Effective Database Defense Hacking The Big 4 Databases Frank Grottola VP – North American Sales.

Slides:



Advertisements
Similar presentations
PAM4Exchange Date Metalogix – Training Documentation.
Advertisements

Patch Management Patch Management in a Windows based environment
Module XIV SQL Injection
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any.
Yahoo! In South America South America Interconnection LACNIC XIII 2010.
© 2008 Security-Assessment.com 1 Time Based SQL Injection Presented by Muhaimin Dzulfakar.
© 2009 Virtual Computer Inc. – Company Confidential1 Maintaining a Desktop SLA.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
1 System Level Verification of OCP-IP based SoCs using OCP-IP eVC Himanshu Rawal eInfochips, Inc.,4655 Old Ironsides Drive, Suite 385,Santa Clara, CA
Data. Insight. Action. © DataXu, Inc. Privileged & Confidential1.
ProQuest Confidential1 ProQuest Agricultural Journals Marika Janouskova Area Sales Manager.
CONFIDENTIAL1 Good Afternoon! Let's get started learning about COMPARING AND ORDERING DECIMALS Choose the letter of the point that corresponds to each.
Introducing ClientTrack 13 1Company Confidential WEBINAR SERIES | August 15, 2013 Presentation will be recorded Callers muted Written questions are welcome.
13 Copyright © Oracle Corporation, All rights reserved. Controlling User Access.
An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.
Understand Database Security Concepts
SPEAKER BLITZ ERIC BROWN Senior Systems Engineer NICK JAVANOVIC DoD Regional Sales Manager.
Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &
Cryptography and Network Security Chapter 20 Intruders
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Database Security Managing Users and Security Models.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
Introduction to Application Penetration Testing
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.
Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.
Howard Pincham, MCITP, CISSP Database and Compliance Engineer Hyland Software, Inc.
Database Security CIS 764 Presentation Mazharuddin Mohammad.
Attacks Against Database By: Behnam Hossein Ami RNRN i { }
Common Cyber Defenses Tom Chothia Computer Security, Lecture 18.
Database Security DB0520 Authentication and password security Authentication options – strong, weak Review security environment - Sys Admin privileges.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Profiles, Password Policies, Privileges, and Roles
Copyright © 2013 Curt Hill Database Security An Overview with some SQL.
System Hacking Active System Intrusion. Aspects of System Hacking System password guessing Password cracking Key loggers Eavesdropping Sniffers Man in.
File System Security Robert “Bobby” Roy And Chris “Sparky” Arnold.
Database Role Activity. DB Role and Privileges Worksheet.
Hacking Windows 9X/ME. Hacking framework Initial access physical access brute force trojans Privilege escalation Administrator, root privileges Consolidation.
CERN IT Department CH-1211 Genève 23 Switzerland t Security Overview Luca Canali, CERN Distributed Database Operations Workshop April
TCOM Information Assurance Management System Hacking.
Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003.
Module 6: Data Protection. Overview What does Data Protection include? Protecting data from unauthorized users and authorized users who are trying to.
Retina Network Security Scanner
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Асоциация за информационна сигурност Мрежова сигурност 1 изборен курс във ФМИ на СУ понеделник, зала 325, ФМИ, 19:00 четвъртък, зала 200,
Databases Kevin Wright Ben Bruckner Group 40. Outline Background Vulnerabilities Log File Cleaning This Lab.
Module 7: Designing Security for Accounts and Services.
Chapter 5 Managing Multi-user Databases 1. Multi-User Issues Database Administration Concurrency Control Database Security Database Recovery Page 307.
Understanding Security Policies Lesson 3. Objectives.
9 Copyright © 2004, Oracle. All rights reserved. Getting Started with Oracle Migration Workbench.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Top 10 Hacking Tool Welcome TO hackaholic Kumar shubham.
Information Security Analytics
Critical Security Controls
Penetration Test Debrief
E-commerce Application Security
Managing Multi-user Databases
Audit Findings: SQL Database
The Dirty Business of Auditing
Information Security Awareness
Microsoft Ignite /18/2019 7:21 AM
SharePoint Server Assessment Results
6. Application Software Security
Presentation transcript:

Effective Database Defense Hacking The Big 4 Databases Frank Grottola VP – North American Sales

Application Security Inc. All rights reserved. Confidential2Agenda  Data, Databases, Data Theft  Database Attack Examples – Oracle: Stealth Password Cracking – SQL Server: Escalate a Database Owners Privileges to Sys Admin – Sybase: Escalate Any User’s Privileges to Sys Admin – DB2: Create Remote OS Admin Users  Database Security Top 10 Checklist  How to Protect Your Databases with DbProtect

Application Security Inc. All rights reserved. Confidential3 Data, Databases, Data Theft Over 90% of records stolen from databases (Verizon DBIR) Over 330,000,000 records stolen in 2011 (DataLossDB) Over 330,000,000 records stolen in 2011 (DataLossDB) Too many organizations have failed to take database security seriously.

Application Security Inc. All rights reserved. Confidential4 Did You Know?

Application Security Inc. All rights reserved. Confidential5 So….Is Anyone Actually Surprised?

Application Security Inc. All rights reserved. Confidential6 Default and Weak Passwords Not only DBMS have own default accounts, but applications install them too Default accounts are never good Just google “ password cracker” – dozens of them out there Names, places, dictionary words make poor passwords Rainbow tables make anything under 7 or 8 characters weak Weak passwords can be cracked If you’re not watching, an attacker can guess passwords all day Database login activity seldom monitored

Application Security Inc. All rights reserved. Confidential7 User/Password the Same: DBSNMP Default Account Examples User: sys / Password: change_on_install User: scott / Password: tiger User: SA / Password: null User: db2admin / Password: db2admin User: db2as / Password: ibmdb2 User: root / Password: null User: admin / Password: admin User: SA / Password: null User/Password the Same: DATABASE SECURITY NOT MY PROBLEM

Application Security Inc. All rights reserved. Confidential8 Attacking Oracle  Attack Target: – Oracle 11g Release 2  Privilege Level: – Any user on the network  Outcome: – Obtain any user’s password (login as SYS)  Vulnerabilities Exploited: – Oracle Stealth Password Cracking  Reported by: – Esteban Martinez Fayo - Team SHATTER - AppSecInc  Patched by Vendor: – Oct 2012 CPU

Application Security Inc. All rights reserved. Confidential9 Attacking Oracle: Failed Login + Packet Capture

Application Security Inc. All rights reserved. Confidential10 Attacking Oracle: Run Password Brute Force Tool

Application Security Inc. All rights reserved. Confidential11 Attacking Oracle: Login As SYS

Application Security Inc. All rights reserved. Confidential12 Attacking Oracle

Application Security Inc. All rights reserved. Confidential13 Attacking MS SQL Server: SQL Injection  Attack Target: – Microsoft SQL Server 2008  Privilege Level: – CREATE DATABASE  Outcome: – Full control of SQL Server (become SA)  Vulnerabilities Exploited: – Privilege escalation via SQL injection in RESTORE function  Reported By: – Martin Rakhmanov – Team SHATTER – AppSecInc  Patched By Vendor: – Unpatched

Application Security Inc. All rights reserved. Confidential14 Attacking Sybase  Attack Target: – Sybase ASE v15.5  Privilege Level: – Login only  Outcome: – Full control of Sybase server (become SA)  Vulnerabilities Exploited: – Privilege escalation via SQL injection in DBCC IMPORT_METADATA  Reported by: – Martin Rakhmanov - Team SHATTER - AppSecInc  Patched by Vendor: – Sybase ASE 15.7 ESD #2 (Sept 2012)

Application Security Inc. All rights reserved. Confidential15 Attacking DB2  Attack Target: – IBM DB2 LUW v9.7 (Windows only)  Privilege Level: – Login only  Outcome: – Full control of database and the server it runs on (become OS admin)  Vulnerabilities Exploited: – Arbitrary Code Execution in SQLJ.DB2_INSTALL_JAR  Reported by: – Martin Rakhmanov - Team SHATTER - AppSecInc  Patched by Vendor: – DB2 9.1 FixPack 12 – August 2012

Application Security Inc. All rights reserved. Confidential16 Database Security Top 10 Checklist 1: Inventory Databases2: Tag Critical Systems3: Change Default Passwords4: Implement Strong Password Controls5: Enact and Enforce Patch Management Policies6: Maintain and Enforce Configuration Standards7: Document and Enforce Least Privilege Controls8: Audit Privileged Access9: Monitor For and Respond To Attacks10: Encrypt Sensitive Data – At Rest and In Motion

Application Security Inc. All rights reserved. Confidential17 A Process To Secure Your Databases Precision Security DbProtect

Application Security Inc. All rights reserved. Confidential18 Team SHATTERSecurity Heuristics of Application Testing Technology for Enterprise Research Top 10 Database Vulnerabilities exclusive/top-10-database-vulnerabilities-and-misconfigurations/ BookPractical Oracle Security By Josh Shaul CTO, Application Security, Inc.References Josh Shaul Chief Technology Officer Application Security, Inc.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.