Back-End Data Security

Presentation on theme: "Back-End Data Security"— Presentation transcript:

1 Back-End Data Security
Three Things and Three Places… Not Just the Database!

2 Author Page
Infrastructure and security architect
Database Administrator / Architect
Former Incident response team lead
Certified Information Systems Auditor (CISA)
SQL Server security columnist / blogger
Editor for SQL Server benchmarks at Center for Internet Security

3 Contact Information
K. Brian Kelley
Infrastructure/Security Blog:
Personal Development Blog:

4 Goals
Get you in an adversary mindset
Consider areas traditionally neglected
Understand the "insider" threat

5 Agenda
A Solid INFOSEC Model
The "Insider" Threat
Three Things and Three Places
Applying the Things to Places
Two Examples to Consider

6 Information Security’s C-I-A Triad
It’s easy to focus on Confidentiality and Integrity, but Availability is important. If users can’t use the system, the system is worthless.

7 Principle of Least Privilege
The permission to do the job. Nothing more, nothing less.
Nothing more: excess permission threatens confidentiality (the account can read what it should not) and integrity (it can change what it should not).
Nothing less: missing permission threatens availability (the job cannot get done).
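The rule from this slide, applied to a SQL Server application account, as an added T-SQL example (not part of the deck). The database, schema, procedure and login names (OrdersDb, Orders, Reference, app_orders_svc, usp_PlaceOrder, OrderHeader) are assumptions for illustration.

```sql
-- Added example, not from the deck. OrdersDb, Orders, Reference,
-- app_orders_svc and the object names are assumptions.
USE OrdersDb;
GO

-- "More than the job needs": the whole database. The account can now read
-- every table (confidentiality) and change every table, procedure and
-- permission (integrity). One injected statement does the rest.
-- ALTER ROLE db_owner ADD MEMBER app_orders_svc;   -- the pattern to avoid

-- "Exactly the job": a role holding only what the application calls.
CREATE USER app_orders_svc FOR LOGIN app_orders_svc;   -- login assumed to exist
CREATE ROLE app_orders_rw AUTHORIZATION dbo;
GO
-- The app reads and writes only through stored procedures in the Orders
-- schema. Ownership chaining lets those procedures touch the tables without
-- the role holding any table permission at all.
GRANT EXECUTE ON SCHEMA::Orders TO app_orders_rw;
-- Reference data is read-only for the app.
GRANT SELECT ON SCHEMA::Reference TO app_orders_rw;
-- Guard against unauthorized process change: no creating, altering or
-- dropping objects in the schema, even if someone later adds a broad GRANT
-- (DENY takes precedence over GRANT).
DENY ALTER ON SCHEMA::Orders TO app_orders_rw;
ALTER ROLE app_orders_rw ADD MEMBER app_orders_svc;
GO

-- "Nothing less" is tested, not assumed: impersonate the account and check
-- its effective permissions before the release goes out.
EXECUTE AS USER = 'app_orders_svc';
SELECT permission_name
FROM fn_my_permissions('Orders.usp_PlaceOrder', 'OBJECT');  -- EXECUTE expected
SELECT permission_name
FROM fn_my_permissions('Orders.OrderHeader', 'OBJECT');     -- no rows expected
REVERT;
```

Run the last block as part of the deployment checklist: if the procedure call is missing, the app fails in production (availability); if the table shows SELECT or UPDATE, the account has more than the job needs.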

8 The Insider Threat
The vast majority aren't the problem.
Sometimes you have bad people. Sometimes people turn bad.
Or an adversary can act like an insider, using a legitimate user's access.

9 My Miss Emma Example
Miss Emma may be the purest soul walking today.
You can't just think about Miss Emma. What if Miss Emma falls to a phishing attack?
SC DOR or Anthem compromise
Attacks against Defense Industry contractors
RSA compromise
Aurora attacks
Assume that a user account will be compromised.

10 Three Things to Worry About
Unauthorized Data Access
Unauthorized Data Change
Unauthorized Process Change

11 Three Places to Worry About
Source
In-Flight
Destination

12 Places: Web Servers / Services
Are they vulnerable to SQL Injection?
What and who connect to them?
Are they using HTTPS?
What else is on the same web server?
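The first question, shown from the database side as an added T-SQL example (not part of the deck): a stored procedure that builds its statement by string concatenation next to the parameterized form, plus the case where the dynamic part is an identifier and cannot be a parameter. The Orders schema and the Customer table are assumptions.

```sql
-- Added example, not from the deck. Orders.Customer is an assumed table.

-- VULNERABLE: the search term becomes part of the statement text. A value of
--   ' OR 1=1; UPDATE Orders.Customer SET Email = 'attacker@example.invalid'; --
-- reads every row AND changes data, all with whatever rights the caller has.
-- Dynamic SQL also breaks ownership chaining, so the web account now needs
-- table permissions, which makes the least-privilege story worse too.
CREATE PROCEDURE Orders.usp_FindCustomer_Vulnerable
    @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName, Email FROM Orders.Customer '
      + N'WHERE LastName = ''' + @LastName + N''';';
    EXEC (@sql);
END;
GO

-- FIXED: the value travels as a typed parameter and never touches the text.
CREATE PROCEDURE Orders.usp_FindCustomer
    @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName, Email FROM Orders.Customer '
      + N'WHERE LastName = @LastName;';
    EXEC sp_executesql @sql, N'@LastName nvarchar(100)', @LastName = @LastName;
END;
GO

-- Identifiers cannot be parameters. Whitelist them against the catalog and
-- QUOTENAME() them; reject anything that is not an existing table.
CREATE PROCEDURE Orders.usp_CountRows
    @TableName sysname
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.tables
                   WHERE schema_id = SCHEMA_ID('Orders') AND name = @TableName)
        THROW 50001, 'Unknown table', 1;
    DECLARE @sql nvarchar(max) =
        N'SELECT COUNT(*) FROM Orders.' + QUOTENAME(@TableName) + N';';
    EXEC sp_executesql @sql;
END;
GO
```

The same rule applies one layer up: if the web tier concatenates user input into the string it sends to SQL Server, no amount of care inside the database repairs it; check the application code for parameterized queries as well.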

13 Places: File System Questions
Who has the ability to modify the files?
Who has the ability to read the files?
What processes can touch the files?
Can you detect file tampering?

14 Places: Database Questions
Who can read the data?
Who can modify the data?
Can you verify data integrity?
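Answering all three questions for one schema, as an added T-SQL example (not part of the deck). The Orders schema, the OrderHeader table and its columns, and the Audit schema holding the baseline are assumptions. The baseline-and-compare half is the same technique that answers "can you detect tampering?" on the file-system slide; there you would hash files and keep the list off the server.

```sql
-- Added example, not from the deck. Orders.OrderHeader, its columns and the
-- Audit schema are assumptions. Run as a DBA in the application database.

-- WHO CAN READ OR MODIFY? Three in-database paths: explicit grants on objects,
-- grants on the whole schema, and fixed roles that imply everything.
-- (sysadmin / CONTROL SERVER holders are a fourth path; see sys.server_principals.
-- Roles nested inside roles need a recursive walk, omitted here.)
SELECT pr.name AS grantee, pr.type_desc AS grantee_type, pe.permission_name, pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pe.permission_name IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
  AND OBJECT_SCHEMA_NAME(pe.major_id) = 'Orders'
UNION ALL
SELECT pr.name, pr.type_desc, pe.permission_name, pe.state_desc,
       'SCHEMA::' + SCHEMA_NAME(pe.major_id)
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'SCHEMA' AND SCHEMA_NAME(pe.major_id) = 'Orders'
UNION ALL
SELECT m.name, m.type_desc, r.name + ' member', 'GRANT', '(every object)'
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_datareader', 'db_datawriter');

-- CAN YOU VERIFY INTEGRITY? Keep a per-row hash baseline in a schema the
-- application account cannot write to; otherwise whoever changes the data can
-- re-baseline it. The '|' separator keeps ('12','3') and ('1','23') from
-- hashing alike, and ISNULL matters because CONCAT_WS silently skips NULLs.
-- CONCAT_WS needs SQL Server 2017+.
CREATE TABLE Audit.OrderHeaderBaseline (
    OrderId int           NOT NULL PRIMARY KEY,
    RowHash varbinary(32) NOT NULL,
    TakenAt datetime2     NOT NULL DEFAULT SYSUTCDATETIME()
);

INSERT INTO Audit.OrderHeaderBaseline (OrderId, RowHash)
SELECT OrderId,
       HASHBYTES('SHA2_256', CONCAT_WS('|', OrderId, CustomerId, TotalAmount, ISNULL(Status, '')))
FROM Orders.OrderHeader;

-- Later: rows whose hash no longer matches, plus rows added or removed since
-- the baseline. Expected changes come through the application; everything
-- else on this list needs an explanation.
SELECT COALESCE(b.OrderId, c.OrderId) AS OrderId,
       CASE WHEN b.OrderId IS NULL THEN 'added since baseline'
            WHEN c.OrderId IS NULL THEN 'deleted since baseline'
            ELSE 'content changed' END AS finding
FROM Audit.OrderHeaderBaseline AS b
FULL OUTER JOIN (
    SELECT OrderId,
           HASHBYTES('SHA2_256', CONCAT_WS('|', OrderId, CustomerId, TotalAmount, ISNULL(Status, ''))) AS RowHash
    FROM Orders.OrderHeader) AS c
  ON c.OrderId = b.OrderId
WHERE b.OrderId IS NULL OR c.OrderId IS NULL OR b.RowHash <> c.RowHash;
```

CHECKSUM and BINARY_CHECKSUM are tempting shortcuts for the integrity check but are not collision resistant and can cancel out paired changes; HASHBYTES with SHA-256 is the one to use.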

15 Places: Network Questions
Is sensitive data being sent across?
If so, is it encrypted?
If you're using SSL, who controls the CA?
If it isn't encrypted, is someone watching?
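The network questions answered from the SQL Server side, as an added T-SQL example (not part of the deck). It assumes only a SQL Server 2008 or later instance and VIEW SERVER STATE for the DMVs.

```sql
-- Added example, not from the deck. Requires VIEW SERVER STATE.

-- Your own connection first: encrypt_option is the truth, whatever the
-- client connection string claims. Note that SQL Server always encrypts the
-- login packet; everything after it is in the clear when this says FALSE.
SELECT session_id, net_transport, encrypt_option, auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- Then everyone else: sessions moving data across the wire unencrypted, who
-- they are and where they come from. Shared memory connections never leave
-- the host, so they are excluded.
SELECT s.session_id, s.login_name, s.host_name, s.program_name,
       c.client_net_address, c.net_transport, c.auth_scheme
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory'
ORDER BY s.login_name, s.host_name;

-- "Who controls the CA?" If no certificate was installed, SQL Server
-- generates a self-signed one at startup. Clients cannot verify it, so they
-- either fail or run with TrustServerCertificate=yes, which leaves the session
-- open to a man in the middle. The startup log says which case you are in:
--   "A self-generated certificate was successfully loaded for encryption."   -> nobody you control
--   "The certificate [Cert Hash(sha1) ...] was successfully loaded for encryption." -> installed cert
EXEC xp_readerrorlog 0, 1, N'certificate';
```

If the second query returns rows for anything but the local machine, "is someone watching?" is no longer a rhetorical question; Force Encryption on the server and a certificate from a CA the clients trust close it.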

16 Example: SSIS Packages
Who can update the packages?
Are you checking for updates?
Can you detect an unauthorized update?
How about during the ETL process?
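The four SSIS questions worked through for packages stored in msdb (package deployment model), as an added T-SQL example (not part of the deck). Nothing here is assumed beyond msdb's own tables and roles; the suggestion to keep the first query's output in a DBA-only database is the only thing you have to supply.

```sql
-- Added example, not from the deck. Uses only msdb's own tables.
USE msdb;
GO

-- 1. Every stored package with its owner, version counters, write role and a
--    SHA-256 of the stored bytes. Save this output where the ETL and
--    deployment accounts cannot write, and diff it before each run: a hash
--    that changes while vermajor/verminor/verbuild do not is a package that
--    was edited outside the normal save path. writerolesid is the SID of the
--    database role granted write access; NULL means the defaults apply.
--    (HASHBYTES over varbinary(max) needs SQL Server 2016+.)
SELECT p.name AS package_name, p.id AS package_id,
       SUSER_SNAME(p.ownersid) AS owner_login,
       CONCAT(p.vermajor, '.', p.verminor, '.', p.verbuild) AS version,
       p.isencrypted,
       COALESCE(w.name, '(default: db_ssisadmin and owner)') AS write_role,
       HASHBYTES('SHA2_256', CONVERT(varbinary(max), p.packagedata)) AS package_sha256
FROM dbo.sysssispackages AS p
LEFT JOIN sys.database_principals AS w ON w.sid = p.writerolesid
ORDER BY p.name;

-- 2. Who can write packages through the default path: members of the msdb
--    roles that SSIS honours.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_ssisadmin', 'db_ssisltduser');

-- 3. "During the ETL process": which account each SSIS job step really runs
--    as. If it is the Agent service account, or a proxy whose credential also
--    appears in query 2, the ETL process can rewrite the packages it executes.
SELECT j.name AS job_name, s.step_id, s.step_name,
       COALESCE(c.credential_identity, '(SQL Agent service account)') AS runs_as
FROM dbo.sysjobs AS j
JOIN dbo.sysjobsteps AS s ON s.job_id = j.job_id
LEFT JOIN dbo.sysproxies AS x ON x.proxy_id = s.proxy_id
LEFT JOIN sys.credentials AS c ON c.credential_id = x.credential_id
WHERE s.subsystem = 'SSIS'
ORDER BY j.name, s.step_id;
```

Comparing hashes right before a job starts still leaves a window between the check and the load; the durable answer to the last question is query 3 coming back with an execution account that holds none of the roles in query 2. Packages deployed to the SSISDB catalog instead live in the catalog's internal tables and need the same treatment there.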

17 Example: Web Services
Who can administer the web server?
Who can change the code?
Can you detect a change?
Can you reverse the change?

18 Goals
Get you in an adversary mindset
Consider areas traditionally neglected
Understand the "insider" threat

19 Thank You! Questions?
K. Brian Kelley
Twitter: @kbriankelley
Tech/Sec blog:
Prof. Dev. blog:
Center for Internet Security:

