Presentation is loading. Please wait.

Presentation is loading. Please wait.

Database Security Yuli Stremovsky. Agenda Database Security What is GreenSQL ? Management Console Demo GreenSQL Roadmap.

Published byWarren Wells Modified over 9 years ago

Similar presentations

Presentation on theme: "Database Security Yuli Stremovsky. Agenda Database Security What is GreenSQL ? Management Console Demo GreenSQL Roadmap."— Presentation transcript:

1 Database Security Yuli Stremovsky

2 Agenda Database Security What is GreenSQL ? Management Console Demo GreenSQL Roadmap

3 Hackers have become professional There are business models that finance them SQL Injection attacks are becoming increasingly sophisticated and difficult to combat. It uses stealth techniques to go unnoticed for as long as possible. Hackers create much more SQL Injection attacks The need

4 Pricelist

5 Oct 2009 - One of NASA's was vulnerable to a SQL injection attacks. All of this despite the fact that the agency’s IT budget in fiscal year 2009 was $1.6 billion, of which $15 million was dedicated to IT security. Mar 2009 & Nov 2009 - SQL injection attack exposes sensitive customer data on Symantec web server. Nov 2009 - Russian cyber gang uses SQL injection attack crack deep inside the network of a giant U.S. debit and credit-card processor. Nov 2009 - An SQL injection flaw has been detected on the Yahoo! Website. The vulnerability was on the Yahoo job section. Dec 2009 - Wall Street Journal website, Intel, Apple Latest Victims

6 Replication Backup Wiki Blog Reporting Testing Forums High privileged users Application Users Administrators Casual users Application connections User connections CMS Database Monitoring Financial data Private data Customer data E-commerce Who uses the Database ?

7 Hundreds of websites are on the same database server - hundreds of attack vectors If your neighbor's web site database is vulnerable, then so are you, no matter how carefully you've vetted your own code. Using Shared Hosting Services ? You are under attack !!!

8 Legitimate Query: SELECT * from users WHERE username = ‘admin’ and password = ‘123’ Injected SQL code: SELECT * from users where username = ‘admin’ and password = ‘XXX’ or ‘1’=‘1’ What is SQL Injection?

9 Bypass login page DOS - Deny of service Install web shell Iframe injection Access system files Install db backdoor Theft of sensitive information / credit cards Additional step of the attack: – Attack computers on the LAN SQL Injection after effect

10 Automated SQL Injection Injecting User visits infected site/page Trojan horse drive by installation Your PC is controlled by black hat hackers – Send SPAM – Records all login information – Records all transactions with bank websites – Online money transfer How iframe injection works

11 Buzus Trojan

12 Open Source project Started at 2007 Hosted at sourceforce More than 30,000 downloads Version 1.2 - 3k downloads in it’s first month GreenSQL History

13 GreenSQL is a database firewall solution Protects against SQL injections and other known and unknown Database attacks Cool web based management interface MySQL / PostgreSQL built in support What is GreenSQL

14 Database Firewall

15

16 SQL Proxy Risk Matrix Calculation SQL Queries /WL/Policy Good / Block/ Warn / Learn Forward and Integration GreenSQL – High Level Architecture DB Server 1DB Server 2DB Server 3DB Server N

17 Reverse Proxy Number of databases Number of backend DB servers Deployment options: – Can be installed together with the DB server – Can be installed on dedicated server / VPS How it works?

18 Replication Backup Wiki Blog Reporting Testing Forums High privileged users Application Users Administrators Casual users Application connections User connections CMS Database Monitoring Ecommerce Using the Database Securely

19 GreenSQL management console

20 Multiple Databases / Proxies

21 Alert Example

22 GreenSQL Advantages Multiple modes – IDS/IPS / learning / Firewall Easy to use Pattern Recognition (signatures) Heuristics (risk calculation) Open Source

23 GreenSQL Advantages – Cont’ Cross Platform (any Linux and Unix system) Rapid Deployment (pre built packages) Well established (30,000 downloads and counting) Web application independent The only free security solution for MySQL The only security solution for PostgreSQL User Friendly WEB GUI/Management tool

24 GreenSQL IPS / IDS Sensitive tables Multiple queries ( ; / UNION ) SQL comments Empty password SQL tautology - true statements (1=1) Administrative commands Information disclosure commands

25 But, I’m a kick ass developer So why should I use GreenSQL Legacy code Not only Web application and web services use your database Protects the database console access 0 day database attacks prevention No direct access to the database machine

26 http://demo.greensql.net/ http://www.greensql.net/sql-injection-test GreenSQL: Demonstration

27 Native Joomla / Drupal / Wordpres plugins Integrated GreenSQL Console as CMS plugin ( you will use Joomla Admin to manage GreenSQL ) Web user name / IP address reporting in GreenSQL alerts Auditing Open Source Roadmap

28 GreenSQL Optimization E-mail Submission Service portal Software Updates Consulting Installation Support GreenSQL Support Program

29 Questions

30 Thank You Yuli Stremovsky yuli@greensql.com http://blog.greensql.com http://twitter.com/greensql

Download ppt "Database Security Yuli Stremovsky. Agenda Database Security What is GreenSQL ? Management Console Demo GreenSQL Roadmap."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Getting Set-up with Hosting and WordPress Gregory Young Alternative Hosting

Getting Set-up with Hosting and WordPress Gregory Young Alternative Hosting
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1.

New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1.
CONDO MANAGER The Leader in Association Accounting and Management Software Mailing Address: P.O. Box 26844 Charlotte, North Carolina 28221 Web Site www.condomanager.com.

CONDO MANAGER The Leader in Association Accounting and Management Software Mailing Address: P.O. Box Charlotte, North Carolina Web Site
Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.

Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Web Services Presentation. Site Management Console (SMC)

Web Services Presentation. Site Management Console (SMC)
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
Web Server Administration

Web Server Administration
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.

S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
Sample School Website Sydney Region ITSU School Support 2007.

Sample School Website Sydney Region ITSU School Support
GreenSQL Yuli Stremovsky /MSN/Gtalk:

GreenSQL Yuli Stremovsky /MSN/Gtalk:
Project Implementation for COSC 5050 Distributed Database Applications Lab1.

Project Implementation for COSC 5050 Distributed Database Applications Lab1.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Strategies in Linux Platforms and.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.

Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.

Similar presentations

Ads by Google