Back-End Data Security

Presentation transcript:

Back-End Data Security
Three Things and Three Places… Not Just the Database!

Author Page
Infrastructure and security architect
Database Administrator / Architect
Former incident response team lead
Certified Information Systems Auditor (CISA)
SQL Server security columnist / blogger
Editor for SQL Server benchmarks at Center for Internet Security

Contact Information
K. Brian Kelley
Email: kbriankelley@acm.org
Twitter: @kbriankelley
Infrastructure/Security Blog: http://truthsolutions.wordpress.com
Personal Development Blog: http://gkdba.wordpress.com

Goals
Get you in an adversary mindset
Consider areas traditionally neglected
Understand the “insider” threat

Agenda
A Solid INFOSEC Model
The “Insider” Threat
Three Things and Three Places
Applying the Things to Places
Two Examples to Consider

Information Security’s C-I-A Triad
It’s easy to focus on Confidentiality and Integrity, but Availability is important. If users can’t use the system, the system is worthless.

Principle of Least Privilege
The permission to do the job.
Nothing more: excess permission threatens confidentiality and integrity.
Nothing less: insufficient permission threatens availability.

The Insider Threat
The vast majority aren’t the problem.
Sometimes you have bad people.
Sometimes people turn bad.
OR – An adversary can act like an insider.

My Miss Emma Example
Miss Emma may be the purest soul walking today.
You can’t just think about Miss Emma. What if Miss Emma falls to a phishing attack?
SC DOR or Anthem compromise
Attacks against Defense Industry contractors
RSA Compromise
Aurora attacks
Assume that a user account will be compromised.

Three Things to Worry About
Unauthorized Data Access
Unauthorized Data Change
Unauthorized Process Change

Three Places to Worry About
Source
In-Flight
Destination

Places: Web Servers / Services
Are they vulnerable to SQL Injection?
What and who connect to them?
Are they using HTTPS?
What else is on the same web server?

Places: File System Questions
Who has the ability to modify the files?
Who has the ability to read the files?
What processes can touch the files?
Can you detect file tampering?

Places: Database Questions
Who can read the data?
Who can modify the data?
Can you verify data integrity?

Places: Network Questions
Is sensitive data being sent across?
If so, is it encrypted?
If you're using SSL, who controls the CA?
If it isn't encrypted, is someone watching?

Example: SSIS Packages
Who can update the packages?
Are you checking for updates?
Can you detect an unauthorized update?
How about during the ETL process?
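The file-system slide and the SSIS slide both ask the same detection question: can you tell when a file on disk was changed without authorization? One plain answer is a content-hash baseline that is recorded once, stored where the ETL service account cannot write, and compared against the folder on a schedule. The script below is an added illustration, not code from the deck or from Mr. Kelley; the package folder, the file names and the tampering scenario are all constructed for the demo, and the choice to watch only .dtsx and .dtsconfig files is an assumption.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed file types to watch: SSIS packages (.dtsx) and their configuration
# files (.dtsconfig). Anything else in the folder is ignored by the baseline.
WATCHED_SUFFIXES = {".dtsx", ".dtsconfig"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large packages are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each watched file (path relative to root) to its digest and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": file_digest(path), "size": path.stat().st_size}
    return baseline


def save_baseline(baseline: dict, out_path: Path) -> None:
    """Persist the baseline; keep this file outside the watched tree."""
    out_path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: content changed, file appeared, file disappeared."""
    modified = sorted(
        p for p in baseline if p in current and baseline[p]["sha256"] != current[p]["sha256"]
    )
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline a package folder, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        packages = Path(tmp) / "packages"
        (packages / "etl").mkdir(parents=True)
        (packages / "etl" / "LoadCustomers.dtsx").write_text("<DTS:Executable>original</DTS:Executable>")
        (packages / "etl" / "LoadOrders.dtsx").write_text("<DTS:Executable>orders</DTS:Executable>")
        (packages / "etl" / "readme.txt").write_text("not a watched file type")

        # The baseline lives beside, not inside, the folder it describes.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(packages), baseline_file)

        # Simulated unauthorized changes (constructed): one package edited in
        # place, one removed, one new package dropped into the folder.
        (packages / "etl" / "LoadCustomers.dtsx").write_text("<DTS:Executable>changed</DTS:Executable>")
        (packages / "etl" / "LoadOrders.dtsx").unlink()
        (packages / "etl" / "NewPackage.dtsx").write_text("<DTS:Executable>new</DTS:Executable>")

        return compare(load_baseline(baseline_file), build_baseline(packages))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points follow from the slides rather than from the code. First, the check is only as trustworthy as the baseline: if the account that runs the ETL can rewrite baseline.json, an insider or a compromised insider account can re-baseline after editing a package, so the baseline belongs on a path that only the monitoring job can write. Second, a hash comparison answers "did it change" but not "who changed it"; pairing the report with file-system audit logging on the package folder is what turns a detection into something an incident responder can act on.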

Example: Web Services
Who can administer the web server?
Who can change the code?
Can you detect a change?
Can you reverse the change?

Goals
Get you in an adversary mindset
Consider areas traditionally neglected
Understand the “insider” threat

Thank You! Questions?
K. Brian Kelley
Email: kbriankelley@acm.org
Twitter: @kbriankelley
Tech/Sec blog: http://truthsolutions.wordpress.com/
Prof. Dev. blog: http://gkdba.wordpress.com/
Center for Internet Security: http://cisecurity.org/