Presentation is loading. Please wait.

Presentation is loading. Please wait.

NCAI Exchange Network Tribal User Meeting 9-10 April 2008 Considerations for Tribal Database Application Security Bill Farr President ResourceVue, LLC.

Published byBernice Mosley Modified over 8 years ago

Similar presentations

Presentation on theme: "NCAI Exchange Network Tribal User Meeting 9-10 April 2008 Considerations for Tribal Database Application Security Bill Farr President ResourceVue, LLC."— Presentation transcript:

1 NCAI Exchange Network Tribal User Meeting 9-10 April 2008 Considerations for Tribal Database Application Security Bill Farr President ResourceVue, LLC T: 801-458-5900, bfarr@topvue.combfarr@topvue.com © 2008 ResourceVue, LLC, All Rights reserved Integrated Data Environments for Natural Resource Management

2 1 NCAI 9 Apr 2008 NCAI Types of Data to be stored in database applications IT and Data Architectures Threats to data What to ask the database application vendor Examples of answers, solutions Discussion, Demonstration Agenda

3 2 NCAI 9 Apr 2008 NCAI Tribal Data Types Examples Departmental Data Tracking Haz Waste Land Use, Air etc… Water Resources Departmental Unique Data Tracking Contract, Grant Management Program Management etc… Finance Tribal Common Processes Tribal Business Applications EPA EN Node Clients Water Assets GIS Land Assets Air Ag

4 3 NCAI 9 Apr 2008 NCAI IT and Data Architectures  Databases typically run on servers that have basic protection Internet Explorer Web Firewall SW Code IIS DB (Oracle) IIS and Oracle can reside on the same server, where IIS communicates with the Oracle database through port 1521 Web Services ServerClient Client connects to IIS server over the Web and through a firewall using port 443 Users are authenticated using PKI certificates and strong passwords

5 4 NCAI 9 Apr 2008 NCAI Threats to Database Applications  80% of malicious activity on data comes from the inside… (Forester)  Typical database application threats are: –SQL Injection –Inference –Web page hi-jacks  Result: Unauthorized access to data

6 5 NCAI 9 Apr 2008 NCAI Threats to Database Applications  SQL Injection “…SQL injection attacks allow a malicious activity to execute arbitrary SQL code on the server. The attack is issued by including a string delimiter (') in an input field and following it with SQL instructions. If the server does not properly validate input, the instructions may be executed against the database. “ Malicious DB query

7 6 NCAI 9 Apr 2008 NCAI Threats to Database Applications  Inference –Inference occurs when users are able to piece together information at one security level to determine a fact that should be protected at a higher security level. Level 1 Level 2 Inference Tribal Member Name Allotment Ownership

8 7 NCAI 9 Apr 2008 NCAI Threats to Database Applications  Web page Hi-jacks A web page hi jack occurs when a malicious person tries to capture a URL/page name without going though any authentication. Authentication Web page Malicious User Hi-jack Database

9 8 NCAI 9 Apr 2008 NCAI What to ask the DB Developer  What tiers/layers do you have in your application, and what security is built in?  How do you handle SQL Injection attacks?  How do you handle Inference attacks?  How do you handle Web age Hijacks?  How do you handle User Security?

10 9 NCAI 9 Apr 2008 NCAI Example Answers  What tiers/layers do you have…… Internet Explorer IISTVUtilsDBUtilsDB The Internet Explorer client communicates to the IIS server through HTTPS The IIS server passes user requests to the TVUtils object, which returns HTML and DHTML The TVUtils object communicates with the DBUtils object using XML The DBUtils object retrieves information from and updates information in the Oracle database using an OLEDB connection Web Services Middle LayerData Layer

11 10 NCAI 9 Apr 2008 NCAI Example Answers  How do you handle SQL Injection attacks? “Our middle layer performs a format check on the DB request…” DBUtilsDB Data LayerMiddle Is this request the correct format??? - NO: kick out - Yes: proceed

12 11 NCAI 9 Apr 2008 NCAI Example Answers  How do you handle Inference attacks? “1. If a user does not have the permissions they can not get to the next page, and….. 2. Error messages no display any data.” Level 1 Level 2 Inference Tribal Member Name Allotment Ownership X

13 12 NCAI 9 Apr 2008 NCAI Example Answers  How do you handle Web page Hijacks? “1. If a user does not have the permissions they can not get to the next page, and….. 2. each page checks the source of the request; if not authenticated, it throws a message: Authentication Web page Malicious User Hi-jack Database

14 13 NCAI 9 Apr 2008 NCAI Example Answers  How do you handle User Security? “We use a multi-factored security model: Realm: Separate data into virtual instances Rule:Restrict DB operations to what is needed, when.. Roles:Only allows users to perform the functions they need Policy: Written policies on the above

15 14 NCAI 9 Apr 2008 NCAI User Security Example  ResourceVue – Super Node

16 15 NCAI 9 Apr 2008 NCAI Mni Sose – Resourcevue Super Node Example MniSose Coalition DB Coalition Tribe 1 DB Omaha Coalition Tribe 3 DB Coalition Tribe 4 DB Coalition Tribe 5 DB Coalition Tribe 6 DB Coalition Tribe 7 DB Web Services Aggregated Multi-tribal Water Quality Data MniSose ‘Super-Node’ Node Client MniSose Portal DB Kickapoo Ponca Prairie Band Potawatomi Sac and Fox Santee Sioux Winnebago Web Services Aggregated Multi-tribal Environmental Data Services MniSose ‘Super-Node’ Node Client Local Data Server Spreadsheet Realm: Separate, Secure Tribal Databases Role: Individual Member Log In EPA EN Searches Reports Documents Roll-up Queries Rule: Only allow operations at certain hous

17 16 NCAI 9 Apr 2008 NCAI A Solution  Web based – currently hosted at Mni Sose, Rapid City Program Area Apps: Water, Air, Facilities Document Library Member access, security, admin Multi-Tribal Partitions

18 17 NCAI 9 Apr 2008 NCAI Role: Access to Water Assets  Surface and Ground Water Sources  Monitoring Stations Manage Baseline Data of Water Assets Manage Monitoring Stations

19 18 NCAI 9 Apr 2008 NCAI Role: Manage of EPA Transactions  Track each node client data submission history –EPA token ID, XML file (WQX)

20 19 NCAI 9 Apr 2008 NCAI The Process - Node Client Flow  Sample Process for Managing Water Quality Data Exchange Manage Monitoring Stations Water Resources Dept Reviewers Manage Baseline Data of Water Assets Import Data Into Central Repository Prepare EPA Data Exchange Format Invoke Node Client to Push Data Set to EPA Review and Assess Water Quality Data 100 200 110 120 300 Water Quality Engineers Receive Data Set 410 EPA Gather Water Quality Samples 210 130 Set Standards 400 DATASTOREPLANNINGDATASTOREPLANNING

21 20 NCAI 9 Apr 2008 NCAI Questions…..

22 21 NCAI 9 Apr 2008 NCAI  Bill Farr  ResourceVue, LLC  T: 801-458-5900  Email: bfarr@topvue.com

Download ppt "NCAI Exchange Network Tribal User Meeting 9-10 April 2008 Considerations for Tribal Database Application Security Bill Farr President ResourceVue, LLC."

Similar presentations

Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.

1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.
Mni Sose Intertribal Water Rights Coalition, Inc. Exchange network Project Presented by Rhonda Azure Mni Sose Treasurer.

Mni Sose Intertribal Water Rights Coalition, Inc. Exchange network Project Presented by Rhonda Azure Mni Sose Treasurer.
1 SWE 205 - Introduction to Software Engineering Lecture 22 – Architectural Design (Chapter 13)

1 SWE Introduction to Software Engineering Lecture 22 – Architectural Design (Chapter 13)
Tribal Natural Resources Integrated Data Environment EPA Information Exchange Node Client Overview 26 Apr 2007 Shoshone Bannock Tribes Fort Hall Reservation,

Tribal Natural Resources Integrated Data Environment EPA Information Exchange Node Client Overview 26 Apr 2007 Shoshone Bannock Tribes Fort Hall Reservation,
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Securing Enterprise Applications Rich Cole. Agenda Sample Enterprise Architecture Sample Enterprise Architecture Example of how University Apps uses Defense.

Securing Enterprise Applications Rich Cole. Agenda Sample Enterprise Architecture Sample Enterprise Architecture Example of how University Apps uses Defense.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.

Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
MongoDB Sharding and its Threats

MongoDB Sharding and its Threats
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
T U T O R I A L  2009 Pearson Education, Inc. All rights reserved. 1 28 Bookstore Web Application Introducing Visual Web Developer 2008 Express and the.

T U T O R I A L  2009 Pearson Education, Inc. All rights reserved Bookstore Web Application Introducing Visual Web Developer 2008 Express and the.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.

Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
Beaches Data Flow Getting Notification Data Into PRAWNS Dennis Murphy Delaware DNREC (302) 739-3490

Beaches Data Flow Getting Notification Data Into PRAWNS Dennis Murphy Delaware DNREC (302)
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Chapter 17 - Deploying Java Applications on the Web1 Chapter 17 Deploying Java Applications on the Web.

Chapter 17 - Deploying Java Applications on the Web1 Chapter 17 Deploying Java Applications on the Web.

Similar presentations

Ads by Google