This presentation was given at the BSidesMemphis 2012 and DerbyCon 2012 information security conferences. It lays out the process that a person should follow to implement a database security program specific to their organization.
Building a database security program
1. BUILDING A DATABASE SECURITY PROGRAM
Matt Presson
@matt_presson
Sr. Information Security Analyst, Leading Multi-National Insurance Brokerage
2. WHO AM I?
Sr. Information Security Analyst
Focus mainly on Application Security and related issues
Recently focused on designing a database security program
3. OBJECTIVE
Why database security is important
The process of developing the program
What to watch out for
NOT giving a blueprint!
6. WHY DATABASE SECURITY?
It stores your most sensitive data
Traditional controls are not adapted to new attacks
Firewalls
IDS, IPS
AV, HIDS and HIPS
Full Disk Encryption
Breaches are still happening!
9. PLANNING
Determine stakeholders
People with a vested interest in keeping data safe
Not just a part of the security department
Critical business leaders
Compliance/Audit organization
Application support managers
Determine your goals and areas of focus
Address current business issues and concerns
Unique to each organization
[Planning diagram: Determine Stakeholders; Goals & Focus Areas; Standards & Policies]
10. PLANNING
Standards and Policies
Build configurations
Password complexity
Access control
Permissions management
Data classification
11. PLANNING
Data Classification
Different levels of assurance for different data types
Keep it SIMPLE!
Example (security viewpoint):
Confidential – e.g. HR data, Financials, etc.
Internal – e.g. Org Charts
Public – Released earnings info, Company tweets, etc.
14. DISCOVERY AND ASSESSMENT
Focus at the application layer
Gather a manageable list of business critical apps
What are your most important systems?
What applications have the largest impact on your ability to do business?
What systems do our auditors/regulators care about most?
[Process diagram: Discover and Assess; Secure Access; Secure Infrastructure; Monitor]
15. SECURE ACCESS
Minimize the number of accounts
Get a list of accounts from DBA
Group the accounts by usage, e.g. Applications, DBAs, Individuals (normal and admin)
Reduce the number of admin accounts
Talk to the person – determine what the real need is
Minimize account permissions
Can you use a view?
What about a stored procedure?
16. SECURE ACCESS
Control where accounts access from
Are web and application servers ok?
Should DBAs have access directly from their workstations?
Should employees have access from their workstations?
Do you need terminal servers or bastion hosts?
Should a database be accessible from the Internet?
17. SECURE INFRASTRUCTURE
Ensure you are up-to-date on OS patches
Free / Commercial scanners
Windows Update
*nix distro repositories
Don’t forget about the DB software itself!
MySQL authentication bypass – CVE-2012-2122
Oracle TNS Poisoning – CVE-2012-1675
SQL Server 2003 Local Administrator group
18. MONITORING
Watch what your employees are doing
Built-in transaction logs or auditing solutions
Third-party tools
Database triggers
Have different levels of monitoring
Failed logins for everyone
All activity by privileged accounts
Individual account activity outside of “the norm”
19. MONITORING
Watch for specific events
Access outside of the normal activity period
Failed login attempts
Returning too much sensitive data
Abnormally high number of requests
SQL injection attempts
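The monitoring levels on slide 18 and the specific events on slide 19, expressed as detection logic that a security team could run over its own audit export. This is an added example and not code from the presentation; it runs over a handful of constructed audit lines, and the log format, business hours, sensitive-table list, privileged-account prefixes and every threshold are assumptions that a real program would take from its own standards and data classification.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit lines ("<timestamp> <account> <event> [detail]").
# They are illustrative data, not output from any real database product.
SAMPLE_AUDIT_LOG = """\
2012-09-28T09:05:00 app_web QUERY rows=1 sql=SELECT name FROM customers WHERE id=17
2012-09-28T09:06:00 app_web QUERY rows=1 sql=SELECT name FROM customers WHERE id=18
2012-09-28T03:12:00 dba_jsmith QUERY rows=1 sql=SELECT COUNT(*) FROM orders
2012-09-28T10:00:00 rlee LOGIN_FAILED
2012-09-28T10:00:05 rlee LOGIN_FAILED
2012-09-28T10:00:09 rlee LOGIN_FAILED
2012-09-28T11:30:00 app_web QUERY rows=52000 sql=SELECT * FROM employees
2012-09-28T12:00:00 app_web QUERY rows=0 sql=SELECT name FROM customers WHERE id='' OR '1'='1'
""" + "".join(
    # a batch account firing twelve queries in quick succession (constructed)
    f"2012-09-28T14:{i:02d}:00 batch_etl QUERY rows=1 sql=SELECT 1\n" for i in range(12)
)

# Thresholds and classifications are assumptions for this example; tune them to
# the organisation's standards and data classification.
BUSINESS_HOURS = range(8, 18)                 # 08:00-17:59 is the normal activity period
SENSITIVE_TABLES = {"employees", "salaries"}  # "Confidential" tables per data classification
PRIVILEGED_PREFIXES = ("dba_", "sa_")         # naming convention for privileged accounts
MAX_FAILED_LOGINS = 3
MAX_SENSITIVE_ROWS = 1000
MAX_REQUESTS_PER_ACCOUNT = 10
INJECTION_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s*'?\d+'?\s*=\s*'?\d+",          # tautology such as ' OR '1'='1
    r"\bunion\s+select\b",
    r";\s*(drop|alter|exec)\b",
)]
TABLE_RE = re.compile(r"\b(?:from|join)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def parse_line(line):
    """Split one audit line into its fields; rows and sql are None when absent."""
    ts, account, event, *rest = line.split(" ", 3)
    detail = rest[0] if rest else ""
    rows_m = re.search(r"\brows=(\d+)", detail)
    sql_m = re.search(r"\bsql=(.*)$", detail)
    return {
        "ts": datetime.fromisoformat(ts),
        "account": account,
        "event": event,
        "rows": int(rows_m.group(1)) if rows_m else None,
        "sql": sql_m.group(1) if sql_m else None,
    }


def is_privileged(account):
    return account.startswith(PRIVILEGED_PREFIXES)


def analyze(log_text):
    """Return a list of (rule, account, detail) alerts for the monitored events."""
    alerts = []
    failed_logins = Counter()   # failed logins are counted for everyone
    request_count = Counter()
    for rec in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        acct, sql = rec["account"], rec["sql"]
        # All activity by privileged accounts is recorded, whatever it is.
        if is_privileged(acct):
            alerts.append(("privileged_activity", acct, rec["event"]))
        # Access outside the normal activity period.
        if rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", acct, rec["ts"].isoformat()))
        if rec["event"] == "LOGIN_FAILED":
            failed_logins[acct] += 1
        if rec["event"] == "QUERY":
            request_count[acct] += 1
        if sql:
            tables = {t.lower() for t in TABLE_RE.findall(sql)}
            # Returning too much sensitive data in a single statement.
            hit = tables & SENSITIVE_TABLES
            if rec["rows"] and rec["rows"] > MAX_SENSITIVE_ROWS and hit:
                alerts.append(("excessive_sensitive_rows", acct,
                               f"{rec['rows']} rows from {sorted(hit)}"))
            # SQL injection attempts visible in the statement text.
            if any(p.search(sql) for p in INJECTION_PATTERNS):
                alerts.append(("sql_injection_pattern", acct, sql))
    for acct, n in failed_logins.items():
        if n >= MAX_FAILED_LOGINS:
            alerts.append(("repeated_failed_logins", acct, f"{n} failures"))
    for acct, n in request_count.items():
        if n > MAX_REQUESTS_PER_ACCOUNT:
            alerts.append(("high_request_volume", acct, f"{n} queries"))
    return alerts


if __name__ == "__main__":
    for rule, account, detail in analyze(SAMPLE_AUDIT_LOG):
        print(f"{rule:26} {account:12} {detail}")
```

The rules deliberately separate the three monitoring levels from slide 18: failed logins are counted for every account, privileged accounts produce a record for every event, and the remaining rules look for individual activity outside the norm. Row-count and request-volume thresholds are where most tuning effort goes in practice; start with values that fire on the constructed lines above, then adjust them against a week of real audit data.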
22. ONGOING MANAGEMENT
Periodically audit completed systems
Work with your DBAs
Collaborate with internal audit
Keep your documentation current
Review updated vendor documents
Discuss upcoming migration plans with technology teams
[Ongoing Management diagram: Periodic Audits; Review / Update Standards; Review / Update Policies]
23. SUMMARY
We have to protect the data
Engage with the business
Determine their concerns
Address their issues
Become a business partner/enabler
Secure your most critical systems first
Don’t forget about the infrastructure
Monitor, monitor, monitor
Stay current