
Current database hacks, analysis, prevention measures

by Jeff Scheidel, Oracle


NOTE: attackers hang out in support forums and blogs, mining them for employee information, insider details, and software versions with known bugs (set up Google Alerts on your own company and products to see what they see).

Advanced Persistent Threat
  • Smart People
  • Dedicated People
  • People With A Purpose
  • Patient, have a purpose, will find a way in, and then sell the information to someone else. 
Monitor service accounts!
  • they usually hold more privileges than user accounts
  • they control applications, so a compromised one gives application-level access without a human behind it

Do you appreciate the threat?
  • Some people get it
    • Understand the risks
      • how do you assess the risk
      • how do you mitigate the risk
  • Some don't
    • concerned about security
    • concerned about compliance (not the same as security!)
    • Can't protect what you don't know
      • "I don't think we ever tried to be hacked"
Compliance standards
  • NERC CIP is identity-focused
  • PCI DSS, HIPAA, FERPA are data-centric
Principles of Access
  • Least Privilege
    • Do you have the privs you need? 
    • Do you have MORE privs than you need? 
    • Do you use the priv you have? 
  • Validation
    • What privs do you have? 
    • Why do you have those privs? 
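One way to run the "more privs than you need" / "do you use the privs you have" check, as an added example that is not part of the talk: compare an export of granted privileges against what a privilege capture or audit trail recorded over a review window. The grant rows, usage rows, account names and the HIGH_RISK list are all constructed for the example; a real review would pull them from the database's own privilege and audit views.

```python
"""Least-privilege validation: granted privileges vs privileges actually exercised.

Constructed example (not from the talk). GRANTS stands in for a direct-grant export
(DBA_SYS_PRIVS style rows); USED for what a privilege capture or audit trail saw
during the review window. Account names and privilege names are hypothetical.
"""
from collections import defaultdict

# Privileges worth revoking promptly when granted but never exercised.
# Assumption: an illustrative list, tune it to your environment.
HIGH_RISK = {"DBA", "SELECT ANY TABLE", "ALTER SYSTEM", "CREATE ANY PROCEDURE",
             "EXEMPT ACCESS POLICY"}

# (account, privilege) rows as a direct-grant export would list them.
GRANTS = [
    ("APP_SVC", "CREATE SESSION"),
    ("APP_SVC", "SELECT ANY TABLE"),   # service account holding a broad privilege
    ("APP_SVC", "DBA"),                # service account granted DBA outright
    ("REPORTING", "CREATE SESSION"),
    ("REPORTING", "SELECT ANY TABLE"),
    ("JSMITH", "CREATE SESSION"),
    ("JSMITH", "DBA"),
    ("JSMITH", "ALTER SYSTEM"),
]

# (account, privilege) rows observed in use during the capture window.
USED = [
    ("APP_SVC", "CREATE SESSION"),
    ("REPORTING", "CREATE SESSION"),
    ("REPORTING", "SELECT ANY TABLE"),
    ("JSMITH", "CREATE SESSION"),
    ("JSMITH", "DBA"),
    ("JSMITH", "CREATE ANY PROCEDURE"),   # reached through the DBA role, not a direct grant
]

SERVICE_ACCOUNTS = {"APP_SVC", "REPORTING"}


def privilege_report(grants, used, service_accounts=SERVICE_ACCOUNTS):
    """Per account: unused grants, the high-risk subset, usage the grant export
    does not explain (inherited via a role, or a gap in the export), and whether
    the account is a service account."""
    granted = defaultdict(set)
    for acct, priv in grants:
        granted[acct].add(priv)
    exercised = defaultdict(set)
    for acct, priv in used:
        exercised[acct].add(priv)
    report = {}
    for acct in sorted(granted.keys() | exercised.keys()):
        unused = granted[acct] - exercised[acct]
        report[acct] = {
            "unused": unused,
            "high_risk_unused": unused & HIGH_RISK,
            "used_ungranted": exercised[acct] - granted[acct],
            "service": acct in service_accounts,
        }
    return report


def revocation_candidates(report):
    """Accounts holding an unused high-risk privilege, service accounts first
    (the talk's point: they hold more privs and nobody is watching them)."""
    hits = [(a, r) for a, r in report.items() if r["high_risk_unused"]]
    hits.sort(key=lambda ar: (not ar[1]["service"], ar[0]))
    return [(a, sorted(r["high_risk_unused"])) for a, r in hits]


if __name__ == "__main__":
    rep = privilege_report(GRANTS, USED)
    for acct, privs in revocation_candidates(rep):
        tag = "SERVICE" if rep[acct]["service"] else "user"
        print(f"{acct:10} [{tag}] granted but never used: {', '.join(privs)}")
    for acct, r in rep.items():
        if r["used_ungranted"]:
            print(f"{acct:10} used privileges not in the direct-grant export: "
                  f"{', '.join(sorted(r['used_ungranted']))} (check role grants)")
```

The used_ungranted bucket is the caveat a reviewer needs: a direct-grant export alone under-reports what an account can do, because role membership (DBA here) carries privileges the export never lists. Answering "why do you have those privs?" means walking roles too.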
Never let an auditor tell you something you don't already know. 
  • 69% of data breaches were discovered by an external party, not the victim -- Verizon Data Breach Investigations Report
Common Sense Policies (What can you do?) 
  • Email
  • Account sharing
  • configurations
  • Least Privilege
  • Awareness
  • Third Party Security
  • Data on Devices
    • data encryption on laptops
  • Patches/Updates
Common Sense Defenses
  • Risk Assessment
  • Database
  • Privileged Users
    • trust your DBAs, not their accounts
  • Apps and web Services
  • strong authentication
    • multi-factor auth raises security by an order of magnitude
  • intelligent authorization (decide what the authenticated account may do, not just whether it may log in)
Database Security Approaches
  • Preventive
    • encryption (if you do NOTHING else)
      • encrypt sensitive fields
      • transparent data encryption
    • redaction 
      • applied at the field (column) level at query time; the stored data is unchanged, the caller just sees a masked value
    • masking
      • replace sensitive application data (for non-production copies)
      • make sure referential integrity is preserved (masked keys must still match across tables)
      • Application templates available(?)
    • privileged user controls
      • limit DBAs' access to application data (they administer the database, not the data in it)
      • multi-factor SQL command rules (a command is allowed only when conditions such as source host, program, or time of day also hold)
      • segregation of duties
        • Application DBA
        • Security DBA
        • Development DBA
  • Detective 
    • Activity Monitoring
      • identify SQL that did not come from the application (ad hoc tools using application credentials, DBA sessions reading application data)
    • database firewall
    • auditing and reporting
  • Administrative
    • priv analysis
    • sensitive data discovery
    • configuration management
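The detective controls above, as an added example that is not the talk's or Oracle's code: two activity-monitoring rules run over audit records. The record fields mimic what a unified audit trail or database firewall feed exposes (database user, OS user, client program, client host, statement text); the baseline of which program and hosts the application account may use, the list of DBA accounts, the application tables, and the audit rows themselves are all constructed for the example.

```python
"""Activity-monitoring rules over audit records.

Rule 1: application credentials used from a program or host that is not the
application (the "SQL from non-applications" case).
Rule 2: a DBA account reading or modifying application data rather than
administering the schema (DBAs administer the database, not the data).

Constructed example, not from the talk. All names and rows are hypothetical.
"""
import re

# Baseline: application accounts with the client program and hosts they may use.
APP_BASELINE = {
    "APP_SVC": {"programs": {"JDBC Thin Client"}, "hosts": {"app01", "app02"}},
}
# Tables holding application data; DBAs may alter their structure, not read them.
APP_DATA_TABLES = {"APP.CUSTOMERS", "APP.CARDS"}
DBA_ACCOUNTS = {"SYS", "SYSTEM", "DBA_JONES"}

# Audit feed, constructed for the example.
AUDIT = [
    {"db_user": "APP_SVC", "os_user": "tomcat", "program": "JDBC Thin Client",
     "host": "app01", "sql": "SELECT name FROM app.customers WHERE id = :1"},
    {"db_user": "APP_SVC", "os_user": "bob", "program": "sqlplus@laptop17",
     "host": "laptop17", "sql": "SELECT * FROM app.cards"},
    {"db_user": "DBA_JONES", "os_user": "jones", "program": "sqlplus",
     "host": "dbadmin01", "sql": "ALTER TABLE app.cards ADD (issuer VARCHAR2(40))"},
    {"db_user": "DBA_JONES", "os_user": "jones", "program": "sqlplus",
     "host": "dbadmin01", "sql": "SELECT pan FROM app.cards"},
    {"db_user": "APP_SVC", "os_user": "tomcat", "program": "JDBC Thin Client",
     "host": "app02", "sql": "SELECT 1 FROM dual"},
]

# schema.table references following the keywords that introduce a table name
TABLE_REF = re.compile(
    r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_][\w$#]*\.[A-Za-z_][\w$#]*)", re.I)
# statements that read or change rows, as opposed to DDL that changes structure
DML_OR_QUERY = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE|MERGE)\b", re.I)


def referenced_tables(sql):
    """Upper-cased SCHEMA.TABLE names referenced by the statement."""
    return {m.upper() for m in TABLE_REF.findall(sql)}


def evaluate(record):
    """Return a list of (rule, detail) findings for one audit record."""
    findings = []
    user = record["db_user"]
    base = APP_BASELINE.get(user)
    if base:
        # client program strings often carry "@host"; compare the program part only
        prog = record["program"].split("@")[0]
        if prog not in base["programs"] or record["host"] not in base["hosts"]:
            findings.append(("app-credential-offpath",
                             f"{record['os_user']}@{record['host']} via {record['program']}"))
    if user in DBA_ACCOUNTS and DML_OR_QUERY.match(record["sql"]):
        touched = referenced_tables(record["sql"]) & APP_DATA_TABLES
        if touched:
            findings.append(("dba-touching-app-data", sorted(touched)))
    return findings


def scan(records):
    """(record index, finding) pairs for every rule hit in the feed."""
    return [(i, f) for i, rec in enumerate(records) for f in evaluate(rec)]


if __name__ == "__main__":
    for i, (rule, detail) in scan(AUDIT):
        print(f"record {i}: {rule}: {detail}  <- {AUDIT[i]['sql']}")
```

Record 2 (the ALTER TABLE) is deliberately not flagged: a DBA changing a table's structure is doing their job, while the SELECT against the same table in record 3 is the case the talk warns about. A real deployment would enforce the same distinction in the database (privileged user controls) and use these rules as the detective backstop.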
Document exception processes, so there are NO exceptions. 
