Back-End Data Security: Three Things and Three Places... Not Just the Database!

About the Author
- Infrastructure and security architect
- Database Administrator / Architect
- Former incident response team lead
- Certified Information Systems Auditor (CISA)
- SQL Server security columnist / blogger
- Editor for SQL Server benchmarks at the Center for Internet Security

Contact Information
K. Brian Kelley
- Email: kbriankelley@acm.org
- Twitter: @kbriankelley
- Infrastructure/Security Blog: http://truthsolutions.wordpress.com
- Personal Development Blog: http://gkdba.wordpress.com
Goals
- Get you into an adversary mindset
- Consider areas traditionally neglected
- Understand the "insider" threat

Agenda
- A solid INFOSEC model
- The "insider" threat
- Three Things and Three Places
- Applying the Things to the Places
- Two examples to consider
Information Security's C-I-A Triad
It is easy to focus on Confidentiality and Integrity, but Availability matters just as much. If users can't use the system, the system is worthless.

Principle of Least Privilege
The permission to do the job.
- Nothing more. Excess permission threatens confidentiality and threatens integrity.
- Nothing less. Insufficient permission threatens availability.

The Insider Threat
- The vast majority of insiders aren't the problem.
- Sometimes you have bad people.
- Sometimes people turn bad.
- OR: an adversary can act like an insider.

My Miss Emma Example
Miss Emma may be the purest soul walking today, but you can't just think about Miss Emma. What if Miss Emma falls to a phishing attack? Consider:
- SC DOR or Anthem compromise
- Attacks against Defense Industry contractors
- RSA compromise
- Aurora attacks
Assume that a user account will be compromised.
Three Things to Worry About
- Unauthorized data access
- Unauthorized data change
- Unauthorized process change

Three Places to Worry About
- Source
- In-flight
- Destination
Places: Web Servers / Services
- Are they vulnerable to SQL injection?
- What and who connect to them?
- Are they using HTTPS?
- What else is on the same web server?

Places: File System Questions
- Who has the ability to modify the files?
- Who has the ability to read the files?
- What processes can touch the files?
- Can you detect file tampering?

Places: Database Questions
- Who can read the data?
- Who can modify the data?
- Can you verify data integrity?

Places: Network Questions
- Is sensitive data being sent across the network?
- If so, is it encrypted?
- If you're using SSL, who controls the CA?
- If it isn't encrypted, is someone watching?

Example: SSIS Packages
- Who can update the packages?
- Are you checking for updates?
- Can you detect an unauthorized update?
- How about during the ETL process?
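One concrete answer to "Can you detect file tampering?" and "Can you detect an unauthorized update?" for SSIS packages is a hash baseline of the package files, checked before each ETL run. The script below is an added example, not from the deck: the directory, package names and file contents are constructed, and the SHA-256 manifest approach is my choice.

```python
import hashlib
import json
import tempfile
from pathlib import Path

PACKAGE_PATTERNS = ("*.dtsx", "*.dtsConfig")  # SSIS package and config files

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large packages don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, patterns=PACKAGE_PATTERNS) -> dict:
    """Map each package's path (relative to root) to its hash; keep this copy where package editors can't write."""
    baseline = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline

def compare_to_baseline(root: Path, baseline: dict, patterns=PACKAGE_PATTERNS) -> dict:
    """Report packages whose content changed, appeared, or disappeared since the baseline."""
    current = build_baseline(root, patterns)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: baseline two packages, then alter one and drop in an unknown one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "LoadCustomers.dtsx").write_text("<DTS:Executable>original</DTS:Executable>")
        (root / "LoadOrders.dtsx").write_text("<DTS:Executable>original</DTS:Executable>")
        stored = json.dumps(build_baseline(root))  # the copy you keep off the ETL server
        # Simulate an unauthorized update and a package that was never approved
        (root / "LoadOrders.dtsx").write_text("<DTS:Executable>altered</DTS:Executable>")
        (root / "NotInBaseline.dtsx").write_text("<DTS:Executable>new</DTS:Executable>")
        return compare_to_baseline(root, json.loads(stored))

if __name__ == "__main__":
    print(demo())  # {'modified': ['LoadOrders.dtsx'], 'added': ['NotInBaseline.dtsx'], 'removed': []}
```

A check like this only covers the files at rest between runs; the deck's last question, what happens during the ETL process itself, needs controls on the executing account and the data it touches, not just on the package files.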
Example: Web Services
- Who can administer the web server?
- Who can change the code?
- Can you detect a change?
- Can you reverse the change?

Goals (recap)
- Get you into an adversary mindset
- Consider areas traditionally neglected
- Understand the "insider" threat

Thank You! Questions?
K. Brian Kelley
- Email: kbriankelley@acm.org
- Twitter: @kbriankelley
- Tech/Sec blog: http://truthsolutions.wordpress.com/
- Prof. Dev. blog: http://gkdba.wordpress.com/
- Center for Internet Security: http://cisecurity.org/