Data in the crosshairs

Richard Austin, MS, CISSP, MCSE

Data in the Crosshairs
Why most database administrators shouldn't be able to sleep at night

Bio

Richard is a 30+ year veteran of the IT industry in positions ranging from software developer to security architect. Before beginning a career as a university instructor and independent cybersecurity consultant, he was focused on technology and processes for successfully protecting the 14PB storage area network infrastructure within the global IT organization of a Fortune 25 company. He earned a MS degree with a concentration in information security from Kennesaw State University, a National Center of Academic Excellence in Information Assurance Education, and serves as a part-time faculty in their CSIS department where he teaches in the Information Security and Assurance program. He holds the CISSP certification and is an active member of SNIA's Security Technical Working Group. He is a Senior Member of both the IEEE and ACM and also belongs to the IEEE Computer Society, CSI, HTCIA, ISSA (where he serves on their International Ethics Committee) and the Atlanta Chapter of Infragard. He is a frequent writer and presenter on storage networking security and digital forensics.

Let's talk risk

R = f(t, v, a)

Risk is a function of:
- Threat – what a threat agent may be able to do to your asset
- Vulnerability – a defect in policy, technology, etc., that exposes the asset
- Asset – the item of value you're supposed to protect

Databases and Asset Value

- Databases concentrate the information valuable to the organization in a centralized place
- Databases provide standard access methods and protocols to support the applications that depend on them
- Databases, in other words, are high value targets

Databases as Attack Vectors

- Not only are databases valuable targets because of the information they contain, but their standard interfaces and capabilities provide vectors for other forms of attack on the organization
- For example, most DBMS's provide a facility to open a command shell.
  - If an attacker can access this capability, they can execute commands of their choosing on the host

Weaponizing a Vulnerability

- The warhead "gets you in"
  - Exploit of a vulnerability may allow you to execute code of your choosing
- The payload accomplishes your purpose
  - Download and install a root kit that allows remote access to the system

Not all vulnerabilities are technical

- Vulnerabilities also include defects in policies and procedures
  - Allowing a database to be deployed with blank or default passwords
  - Allowing a database to be deployed with weak passwords
    http://www.petefinnigan.com/oracle_password_cracker.htm

Non-Technical Vulnerabilities

- Databases with poor design for least privilege
  - Writer – can read and write anything
  - Reader – can read anything
- "Development" users and capabilities
  - These are back doors and have no place in a production database

OWASP Top 10

Recent Example: SANS ISC

Recent Example

Code Review

Howard, M. A. (2006). A Process for Performing Security Code Reviews. IEEE Security & Privacy, 4(4), p. 78

Attackers Adapt, Innovate and Overcome Our Defenses

- Attackers are quite au courant with our defenses and they adapt
- One new attack form is called SQL Smuggling
  - "SQL Injection attacks that can evade detection, as a result of different interpretations of the malicious data. Specifically, protective mechanisms – including data validation by the application, Web Application Firewalls (WAF), IDS, etc. – will not recognize or block the malicious input; however, the database server will in fact accept the submitted input as valid commands." -- Avi Douglen, COMSEC Consulting

Example

Taken from Avi Douglen, "SQL Smuggling"

Google Search

http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

Stored Attacks

Ng's Second Order Attack

From Sam Ng's "Advanced Topics on SQL Injection Protection", OWASP 2006

My database isn't important

- This is a common whine and doesn't wash because the database information isn't the only source of value
  - The database may be used as an attack vector to compromise other systems with more valuable information or to turn the system into a BOT

What can we do?

- Security defenses are not magical totems that can be erected to scare off evil attackers
- Security professionals must actively track new developments and exploits to continually refine their defenses to meet the current threats

"From the character the institutions the situation and the
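The SQL Smuggling and Second Order Attack slides make the same point: a filter at the input boundary and the database server can interpret the same bytes differently, and a value that passes the front door once may be re-used later in a query that was never checked. The following is an added example, not code from the slides or from Douglen or Ng; it uses a constructed sqlite3 schema, a constructed username, and hypothetical function names to show the second-order path from the defender's side, with the deliberately vulnerable sink next to its parameterized fix.

```python
import sqlite3

def setup() -> sqlite3.Connection:
    """Constructed toy schema: a users table and each user's saved notes."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(name TEXT PRIMARY KEY, role TEXT);
        CREATE TABLE notes(owner TEXT, body TEXT);
        INSERT INTO users VALUES ('alice', 'reader'), ('bob', 'writer');
        INSERT INTO notes VALUES ('alice', 'alice note'), ('bob', 'bob note');
    """)
    return con

def register(con: sqlite3.Connection, name: str) -> None:
    """First-order boundary (the 'WAF' view of the input): the name is bound
    as a parameter, so it is stored verbatim and this INSERT is safe."""
    con.execute("INSERT INTO users(name, role) VALUES (?, 'reader')", (name,))
    con.commit()

def notes_for_concat(con: sqlite3.Connection, stored_name: str) -> list:
    """Second-order sink, deliberately vulnerable: a value read back from the
    database is trusted as 'already validated' and spliced into new SQL."""
    sql = "SELECT body FROM notes WHERE owner = '" + stored_name + "'"
    return [row[0] for row in con.execute(sql)]

def notes_for_param(con: sqlite3.Connection, stored_name: str) -> list:
    """Hardened sink: the same lookup with a bound parameter, so the stored
    value is data to the database server no matter how it is spelled."""
    cur = con.execute("SELECT body FROM notes WHERE owner = ?", (stored_name,))
    return [row[0] for row in cur]

def demo() -> tuple:
    """Register a constructed username containing quote characters, read it
    back later, and feed it to both sinks. Returns (leaky_rows, safe_rows)."""
    con = setup()
    stored_input = "x' OR '1'='1"  # constructed sample; harmless on INSERT
    register(con, stored_input)
    (stored,) = con.execute("SELECT name FROM users WHERE name = ?",
                            (stored_input,)).fetchone()
    return notes_for_concat(con, stored), notes_for_param(con, stored)
```

The concatenating sink returns every user's notes because the stored text became part of the WHERE clause; the parameterized sink returns nothing for that owner, which is the correct answer. The lesson for review is that binding parameters is required at every query that touches stored data, not only where user input first arrives.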

