securing data - The Open Group


Access to Data
 Getting up close and personal to data
 Paul Davie
CEO, Secerno
 Nick Ray
CEO, Express HR
Controlling data access:
DRM v. distributed services
 Jericho Forum Commandment #9
“Access to data should be controlled by security
attributes of the data itself”
 Approaches:
– Attributes held within the data (DRM/Metadata)
• Documents, spreadsheets, data on the move
– Attributes held in separate systems
• Database management systems
• Service-Oriented Architecture / Web Services
“In my opinion, database security is riddled with
holes and it’s the biggest problem we face in IT
today.
Database attacks offer the biggest potential for
fraudulent activity and damage to companies’
reputations and customer confidence”.
David Litchfield, NGSS
BlackHat Conference
Las Vegas, August 2006
(Slide A-02)
External Attack – It’s Personal
Rate of growth of SQL injection, 2001–2006 (chart)
 SQL injection remains the most serious type of
attack affecting databases, with 250% year on
year growth (Mitre).
Internal Attack – It’s Personnel
 One in 10 (of 300) of Glasgow's financial call
centres has been infiltrated by criminal gangs,
police believe
– “The scam works by planting staff inside offices or by
forcing current employees to provide sensitive customer
details”. (BBC Scotland, October 2006)
 Police in the southern Indian city of Bangalore say
they have arrested an employee in connection with
a financial scam operating from a HSBC call centre
– A data operator has been charged with hacking the
computer system which allegedly led to money being
stolen from customer accounts.
– HSBC said funds were taken from a "small number" of
customers in UK. (BBC, June 2006)
It is Easy and it Hurts
 Exploit
– 87% use legitimate user commands
– 78% authorised accounts (43% using their own IDs)
 Profile - diverse
– 23% in technical positions (17% with root access!)
– 39% unaware of the organisation’s security measures
 Motivation
– 81% financial gain
– 23% revenge
 Impact
– 91% financial loss (30% > $0.5m)
– 78% data modification or deletion
– 26% damage to reputation
The E-Crime Watch Survey 4
Security Where It Matters
(Slide A-04)
A False Sense of Security
 Current database security emphasis:
– Encryption
– Identity management
– Authentication
– Auditing
– Perimeter defences
 Following established technologies
– Driving platform provider enhancements
– Creating a false sense of security
– Compliance driving decisions
 Emphasis on who is accessing the data – not what
they are doing with it. Implicit trust.
Application–database interactions
SELECT * from dvd_stock where [catalog-no] = 'PHE8131'
(Diagram: several users and an attacker reach the database only through the application, which speaks SQL to it)
The database implicitly trusts its
applications – speaking in the agreed
language (SQL).
(Slide B-01)
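The slide's dvd_stock lookup, built two ways against a constructed in-memory SQLite table, as an added example (not code from the Open Group or Secerno slides). It shows what "the database implicitly trusts its applications" means in practice: once user input is concatenated into the statement text, the user is writing SQL and the database obliges, whether that widens the WHERE clause to every row or appends a UNION that reads the system catalogue. The table, its rows and the attacker inputs are all constructed here; catalog_no stands in for the slide's bracketed [catalog-no].

```python
"""Added example, not code from the Open Group/Secerno slides: the dvd_stock
lookup from the slide built by string concatenation and with a bound
parameter, run against a constructed in-memory SQLite table."""
import sqlite3

# Constructed sample data. Table and column names follow the slide's query;
# catalog_no stands in for the bracketed [catalog-no].
SEED_ROWS = [
    ("PHE8131", "Heat", 12),
    ("PHE8132", "Ronin", 3),
    ("PHE8200", "Brazil", 0),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dvd_stock (catalog_no TEXT PRIMARY KEY, title TEXT, qty INTEGER)"
    )
    conn.executemany("INSERT INTO dvd_stock VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, catalog_no: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar, so a
    quote in the input ends the literal and whatever follows is executed as SQL."""
    sql = "SELECT * FROM dvd_stock WHERE catalog_no = '" + catalog_no + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, catalog_no: str) -> list:
    """Bound parameter: the input reaches the engine as a value and is never
    parsed as SQL, so the statement's shape is fixed by the application."""
    return conn.execute(
        "SELECT * FROM dvd_stock WHERE catalog_no = ?", (catalog_no,)
    ).fetchall()


# Constructed attacker inputs. The first widens the WHERE clause to every row;
# the second appends a UNION that reads the system catalogue (SQLite keeps it
# in sqlite_master; other engines expose information_schema or similar).
INPUT_LEGIT = "PHE8131"
INPUT_TAUTOLOGY = "' OR '1'='1"
INPUT_CATALOGUE = "' UNION SELECT name, sql, 0 FROM sqlite_master WHERE type='table'--"


def compare(conn: sqlite3.Connection) -> dict:
    """Run each input through both lookups.

    Returns {label: (rows_from_concatenated_query, rows_from_parameterised_query)}.
    """
    out = {}
    for label, value in (("legit", INPUT_LEGIT),
                         ("tautology", INPUT_TAUTOLOGY),
                         ("catalogue", INPUT_CATALOGUE)):
        out[label] = (lookup_vulnerable(conn, value), lookup_parameterised(conn, value))
    return out


if __name__ == "__main__":
    for label, (vuln, safe) in compare(open_db()).items():
        print(f"{label:10s} concatenated  -> {len(vuln)} row(s): {vuln}")
        print(f"{'':10s} parameterised -> {len(safe)} row(s): {safe}")
```

With the concatenated query the tautology input returns all three rows and the catalogue input returns the CREATE TABLE text for dvd_stock; the parameterised query returns nothing for either, because the engine only ever sees a string that happens to contain quotes. Note that the database itself did nothing wrong in the first case: it executed well-formed SQL from a trusted application, which is exactly the trust the slide is questioning.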
Application Protocol Intrusion Protection and
Detection (APIPS, APIDS)
(Diagram: Application → APIPS → Database, with APIDS observing the same traffic)
 JFC#4: Devices and applications must
communicate using open, secure protocols
– E.g. SQL for databases – but is SQL secure?
 JFC#5: All devices must be capable of maintaining
their security policy on an untrusted network
– Can we trust the applications that access our databases?
 Need to check what applications ask the DB to do:
– Application Protocol Intrusion prevention and detection
Database usage analysis and APIPS policy building
 Automatically classified actual usage
 Protection against unknown threats
 Policies based on changes to measured behaviour
(Slide B-20)
Application Vulnerabilities
 “Applications are really written badly… really badly”.
– Rohit Dhamankar at the SANS Top 20 2006 launch
 Qualys quotes 100 new issues per week, with badly
written web applications being 60-70% of targets
 “This [OWASP] ‘Ten-Most-Wanted’ List acutely
scratches at the tip of an enormous iceberg. The
underlying reality is shameful: most system and
Web application software is written oblivious to
security principles, software engineering,
operational implications, and indeed common
sense.”
– Dr. Peter G. Neumann, Author of Computer-Related Risks
Taming the costs
 Organisations may have many hundreds of
instances of applications that have these
vulnerabilities.
– The cost of fixing them is simply too high to contemplate.
– This severely limits business agility.
 It costs between 10 and 100 times the original
development effort to fix these vulnerabilities in
deployed systems. The factor depends on when in
the development cycle the flaw was introduced
– Gartner quote an average of 50x
 Unless you can tame this cost, the benefits of
business agility are threatened by the cost of
making the applications sufficiently safe to conduct
the new business functions.
Database APIPS – Benefits
 Internal Security
– Reduces risk of unauthorized disclosure or corruption
– Detect unusual behaviour by authorized users
 External Security
– Fast, accurate, scalable APIDS/APIPS
– Avoids black-list and white-list pitfalls
– Protection available against SQL-injection attacks
– Reduces the urgency to apply security patches
 Audit & Compliance
– Automated learning can reduce training time
– Reduced cost of meeting compliance requirements
 Application Development
– Enables application design and performance improvement
Introducing expressHR
 Leading provider of recruitment process outsourcing
technology
– Temporary, permanent and contract staff for …
– Local authorities, major corporates, call centres,
warehouse, transport, social care, construction, hospitality
 expressHR’s Vendor Management System is an end-
to-end solution
– From creating vacancy to selection, vetting and placement
– From online timesheets to self-bill invoicing, and reporting
 expressHR’s ‘Software as a Service’
– Web-based solution connecting all parties in the process
expressHR platform connects…
(Diagram: candidates, corporate line managers, recruitment agencies, the managed recruitment service and temporary workers, all connected through the expressHR platform)
 82,000 candidates per quarter
 56,000 placements per quarter
 £300m p.a. transactions
 17m timesheet hours per quarter
 15,000 users
Problem: Protecting de-perimeterised dBs
 System contains critical personal 3rd-party data:
– Banking information, salaries, pay rates, charge rates,
CVs and other personal details
– Much of which must be protected by law
 expressHR’s “Software-as-a-Service” provides
business benefits in cost, speed and efficiency
 But raises unique security concerns
– Corporate responsibility
– Customer reputation and brand
 The de-perimeterised challenge is:
defending critical information against internal and
external threats
Approach: Database Micro-perimeter
(Diagram: Application → APIPS → Database)
 Deploy a micro-perimeter protection
– “Up close and personal” to critical dBs
 Understand, control and protect
– Application access to critical databases
dB APIPS: Understanding
Build up a rich UNDERSTANDING of
 Application-to-database behaviour
– Who is asking for what data and when?
– Why is the database system catalogue being queried?
 Security improvements
– Locate easily which database stored procedures should be
hardened to resist attack
 Software engineering/performance issues
– Why is ‘select * from …’ being used?
dB APIPS: Understand, Control & Protect
Use the understanding to:
 Understand and measure exactly how the database is
being used, and the intent of applications - for informed
decision making
 Automatically build a fine-grained security policy
– Reflecting how applications really use a database
– Providing a continuous feedback loop based on actual
behaviour
 Insist on database interactions conforming ONLY
to allowable behaviours
– Control the risk and secure the corporate assets
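A minimal "learn, then enforce" policy for application-to-database SQL, added here as an illustration of the usage-analysis and policy-building slide (B-20) and of the Understand, Control & Protect slide above; it is not Secerno's product code. Statements seen during a training window are reduced to their shape (string and numeric literals replaced by placeholders, case and whitespace folded); afterwards any statement whose shape was never learned is refused rather than matched against attack signatures, and a few shapes the "Understanding" slide singles out (system-catalogue reads, select *) are reported for follow-up. The normalisation is a deliberately simple regular-expression pass, which is an assumption of this example, not the grammatical analysis a real APIPS performs; the training and live traffic are constructed.

```python
"""Added example, not Secerno's product code: a behaviour-learned whitelist
of SQL statement shapes, with review notes for the shapes the slides call out.
The regex normalisation is a simplification assumed for this example."""
import re
from dataclasses import dataclass, field

_STRING = re.compile(r"'(?:[^']|'')*'")        # SQL string literal; '' escapes a quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")      # bare numeric literal
_SPACE = re.compile(r"\s+")
# Catalogue names for SQLite, ANSI, PostgreSQL, SQL Server and Oracle (assumed list)
_CATALOGUE = ("sqlite_master", "information_schema", "pg_catalog", "sys.", "all_tables")


def normalise(sql: str) -> str:
    """Shape of a statement: literals become '?', case and whitespace are folded."""
    shape = _STRING.sub("?", sql)
    shape = _NUMBER.sub("?", shape)
    return _SPACE.sub(" ", shape).strip().rstrip(";").lower()


def review(shape: str) -> list:
    """Observations on a shape, in the spirit of the 'Understanding' slide."""
    notes = []
    if any(name in shape for name in _CATALOGUE):
        notes.append("reads the system catalogue")
    if re.search(r"\bselect \*", shape):
        notes.append("uses select *")
    if " union " in shape:
        notes.append("contains union")
    if "--" in shape or "/*" in shape:
        notes.append("contains a comment")
    return notes


@dataclass
class SqlPolicy:
    """Whitelist of statement shapes built from observed behaviour, not signatures."""
    allowed: set = field(default_factory=set)

    def learn(self, statements) -> None:
        for sql in statements:
            self.allowed.add(normalise(sql))

    def check(self, sql: str) -> tuple:
        """Returns (decision, shape, notes); decision is 'allow' or 'block'."""
        shape = normalise(sql)
        decision = "allow" if shape in self.allowed else "block"
        return decision, shape, review(shape)


# Constructed training traffic: what the stock application normally sends.
TRAINING = [
    "SELECT * FROM dvd_stock WHERE catalog_no = 'PHE8131'",
    "SELECT * FROM dvd_stock WHERE catalog_no = 'PHE8132'",
    "UPDATE dvd_stock SET qty = qty - 1 WHERE catalog_no = 'PHE8131'",
    "UPDATE dvd_stock SET qty = qty - 2 WHERE catalog_no = 'PHE8200'",
    "SELECT title, qty FROM dvd_stock WHERE qty < 5",
]

# Constructed live traffic: a normal lookup, two injected lookups, and an
# ad-hoc but perfectly legitimate query sent over the application's
# connection by an insider using their own credentials.
LIVE = [
    "SELECT * FROM dvd_stock WHERE catalog_no = 'PHE8200'",
    "SELECT * FROM dvd_stock WHERE catalog_no = '' OR '1'='1'",
    "SELECT * FROM dvd_stock WHERE catalog_no = '' UNION SELECT name, sql, 0 "
    "FROM sqlite_master WHERE type='table'--'",
    "SELECT catalog_no, title, qty FROM dvd_stock",
]


def enforce(training, live) -> list:
    """Learn from the training window, then decide each live statement."""
    policy = SqlPolicy()
    policy.learn(training)
    return [policy.check(sql) for sql in live]


if __name__ == "__main__":
    for decision, shape, notes in enforce(TRAINING, LIVE):
        print(f"{decision:5s} {shape}")
        for note in notes:
            print(f"      - {note}")
```

The training window yields three shapes, so the live lookup for a new catalogue number is allowed while both injected statements and the insider's ad-hoc select are blocked, the last of them without any note from review, which is the point of the slide: it is an ordinary command, just not one this application ever issues. In APIDS mode the same decisions would be logged rather than enforced. The review notes also flag the application's own select * as something to question, as the "Understanding" slide suggests. A regex normaliser is easy to fool (literals written in unusual forms, comments inside tokens), which is why the slides talk about grammatical analysis rather than pattern matching.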
Solution: SQL IPS
(Diagram: users and an attacker → Application → SQL IPS, with monitoring and usage analysis → Database)
Case Study: Lessons Learned
 Ease of implementation
 Training the system to recognise the
application(s)
 What we found
 Business Benefit
 Next Steps
Conclusion: DB APIDS in action
 De-perimeterised businesses must balance:
– granting 3rd-party access to critical databases
– defending those critical business assets
 dB protection where you need it
– Close to your business asset …
 This is micro-perimeter dB security that:
– Understands the requests that are made of DBs
– Allows only appropriate database queries
APIDS / APIPS in action