unauthorized access to or usage of this information that could result in harm or inconvenience to the customer.
SOX
Passed by the U.S. Senate and the U.S. House of Representatives with large majorities and signed into law on July 30, 2002. Areas it covers:
Audit committee issues.
Audit committee expertise.
Enhanced review of periodic disclosures.
New oversight board for corporate governance.
Certification of financial statements.
Improper influence on the conduct of audits.
Forfeiture of bonuses and profits (in some cases).
Off-balance sheet transactions.
Pro-forma financial information.
Dealings with securities analysts.
SB 1386
In September 2002, the Governor of California signed Senate Bill 1386 into effect. In effect this means that any business that maintains personal information of a resident of California must have the appropriate provisions and capabilities to know when this information may have been accessed by an unauthorized person.
PCI
The standard includes 12 requirements across six categories, concentrating on data authentication, access control, audits, and data encryption. To comply, companies that handle payment card information are required to establish stringent security policies, processes, and procedures.
ISS
Securing data requires a holistic and layered approach that considers the broad range of threats. This is commonly referred to as defense in depth, and requires a security by design approach, where multiple layers of security work together to provide the three ultimate objectives of security, commonly known as the CIA triad: confidentiality, integrity, and availability.
LFPDPPP
How does it apply?
Where does it start?
What does the privacy notice include?
How is the Law complied with?
Is there a technological solution?
Database Components
Database Server Infrastructure
Network Components
Application Structure
Clients (End Point)
Database Server Infrastructure
Server Hardware
Server Operating System: Windows, Unix, Linux
Server DBMS: Oracle, Informix, DB2, SQL Server, etc.
Network Components
Core Switch
Switches
Routers
Access Points
Application Structure
Programming Language: Visual Basic, PSP, etc.
SQL elements: Database, Tables, Stored Procedures, etc.
Clients (End Point)
Traditional PC
Screen emulation (3270 type)
Bar code reader
Printers and scanners
Internet access
Database Elements
Tables: Primary Key, Foreign Key
Indexes: Unique, Multiple
Data Model: Entities, Associations (1-M, M-M)
Synonyms
Views
Etc.
Normalization
Primary Key
A primary key is a column or group of (non-superfluous) columns that ensures the uniqueness of rows within a table. A primary key that consists of more than one column is a composite primary key.
Primary keys do not imply either sequence or access path.
Primary keys are indicated by the letters PK under the appropriate column heading(s).
Assuming that EMPLOYEE.NUMBERs are always unique:

EMPLOYEE.NUMBER | EMPLOYEE.NAME | HIRE.DATE | BIRTH.DATE | SALARY.AMOUNT
PK              |               |           |            |
Primary Key ..
Assuming that the combination of ORDER.NUMBER and PART.NUMBER is always unique (PK + marks the columns of a composite primary key):

ORDER.NUMBER | PART.NUMBER | ORDERED.QUANTITY | SHIPPED.QUANTITY
PK +         | PK +        |                  |

Primary key values may not be null because a row without a primary key cannot (technically) be distinguished from other rows in the same table. Primary key values must never be null (PK implies NN).
Primary Key ..
By definition, primary key columns may not contain duplicate values (PK implies ND).
This rule is currently the subject of debate among relational database theorists. In certain cases, it seems desirable to allow changes to some composite primary keys. Generally speaking, however, it is advisable to abide by the rule.
Foreign Key
A foreign key is a column or group of columns that is not the whole primary key of a table, but is based upon the same domain(s) as the primary key of the same, or some other, table. A foreign key that consists of more than one column is a composite foreign key.
EMPLOYEE.DEPT.CODE is a foreign key since it is not the primary key of the EMPLOYEE table, but is based upon the same domain as the primary key of the DEPT table.

DEPT:     DEPT.CODE | DEPT.NAME
          PK        |
EMPLOYEE: EMPLOYEE.NUMBER | EMPLOYEE.NAME | DEPT.CODE
          PK              |               | FK
Foreign Key ..
ORDER.CUSTOMER.NUMBER is a foreign key since it is not the primary key of the ORDER table, but is based upon the same domain as the primary key of the CUSTOMER table.

CUSTOMER: CUSTOMER.NUMBER | CUSTOMER.NAME
          PK              |
ORDER:    ORDER.NUMBER | CUSTOMER.NUMBER
          PK           | FK

Locate the foreign key(s) in the following tables:

BUILDING: BUILDING.NUMBER | BUILDING.NAME
          PK              |
DEPT:     DEPT.NUMBER | DEPT.NAME | BUILDING.NUMBER
          PK          |           |

MANAGER:  MANAGER.NUMBER | MANAGER.NAME
          PK             |
PROJECT:  PROJECT.NUMBER | PROJECT.NAME | MANAGER.NUMBER
          PK             |              |
Reading tables
The system is concerned with departments and employees (from the table
Given these two tables,

DEPT:     DEPT.CODE | DEPT.NAME
          PK        | NN, ND
EMPLOYEE: EMPLOYEE.NUMBER | EMPLOYEE.NAME | DEPT.CODE
          PK              | NN            | FK

the constraints can be read as follows:
Each department must have a department code (PK implies NN).
Each department code is unique (PK implies ND).
Department codes are not subject to change (PK implies no changes).
Every department has a department name (NN).
Every department has only one department name (each department code appears on only one row).
No two departments have the same name (ND).
Each department may have zero, one or more employees (FK).
All employees have employee numbers (PK implies NN).
Each employee number is unique (PK implies ND).
Employee numbers cannot be modified (PK).
And so forth...
Data Model
A data model is a collection of constructs, operators and integrity rules which together support a dynamic representation of real-world objects and events.
Constructs
Constructs are the basic building blocks of a data model. Relational data models use a single type of construct, tables.
Operators
Operators are the means whereby the data in a data model is maintained and retrieved. Typical relational operators are add, change, delete, select, project, join, group, and so forth.
Integrity Rules
Integrity rules serve to maintain order and consistency in a data model. No null, no duplicate, primary key and foreign key constraints are examples of integrity rules.
Entities
An entity is a person, place or thing, of interest to the user community, about which the system is to maintain, correlate, and display information.
Entities are nouns.
Entities have existence in, and of, themselves and are therefore not dependent upon, or subordinate to, something else.
Entities may be tangible (such as buildings or employees), intangible (like departments or accounts), or semi-tangible (orders, perhaps, or invoices).
Characteristics of entities (such as an employee's name), and other information about entities (the total number of customers, or the average number of orders placed in May) are not considered entities.
Associations
An association is a relationship between two or more entities (or other associations), of interest to the user community, about which the system is to maintain, correlate and display information.
Associations occur in three forms: one-to-one (1:1), one-to-many (1:M), and many-to-many (M:M).
Associations are within the scope of the system.
Associations typically occur between one entity and another (customers and orders, for example, or orders and parts), but can involve any number of entities and interrelationships (see the topic "Complex Associations" in Section Four for a further discussion of this matter).
The three forms of association are discussed in the following topics.
One to One associations
A one-to-one association occurs when two entities (say, A and B) are related as follows: each occurrence of entity A is related to at most one occurrence of entity B, and each occurrence of entity B is related to at most one occurrence of entity A.
One-to-one associations are relatively rare.
One-to-one associations are modeled by placing the primary key of the entity A table as a foreign key, no duplicates (FK, ND) column in the entity B table.
(Figure: entity A linked one-to-one to entity B.)
One to One associations ..
The data model for the one-to-one association above is:

A:  A KEY        B:  B KEY | A KEY
    PK               PK    | FK, ND
    A1               B1    | A1
    A2               B2    | A3
    A3               B3    | A5
    A4
    A5

Foreign keys that model one-to-one associations should be placed to minimize or eliminate null values.
Since one-to-one associations are symmetrical, either key may be placed in the other table.
One to Many associations
A one-to-many association occurs when two entities (say, A and B) are related as follows: each occurrence of entity A is related to zero, one or more occurrence(s) of entity B, but each occurrence of entity B is related to at most one occurrence of entity A.
One-to-many associations are quite common.
One-to-many associations are modeled by placing the primary key of the entity A table as a foreign key (FK) column in the entity B table.
(Figure: entity A linked one-to-many to entity B.)
One to Many associations ..
The data model for the one-to-many association above is:

A:  A KEY        B:  B KEY | A KEY
    PK               PK    | FK
    A1               B1    | A1
    A2               B2    | A3
    A3               B3    | A1
                     B4    | A1
                     B5    | A3

Since one-to-many associations are not symmetrical, the A key must be placed in the B table, and not vice versa.
Note that 1:M associations in tabular form look exactly like 1:1 associations, with the exception of the "ND" integrity constraint.
Many to Many associations
A many-to-many association occurs when two entities (say, A and B) are related as follows: each occurrence of entity A is related to zero, one or more occurrence(s) of entity B, and each occurrence of entity B is related to zero, one or more occurrence(s) of entity A.
Many-to-many associations are quite common.
Many-to-many associations are modeled by defining a new table with a composite primary key. The components of the new primary key are the primary keys of the entity A and entity B tables. Both components of the new primary key are also individual foreign keys.
Many to Many associations ..
The data model for the M:M association described above is:

A:  A KEY      B:  B KEY      A/B:  A KEY   | B KEY
    PK             PK               PK + FK | PK + FK
    A1             B1               A1      | B1
    A2             B2               A1      | B2
                                    A2      | B1

Since many-to-many associations are symmetrical, and since the order of the columns of a table is arbitrary, the above table could have been drawn in reverse (B/A, the B Key first).
Attributes
An attribute is a characteristic or quality of an entity or an association, of interest to the user community, about which the system is to maintain, correlate and display information.
Attributes may be related to either entities (the name of a customer, for example) or associations (say, the quantity of a particular part on a particular order).
All columns of a table are technically attributes of that table, and therefore are also attributes of the entity or association modeled by that table. But it is useful to distinguish between three different "roles" that attributes can play in a table.
Attributes ..
1.- Primary key attributes identify the entity or association modeled by a table.
2.- Foreign key attributes define relationships between entities and other entities and/or associations.
3.- Other attributes (that are neither primary key nor foreign key components) further describe the entity or association modeled by a table.
Database Security
Concerns the use of a broad range of information security controls to protect databases (potentially including the data, the database applications or stored functions, the database systems, the database servers and the associated network links) against compromises of their confidentiality, integrity and availability.
It involves various types or categories of controls, such as technical, procedural/administrative and physical. Database security is a specialist topic within the broader realms of computer security, information security and risk management.
Database Security ..
Security risks to database systems include, for example:
Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers, or by unauthorized users or hackers (e.g. inappropriate access to sensitive data, metadata or functions within databases, or inappropriate changes to the database programs, structures or security configurations);
Malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems and the unanticipated failure of database services;
Overloads, performance constraints and capacity issues resulting in the inability of authorized users to use databases as intended;
Database Security ..
Security risks (continued):
Physical damage to database servers caused by computer room fires or floods, overheating, lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures and obsolescence;
Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities (e.g. unauthorized privilege escalation), data loss/corruption, performance degradation etc.;
Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in database or system administration processes, sabotage/criminal damage etc.
Database Security ..
Many layers and types of information security control are appropriate to databases, including:
Access control
Auditing
Authentication
Encryption
Integrity controls
Backups
Application security
Database architecture
Access control
Access control is the selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.
Locks and login credentials are two analogous mechanisms of access control.
Auditing
Database auditing involves observing a database so as to be aware of the actions of database users. Database administrators and consultants often set up auditing for security purposes, for example, to ensure that those without the permission to access information do not access it.
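Database auditing as described above, as an added example (not code from the course): triggers record every change to the EMPLOYEE table's SALARY.AMOUNT and every deleted row, and a review function flags the audited actions an administrator would want to look at. It assumes SQLite, a single-row session_actor table the application sets after login (a stand-in for the session user a server DBMS records on its own), and the constructed scenario in run_scenario().

```python
# Added example: trigger-based audit trail for salary changes, plus a review
# that flags writes by unapproved actors, oversized raises and deletions.
import sqlite3

SCHEMA = """
CREATE TABLE employee (
    employee_number INTEGER PRIMARY KEY,
    employee_name   TEXT NOT NULL,
    salary_amount   REAL NOT NULL);
CREATE TABLE session_actor (actor TEXT NOT NULL);   -- assumed: set by the app after login
CREATE TABLE salary_audit (
    id              INTEGER PRIMARY KEY AUTOINCREMENT,
    at              TEXT NOT NULL DEFAULT (datetime('now')),
    actor           TEXT NOT NULL,
    action          TEXT NOT NULL,
    employee_number INTEGER NOT NULL,
    old_salary      REAL,
    new_salary      REAL);
-- Every salary change and every deletion is recorded, whoever performs it.
CREATE TRIGGER audit_salary_update AFTER UPDATE OF salary_amount ON employee
BEGIN
    INSERT INTO salary_audit (actor, action, employee_number, old_salary, new_salary)
    VALUES ((SELECT actor FROM session_actor), 'UPDATE',
            NEW.employee_number, OLD.salary_amount, NEW.salary_amount);
END;
CREATE TRIGGER audit_employee_delete AFTER DELETE ON employee
BEGIN
    INSERT INTO salary_audit (actor, action, employee_number, old_salary, new_salary)
    VALUES ((SELECT actor FROM session_actor), 'DELETE',
            OLD.employee_number, OLD.salary_amount, NULL);
END;
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_actor(conn, actor):
    """Record who the application is acting for; the triggers read this row."""
    conn.execute("DELETE FROM session_actor")
    conn.execute("INSERT INTO session_actor VALUES (?)", (actor,))


def review_audit(conn, allowed_actors=("hr_app",), max_raise_pct=20.0):
    """Return the audit rows that need a human look, each with its reasons."""
    flagged = []
    rows = conn.execute(
        "SELECT id, actor, action, employee_number, old_salary, new_salary "
        "FROM salary_audit ORDER BY id").fetchall()
    for audit_id, actor, action, emp, old, new in rows:
        reasons = []
        if actor not in allowed_actors:
            reasons.append(f"actor {actor!r} is not an approved writer")
        if action == "DELETE":
            reasons.append("row deleted")
        elif old and new is not None:
            pct = (new - old) / old * 100.0
            if pct > max_raise_pct:
                reasons.append(f"raise of {pct:.1f}% exceeds {max_raise_pct:.1f}%")
        if reasons:
            flagged.append({"id": audit_id, "employee": emp, "reasons": reasons})
    return flagged


def run_scenario():
    """Constructed scenario: a routine raise, an oversized raise by a DBA, a deletion."""
    conn = new_db()
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                     [(1, "Mary", 1000.0), (2, "Bob", 2000.0), (3, "Ann", 1500.0)])
    set_actor(conn, "hr_app")
    conn.execute("UPDATE employee SET salary_amount = 1100.0 WHERE employee_number = 1")
    set_actor(conn, "dba_jane")  # direct change made outside the HR application
    conn.execute("UPDATE employee SET salary_amount = 5000.0 WHERE employee_number = 2")
    set_actor(conn, "hr_app")
    conn.execute("DELETE FROM employee WHERE employee_number = 3")
    conn.commit()
    return review_audit(conn)
```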
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program, tracing the origins of an artifact, or ensuring that a product is what its packaging and labeling claims to be.
Encryption
Encryption is the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but that authorized parties can.
Backups
A backup, or the process of backing up, refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event.
Backups have two distinct purposes. The primary purpose is to recover data after its loss, be it by data deletion or corruption. Data loss can be a common experience of computer users. A 2008 survey found that 66% of respondents had lost files on their home PC.
The secondary purpose of backups is to recover data from an earlier time, according to a user-defined data retention policy, typically configured within a backup application for how long copies of data are required. Though backups popularly represent a simple form of disaster recovery, and should be part of a disaster recovery plan, by themselves, backups should not alone be considered disaster recovery. One reason for this is that not all backup systems or backup applications are able to reconstitute a computer system or other complex configurations such as a computer cluster, active directory servers, or a database server, by restoring only data from a backup.
Application security
Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the
Database architecture
Hierarchical architecture
Network architecture
Relational architecture
Object Oriented architecture
Information Security
One of the greatest challenges in IT management is handling information security.
Internet-based technology.
The potential damage caused by attacks could halt an organization's operations.
Security in the Internet era
Today, all executives of a company need to understand the threats to Internet-based systems.
Since 1996, the Computer Security Institute and the San Francisco Federal Bureau of Investigation Computer Intrusion Squad have conducted annual surveys of companies to learn about the crimes committed.
Types of Attacks
(Survey chart; only the title survives.)
Losses in 2006
(Survey chart; only the title survives.)
Security Technologies used
(Survey chart; only the title survives.)
5 Pillars of Security
Authentication: verify the authenticity of users.
Identification: identify users in order to grant access.
Privacy: protect the information.
Integrity: keep the information in its original form.
Non-repudiation: no one can deny that a transaction occurred.
Disaster recovery
While information systems are only one part of a company's operations, they have become a crucial part.
Using internal resources:
Multiple computing centers
Distributed processing
Communications backup
LANs
Using external resources:
Integrated services
Specialized services
Data storage
Using internal resources: Multiple computing centers
In recent years, and to save money, companies have consolidated their multiple computing centers into a single one. September 11 caused this to change, since multiple centers can provide emergency backup for critical services. For data backup, companies have remote sites with disks that are updated regularly and can be accessed online or in batch mode.
Using internal resources: Distributed processing
Other organizations use distributed processing to recover from a disaster. They perform critical processing locally rather than
continue uninterrupted in the event of a disaster at the computing center. Because of the cost of this alternative, due to data redundancy, it is normally used only for applications that must continue operating, for example: order processing and financial transactions.
Using internal resources: Communications backup
Companies handle communications backup in two ways:
Duplicating their facilities
Using carrier services
LANs: servers on one LAN can be used to back up servers on other LANs.
Using external resources
Integrated services: full backup of the client's facilities.
Specialized services: partial backup of the client's facilities.
Data storage: fire-resistant vaults that can keep the data online.
Database Vulnerability
Vulnerability refers to the inability to withstand the effects of a hostile environment. A window of vulnerability (WoV) is a time frame within which defensive measures are reduced, compromised or lacking.
Default, blank, and weak username/password
It might be a daunting task at an organization that has to keep track of hundreds or even thousands of databases. But removing default, blank and
database armor. The bad guys are keeping track of default accounts, and they'll use them when they can.
To create a strong password:
Don't use words that can be easily guessed or found in the dictionary.
Create a complex sentence instead of a word.
Do not share your password with anyone, or write it down and leave it in your desk drawer.
SQL injections
When your database platform fails to sanitize inputs, attackers are able to
eventually allowing them to elevate privileges and gain access to a wide spectrum of functionality. A lot of vendors have released fixes to prevent these problems, but it won't do much good if your DBMS remains unpatched.
For example, the model SQL code might be:
SELECT Count(*) FROM UsersTable
WHERE UserName = 'contents of username textbox'
AND Password = 'contents of password textbox';
When a user enters a valid username, such as Mary, and a password of qwerty, the SQL query becomes:
SELECT Count(*) FROM UsersTable
WHERE UserName='Mary'
AND Password='qwerty';
However, if a user enters the following as a username: ' OR 1=1 -- the SQL query becomes:
SELECT Count(*) FROM UsersTable
WHERE UserName='' OR 1=1 -- ' AND Password='';
The expression 1 = 1 is true for every row in the table, causing the OR clause to return a value of true. The double hyphens comment out the rest of the SQL query string. This query will return a count greater than zero, assuming there is at least one row in the users table, resulting in what appears to be a successful login. In fact, it is not. Access to the system was successful without a user having to know either a username or password.
Extensive user and group privileges
Organizations need to ensure privileges are not given to users who will
Rothacker recommends only making users part of groups or roles and administering the rights through those roles, which can be managed collectively more easily than if users were assigned direct rights.
Unnecessarily enabled database features
Every database installation comes with add-on packages of all shapes and sizes that are mostly going to go unused by any one organization. Since the name of the game in database security is to reduce attack surfaces, enterprises need to look for packages they don't use and disable or uninstall
but it also simplifies patch management. When those packages need patching, your organization won't need to scramble.
Broken configuration management
Similarly, databases have a panoply of many different configuration choices
functionalities. Organizations need to be on the lookout for unsafe configurations that could be enabled by default or turned on for the convenience of DBAs or application developers.
Buffer overflows
Another hacker favorite, buffer overflow vulnerabilities, are exploited by
expecting, say, by adding 100 characters into an input box asking for a SSN. Database vendors have worked hard to fix the glitches that allow these attacks to occur. This is yet another reason why patching is so critical.
Privilege escalation
Similarly, databases frequently sport common vulnerabilities that allow
and gain access to administrator rights. For example, an attacker might misuse a function that runs under a sysdba, Rothacker explains. As these vulnerabilities are uncovered, administrators need to rein them in with timely updates and patching.
Denial-of-service attack
SQL Slammer provided a very illuminating illustration of how attackers can use
Even more illuminating is the fact that when Slammer went down in 2003, a patch already was out there that addressed the vulnerability it attacked. Even seven years later, SQL Slammer is still around and picking on unpatched servers.
Unpatched databases
This could be repetitive, but it bears repeating. So many database
will break their databases. But the risk of getting hacked today is way higher than the risk of applying a patch that will go haywire, Rothacker says. That might not have been true five years ago, but vendors have become much more rigorous with their testing.
Unencrypted sensitive data at rest and in motion
Perhaps it is a no-brainer, but organizations should never store sensitive data in clear text within a database table. And all connections to the database should always use encryption.
Encryption is an important part of housing sensitive data. Network traffic should also be encrypted to ensure that the passwords used to access sensitive, critical data cannot be seen by traffic.
Any information that goes over the network or is stored in the database should be encrypted and kept from prying eyes. Some network configurations and database management systems might allow for critical information to be sent in clear text. To ensure this doesn't occur, make sure you have the latest version of software and turn off text indexing.