Introduction to IT Security

(1)

Marek Rychly

[email protected]

Strathmore University, @iLabAfrica

&

Brno University of Technology, Faculty of Information Technology

Enterprise Security 30 November 2015

(2)

Outline

1

Course Content

Lectures, Assessments, Projects

Evaluation

Background on the Course

2

_{Introduction to IT Security}

IT Security

Defect, Vulnerability, Threat, Attack, Incident, . . .

Database Security in the Context of IT Security

(3)

Lectures

1 _{Introduction to IT Security}

(security terms/glossary, architecture, incidents, models)

2 _{Identity Management and Access Control}

(authentication and authorization, discretionary/mandatory access control, roles)

3 _{Database Application Security Models and Policies}

(security models for client-server and web-apps., system/data/user sec. policies)

4 _{Virtual Private Database, Security in Statistical Databases}

(security by views/triggers, application context, securing aggregation queries)

5 _{Database Security Issues and Features}

(transparent data encryption, inference/poly-instantiation)

6 _{Application Security}

(SQL-injection and other issues)

7 _{Database Auditing}

(data selection, manipulation, and control audits)

(4)

Course Content

Introduction to IT Security Oracle Database, Express Edition

Lectures, Assessments, Projects Evaluation

Background on the Course

Core Reading Materials

Hassan Afyouni.

Database Security and Auditing: Protecting Data Integrity and

Accessibility.

Cengage Learning, 2005.

ISBN 9781285700984.

URL https://books.google.com/books?id=WpyeAwAAQBAJ.

Ron Ben Natan.

Implementing Database Security and Auditing.

Elsevier Digital Press, 2005.

ISBN 978-1-55558-334-7.

URL http:

(5)

Evaluation

20%

assignment

(submitted to [email protected] by end of year 2015)

40%

project

(submitted to [email protected] by end of the study week, 26 Feb)

40%

final exam

(in the exam week, 29 February to 4 March 2016)

(6)

Course Content

Assignment (20%)

1

_{select one of relational database management systems (RDBMS),}

except for Oracle database

(see “Comparison of relational database management systems” at Wikipedia)

2

_{for the selected RDBMS, study documentation of its database}

security features and possible configurations

3

_{provide a summary}

1

_{of the database security features and}

possible configurations of the selected RDBMS that were

discussed in the first three lectures of this course

(identity management, access control, supported security models and policies)

(7)

Project (40%)

1

_{describe goals and objectives of db. security in a sample company}

(a made up company which needs to manage confidential data)

2

_{design identity management, secure data storage and access}

control solution for the company

(security model, policies, user management, roles, profiles, rights, etc.)

3

_{design auditing plans to support database security in the company}

(entities, actions, and users to audit, audit trail storage)

4

_{provide SQL scripts implementing the above mentioned security}

measures in a local instance of Oracle RDBMS

(create profiles, roles, users, tables and views in a virtual private database of encrypted data, audit functionality, etc.)

(8)

Course Content

Prior Knowledge and Skills

The course does not require any prior knowledge or skill except for

those covered by the ADES course. However, the following may help

you to understand the lectures:

1

_{operation system design principles}

(process and memory management, authentication and authorization, etc.)

2

basics of computer networking

(IP network, protocols, etc.)

3

_{general awareness of the current IT security news}

(common vulnerabilities and exposures, security patches, etc.)

4

_{ability to use Oracle database and (PL/)SQL}

(9)

Database Security

Definition (Database security)

The mechanisms that protect the database against intentional or

accidental threats.

Definition (Threat)

Any situation or event, whether intentional or accidental, that may

adversely affect a system and consequently the organization.

1

_{A database represents an essential corporate resource.}

(should be properly secured using appropriate controls)

2

_{Securing the database includes controlling physical, personal and}

organizational security.

(i.e., securing products/components, people, processes in the organization)

(10)

Course Content

Introduction to IT Security

Oracle Database, Express Edition

IT Security

Defect, Vulnerability, Threat, Attack, Incident, . . . Database Security in the Context of IT Security

Fundamental Questions for Information Security

What are you trying to protect or maintain?

(important assets to protect)

What are your business objectives and what do you need to

accomplish and support these objectives?

(required technologies or solutions to support the business)

Are your objectives compatible with your security architecture?

What risks are associated with inadequate security?

What are the implications of not implementing security?

Will you introduce new risks not covered by the current security?

How do you reduce that risks?

What is your tolerance for risk?

(11)

Information Security Conceptual Architecture

(adopted from “Information Security: A Conceptual Architecture Approach, Oracle”)

(12)

Course Content

IT Security

Confidentiality, Integrity, Availability (CIA)

and Non-repudiation

Protecting information systems from loss of

Confidentiality – ensure that information is not made available or

disclosed to unauthorized entities, individuals or processes.

Integrity – protect the accuracy and completeness of information.

Availability – keep information accessible and usable when an

authorized entity demands access.

Non-repudiation – provide an undeniable proof that an alleged

event or action actually happened or was carried out by a

particular entity in a particular origin.

(13)

Defence in Depth (aka Castle/Onion Approach)

multiple layers of security controls (defence)

(placed throughout an IT system from its public interface to internal data storage)

compromising outside layers do not cause significant damage

(there is no such thing as a perfect security layer, method, or product)

buy an organization time to detect and respond to an attack

(adopted from “Defense in Depth: Best Practices for Securing a Teradata Data Warehouse”)

(14)

Course Content

IT Security

Authentication, Authorization and Accounting (AAA)

Authentication is the verification of a user credentials.

(a way to restrict future actions to specific users with the valid credentials)

Can challenge the user for something they know (a password),

something they have (a token),

or something they are (biometrics).

Authorization is the verification that an action is allowed.

(determines which resources and operations the user is entitled to use and how; must occur after the successful authentication of the user)

Accounting is the process of keeping track of the user’s activity.

(15)

Vulnerability Assessment and Patch Management

VA tools to make inventory, audit, and to compare utilized systems

with known flaws and vulnerabilities.

Vulnerability Notes Database, Carnegie Mellon University (CERT)

Common Vulnerabilities and Exposures (CVE), NVD-US

Open Sourced Vulnerability Database, Open Security Foundation

PM to apply critical patch updates correcting vulnerabilities.

(e.g., Critical Patch Updates, Security Alerts and Third Party Bulletin by Oracle)

Hardening to reduce the surface of vulnerability in a system.

(a single-function lightweight system is more secure than a multi-purpose one)

by disabling unnecessary services, closing network ports

by removal of unnecessary software, modules, etc.

by locking unused user-names or logins

by using well-established secure configurations and frameworks

(PIE, PaX, SELinux, isa_harden Windows Server Policy, etc.)

(16)

Course Content

IT Security

Intrusion Detection and Prevention Systems (IDPS)

IDPS to address threats within the perimeter and internal network.

(identify and log malicious activity, attempt to block/stop it, and report it)

Firewalls provide a first, but not perfect, layer of defence (IPS).

(they usually work as packet-filters, are shallow in terms of what they look at)

Network based and host based intrusion detection systems.

(to detect an attack in network and on individual hosts)

by detection of statistical anomalies (statistical anomaly-based)

by checking signatures of protected assets (signature-based)

by running honey-pots to attract possible attackers

(17)

Information Security Auditing and Monitoring

Auditing is one of the most important security techniques.

(no security without audit, no need to audit without the need for security)

(adopted from “IBM Guardium”)

(18)

Course Content

IT Security

Defect, Vulnerability, Threat, Attack, . . .

“defects” are “vulnerabilities” that

can be exploited for “attacks”

“attacks” are comprised of

multiple steps, of “attack vector”

an “attack” is feasible for a “threat”

to traverse a “boundary” by

interacting with an “attack surface”

which possess a “vulnerability”

the “attack” results into an

“exploitation” that have a negative

“impact” on “business objectives”

involving “business assets”

“risk” is defined by a “probability”

of the “exploitation” and its

resulting “impact”

(adopted from “John Steven: Threat Modeling Vocabulary, Cigital”)

(19)

Attack: Tool, Vulnerability, Action, Target, Result

(adopted from “A common language for computer security incidents”)

(20)

Course Content

IT Security

Attack as Security Incident

(21)

Database Security in the Context of IT Security

Database security has to be enforced on all levels.

(people, applications, network, operating system, DBMS, data files, data)

Data requires highest level of protection.

(they should be in the core layer protected by the Defence in Depth approach)

All layers (security access points) should be secured.

(adopted from “Afyouni, H.: Database Security and Auditing, Protecting Data Integrity and Accessibility”)

(22)

Course Content

IT Security

Database Security Methodology

(23)

Database Security Model

(24)

Course Content

IT Security

Database Security Model: Authentication

Choose an appropriate (strong) authentication option.

(by a password stored encrypted in a db. server; by a token held by a user, including PKI; by a third party service, e.g., Kerberos, LDAP, operating sys., etc.)

Understand who gets system administration privileges.

(privileges may be defined outside of db. server, e.g., at the operating system level, so each OS administrator may easily act as db. administrator)

Choose, promote and verify the use of strong passwords.

(mixed-case letters, numbers, punctuation marks, minimal length, without dictionary words, different password for each account/service, etc.)

Implement account lockout after failed login attempts.

(forever/for a particular period, increasing delays between the failed attempts, etc.; lock a source of an attack, not the attacked account, to prevent a DoS attack)

Create and enforce password profiles.

(25)

Password Strength (credit: xkcd.com, R. Munroe)

(26)

Course Content

IT Security

Database Security Model: Authorization

Three dimensions: the authorization of a particular subject to

perform a particular action on a particular object.

the subject: a user, a group of users (a role)

the action is an authorization type (read, update, create, etc.)

the authorization object: a single or group of objects, or an entire db.

Choose an appropriate

access control model (ACM).

Mandatory Access Control (MAC) – subjects and objects labelled

(Biba: read up & write down; Bell-LaPadula: write up & read down)

Role Based Access Control (RBAC) – subjects authorized by roles

(role is a position an individual fills in an organization)

Discretionary Access Control (DAC)

(a user can set security level settings of his/her objects for other users)

Rule Based Access Control (RBAC or RB-RBAC)

(dynamically assign roles to users based on particular criteria, e.g., to allow access to objects during certain hours of the day only)

Control usage of the ACM by security policies and procedures.

(27)

Database Security Model: Encryption

All passwords stored in a database must be encrypted.

(a one-way-only/hash encryption is preferred, passwords cannot be stolen)

Also other data with critical confidentiality should be encrypted.

encrypted

at the application level and than stored in a database

(can be processed by an application/db. client and users while cannot be indexed and processed at the database level by a DBMS)

encrypted

at the database level and than stored in database files

(can be processed by a DBMS and authorized users while protected from unauthorized access at the operating system level)

encrypted

at the operating system level only

(can be read by an attacker who breaks into the operating system hosting a DBMS, directly, without an access to the database)

A DBMS should support

transparent data encryption (TDE) to

encrypt data at the database level.

(28)

Course Content

IT Security

Data Redaction and Data Encryption

(adopted from “Oracle Advanced Security”)

(29)

Database Security Model: Audit

Record

audit trails for particular user activities.

for received queries

(i.e., SELECT statements)

for Data Manipulation and Definition Lang. statements (DML&DDL)

(i.e., INSERT, UPDATE, DELETE, CREATE, ALTER, and DROP statements)

for Data Control Language statements (DCL)

(i.e., GRANT and REVOKE statements)

for database events

(e.g., login, logout, checkpoint, etc.)

for errors occurred

(especially for security errors, such as “bad login”, “insufficient privilege”, etc.)