
Use the PDF document as the reference to answer the questions in the Word document.

Please paraphrase all answers; do not copy and paste from the reference document or any other reference document you use.

Question 1: [NOTE: Answer each part of the question in paragraph format]

a. What is Transparent Data Encryption? Why is it transparent? What types of encryption does it support? Explain how TDE protects against attacks by privileged OS users. (4 points)

b. Identify and explain 4 primary defenses against SQL injection attacks. (4 points)

c. What specific encryption techniques does Amazon RDS use for protecting databases at rest? What encryption techniques and protocols does Amazon RDS use to protect data in flight? (2 points)

Question 2: [NOTE: Answer each part of the question in paragraph format]

a. Explain how a reflected XSS attack is different from a persistent XSS attack. Provide examples of attack scenarios for each. (2 points)

b. As per the OpenCanvas Learning YouTube video, there are 6 components which come together to make a web browser work. Pick 4 out of the 6 components and explain what each of those components does to get the browser to function. (4 points)

c. Describe the main difference between session cookies and persistent cookies. Describe 3 steps that we used to exploit information contained in cookies to launch a privilege escalation attack (based on one of the lab exercises). (4 points)

Question 3: [NOTE: Answer each part of the question in paragraph format. It is okay if your answers to this question spill into the next page due to the table that I have included as a part of the question stem for part d.]

a. Explain what server hardening means in your own words. Which specific web application security risk in the OWASP Top 10 list from 2017 is hardening supposed to best protect against? (2 points)

b. Explain how a replay attack works using your own words. (2 points)

c. Explain what a web application firewall is and how it is different from a traditional network firewall. Which layer in the 7-layer OSI architecture does each operate at? (2 points)

d. Complete the following table of cloud service models by specifying whether the customer (C) or the service provider (SP) is responsible for hardware, operating system, applications, and data. From a customer perspective, which of the 3 cloud service models is most secure (theoretically)? (4 points)

Cloud Service Model | Hardware | Operating System | Applications | Data
SaaS                |          |                  |              |
PaaS                |          |                  |              |
IaaS                |          |                  |              |

Question 4: [NOTE: Answer each part of the question in paragraph format. It is okay if your answers to this question spill into the next page due to the screen capture that I have included as a part of the question stem for part c.]

a. Describe two main differences between Java and JavaScript. (2 points)

b. Explain what an XML external entity is in your own words. Provide an example of XML code that uses an external entity. Explain how an XML external entities injection attack can be used to display the contents of the /etc/passwd file. (4 points)

c. Describe what flaw debt is in your own words. Provide 3 main takeaways from the chart provided below. (4 points)


Database Security – Issues and Best Practices

Outline
• Intro to Database Security
• Need for Database Security
• Database Security Fundamentals
• Database Security Issues
  • OWASP Top 10 – A1:2017 – Injection
  • OWASP Top 10 – A3:2017 – Sensitive Data Exposure
• Attacks against Database Security Mechanisms
• Database Security Best Practices

Intro to Database Security
• How does a web application work?
  (slide diagram: Client ↔ Server; the server side involves databases)

Intro to Database Security (contd.)
• Database
  • A database is “an organized collection of structured information, or data, typically stored electronically in a computer system”
  • It includes: the data, the DBMS, & applications that use them
• Database Management Systems (DBMS):
  • DBMS serve “as an interface between the database and its end users or programs, allowing users to retrieve, update, and manage how the information is organized and optimized”

Source: What is a Database – Oracle – https://www.oracle.com/database/what-is-database.html

Intro to Database Security (contd.)
• Database Management Systems (DBMS) (continued):
  • DBMS also facilitate “oversight and control of databases, enabling a variety of administrative operations such as performance monitoring, tuning, and backup and recovery”
  • Types: Relational, Object-Oriented, Distributed, Data Warehouses, Open Source, Cloud, Autonomous, etc.
  • Examples: Oracle, SQL Server, MySQL, Microsoft Access, MariaDB, PostgreSQL, etc.

Source: What is a Database – Oracle – https://www.oracle.com/database/what-is-database.html

Intro to Database Security (contd.)
• Database Tutorial for Beginners – Lucidchart (embedded video)

Source: Lucidchart – Database Tutorial for Beginners – https://www.youtube.com/watch?v=wR0jg0eQsZA

Intro to Database Security (contd.)
• Database security refers to “the range of tools, controls, and measures designed to establish and preserve database confidentiality, integrity, and availability” (IBM, 2019)
• Database security involves protection of
  • The data in the database
  • The database management system (DBMS) itself
  • Any associated applications (including web applications)
  • The physical and/or virtual database server farms and their underlying hardware
  • The computing and/or network infrastructure used to access the database (IBM, 2019)

Intro to Database Security (contd.)
• Database security involves securing data
  • At rest
    • Using techniques such as encryption
    • Example: Amazon RDS uses 256-bit Advanced Encryption Standard (AES) for securing database instances, automated backups, and snapshots at rest
  • In flight
    • Using protocols such as Transport Layer Security (TLS)
    • Example: Amazon RDS uses TLS from the web application to encrypt a connection to a database instance running MySQL, MariaDB, SQL Server, Oracle, or PostgreSQL to protect data in flight

Need for Database Security

Need for Database Security
• As per Oracle (2022):
  • Data breaches are “happening everywhere these days, and hackers are getting more inventive. It’s more important than ever to ensure that data is secure but also easily accessible to users”
• As per IBM (2019):
  • The consequences of data breaches include the following:
    • Compromised intellectual property
    • Damaged brand reputation
    • Loss of business continuity
    • Fines or penalties for non-compliance
    • Expenses related to repairing breaches

Need for Database Security (contd.)
• As per the IBM (2021) Cost of a Data Breach Report:
  • The average total cost of a data breach in 2021 was $4.24M
  • The highest country average cost of a data breach was $9.05M for the U.S.
  • The highest industry average cost of a data breach was $9.23M (healthcare)
  • The cost per lost or stolen record was $161
  • The time to identify and contain a data breach was 287 days

Need for Database Security (contd.)
• As per IBM (2021), the four cost components are: (chart on the slide)

Need for Database Security (contd.)
• Data breaches typically involve unauthorized access of company databases (Privacy Rights Clearinghouse, 2020)

Database Security Fundamentals
• Oracle Database Security – Oracle France (embedded video)

Source: Oracle France – Database Security – https://www.youtube.com/watch?v=GXF3T4g2tJg

Database Security Fundamentals (contd.)
• As per Oracle (2021), effective database security involves using the following powerful preventive and detective security controls:
  • Transparent Data Encryption (TDE)
  • Encryption key management
  • Privileged user and multifactor access control
  • Data classification and discovery
  • Database activity monitoring and blocking
  • Consolidated auditing and reporting
  • Data masking

Database Security Fundamentals (contd.)
• Transparent Data Encryption (TDE)
  • Helps prevent attacks that attempt to bypass the database and read sensitive information from data files at the operating system level, from database backups, or from database exports by encrypting data in the database layer

Database Security Fundamentals (contd.)
• Transparent Data Encryption (TDE) (continued)
  • It is transparent because the encryption and decryption processes do not require any application changes, and the application users do not have to directly deal with encrypted data
  • It supports tablespace encryption and column encryption

Database Security Fundamentals (contd.)
• Encryption Key Management
  • TDE uses a two-tier key management architecture
    • Consists of data encryption keys and a master encryption key
    • Enables rotation of master keys without having to re-encrypt all of the sensitive data
    • Oracle Database 18c introduced support for Bring Your Own Key (BYOK)
  • Data encryption keys
    • Are managed automatically by the database
  • The master encryption key
    • Is used to encrypt the data encryption keys
    • Is stored and managed outside of the database within an Oracle Wallet or in an Oracle Key Vault
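An added illustration, not from the slides or from Oracle's code, of the two-tier key architecture described above: each tablespace gets its own data encryption key (DEK), the DEKs are wrapped by a master key held outside the database, and rotating the master key re-wraps the DEKs without touching the encrypted data files. The Wallet and Database classes are hypothetical, and a SHA-256 keystream stands in for AES so the script runs with the standard library only.

```python
import hashlib
import os
from dataclasses import dataclass, field


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter) blocks.
    Stands in for AES so the script needs only the standard library."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                  # fresh per message, stored in front
    return nonce + _keystream_xor(key + nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return _keystream_xor(key + nonce, body)


@dataclass
class Wallet:
    """Hypothetical stand-in for the Oracle Wallet / Key Vault: the master key lives outside the DB."""
    master_key: bytes = field(default_factory=lambda: os.urandom(32))


@dataclass
class Database:
    """Hypothetical DB: it stores only wrapped DEKs and encrypted tablespace files."""
    wrapped_deks: dict = field(default_factory=dict)   # tablespace -> DEK wrapped by master key
    files: dict = field(default_factory=dict)          # tablespace -> encrypted data file

    def create_tablespace(self, wallet: Wallet, name: str, rows: bytes) -> None:
        dek = os.urandom(32)                            # DEK managed automatically by the DB
        self.wrapped_deks[name] = encrypt(wallet.master_key, dek)
        self.files[name] = encrypt(dek, rows)

    def read_tablespace(self, wallet: Wallet, name: str) -> bytes:
        dek = decrypt(wallet.master_key, self.wrapped_deks[name])
        return decrypt(dek, self.files[name])

    def rotate_master_key(self, old_wallet: Wallet) -> Wallet:
        """Re-wrap every DEK under a fresh master key; the data files are not rewritten."""
        new_wallet = Wallet()
        for name, wrapped in self.wrapped_deks.items():
            dek = decrypt(old_wallet.master_key, wrapped)
            self.wrapped_deks[name] = encrypt(new_wallet.master_key, dek)
        return new_wallet


ROWS = b"alice,4111111111111111\nbob,5500000000000004\n"   # constructed sample rows


def demo() -> dict:
    wallet, db = Wallet(), Database()
    db.create_tablespace(wallet, "USERS", ROWS)
    file_before = db.files["USERS"]
    new_wallet = db.rotate_master_key(wallet)
    return {
        "file_is_ciphertext": ROWS not in file_before,          # an OS-level copy of the file reveals nothing
        "file_unchanged": db.files["USERS"] == file_before,     # rotation re-wrapped the DEK only
        "old_master_key_fails": db.read_tablespace(wallet, "USERS") != ROWS,
        "new_master_key_works": db.read_tablespace(new_wallet, "USERS") == ROWS,
    }
```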

Database Security Fundamentals (contd.)
• Privileged User and Multifactor Access Control – Oracle Database Vault (embedded video)

Source: Oracle – Database Vault – https://www.youtube.com/watch?v=AomjVCdUp6k

Database Security Fundamentals (contd.)
• Data Classification and Discovery
  • Oracle Label Security enforces data access requirements and records data classification levels at the database row level
  • Automated discovery of sensitive columns and parent-child relationships
  • The discovery process uses built-in extensible patterns such as credit card numbers and national identifiers to check metadata and column data to identify sensitive columns
  • The discovery results are stored as an application data model, which is reusable across multiple databases

Database Security Fundamentals (contd.)
• Database Activity Monitoring and Blocking
  • Oracle Database Firewall provides a first line of defense for databases

Database Security Fundamentals (contd.)
• Consolidated Auditing and Reporting
  • Oracle Audit Vault consolidates audit data from databases, operating systems, and directories

Database Security Fundamentals (contd.)
• Data Masking
  • Oracle Data Masking provides a flexible option to discover, mask and subset sensitive data, enabling the data to be safely shared across non-production environments
  • Non-production environments such as test and development systems are potential targets for a cyber attack as they generally contain copies of production data
  • Compliance costs are lowered as masked non-production databases are out of the scope for the audit teams
  • Sensitive data such as credit card numbers, national identifiers, and other personally identifiable information (PII) can be masked using predefined masking formats

Database Security Issues
• Specific database security issues include:
  • Cloud database configuration errors
  • SQL injection
  • Weak authentication
  • Privilege abuse / excessive privileges
  • Inadequate logging / weak auditing
  • Unpatched services
  • Insecure system architecture
  • Inadequate backups

Source: BCS.org – The Chartered Institute for IT – https://www.bcs.org/articles-opinion-and-research/top-ten-database-attacks

Database Security Issues (contd.)
• OWASP Top 10 – A1:2017 – Injection

Source: OWASP Top 10 2017 A1-Injection – https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html

Database Security Issues (contd.)
• Common database security vulnerabilities:

Source: OWASP Top 10 2017 A1-Injection – https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html

Database Security Issues (contd.)
• OWASP Top 10: SQL Injection – Security Innovation (embedded video)

Source: Security Innovation – OWASP Top 10: SQL Injection – https://www.youtube.com/watch?v=X34cKt8RfJs

Database Security Issues (contd.)
• OWASP Top 10 – A3:2017 – Sensitive Data Exposure

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

Database Security Issues (contd.)
• Common database security vulnerabilities:

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

Database Security Attacks
• Most common database security attacks include:
  • SQL Injection – An untrusted source uses an application’s user input features to enter data that is used to dynamically construct a SQL query to read sensitive database data
  • Denial of Service – Storing too much information in a user session object, such as large quantities of data retrieved from the database, can cause DoS issues
  • Brute Force – The attacker makes requests to a server using pre-configured values and then analyzes the response
  • Ransomware – The attacker encrypts and locks the victim’s data and then demands a ransom to unlock and decrypt the data

Source: OWASP – Attacks – https://owasp.org/www-community/attacks/

Database Security Attacks (contd.)
• As per IBM (2022), some of the most common database security attacks include:
  • Insider Threats – Abuse of privileged access by a malicious insider, a negligent insider, or an infiltrator
  • Human Error – Accidents, weak passwords, password sharing, and other unwise or uninformed user behaviors
  • SQL Injection – Insertion of arbitrary SQL attack strings into database queries served by web applications
  • Buffer Overflow – A process attempts to write more data to a fixed-length block of memory than it is allowed to hold

Database Security Attacks (contd.)
• Common database security attacks (continued):
  • DoS/DDoS – The attacker floods the database server with so many requests that the server can no longer fulfil legitimate requests from actual users
  • Malware – Software written specifically to exploit vulnerabilities or otherwise cause damage to the database
  • Attacks on Backups – Organizations fail to protect backup data with the same stringent controls used to protect the database itself

Source: IBM – Database Security: An Essential Guide – https://www.ibm.com/cloud/learn/database-security

Database Security Best Practices
• OWASP recommends the following best practices:
  • Connect to the database securely
  • Prevent unencrypted traffic at the transport layer
  • Configure databases to always require authentication
  • Never store database credentials in the application source code, especially if they are unencrypted
  • Apply the principle of least privilege to the permissions assigned to database user accounts
  • Harden the underlying operating system for the database server

Source: OWASP – Database Security Cheat Sheet – https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet.html

Database Security Best Practices (contd.)
• Best practices to secure databases (as per IBM):
  • Consider physical security if the database is not in the cloud
  • Restrict the number of users, their permissions, and network access to the minimum levels necessary
  • Focus on end user account/device security
  • Use best-in-class encryption to protect the data while at rest and in transit
  • Keep the DBMS version up to date and apply patches as soon as they are issued
  • Use best practices for application/web server security
  • Secure backups / log all operations / perform audits regularly

Source: IBM – Database Security: An Essential Guide – https://www.ibm.com/cloud/learn/database-security

Database Security Best Practices (contd.)
• Use the following database security best practices:
  • Best practices to protect against SQL Injection:
    • Primary defenses:
      • Use prepared statements with parameterized queries
      • Use stored procedures
      • Allow-list input validation
      • Escape all user supplied input
    • Additional defenses:
      • Enforce least privilege
      • Perform allow-list input validation as a secondary defense

Source: OWASP – SQL Injection Prevention Cheat Sheet – https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
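An added example, not from the slides or from OWASP's cheat sheet, showing the first and third primary defenses side by side with Python's standard sqlite3 module: a dynamically constructed query that breaks on a legitimate apostrophe in the input, the parameterized form of the same lookup, and an allow-list check for an ORDER BY column that cannot be bound as a parameter. The table, rows and function names are constructed for the example; stored procedures are not shown because SQLite has none.

```python
import sqlite3

ALLOWED_SORT_COLUMNS = {"username", "email"}   # allow-list for identifiers used in ORDER BY


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table; one legitimate username contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("o'brien", "obrien@example.test")])
    return conn


def find_user_dynamic(conn: sqlite3.Connection, username: str) -> list:
    """Weak pattern ("dynamic queries" from the recap): user input is concatenated into
    the SQL text, so the database parses whatever the user typed as part of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Primary defense: prepared statement with a bound parameter; the value is data, never SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    """Column names cannot be bound as parameters, so allow-list validation is the defense here."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_column}").fetchall()


def demo() -> dict:
    conn = make_db()
    try:
        dynamic = find_user_dynamic(conn, "o'brien")
    except sqlite3.Error as exc:            # the apostrophe in the data breaks the statement
        dynamic = f"query failed: {exc}"
    try:
        rejected = list_users_sorted(conn, "password")   # not in the allow-list
    except ValueError as exc:
        rejected = str(exc)
    return {
        "dynamic": dynamic,
        "parameterized": find_user_parameterized(conn, "o'brien"),
        "sorted_by_email": list_users_sorted(conn, "email"),
        "rejected_sort": rejected,
    }
```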

Recap
• Database security issues continue to be among the OWASP Top 10 list of web application security risks
• This is due to weaknesses in database mechanisms such as dynamic queries, input validation, key management, access control, configuration, logging, auditing, backups, etc.
• Hackers are able to exploit the weaknesses using attacks such as SQL injection, DoS, brute force, ransomware, etc.
• Best practices to protect databases include understanding what types of data need to be protected, understanding regulatory compliance, discovering/classifying databases based on data sensitivity, using data masking, monitoring, auditing, encryption, access control, parameterized queries, stored procedures, allow-list input validation, hardening, etc.

Thank you!!!

Browser Security – Issues and Best Practices

Outline
• Intro to Browser Security
• Need for Browser Security
• Browser Security Fundamentals
• Browser Security Issues
  • OWASP Top 10 – A7:2017 – Cross-Site Scripting (XSS)
  • OWASP Top 10 – A3:2017 – Sensitive Data Exposure
• Attacks against Browser Security Mechanisms
• Browser Security Best Practices

Intro to Browser Security
• How does a web application work?
  (slide diagram: Client ↔ Server; the client side involves browsers)

Intro to Browser Security (contd.)
• Browser
  • A browser is “an application that finds and displays web pages”.
  • It coordinates communication between your computer and the web server where a particular website “lives” by:
    • Accepting a website address as a URL
    • Submitting a request to the server to retrieve the content for the page
    • Processing the code (HTML, CSS, JavaScript, etc.) from the server
    • Loading active content (Flash, ActiveX, etc.) needed by the page
    • Displaying the complete, formatted web page
    • Repeating the process for every single user interaction with the page

Source: Understanding Your Computer: Web Browsers – U.S. CERT – https://www.cisa.gov/uscert/ncas/tips/st04-022

Intro to Browser Security (contd.)
• Examples: Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, etc.
• Browser Market Share as of February 2022: (chart on the slide)

Source: Global Web Stats – W3Counter – https://www.w3counter.com/globalstats.php

Intro to Browser Security (contd.)
• Browser security refers to “how differences in design and implementation of various security technologies in modern web browsers might affect their security” (X41 Browser Security White Paper, 2017, pg. 8)
• Browser security involves the following:
  • Protection against common client-side attacks
  • Protection against phishing
  • Management of browser extensions
  • Use of adequate cryptography protocols

Source: X41 Browser Security White Paper – https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf

Intro to Browser Security (contd.) • Bro
