
3 SQL Server Threats and Countermeasures. Jasmin Azemović, Ph.D, MVP, MCT, Fakultet informacijskih tehnologija, Mostar (jasmin@edu.fit.ba, www.youtube.com/mvpdba)

4 Inspired by people. Please switch off your mobile phones. Thank you.


6 Agenda
- SQL Server security model
- Threat modeling
- Security during and after installation
- Threats from authorized users
- Physical data theft
- Data transfer sniffing
- SQL code injection
- Auditing

7 SQL Server Security Model. The SQL Server security model is very granular; permissions can be set at three layers:
- Server side: logins, authentication, authorization; also the backup files and the instance configuration.
- Database side: database users and roles, objects and data.
- Table/object/column level: individual tables, views, stored procedures and even single columns.

8 Threat Modeling. Threat modeling is a formalized process of describing the security aspects of a system. Its goals: minimize the potential cost, minimize the need to rework code, locate and eliminate security risks. The steps: draw the system diagram, identify threats, mitigate them, validate the solution.

9 Example of threat model

10 Security during and after installation. Security steps during installation: choosing service accounts, the type of authentication (Windows or mixed mode), the administrator account. Security steps after installation: using SQL Server Configuration Manager, working with Windows Firewall. SQL Server resource consumers: the types of SQL Server consumers. Password issues: the password policy.

11 Examples:
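The slide leaves its examples to the live demo. The following T-SQL is an added example, not code from the original presentation, covering the post-installation items on slide 10 (administrator account, password policy, surface area, limiting sysadmin membership). It must be run by a sysadmin; the login name app_user is hypothetical and the ALTER LOGIN for it fails if no such login exists.

```sql
-- Added example (not from the slides): post-installation hardening checks.

-- 1. Do not leave the built-in 'sa' login usable: rename it and disable it,
--    and administer through named logins (preferably Windows groups) instead.
ALTER LOGIN sa WITH NAME = [sa_disabled_do_not_use];
ALTER LOGIN [sa_disabled_do_not_use] DISABLE;
GO

-- 2. Confirm the authentication mode: 1 = Windows authentication only,
--    0 = mixed mode (SQL logins with passwords are possible).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;
GO

-- 3. Find SQL logins that bypass the Windows password policy or password
--    expiration: these can be guessed indefinitely with no lockout.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;
GO

-- 4. Bring such a login under policy (hypothetical login name).
ALTER LOGIN [app_user] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO

-- 5. List every member of sysadmin: the smaller this list, the better.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
GO

-- 6. Surface area: keep OS command execution and ad hoc remote queries off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
GO
```

Renaming sa does not remove it from sysadmin; disabling it is what stops authentication. Step 3 is worth scheduling: a login created with CHECK_POLICY = OFF by an installer never shows up in any firewall or Configuration Manager view.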

12 Threats from authorized users. "Inner" threats are more dangerous because they come with a false sense of security. Do we trust our users? A user's role on its own is not enough to guarantee security and privacy.

13 Examples: read permission on a database, schema, table, ... is granted to BI/reporting, power users and information consumers. So where is the problem? A user with read permission on the whole database can also read the "private" tables!

14 Countermeasures
- Explicit DENY on the specific object(s): table, column, ... DENY overrides GRANT.
- Don't give direct access to tables; use views, stored procedures and schemas.
- Don't allow ad hoc queries in production.
- Use Policy-Based Management and Resource Governor.
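An added T-SQL example (not code from the presentation) that walks the three permission layers of slide 7 and then applies the slide 14 countermeasures: a column-level DENY that overrides a table-level GRANT, and a view that exposes only non-sensitive columns. The database ReportsDB, the login reporting_user, the role reporting_readers and the table dbo.Employees are hypothetical names.

```sql
-- Added example (not from the slides). All object names are hypothetical.

-- 1. Server side: a SQL login that must follow the Windows password policy.
CREATE LOGIN reporting_user
    WITH PASSWORD = 'Use-a-long-random-passphrase-1',
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
USE ReportsDB;
GO
-- 2. Database side: map the login to a database user and put it in a role.
--    Permissions go to the role, never to individual users.
CREATE USER reporting_user FOR LOGIN reporting_user;
CREATE ROLE reporting_readers;
ALTER ROLE reporting_readers ADD MEMBER reporting_user;
GO
CREATE TABLE dbo.Employees (
    EmployeeId INT PRIMARY KEY,
    FullName   NVARCHAR(100),
    Dept       NVARCHAR(50),
    Salary     MONEY,          -- sensitive
    NationalId CHAR(13));      -- sensitive
INSERT INTO dbo.Employees VALUES (1, N'A. Example', N'Sales', 5000, '1234567890123');
GO
-- 3. Object and column level: the role may read the table, but the sensitive
--    columns are explicitly denied. DENY wins over GRANT, so "SELECT *" fails.
GRANT SELECT ON dbo.Employees TO reporting_readers;
DENY  SELECT ON dbo.Employees (Salary, NationalId) TO reporting_readers;
GO
-- 4. Better: don't expose the table at all. Publish a view in its own schema
--    and grant only the view; ownership chaining (both owned by dbo) lets the
--    view read the base table without granting the table to the role.
CREATE SCHEMA reporting AUTHORIZATION dbo;
GO
CREATE VIEW reporting.EmployeeDirectory AS
    SELECT EmployeeId, FullName, Dept FROM dbo.Employees;
GO
GRANT SELECT ON reporting.EmployeeDirectory TO reporting_readers;
GO
-- 5. Check the effective permissions by impersonating the user.
--    Dynamic SQL is used so a permission error is raised inside TRY...CATCH.
EXECUTE AS USER = 'reporting_user';
SELECT FullName, Dept FROM dbo.Employees;       -- succeeds: non-denied columns
SELECT * FROM reporting.EmployeeDirectory;      -- succeeds: via the view
BEGIN TRY
    EXEC (N'SELECT * FROM dbo.Employees');      -- fails: error 230, column denied
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
REVERT;
GO
```

One caveat the slide's rule glosses over: "DENY overrides GRANT" holds for a column-level DENY against a table-level GRANT (shown above), but SQL Server keeps the reverse for backward compatibility, so a column-level GRANT still works under a table-level DENY. Put the DENY on the column or, better, never grant the base table at all.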


16 Physical Data Theft. This threat is usually ignored... why? The weak points lie both inside and outside the SQL Server environment. Breach records: https://www.privacyrights.org/

17 Weak points inside the SQL Server environment (the first of two major areas where a database can be compromised). Inside threats: the data files (attach/detach to another instance) and the backup files (simply copying them).

18 Weak points outside of SQL Server: the area where the risk lies outside of SQL Server's jurisdiction. Outside threats: the file system, the operating system, the network.

19-25 What we can do on SQL Server? (Diagram, built up over seven slides: client, SQL Server instance, client file system, SQL Server data files, backup files, communication; each slide highlights one of these as the place to apply a countermeasure.)

26 Countermeasures
SQL Server countermeasures:
- Table/column encryption
- Transparent Data Encryption (TDE)
- Encrypted backups
Outside SQL Server:
- Volume encryption: BitLocker, TrueCrypt (TrueCrypt is discontinued)
- Passwords on backup archives (ZIP, RAR)
- Limiting the number of administrative staff
- An efficient audit policy
- Don't carry DB backups around on your laptops, USB sticks, SD cards...
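An added T-SQL example (not from the presentation) of the two SQL Server-side countermeasures on slide 26: Transparent Data Encryption for the data files and an encrypted backup for the .bak file. The database PayrollDB, the certificate TdeCert, the passwords and the D:\ paths are hypothetical; backup encryption requires SQL Server 2014 or later.

```sql
-- Added example (not from the slides). Names, paths and passwords are hypothetical.
USE master;
GO
-- Key hierarchy: database master key -> certificate -> database encryption key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Long-random-DMK-password-1!';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE and backup certificate';
GO
-- Back the certificate up NOW and store it off the server. Without it, neither
-- the encrypted database nor the encrypted backups can ever be restored.
BACKUP CERTIFICATE TdeCert TO FILE = 'D:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Long-random-key-export-password-1!');
GO
USE PayrollDB;
GO
-- TDE: data files, log files and backups taken from now on are encrypted at rest,
-- so a copied or attached .mdf is useless without the certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE PayrollDB SET ENCRYPTION ON;
GO
-- encryption_state: 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- Backup encryption: the .bak file itself is encrypted, independently of TDE,
-- so a backup copied off a share or a laptop yields nothing.
BACKUP DATABASE PayrollDB TO DISK = 'D:\backup\PayrollDB.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = TdeCert);
GO
-- Verify the backup is readable and record what it was encrypted with.
RESTORE VERIFYONLY FROM DISK = 'D:\backup\PayrollDB.bak';
SELECT name, backup_finish_date, key_algorithm, encryptor_type
FROM msdb.dbo.backupset
WHERE database_name = 'PayrollDB'
ORDER BY backup_finish_date DESC;
GO
```

TDE protects the files, not the data from users who can already query it (slide 12's inner threat); an authorized reader sees plaintext. It also encrypts tempdb for the whole instance once any database is encrypted. Cell-level (column) encryption, the first bullet on the slide, is what limits what an authorized user can read.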


28 Data Transfer Sniffing. SQL Server uses classic client/server communication, and anything can happen in the network environment: communication monitoring, data sniffing, data tampering.

29 Why a Firewall Is Not Enough. A firewall is a necessary but not a sufficient security condition. A firewall will NOT help with a poorly written application, a bad data access layer, missing input validation, etc.

30 Countermeasures. The server can use SSL/TLS to encrypt the client/server data transfer (Force Encryption on the server, or Encrypt=True in the client connection string). Older documentation describes the encryption level as 40-bit or 128-bit; the ciphers actually used are negotiated from the operating system's TLS stack. Encryption costs some CPU and therefore some performance.
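Turning encryption on is a Configuration Manager setting (SQL Server Network Configuration > Protocols for the instance > Flags > Force Encryption, with a server certificate whose CN matches the server's FQDN on the Certificate tab). Whether it took effect is a query, and this added T-SQL (not from the presentation) is the check a practitioner runs afterwards.

```sql
-- Added example (not from the slides): list sessions whose data travels in
-- clear text. Only the login packet is always encrypted by SQL Server; the
-- queries and result sets are not unless the server forces encryption or the
-- client asked for it (Encrypt=True).
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.net_transport,     -- TCP, Named pipes, Shared memory, ...
       c.encrypt_option,    -- 'TRUE' when the TDS stream is TLS-protected
       c.auth_scheme        -- KERBEROS / NTLM / SQL
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'          -- sniffable on the wire
  AND c.net_transport <> 'Shared memory'  -- local shared memory never leaves the host
ORDER BY s.program_name, s.host_name;
GO
```

Two caveats. A client that sets TrustServerCertificate=True gets an encrypted channel but performs no certificate validation, so a man-in-the-middle can still present its own certificate; validation against a proper CA-issued certificate is what stops tampering, not encryption alone. And auth_scheme = SQL with encrypt_option = FALSE means the only protection for that password is the login-packet encryption, which does nothing for the data that follows.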

31 SQL Code Injection. A SQL injection attack exploits a vulnerability in input validation. It occurs when your application uses input to construct dynamic SQL statements to access the database. Using SQL injection, the attacker can execute custom commands in the database.

32 Example (the vulnerable data access code, as on the slide):

    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT * FROM Users WHERE UserName ='" + txtuid.Text + "'", conn);

Attacker's input in txtuid:

    '; DROP TABLE Customers --

Statement that reaches the server:

    SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers --'

33 Countermeasures. Perform thorough input validation: your application should validate input before sending a request to the database. Use parameterized stored procedures or SQL parameters rather than string concatenation. Use least-privileged accounts to connect to the database.
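The same injection replayed inside SQL Server, as an added T-SQL example that is not part of the presentation: a stored procedure that concatenates its argument into dynamic SQL next to the parameterized fix with sp_executesql, both fed the slide 32 payload. The tables dbo.Users and dbo.Customers and both procedures are hypothetical names created here.

```sql
-- Added example (not from the slides). Objects are hypothetical and created inline.
CREATE TABLE dbo.Users     (UserName SYSNAME PRIMARY KEY, DisplayName NVARCHAR(100));
CREATE TABLE dbo.Customers (Id INT PRIMARY KEY);
INSERT INTO dbo.Users     VALUES (N'alice', N'Alice');
INSERT INTO dbo.Customers VALUES (1);
GO
-- VULNERABLE: the caller's input becomes part of the statement text, so
-- a quote in the input ends the literal and the rest is parsed as SQL.
CREATE PROCEDURE dbo.FindUser_Vulnerable @UserName NVARCHAR(200) AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM dbo.Users WHERE UserName = ''' + @UserName + N'''';
    EXEC (@sql);
END;
GO
-- FIXED: the value is bound as a typed parameter. Whatever it contains,
-- it is compared as a string and is never parsed as SQL.
CREATE PROCEDURE dbo.FindUser_Safe @UserName NVARCHAR(200) AS
BEGIN
    EXEC sp_executesql
        N'SELECT * FROM dbo.Users WHERE UserName = @u',
        N'@u NVARCHAR(200)',
        @u = @UserName;
END;
GO
-- The slide 32 payload. Resulting text in the vulnerable procedure:
--   SELECT * FROM dbo.Users WHERE UserName = ''; DROP TABLE dbo.Customers; --'
DECLARE @payload NVARCHAR(200) = N'''; DROP TABLE dbo.Customers; --';

EXEC dbo.FindUser_Safe @payload;                                  -- 0 rows, nothing else
SELECT OBJECT_ID('dbo.Customers') AS customers_before;            -- not NULL: still there

EXEC dbo.FindUser_Vulnerable @payload;                            -- two statements run
SELECT OBJECT_ID('dbo.Customers') AS customers_after_injection;   -- NULL: table is gone
GO
```

This is also where the third countermeasure bites: dynamic SQL executed with EXEC or sp_executesql runs with the caller's own permissions, not the procedure owner's, so an application account that holds only EXECUTE on the procedure and no ALTER on the schema would get a permission error on the DROP instead of losing the table. Parameterize first, and run as a least-privileged account so that what slips through does the least damage.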

34 Auditing: digital evidence, methods for collecting data, securing the digital evidence.

35 Digital Evidence. Sources: SQL Server Profiler, triggers (DDL/DML), SQL Server Audit, other tools. The evidence has to answer: When? Who? What?
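An added T-SQL example (not from the presentation) of the SQL Server Audit option on slide 35: a server audit writing to files, a server-level specification for login failures and permission changes, a database-level specification for every access to a sensitive table, and the query that reads the evidence back with the When/Who/What the slide asks for. PayrollDB, dbo.Employees and the D:\audit\ path are hypothetical.

```sql
-- Added example (not from the slides). Names and paths are hypothetical.
USE master;
GO
-- The audit target. ON_FAILURE = SHUTDOWN fails closed: if the audit cannot
-- write, the instance stops rather than run unrecorded. Needs SHUTDOWN permission
-- to create; use FAIL_OPERATION if that is too aggressive for the environment.
CREATE SERVER AUDIT PayrollAudit
    TO FILE (FILEPATH = 'D:\audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
ALTER SERVER AUDIT PayrollAudit WITH (STATE = ON);
GO
-- Server level: failed logins and any change to server roles or permissions.
CREATE SERVER AUDIT SPECIFICATION PayrollServerSpec
    FOR SERVER AUDIT PayrollAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE PayrollDB;
GO
-- Database level: every read or write of the sensitive table by anyone
-- (BY public covers all users, including sysadmins), plus permission and
-- schema changes inside the database.
CREATE DATABASE AUDIT SPECIFICATION PayrollTableSpec
    FOR SERVER AUDIT PayrollAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Employees BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Read the evidence: when (event_time), who (principal, host address, program),
-- what (action, object, the statement text) and whether it succeeded.
SELECT event_time,
       action_id,
       succeeded,
       server_principal_name,
       client_ip,
       application_name,
       database_name,
       object_name,
       statement
FROM sys.fn_get_audit_file('D:\audit\PayrollAudit*.sqlaudit', DEFAULT, DEFAULT)
WHERE succeeded = 0 OR object_name = 'Employees'
ORDER BY event_time DESC;
GO
```

For the "securing digital evidence" item on slide 34: write the audit files to a location the database administrators cannot modify (a share with write-only access for the service account, or forwarded into the Windows Security log), because a sysadmin who can ALTER SERVER AUDIT ... STATE = OFF can also delete files they own. Auditing changes to the audit itself (AUDIT_CHANGE_GROUP) is what makes that tampering visible.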

36 Final facts. Databases contain the critical information of the business; database servers hold private, sensitive and secured information; the database server is the last line of defense.

37 Inspired by people. Questions and answers.
