NCAI Exchange Network Tribal User Meeting 9-10 April 2008 Considerations for Tribal Database Application Security Bill Farr President ResourceVue, LLC.


NCAI Exchange Network Tribal User Meeting 9-10 April 2008 Considerations for Tribal Database Application Security Bill Farr President ResourceVue, LLC T: , © 2008 ResourceVue, LLC, All Rights reserved Integrated Data Environments for Natural Resource Management

1 NCAI 9 Apr 2008 NCAI Agenda
- Types of Data to be stored in database applications
- IT and Data Architectures
- Threats to data
- What to ask the database application vendor
- Examples of answers, solutions
- Discussion, Demonstration

2 Tribal Data Types Examples (diagram labels)
- Departmental Data Tracking: Haz Waste, Land Use, Air etc…, Water Resources
- Departmental Unique Data Tracking: Contract, Grant Management, Program Management etc…, Finance
- Tribal Common Processes, Tribal Business Applications
- EPA EN Node Clients: Water Assets, GIS, Land Assets, Air, Ag

3 IT and Data Architectures
- Databases typically run on servers that have basic protection.
- Diagram: Internet Explorer (client) -> Web / Firewall -> SW Code, IIS, DB (Oracle) on the server; Web Services.
- IIS and Oracle can reside on the same server, where IIS communicates with the Oracle database through port 1521.
- The client connects to the IIS server over the Web and through a firewall using port 443.
- Users are authenticated using PKI certificates and strong passwords.

4 Threats to Database Applications
- 80% of malicious activity on data comes from the inside… (Forrester)
- Typical database application threats are:
  – SQL Injection
  – Inference
  – Web page hi-jacks
- Result: Unauthorized access to data

5 Threats to Database Applications
- SQL Injection: "…SQL injection attacks allow a malicious activity to execute arbitrary SQL code on the server. The attack is issued by including a string delimiter (') in an input field and following it with SQL instructions. If the server does not properly validate input, the instructions may be executed against the database."
- Diagram label: Malicious DB query

6 Threats to Database Applications
- Inference: Inference occurs when users are able to piece together information at one security level to determine a fact that should be protected at a higher security level.
- Diagram labels: Level 1, Level 2, Inference, Tribal Member Name, Allotment Ownership

7 Threats to Database Applications
- Web page Hi-jacks: A web page hi-jack occurs when a malicious person tries to capture a URL/page name without going through any authentication.
- Diagram labels: Authentication, Web page, Malicious User, Hi-jack, Database

8 What to ask the DB Developer
- What tiers/layers do you have in your application, and what security is built in?
- How do you handle SQL Injection attacks?
- How do you handle Inference attacks?
- How do you handle Web page Hijacks?
- How do you handle User Security?

9 Example Answers
- What tiers/layers do you have……
- Diagram: Internet Explorer -> IIS -> TVUtils -> DBUtils -> DB (Web Services; Middle Layer; Data Layer)
- The Internet Explorer client communicates to the IIS server through HTTPS.
- The IIS server passes user requests to the TVUtils object, which returns HTML and DHTML.
- The TVUtils object communicates with the DBUtils object using XML.
- The DBUtils object retrieves information from and updates information in the Oracle database using an OLEDB connection.

10 Example Answers
- How do you handle SQL Injection attacks? "Our middle layer performs a format check on the DB request…"
- Diagram (Middle -> DBUtils -> DB, Data Layer): Is this request the correct format??? NO: kick out. Yes: proceed.
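
The "format check in the middle layer" answer on this slide, shown as a small added example (not code from the presentation or from ResourceVue). It puts the string-concatenated query the slide warns about beside a hardened version that first applies an allow-list format check and then binds the value as a parameter. The table, rows and the `ST-nnn` station-id format are constructed for the example, and sqlite3 in memory stands in for the Oracle/OLEDB connection the slides describe.

```python
import re
import sqlite3

# Constructed sample rows standing in for a monitoring-station table in the
# Oracle database; sqlite3 (in-memory) is the stand-in for Oracle/OLEDB here.
SAMPLE_STATIONS = [
    ("ST-001", "tribe-a", "Upper Creek"),
    ("ST-002", "tribe-a", "Lower Creek"),
    ("ST-003", "tribe-b", "East Well"),
]

# Allow-list "format check" for a station id (assumed format): "ST-" + three digits.
STATION_ID_RE = re.compile(r"ST-\d{3}")


def open_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stations (id TEXT, realm TEXT, name TEXT)")
    conn.executemany("INSERT INTO stations VALUES (?, ?, ?)", SAMPLE_STATIONS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, station_id):
    """The 'before' picture: the request value is pasted into the SQL text.

    A string delimiter (') inside station_id closes the literal early and
    whatever follows it is parsed as SQL, which is the failure the slide describes."""
    sql = "SELECT id, name FROM stations WHERE id = '" + station_id + "'"
    return conn.execute(sql).fetchall()


def request_has_correct_format(station_id):
    """Middle-layer check: is this request the correct format? NO -> kick out."""
    return bool(STATION_ID_RE.fullmatch(station_id))


def hardened_lookup(conn, station_id):
    """Format check first, then a bound parameter so the value is never parsed as SQL."""
    if not request_has_correct_format(station_id):
        raise ValueError("request rejected by format check")
    sql = "SELECT id, name FROM stations WHERE id = ?"
    return conn.execute(sql, (station_id,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("well-formed id  :", hardened_lookup(db, "ST-001"))
    print("vulnerable path :", vulnerable_lookup(db, "x' OR '1'='1"))
    try:
        hardened_lookup(db, "x' OR '1'='1")
    except ValueError as exc:
        print("hardened path   :", exc)
```

The format check is a useful first gate, but the bound parameter is what actually removes the problem: even an input that passes a looser format check can never change the shape of the statement when it is passed as data rather than pasted into the SQL text. A practitioner evaluating the vendor's answer would want to hear both parts.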

11 Example Answers
- How do you handle Inference attacks? "1. If a user does not have the permissions they can not get to the next page, and….. 2. Error messages do not display any data."
- Diagram labels: Level 1, Level 2, Inference (X), Tribal Member Name, Allotment Ownership

12 Example Answers
- How do you handle Web page Hijacks? "1. If a user does not have the permissions they can not get to the next page, and….. 2. Each page checks the source of the request; if not authenticated, it throws a message."
- Diagram labels: Authentication, Web page, Malicious User, Hi-jack, Database
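
The two vendor answers on the inference slide and on this hijack slide describe the same per-page gate: check authentication, check the permission for the page, and never put data in an error message. This added example (not code from the presentation or from ResourceVue) models that gate as one request handler that every page goes through. The page paths, permission names, sessions and records are constructed for the example; the session dictionary stands in for the web server's session state.

```python
# Constructed pages and the permission each one requires (names assumed for the example).
PAGE_PERMISSIONS = {
    "/water/stations": "water.read",
    "/land/allotments": "land.read",   # allotment ownership: the higher-level data
}

# Constructed session store standing in for the web server's session state.
# A request with no valid session id is a direct URL hit that skipped authentication.
SESSIONS = {
    "sess-member": {"user": "member1", "permissions": frozenset({"water.read"})},
    "sess-admin": {"user": "landadmin", "permissions": frozenset({"water.read", "land.read"})},
}

# Constructed records behind each page.
RECORDS = {
    "/water/stations": {"ST-001": "Upper Creek station"},
    "/land/allotments": {"A-17": "Allotment A-17 owned by Tribal Member Name"},
}

LOGIN_MESSAGE = "Please log in to view this page."
DENIED_MESSAGE = "You do not have permission to view this page."
NOT_FOUND_MESSAGE = "The requested record could not be displayed."


def handle_request(path, session_id=None, record_id=None):
    """Every page runs the same gate before rendering anything.

    Returns (status, body). On any error the body is a fixed message that
    echoes neither the record id nor any field of the record."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, LOGIN_MESSAGE            # not authenticated: the hijack stops here
    required = PAGE_PERMISSIONS.get(path)
    if required is None or required not in session["permissions"]:
        return 403, DENIED_MESSAGE           # no permission: cannot reach the next page
    table = RECORDS[path]
    if record_id is None:
        return 200, ", ".join(sorted(table))
    if record_id not in table:
        return 404, NOT_FOUND_MESSAGE        # error text carries no data
    return 200, table[record_id]


def error_leaks_data(body):
    """True if an error body contains any constructed record id or record text."""
    for table in RECORDS.values():
        for rid, text in table.items():
            if rid in body or text in body:
                return True
    return False
```

Two details matter for the inference case: the permission check runs before the record is looked up, so a user without `land.read` gets the same reply whether or not a given allotment exists, and the error strings are constants rather than formatted from the request, so nothing from Level 2 can be pieced together from a Level 1 user's error screens.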

13 Example Answers
- How do you handle User Security? "We use a multi-factored security model:
  Realm: Separate data into virtual instances
  Rule: Restrict DB operations to what is needed, when..
  Roles: Only allow users to perform the functions they need
  Policy: Written policies on the above"
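
The Realm / Rule / Roles model on this slide, together with the "only allow operations at certain hours" rule shown on the Super Node slide, as an added example (not code from the presentation or from ResourceVue). It evaluates the three checks in a fixed order and returns a reason suitable for an audit log. The role names, permissions, realms, users and the 07:00 to 19:00 window are all constructed for the example; the written-policy element of the model is a governance matter and has no code.

```python
from datetime import datetime

# Constructed policy data; every name below is assumed for the example.
# Roles: the functions a user may perform.
ROLES = {
    "water_tech": frozenset({"stations.read", "stations.update"}),
    "reviewer": frozenset({"stations.read", "reports.read"}),
}

# Realm: each user belongs to exactly one tribe's virtual instance of the data.
USERS = {
    "alice": {"realm": "tribe-a", "roles": frozenset({"water_tech"})},
    "bob": {"realm": "tribe-b", "roles": frozenset({"reviewer"})},
}

# Rule: time-restricted operations are only allowed in this window
# (inclusive start hour, exclusive end hour, local time). Reads stay available.
OPERATING_HOURS = (7, 19)
TIME_RESTRICTED = frozenset({"stations.update"})


def authorize(user, realm, operation, when):
    """Apply realm, role and rule checks in order; return (allowed, reason).

    The first failing check decides. The reason is meant for the audit log;
    the user-facing page would show a fixed denial message instead."""
    record = USERS.get(user)
    if record is None:
        return False, "unknown user"
    if record["realm"] != realm:
        return False, "realm mismatch"          # cross-tribe access never reaches the data
    permitted = frozenset().union(*(ROLES[r] for r in record["roles"]))
    if operation not in permitted:
        return False, "role does not permit operation"
    start, end = OPERATING_HOURS
    if operation in TIME_RESTRICTED and not (start <= when.hour < end):
        return False, "operation outside permitted hours"
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2008, 4, 9, 10, 30)   # constructed timestamp
    for args in [("alice", "tribe-a", "stations.update"),
                 ("alice", "tribe-b", "stations.read"),
                 ("bob", "tribe-b", "stations.update")]:
        print(args, "->", authorize(*args, now))
```

The order of the checks is deliberate: the realm test comes first so that a request aimed at another tribe's partition is refused before any role logic runs, which keeps the "separate virtual instances" promise independent of how roles are configured.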

14 User Security Example
- ResourceVue – Super Node

15 Mni Sose – ResourceVue Super Node Example (diagram labels)
- MniSose Coalition DB; Coalition Tribe 1 DB (Omaha); Coalition Tribe 3 DB; Coalition Tribe 4 DB; Coalition Tribe 5 DB; Coalition Tribe 6 DB; Coalition Tribe 7 DB
- Web Services: Aggregated Multi-tribal Water Quality Data; MniSose 'Super-Node' Node Client; MniSose Portal DB
- Member tribes: Kickapoo, Ponca, Prairie Band Potawatomi, Sac and Fox, Santee Sioux, Winnebago
- Web Services: Aggregated Multi-tribal Environmental Data Services; MniSose 'Super-Node' Node Client; Local Data Server; Spreadsheet
- Realm: Separate, Secure Tribal Databases
- Role: Individual Member Log In; EPA EN Searches, Reports, Documents, Roll-up Queries
- Rule: Only allow operations at certain hours

16 A Solution
- Web based – currently hosted at Mni Sose, Rapid City
- Program Area Apps: Water, Air, Facilities
- Document Library
- Member access, security, admin
- Multi-Tribal Partitions

17 Role: Access to Water Assets
- Surface and Ground Water Sources
- Monitoring Stations
- Diagram labels: Manage Baseline Data of Water Assets; Manage Monitoring Stations

18 Role: Management of EPA Transactions
- Track each node client data submission history
  – EPA token ID, XML file (WQX)

19 The Process - Node Client Flow
- Sample Process for Managing Water Quality Data Exchange
- Diagram (process flow; labels only, in the order extracted): Manage Monitoring Stations; Water Resources Dept; Reviewers; Manage Baseline Data of Water Assets; Import Data Into Central Repository; Prepare EPA Data Exchange Format; Invoke Node Client to Push Data Set to EPA; Review and Assess Water Quality Data; Water Quality Engineers; Receive Data Set (410); EPA; Gather Water Quality Samples; Set Standards (400); lanes: Data Store, Planning

20 Questions…..

21
- Bill Farr
- ResourceVue, LLC
- T: