Presentation is loading. Please wait.

Presentation is loading. Please wait.

Inside the Mind of a Database Hacker

Published byDaniela Ford Modified over 6 years ago

Similar presentations

Presentation on theme: "Inside the Mind of a Database Hacker"— Presentation transcript:

1 Inside the Mind of a Database Hacker
Mark Fallon Architect/Security Lead Database

2 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.

3 What is this used for? Designer’s View Currency token Hackers View
Lever Screwdriver 0.200 oz weight Magic Prop History lesson Decision maker Weapon Force open an electrical fuse

4 Attack Surface Employees Developers Partners Data Lakes Internal Apps
Suppliers Dev / Test External Apps Database Customers Admins Backups

5 Attack Vectors Verizon Data breach Report (2018)
48% Featured hacking 30% Included malware 17% Errors as casual events 17% Were social attacks 12% Involved privilege misuse 11% Involved physical actions Source:

6 Old Bugs Live On Source:

7 I’m in, now what? Elevation of Privilege / Completion of Mission

8 Aims Depends on motivation Three main aims: Retrieve Data Modify Data
Elevate Privileges and Pivot

9 Retrieve Data Reading the data may be enough
PII, Credentials, Document retrieval etc. Data retrieval method depends on access vector Direct SQL connection Lost credentials / SQL Injection May be signaled by high loads / volume of data Indirect exfiltration Blind SQL injection – leveraging requests with side effects May be signaled by volume of requests Direct Copy APT collating files and then shipping them out

10 Modify Data Adding or modifying transactions
Balance adjustments Transfer funds Grant Privileges ….. Harder to do with a SQL injection issue Attacker needs to understand schema and business logic Scanning of metadata may be a signal Auditing needed to monitor sensitive tables

11 Elevate Privilege and Pivot
System privileges, ability to change non-schema objects Ability to modify objects or settings across schema / system Non-public object privileges Grants on SYS owned packages Access to the OS ACLs / Directory Objects / External Jobs / Java Privileges Access to other systems Dblinks, inside the same firewall

12 Equifax & other Stories
Initial breach through web application Known vulnerability in Apache Struts component Patch released March 6th, attack started March 10th Hackers setup Web Shells to maintain access Deloitte Credentials stolen for server in Microsoft cloud After news broke researchers had a look a both firms Trivial username/password for other systems Credentials, passwords other details found on GitHub, Google Docs Unprotected RDP (Remote Desktops) discovered

13 Equifax

14 What Can I Do?

15 Security Needs to be a Collaboration
Database Security Application Security Network Security End-point Security Process Employee Education Physical Security Supply Chain Security

16 Impact Loss of business Fines / Compensation Resignation / Firings
Recovery Reputation Fines / Compensation HIPAA GDPR Class actions …… Resignation / Firings

17 What can I do? Backup your data Identify your assets
Know what data you have and where it is copied to Secure all databases Make sure that there are no insecure settings, default passwords etc. Make sure all databases are patched and there is a patching plan in place Reduce your attack surface Remove unnecessary copies of data Backup your data Ensure you can recover from the backups Start with encryption Backups, Networks and Tablespaces

18 What can I do? Monitor your systems Enable auditing Make sure that the audit records are actually useful / been looked at. Start to mitigate the risk from password loss / weak passwords User profiles Deploy Database Vault, Train DBAs on best practices Remove unnecessary privileges Strong Authentication for privileged users Compartmentalize Ensure a breach of one database is not a breach of all Use lockdown profiles with Pluggable Databases

19 What can I do? Work with application development
Deploy AVDF (Audit Vault Database Firewall) See if Redaction is applicable to current applications Develop application with RAS (Real Application Security)

20 Solutions Problem Technology Poor configuration DBSAT, Cloud Control
Identify Assets Cloud Control, Sensitive Data Discovery Spreading of production data Masking Stolen Credentials Database Vault, Privilege Analysis, RAS, Strong Authentication Application Vulnerabilities AVDF (Audit Vault Database Firewall) Infrastructure Compromise TDE / Network Encryption / Key Vault Insider Redaction / RAS / VPD / OLS Abuse of privileges (Insider / stolen) Privilege Analysis / Database Vault / AVDF System Monitoring AVDF

21 Database Security Sessions at Oracle Open World 2018
Title Location Date & Time TRN4109 Inside the Head of a Database Hacker MW 3006 Mon 3:45 PM PRM4102 Introducing Oracle Data Security Cloud Service for Oracle Databases Tue 12:30 PM PRM4108 Autonomous and Beyond: Security in the Age of the Autonomous Database Tue 5:45 PM PRO4111 Data Security in the GDPR Era Wed 11:15 PM CON6575 Database Security Assessment Tool: Know Your Security Posture Before Hackers Wed 12:30 PM TRN4106 Encrypt Your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault Wed 4:45 PM TIP4104 Appdev: Building Secure Database Applications Quickly in the Cloud Era Thu 11:00 AM PRO4110 Detecting and Blocking Attacks with Oracle Audit Vault and Database Firewall Thu 12:00 PM TIP4112 Recent Database Security Innovations You Might Not Be Using, but Should Be Thu 1:00 PM

Download ppt "Inside the Mind of a Database Hacker"

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Your customer as a segment of one That changes every second! Hein Van Der Merwe Chief.

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Your customer as a segment of one That changes every second! Hein Van Der Merwe Chief.
Internet of Things Security Architecture

Internet of Things Security Architecture
The twenty-four/seven database Oracle Database Security David Yahalom Senior database consultant

The twenty-four/seven database Oracle Database Security David Yahalom Senior database consultant
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Advanced Metadata Modeling Modeling for the Oracle Business Intelligence Cloud.

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Advanced Metadata Modeling Modeling for the Oracle Business Intelligence Cloud.
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Oracle SQL Developer For the DBA Jeff Smith

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Oracle SQL Developer For the DBA Jeff Smith
The Safe Harbor The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated.

The Safe Harbor The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated.
ORACLE DATABASE SECURITY

ORACLE DATABASE SECURITY
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. JD Edwards Summit PaaS from an Applications Perspective Charles McGuinness Director,

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. JD Edwards Summit PaaS from an Applications Perspective Charles McGuinness Director,
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
1 Title ECI: Anatomy of a Cyber Investigation Who Are the Actors.

1 Title ECI: Anatomy of a Cyber Investigation Who Are the Actors.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
A New IMS-Like Architecture for Enterprise Applications Reid Stidolph Master Principle Solutions Architect Communications Global Business Unit October.

A New IMS-Like Architecture for Enterprise Applications Reid Stidolph Master Principle Solutions Architect Communications Global Business Unit October.
Oracle Application Express 3.0 Joel R. Kallman Software Development Manager.

Oracle Application Express 3.0 Joel R. Kallman Software Development Manager.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
 INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.

 INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. JD Edwards Summit Preview the Plans for JD Edwards World A9.4 Release David Greiner,

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. JD Edwards Summit Preview the Plans for JD Edwards World A9.4 Release David Greiner,
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.

OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.
 Chapter 14 – Security Engineering 1 Chapter 12 Dependability and Security Specification 1.

 Chapter 14 – Security Engineering 1 Chapter 12 Dependability and Security Specification 1.

Similar presentations

Ads by Google