KSU CS 8630 - Database Security

This preview shows page 1-2-3-4-5-37-38-39-40-41-42-74-75-76-77-78 out of 78 pages.

10-15-2008, Database Security

Slides:
Overview
1) Introduction - Motivation
1) Introduction - Scope
1) Introduction - Literature
1) Introduction – Product Specific Books
2) DB Security Plan
2) DB Security Plan - Document User Administration
3) DB Access Control
3) DB Access Control - Default Passwords
3) DB Access Control - Password Cracking
3) DB Access Control - Find all Privileges
3) DB Access Control - Check for DBA Role
3) DB Access Control - How are privileges granted
3) DB Access Control - Disable Account
3) DB Access Control - Launch OEM
3) DB Access Control - Connect to a Database
3) DB Access Control - Maintain User Accounts
3) DB Access Control - Profiles
3) DB Access Control - Security MS-Access
3) DB Access Control - System Level: Open Exclusive
3) DB Access Control - System Level Security (cont.)
3) DB Access Control - MS-Access: User Level
5) DB Applications
5) DB Applications - SQL Injection
SQL Injection - Solution
6) Virtual Private Databases
6) VPD, Example of Row Level Security w/ Views
6) VPD - Grant Execute on DBMS_RLS
VPD - Definition
6) VPD – Update Example
6) VPD - Security Policy
6) VPD - Summary
7) Oracle Label Security (OLS)
7) OLS and Multilevel Security
7) Problem with Multilevel Security
7) Oracle Label Security:
7) OLS & VPD
7) OLS LABEL has 3 Components
7) OLS - More on 3 components
7) OLS – Column added
7) OLS - Levels
7) OLS - Compartments
7) OLS - Groups
7) OLS Conclusion
8) Inference Threat
9) Encryption: overview
9) Encrypting Data-in-transit
Tools for packet sniffing
Minimum Understanding of TCP/IP
9) Encryption - Where to run the Network Packet Analyzer?
Network Protocol Analyzer: examples
Implement Encryption, data-in-transit
Secure Sockets Layer (SSL)
SSH Tunnels
IPSec
Encrypting Data-at-rest
Encrypting at Application Layer
Encryption at OS layer
Encryption within Database
Summary
10) Auditing
2 main types of auditing:
Example of Audit command
When to audit
Audit w/ Triggers (generic solution)
11) Datawarehouses
Datawarehouse Trends & Problems
DB Security Animations
End of Lecture
CS 8630 Database Administration, Dr. Mario Guimaraes
10-15-2008, Database Security
Class will start momentarily…

Overview
1) Introduction
2) DB Security Plan
3) Database Access Control
4) DBMS Security: Patching
5) DB Application: SQL injection, Inference Threats
6) Virtual Private Databases
7) Oracle Label Security
8) Inference Threats
9) Encryption
10) Auditing
11) Datawarehouse
12) Security Animations

1) Introduction - Motivation
• “Securing the DB may be the single biggest action an organization can take to protect its assets”
  David C. Knox, “Effective Oracle Database 10g Security by Design”, McGraw-Hill, 2004. ISBN 0-07-223130-0

1) Introduction - Scope
• Database system security must worry about the DB + …
  – Secure database
  – Secure applications
  – Secure DBMS
  – Secure operating system in relation to the database system
  – Secure web server in relation to the database system
  – Secure network environment in relation to the database system

1) Introduction - Literature
AUTHOR                    | TEXT                                              | Publisher                 | ISBN
Natan, Ron Ben (2005)     | Implementing Database Security and Auditing       | Elsevier Digital Press    | 1-55558-334-2
Afyouni, Hassan A. (2006) | Database Security and Auditing                    | Thomson Course Technology | 0-619-21559-3
Knox, David (2004)        | Effective Oracle Database 10g Security by Design  | Oracle Press              | 0-07-223130-0

1) Introduction – Product Specific Books
• Oracle Advanced Security (previously the Advanced Networking Option) contains the network encryption tools. Depending on the version of Oracle it is available at no extra cost; it is an Enterprise Edition feature.
• Best literature for OAS: Oracle Security Handbook by Marlene Theriault and Aaron Newman, McGraw-Hill.
2) DB Security Plan
http://www.oreilly.com/catalog/orasec/chapter/ch07.html

2) DB Security Plan
Exercise questions (programs/forms versus the tables they access):
• Which is the most complex program/form to implement?
• If a data type is changed in the Customers table, what programs/forms may need modification?
• The Orders form accesses how many tables?
• The Employees table is accessed by how many programs/forms?

2) DB Security Plan
• DAC versus MAC
• Access Matrix Model: Harrison-Ruzzo-Ullman
  – Authorized state: Q = (S, O, A)
  – Conditions (the entry may depend on):
    • Data
    • Time
    • Context
    • History

  Subjects \ Objects |   O1     | … |   Oj     | … |   Om
  S1                 | A[S1,O1] | … | A[S1,Oj] | … | A[S1,Om]
  …                  |          |   |          |   |
  Si                 | A[Si,O1] | … | A[Si,Oj] | … | A[Si,Om]
  …                  |          |   |          |   |
  Sn                 | A[Sn,O1] | … | A[Sn,Oj] | … | A[Sn,Om]
  (A[Si,Oj] is the set of rights subject Si holds on object Oj)

2) DB Security Plan - Document User Administration
• Part of the administration process
• Reasons to document:
  – Provide a paper trail
  – Ensure administration consistency
• What to document:
  – Administration policies, staff and management
  – Security procedures
  – Procedure implementation scripts or programs
  – Predefined role descriptions

3) DB Access Control
• Default users and passwords
  – sys and system accounts: privileged; change the default password
  – sa (MS SQL Server)
  – scott account: well-known account/password; change it
  – General password policies (length, domain, changing, protection)
• People having too many privileges
  – Privileges, Roles, Grant/Revoke
• Privileges
  – System: actions
  – Object: data
• Roles (pre-defined and user-defined)
  – Collections of system privileges (example: the DBA role)
• Grant / Revoke
  – Giving (removing) privileges or roles to (from) users
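The Harrison-Ruzzo-Ullman matrix above, with its data-, time-, context- and history-dependent entries, is easy to get wrong in the abstract, so here is it written out as a working reference monitor. This is an added example, not code from the lecture: the state is Q = (S, O, A) exactly as on the slide, the HRU primitive operations (create/destroy subject and object, enter/delete right) change it, and each condition kind is a predicate attached to the right. The class and function names, the sample subjects alice and bob, and the orders row are this example's own assumptions.

```python
"""Harrison-Ruzzo-Ullman access matrix with conditional entries.

Added illustration for the 'Access Matrix Model' slide; not code from the lecture.
Q = (S, O, A) as on the slide; the data/time/context/history conditions are
predicates stored next to each right.  All names here are this example's own.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set, Tuple

HistoryEntry = Tuple[str, str, str, Any]   # (subject, object, right, row id)


@dataclass
class Request:
    subject: str
    obj: str
    right: str
    data: Dict[str, Any] = field(default_factory=dict)        # the row being touched
    hour: int = 12                                            # time of day, 0-23
    context: Dict[str, Any] = field(default_factory=dict)     # session facts (dept, app, ...)
    history: List[HistoryEntry] = field(default_factory=list)  # earlier granted accesses


Condition = Callable[[Request], bool]


def always(_req: Request) -> bool:
    return True


class AccessMatrix:
    """Q = (S, O, A): subjects S, objects O, A[s, o] = {(right, condition), ...}."""

    def __init__(self) -> None:
        self.S: Set[str] = set()
        self.O: Set[str] = set()
        self.A: Dict[Tuple[str, str], Set[Tuple[str, Condition]]] = {}
        self.history: List[HistoryEntry] = []

    # HRU primitive operations that change the state
    def create_subject(self, s: str) -> None:
        self.S.add(s)
        self.O.add(s)            # in HRU every subject is also an object

    def create_object(self, o: str) -> None:
        self.O.add(o)

    def destroy_object(self, o: str) -> None:
        self.O.discard(o)
        self.S.discard(o)
        self.A = {k: v for k, v in self.A.items() if o not in k}

    def enter(self, right: str, s: str, o: str, cond: Condition = always) -> None:
        if s not in self.S or o not in self.O:
            raise KeyError(f"unknown subject/object: {s}, {o}")
        self.A.setdefault((s, o), set()).add((right, cond))

    def delete(self, right: str, s: str, o: str) -> None:
        self.A[(s, o)] = {e for e in self.A.get((s, o), set()) if e[0] != right}

    # the reference-monitor decision
    def check(self, req: Request) -> bool:
        """Grant iff A[s, o] holds the right and its condition accepts this request.
        Granted accesses are appended to the history so later conditions can see them."""
        req.history = self.history
        for right, cond in self.A.get((req.subject, req.obj), set()):
            if right == req.right and cond(req):
                self.history.append((req.subject, req.obj, req.right, req.data.get("id")))
                return True
        return False


# one example condition for each kind of dependency named on the slide
def business_hours(req: Request) -> bool:          # time
    return 9 <= req.hour < 17


def own_department(req: Request) -> bool:          # data + context
    return req.data.get("dept") == req.context.get("dept")


def not_creator(req: Request) -> bool:             # history: separation of duties
    return (req.subject, req.obj, "create", req.data.get("id")) not in req.history


def demo() -> Dict[str, bool]:
    m = AccessMatrix()
    for s in ("alice", "bob"):
        m.create_subject(s)
    m.create_object("orders")
    m.enter("create", "alice", "orders")
    m.enter("approve", "alice", "orders", not_creator)
    m.enter("approve", "bob", "orders", not_creator)
    m.enter("read", "bob", "orders", lambda r: business_hours(r) and own_department(r))

    order = {"id": 17, "dept": "sales"}           # constructed sample row
    sales = {"dept": "sales"}
    return {
        "alice_creates": m.check(Request("alice", "orders", "create", order)),
        "alice_approves_own": m.check(Request("alice", "orders", "approve", order)),
        "bob_approves": m.check(Request("bob", "orders", "approve", order)),
        "bob_reads_in_hours": m.check(Request("bob", "orders", "read", order, 10, sales)),
        "bob_reads_at_night": m.check(Request("bob", "orders", "read", order, 23, sales)),
        "bob_reads_other_dept": m.check(Request("bob", "orders", "read", order, 10, {"dept": "hr"})),
        "bob_deletes": m.check(Request("bob", "orders", "delete", order)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'GRANT' if ok else 'DENY'}")
```

The history condition is the one that distinguishes this from a plain DAC table: alice is allowed to approve orders in general, but because the monitor recorded her create on order 17, not_creator denies her approving that same order, while bob, who did not create it, is allowed.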
3) DB Access Control - Default Passwords
• The easiest way to log into an Oracle database is to use a default account with a known password [Finnigan]
• http://www.petefinnigan.com/default/default_password_checker.htm
• This site has scripts that identify all default users and tell you whether they still have their default passwords. You may download these scripts.

3) DB Access Control - Password Cracking
• At http://www.toolcrypt.org/index.html there are tools you can download to crack passwords. You need to run them against your own DB, because you can be sure that an attacker has these tools.

3) DB Access Control - Find all Privileges
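The default-password check just described, and the "find all privileges / check for DBA role / how are privileges granted" checks that the DB Access Control slides go on to, all reduce to the same offline exercise: pull DBA_USERS, DBA_ROLE_PRIVS and DBA_SYS_PRIVS out of the database and walk the role graph. The following is an added example that does that over constructed rows; it is not code from the lecture and not Pete Finnigan's checker. DEFAULT_HASHES carries the pre-11g hashes that the public default-password lists publish for SYS, SYSTEM and SCOTT (confirm them against the downloaded scripts); every other hash and every row is constructed for the example.

```python
"""Offline audit for the 'DB Access Control' checks: accounts still on a default
password, who ends up holding DBA (directly or through nested roles) and by which
grant chain, and each user's effective set of system privileges.

Added example, not code from the lecture or from Finnigan's checker.  The row lists
are constructed to look like SELECTs from DBA_USERS, DBA_ROLE_PRIVS and DBA_SYS_PRIVS.
DEFAULT_HASHES holds the pre-11g hashes published for three well-known accounts.
"""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# (username, default password) -> DBA_USERS.PASSWORD hash (pre-11g format)
DEFAULT_HASHES = {
    ("SYS", "CHANGE_ON_INSTALL"): "D4C5016086B2DC6A",
    ("SYSTEM", "MANAGER"): "D4DF7931AB130E37",
    ("SCOTT", "TIGER"): "F894844C34402B67",
}

# Constructed: SELECT username, password, account_status FROM dba_users
USERS = [
    ("SYS", "D4C5016086B2DC6A", "OPEN"),                 # never changed
    ("SYSTEM", "7A8C3E1F9B2D4E60", "OPEN"),              # changed (hash constructed)
    ("SCOTT", "F894844C34402B67", "EXPIRED & LOCKED"),   # default, but locked
    ("APPUSER", "1F3E5D7C9B0A2468", "OPEN"),
    ("REPORTER", "2E4D6C8B0A193857", "OPEN"),
]
# Constructed: SELECT grantee, granted_role, admin_option FROM dba_role_privs
ROLE_PRIVS = [
    ("SYSTEM", "DBA", "YES"),
    ("APPUSER", "APP_ADMIN", "NO"),
    ("APP_ADMIN", "DBA", "NO"),          # nested: APPUSER -> APP_ADMIN -> DBA
    ("REPORTER", "CONNECT", "NO"),
]
# Constructed: SELECT grantee, privilege FROM dba_sys_privs (real DBA has far more)
SYS_PRIVS = [
    ("DBA", "ALTER ANY TABLE"),
    ("APP_ADMIN", "CREATE SESSION"),
    ("CONNECT", "CREATE SESSION"),
    ("REPORTER", "SELECT ANY TABLE"),
]


def default_password_accounts(users) -> List[Tuple[str, str]]:
    """Accounts whose stored hash equals the hash of their published default password."""
    by_user = {u: h for (u, _pw), h in DEFAULT_HASHES.items()}
    return sorted((u, status) for u, h, status in users if by_user.get(u) == h)


def _direct_roles(role_privs) -> Dict[str, Set[str]]:
    direct: Dict[str, Set[str]] = defaultdict(set)
    for grantee, role, _admin in role_privs:
        direct[grantee].add(role)
    return direct


def grant_path(role_privs, grantee: str, target: str) -> Optional[List[str]]:
    """Shortest chain of role grants from grantee to target, e.g. ['APP_ADMIN', 'DBA']."""
    direct = _direct_roles(role_privs)
    queue, seen = deque([(grantee, [])]), {grantee}
    while queue:
        node, path = queue.popleft()
        for role in sorted(direct.get(node, ())):
            if role == target:
                return path + [role]
            if role not in seen:           # cycle guard: roles can be granted to each other
                seen.add(role)
                queue.append((role, path + [role]))
    return None


def dba_holders(users, role_privs) -> Dict[str, List[str]]:
    """Users (not roles) who end up with DBA, with the grant chain that gives it to them."""
    result = {}
    for username, _hash, _status in users:
        path = grant_path(role_privs, username, "DBA")
        if path:
            result[username] = path
    return result


def effective_sys_privs(users, role_privs, sys_privs) -> Dict[str, Set[str]]:
    """Every system privilege a user holds directly or through any role in its closure."""
    direct = _direct_roles(role_privs)
    privs_of: Dict[str, Set[str]] = defaultdict(set)
    for grantee, priv in sys_privs:
        privs_of[grantee].add(priv)

    def closure(name: str) -> Set[str]:
        seen: Set[str] = set()
        stack = [name]
        while stack:
            for r in direct.get(stack.pop(), ()):
                if r not in seen:
                    seen.add(r)
                    stack.append(r)
        return seen

    out = {}
    for username, _hash, _status in users:
        out[username] = set().union(*(privs_of[n] for n in {username} | closure(username)))
    return out


if __name__ == "__main__":
    print("default passwords:", default_password_accounts(USERS))
    print("DBA holders:", dba_holders(USERS, ROLE_PRIVS))
    for user, privs in effective_sys_privs(USERS, ROLE_PRIVS, SYS_PRIVS).items():
        print(f"{user:9s} {sorted(privs)}")
```

Two points the output makes that a one-level look at DBA_ROLE_PRIVS misses: APPUSER never appears next to DBA in that view yet holds it through APP_ADMIN, and SCOTT's default password is still in place even though the account is locked, so unlocking it later would silently reopen the hole.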

