SQL Server Threats and Countermeasures
Jasmin Azemović, Ph.D, MVP, MCT
Fakultet informacijskih tehnologija, Mostar

Inspired by people. Please switch off your mobile phones. Thank you.

Agenda
- SQL Server security model
- Threat modeling
- Security during and after installation
- Threats from authorized users
- Physical data theft
- Data transfer sniffing
- SQL code injection
- Auditing

SQL Server Security Model
The SQL Server security model is very granular. Permissions can be set at three layers:
- Server side: logins and authentication (who may connect at all), plus server-level assets such as backup files and configuration
- Database side: database users, roles and authorization (what a connected principal may do), covering the database's objects and data
- Object level: individual tables, views, stored procedures, and even single columns

Threat Modeling
Threat modeling is a formalized process for describing the security aspects of a system. Its goals:
- Minimize the potential cost of security problems
- Minimize the need to rework code
- Locate and eliminate security risks
The process: draw the system diagram, identify threats, mitigate them, validate the solution.

[Slide: example of a threat model (diagram)]

Security During and After Installation
Security steps during installation:
- Service accounts
- Authentication modes (Windows authentication vs. mixed mode)
- The administrator (sa) account
Security steps after installation:
- Using SQL Server Configuration Manager
- Working with Windows Firewall
- SQL Server resource consumers and the types of consumers
- Password issues and password policy
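The post-installation checks from this slide, written out as an added T-SQL example (not part of the original presentation). It assumes a sysadmin connection to a SQL Server 2005 or later instance; the login names [sqladmin_disabled] and [app_reporting] are placeholders. Each check shows the weak state first and the corrected setting after it.

```sql
-- Added example, not part of the original presentation.
-- Placeholders: [sqladmin_disabled] and [app_reporting] are invented login names.

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode (SQL logins allowed).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. The built-in sa login always has SID 0x01, even after it has been renamed.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

-- If mixed mode cannot be avoided, rename and disable sa and use a named sysadmin login instead.
ALTER LOGIN sa WITH NAME = [sqladmin_disabled];
ALTER LOGIN [sqladmin_disabled] DISABLE;

-- 3. SQL logins that bypass the Windows password policy (complexity, lockout, expiration).
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- Enforce the policy for an offending login (CHECK_EXPIRATION requires CHECK_POLICY = ON).
ALTER LOGIN [app_reporting] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 4. Surface area: which address and TCP port is this instance actually listening on?
--    (Both are NULL for a local shared-memory session. The Windows Firewall rule
--    itself is created outside SQL Server.)
SELECT local_net_address, local_tcp_port
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 5. Features that should stay off unless there is an explicit, documented need.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'remote access');
```

Renaming sa does not hide it from an attacker who queries by SID, which is why the script disables it as well; the rename only defeats tools that hard-code the name.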

[Slide: examples]

Threats From Authorized Users
Inner threats are more dangerous because they come with a false sense of security. Do we trust our users? A user's role alone is not enough to ensure security and privacy.

Example: a principal holds read permission on a database, schema or table. Typical holders: BI/reporting users, power users, information consumers. So where is the problem? The same read permission lets the user read "private" tables as well.

Countermeasures
- Explicit DENY on specific objects (table, column, ...); DENY overrides GRANT
- Don't give direct access to tables; use views, stored procedures and schemas
- Don't allow ad-hoc queries in production
- Use Policy-Based Management and Resource Governor
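The DENY-over-GRANT rule and the view-based access path from this slide, as an added T-SQL example that is not part of the original presentation. It assumes a database HRDemo with tables dbo.Employees(EmployeeId, Name, Department, Salary) and dbo.Salaries; the role, user and object names are placeholders.

```sql
-- Added example, not part of the original presentation.
-- Placeholders: database HRDemo, tables dbo.Employees and dbo.Salaries,
-- role reporting, user report_reader, view dbo.vEmployeeDirectory.
USE HRDemo;
GO
CREATE ROLE reporting;
CREATE USER report_reader WITHOUT LOGIN;        -- throw-away user for testing with EXECUTE AS
ALTER ROLE reporting ADD MEMBER report_reader;  -- SQL Server 2012+; sp_addrolemember on older versions
GO
-- The broad "read everything" grant a BI or power user typically gets.
GRANT SELECT ON SCHEMA::dbo TO reporting;

-- Explicit DENY on the private table and on one sensitive column.
-- A DENY wins over a GRANT at the same or a higher level (schema, database).
DENY SELECT ON OBJECT::dbo.Salaries TO reporting;
DENY SELECT ON OBJECT::dbo.Employees (Salary) TO reporting;
-- Caveat: the reverse does not hold. A column-level GRANT is NOT overridden by a
-- table-level DENY, so never rely on a table DENY to cancel earlier column GRANTs.
GO
-- Preferred path: expose exactly what the consumer needs through a view.
CREATE VIEW dbo.vEmployeeDirectory
AS
    SELECT EmployeeId, Name, Department FROM dbo.Employees;
GO
GRANT SELECT ON OBJECT::dbo.vEmployeeDirectory TO reporting;
GO
-- Verify as the low-privileged user.
EXECUTE AS USER = 'report_reader';
SELECT * FROM dbo.vEmployeeDirectory;       -- succeeds
SELECT Name FROM dbo.Employees;             -- succeeds: Salary is not referenced
SELECT Name, Salary FROM dbo.Employees;     -- fails: SELECT permission denied on column 'Salary'
SELECT * FROM dbo.Salaries;                 -- fails: SELECT permission denied on object 'Salaries'
REVERT;
```

The view works because of ownership chaining: dbo owns both the view and the base table, so SQL Server does not check the caller's permissions on dbo.Employees when the view is queried. That is what makes a view a controlled access path, but it also means a DENY on a base table gives no protection against a badly written view or procedure owned by the same owner; review what the views expose, not only what the tables deny.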

Physical Data Theft
This threat is usually ignored. Why? Weak points exist both inside and outside the SQL Server environment.

Weak Points Inside the SQL Server Environment
There are two major areas where a database can be compromised. Inside threats:
- Data files: attach/detach
- Backup files: copying

Weak Points Outside SQL Server
This area is outside SQL Server's jurisdiction. Outside threats:
- File system
- Operating system
- Network

What can we do on SQL Server?
[Slide: diagram of the attack surface: client, client file system, communication channel, SQL Server instance, SQL Server data files, backup files]

Countermeasures
SQL Server countermeasures:
- Table/column (cell-level) encryption
- Transparent Data Encryption (TDE)
- Encrypted backups
Outside SQL Server:
- Volume encryption: BitLocker, TrueCrypt (TrueCrypt has since been discontinued)
- Passwords on backup archives (ZIP, RAR); use AES encryption, the legacy ZipCrypto scheme is weak
- Limiting the number of administrative staff
- An efficient audit policy
- Don't carry database backups on laptops, USB sticks or SD cards
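TDE and native backup encryption from this slide, as an added T-SQL example (not part of the original presentation). It assumes SQL Server 2008 or later for TDE and 2014 or later for the ENCRYPTION backup option; the database HRDemo, the certificate name, the file paths and the passphrases are placeholders. Cell-level encryption is not shown.

```sql
-- Added example, not part of the original presentation.
-- Placeholders: database HRDemo, certificate TDECert, paths under D:\, passphrases.
USE master;
GO
-- 1. Key hierarchy: database master key in master (protected by the service master key),
--    then a certificate that will protect the database encryption key and the backups.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-a-long-passphrase-kept-in-a-vault!';
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE and backup protection for HRDemo';
GO
-- 2. Export the certificate and private key NOW and store them offline. Without them
--    neither the data files nor the encrypted backups can ever be restored elsewhere.
BACKUP CERTIFICATE TDECert
    TO FILE = 'D:\keys\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = 'Another-long-passphrase-kept-offline!');
GO
-- 3. Turn on TDE: a stolen or detached .mdf/.ldf is useless without the certificate.
USE HRDemo;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE HRDemo SET ENCRYPTION ON;
GO
-- encryption_state: 1 = unencrypted, 2 = encryption in progress, 3 = encrypted
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;

-- 4. Backups. A backup of a TDE database is already unreadable without the certificate;
--    native backup encryption also covers databases where TDE is not enabled.
BACKUP DATABASE HRDemo
    TO DISK = 'D:\backup\HRDemo_enc.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = TDECert);

-- 5. Check that a backup set is encrypted before it leaves the building:
--    look at the KeyAlgorithm and EncryptorThumbprint columns.
RESTORE HEADERONLY FROM DISK = 'D:\backup\HRDemo_enc.bak';
```

TDE protects data at rest only: a user with SELECT still reads plaintext, which is why it complements rather than replaces the DENY and view controls above. Enabling TDE on any database also encrypts tempdb for the whole instance, and losing the certificate means losing the database, so the certificate backup in step 2 is part of the control, not an afterthought.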

Data Transfer Sniffing
SQL Server uses classic client/server communication, and anything can happen on the network:
- Communication monitoring
- Data sniffing
- Data tampering

Why Is a Firewall Not Enough?
A firewall is a necessary but not a sufficient condition for security. A firewall will NOT help with:
- A poorly written application
- A bad data access layer
- Missing input validation, etc.

Countermeasures
- The server can use SSL/TLS to encrypt the data transfer between client and server
- The encryption strength (historically 40-bit or 128-bit) depends on the negotiated cipher; current versions negotiate TLS cipher suites through Windows SChannel
- SSL/TLS encryption does cost some performance
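A check a DBA can run before and after switching on encryption, added here as an example that is not part of the original presentation: it lists every remote user session whose TDS stream is not TLS-encrypted. It needs VIEW SERVER STATE and runs on SQL Server 2005 or later; no placeholders are involved.

```sql
-- Added example, not part of the original presentation.
-- Which sessions are talking to this instance in clear text?
SELECT  s.session_id,
        s.login_name,
        s.host_name,
        s.program_name,
        c.net_transport,        -- TCP, Shared memory, Named pipe
        c.auth_scheme,          -- SQL, NTLM or KERBEROS
        c.encrypt_option        -- 'TRUE' only when the TDS stream is TLS-encrypted
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory'   -- local shared-memory sessions never cross the network
ORDER BY s.login_name, s.host_name;
```

By default SQL Server encrypts only the login packet; every query and result set after it crosses the wire in clear text until either Force Encryption is set on the server (SQL Server Configuration Manager, Protocols) or the client asks for it with Encrypt=true. Encryption alone does not stop tampering by a man in the middle: the client must also validate the server certificate (TrustServerCertificate=false), otherwise any certificate presented on the path is accepted.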

SQL Code Injection
- A SQL injection attack exploits vulnerabilities in input validation
- It occurs when the application uses user input to construct dynamic SQL statements that access the database
- Using SQL injection, the attacker can execute custom commands in the database

Example: the application builds the query by string concatenation.

```csharp
using System.Data.SqlClient;

// Vulnerable: txtuid.Text is concatenated straight into the statement text.
SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT * FROM Users WHERE UserName ='" + txtuid.Text + "'", conn);
```

Attacker input in the txtuid field (the leading quote closes the string literal):

```
'; DROP TABLE Customers --
```

Statement actually sent to the server (the -- comments out the trailing quote):

```sql
SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers --'
```

Countermeasures
- Perform thorough input validation: the application should validate input before sending a request to the database
- Use parameterized stored procedures or SQL parameters
- Use least-privileged accounts to connect to the database
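The same injection reproduced inside SQL Server with dynamic SQL, beside the parameterized fix, as an added T-SQL example (not part of the original presentation). The tables dbo.Users and dbo.Customers, their rows and the procedure names are constructed placeholders. Run it in a throw-away database.

```sql
-- Added example, not part of the original presentation.
-- Constructed placeholders: tables dbo.Users / dbo.Customers and their sample rows,
-- procedures dbo.FindUser_Unsafe / dbo.FindUser_Safe.
CREATE TABLE dbo.Users     (UserName sysname PRIMARY KEY, FullName nvarchar(100));
CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, Name nvarchar(100));
INSERT dbo.Users VALUES ('alice', N'Alice Example'), ('bob', N'Bob Example');
INSERT dbo.Customers VALUES (1, N'Contoso');
GO

-- Vulnerable: the caller's string is spliced into the statement text, exactly as
-- the C# snippet on the slide does on the client side.
CREATE PROCEDURE dbo.FindUser_Unsafe @UserName nvarchar(200)
AS
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM dbo.Users WHERE UserName = ''' + @UserName + N'''';
    EXEC (@sql);
GO

-- Fixed: the value travels as a parameter and can never change the statement's structure.
CREATE PROCEDURE dbo.FindUser_Safe @UserName nvarchar(200)
AS
    EXEC sp_executesql
        N'SELECT * FROM dbo.Users WHERE UserName = @u',
        N'@u nvarchar(200)',
        @u = @UserName;
GO

-- The payload from the slide; the leading quote closes the literal, -- swallows the rest.
DECLARE @payload nvarchar(200) = N'''; DROP TABLE dbo.Customers --';

EXEC dbo.FindUser_Unsafe @payload;                              -- 0 rows, and dbo.Customers is gone
SELECT OBJECT_ID('dbo.Customers') AS customers_object_id;       -- NULL

-- Recreate the table and try the hardened version with the same payload.
CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, Name nvarchar(100));
EXEC dbo.FindUser_Safe @payload;                                -- 0 rows, table untouched
SELECT OBJECT_ID('dbo.Customers') AS customers_object_id;       -- non-NULL
```

The DROP succeeds only because the procedure runs with the caller's rights and the caller here is an administrator; with an application login that holds nothing beyond SELECT on dbo.Users the injected DROP fails, which is the third bullet above in practice. Where an identifier (a table or column name) must be dynamic and cannot be a parameter, wrap it in QUOTENAME() and check it against sys.objects or sys.columns before use.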

Auditing
- Digital evidence
- Methods for collecting data
- Securing digital evidence

Digital Evidence
Sources of digital evidence in SQL Server: SQL Server Profiler (deprecated since SQL Server 2012 in favor of Extended Events), triggers (DDL/DML), SQL Server Audit, and other tools. The evidence must answer three questions: when? who? what?
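SQL Server Audit configured to answer the when/who/what questions from this slide, as an added T-SQL example that is not part of the original presentation. It assumes SQL Server 2008 or later (database-level audit specifications required Enterprise Edition before 2016 SP1); the audit names, the database HRDemo and the path D:\audit\ are placeholders.

```sql
-- Added example, not part of the original presentation.
-- Placeholders: audit HRAudit, specifications HRAuditServer / HRAuditData, database HRDemo, path D:\audit\.
USE master;
GO
CREATE SERVER AUDIT HRAudit
    TO FILE (FILEPATH = 'D:\audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Server level: who logs in (or fails to), who changes server roles, and who touches the audit itself.
CREATE SERVER AUDIT SPECIFICATION HRAuditServer
    FOR SERVER AUDIT HRAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE HRDemo;
GO
-- Database level: every read and write against the dbo schema by anyone,
-- plus schema and principal changes (the DDL that a trigger would otherwise catch).
CREATE DATABASE AUDIT SPECIFICATION HRAuditData
    FOR SERVER AUDIT HRAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE master;
GO
ALTER SERVER AUDIT HRAudit WITH (STATE = ON);
GO
-- Read the evidence back: when (event_time), who (principal names), what (action, object, statement).
-- action_id: SL = select, IN = insert, UP = update, DL = delete.
SELECT event_time, server_principal_name, session_server_principal_name,
       action_id, succeeded, database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\audit\HRAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE succeeded = 0 OR action_id IN ('DL', 'UP', 'IN')   -- failed attempts plus all writes
ORDER BY event_time DESC;
```

session_server_principal_name is the login that opened the session, while server_principal_name is the principal the statement ran as; when they differ, someone used EXECUTE AS or impersonation. Securing the evidence means the audit directory must be writable by the SQL Server service account only and copied off the server regularly, because a sysadmin on the instance can stop the audit (which AUDIT_CHANGE_GROUP at least records) and a local administrator can delete the files.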

Final Facts
- Databases contain business-critical information
- Database servers hold private, sensitive and secured information
- The database is the last line of defense

Inspired by people. Questions and answers.