
Dec 13th, CS555 presentation 1, Yiwen Wang. "Securing the DB may be the single biggest action an organization can take to protect its assets" (David C. Knox).




1 Dec 13th, CS555 presentation 1, Yiwen Wang. "Securing the DB may be the single biggest action an organization can take to protect its assets" (David C. Knox)

2 Database Security: protection from malicious attempts to steal (view) or modify data.

3 Why database security matters
- Bank accounts
- Credit card, salary, income tax data
- University admissions, marks/grades
- Land records, licenses
- Data = crown jewels for organizations
- Recent headlines:
  - Personal information of millions of credit card users stolen
  - Criminal gangs get into identity theft
  - Web applications hacked due to database vulnerabilities

4 Outline
1) DB Security Plan
2) Database Access Control
3) DBMS Security: Patching
4) DB Application: SQL Injection, Inference Threats
5) Virtual Private Databases
6) Oracle Label Security
7) Inference Threats
8) Encryption
9) Auditing
10) Data Warehouse
11) Security Animations

5 Default Users and Passwords
- Users, passwords
  - Default users/passwords
    - sys, system accounts: privileged, change the default password
    - sa (MS SQL Server)
    - scott account: well-known account/password, change it
  - General password policies (length, domain, changing, protection)
- People having too many privileges
  - Privileges, Roles, Grant/Revoke
    - Privileges
      - System: actions
      - Objects: data
    - Roles (pre-defined and user-defined)
      - Collections of system privileges (example: DBA role)
    - Grant / Revoke
      - Giving (removing) privileges or roles to (from) users

6 Grant / Revoke syntax
    GRANT privilege_name ON object_name TO role_name;
    REVOKE privilege_name ON object_name FROM role_name;

7 Some important database privileges:
- Select
- Insert
- Update
- Delete
- Index
- Alter
- Create database
- Drop database
- All
- Usage

8 Applications are often the biggest source of insecurity
- OWASP Top 10 Web Security Vulnerabilities
  1. Unvalidated input
  2. Broken access control
  3. Broken account/session management
  4. Cross-site scripting (XSS) flaws
  5. Buffer overflows
  6. (SQL) Injection flaws
  7. Improper error handling
  8. Insecure storage
  9. Denial-of-service
  10. Insecure configuration management
(Diagram: Database Application Program)

9 SQL Injection
- Definition: inserting malicious SQL code through an application interface
  - Often through a web application, but possible with any interface
- Typical scenario
  - Three-tier application (web interface, application, database)
  - Overall application tracks its own usernames and passwords in the database (advantage: can manage users in real time)
  - Web interface accepts username and password and passes them to the application layer as parameters

10 Example: application Java code contains the SQL statement:
    // Vulnerable by construction (this is the slide's "before" code):
    // untrusted input is concatenated straight into the SQL text.
    String query = "SELECT * FROM users_table"
                 + " WHERE username = '" + username + "'"
                 + " AND password = '" + password + "'";
- Note: string values must be single-quoted in SQL, so the application adds the quotes around each passed string parameter
- Expecting one row to be returned on success, no rows on failure
- Common variant: SELECT COUNT(*) FROM ...

11 Attacker enters:
- any username (valid or invalid)
- password of: Aa' OR ' ' = '
- Query becomes: SELECT * FROM users_table WHERE username = 'anyname' AND password = 'Aa' OR ' ' = ' ';
- Note: the WHERE clause evaluates as (F AND F) OR T => F OR T => T
  - AND has higher precedence than OR, so the OR applies to the whole clause
- All user/password rows are returned to the application
- If the application only checks for 0 vs. more than 0 rows, the attacker is in

12 How to resolve this?
- First (attempted) solution: check content
  - Client code checks that certain content rules are met
  - Server code checks content as well
  - Specifically: don't allow apostrophes to be passed
- Problem: other characters can cause problems too
  - -- (SQL comment marker)
  - ; (SQL command separator)
  - % (wildcard in SQL LIKE clauses)
- Which characters do you filter (blacklist) / keep (whitelist)?
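The vulnerable concatenation from slide 10 next to the hardened form (bound parameters), as an added example that is not part of the slides. It is written in Python against an in-memory SQLite table rather than the slide's Java, and users_table with its two constructed rows is sample data; the row counts show the slide-11 precedence effect and that the same payload is inert once the values are passed separately from the SQL text.

```python
import sqlite3


def make_db():
    """Constructed sample data shaped like the slides' users_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users_table VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, username, password):
    """Slide 10 pattern: the application quotes each value and glues it
    into the SQL text, so a quote inside the value ends the literal early."""
    query = ("SELECT * FROM users_table WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return len(conn.execute(query).fetchall())


def login_param(conn, username, password):
    """Hardened form: '?' placeholders. The driver sends the values out of
    band, so quotes, -- and ; in the input stay plain characters in a value
    and no blacklist/whitelist of characters (slide 12) is needed."""
    query = "SELECT * FROM users_table WHERE username = ? AND password = ?"
    return len(conn.execute(query, (username, password)).fetchall())


def demo():
    """Row counts each login routine returns for the slide-11 input and for
    a genuine login; the calling code treats >0 rows as success."""
    conn = make_db()
    # Slide 11 payload. The trailing space makes the application's own
    # closing quote produce  ' ' = ' '  exactly as the slide shows.
    attacker_pw = "Aa' OR ' ' = '" + " "
    return {
        # WHERE (username='anyname' AND password='Aa') OR ' '=' ' -> every row
        "concat_attack": login_concat(conn, "anyname", attacker_pw),
        # the whole payload is compared as a password string -> no row
        "param_attack": login_param(conn, "anyname", attacker_pw),
        # both forms still work for a real credential
        "concat_valid": login_concat(conn, "alice", "s3cret"),
        "param_valid": login_param(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```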


14 Thank you!

