Major Security Vulnerabilities
Bugs in database software components (e.g. buffer overflows) left unpatched
Lack of network isolation (external and internal)
Improper security configuration
Use of default user accounts and passwords
Use of null passwords
Excessive privileges
Major Threats
Application Vulnerability
Internal Employees
Mitigating Risk
Application Vulnerabilities
Default username/password
A default database installation creates well-known default
username/password pairs:
Vendor          Username   Password
Oracle          HR         HR
MySQL           root
MS SQL Server   SA         SA
Exploitation
Audit
Oracle Database 11g now offers a way to quickly identify users with default passwords, implemented in the rather ludicrously simple way of checking a single data dictionary view: DBA_USERS_WITH_DEFPWD
Solution
Lock all default usernames and passwords
A password policy must be in place for all users
Lockout policies
Password lifetime must be configured
Least Privilege
Least-privilege accounts should be allocated to all application users.
This mitigates the risk of data loss.
Privileges
Public Privileges
ORACLE FUNCTIONS
Oracle supplies over 1,000 functions in about 175 standard
database packages that potentially can be exploited in a SQL
injection attack.
SELECT TRANSLATE('' || UTL_HTTP.REQUEST('http://192.168.1.1/') || '',
                 '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ',
                 '0123456789')
  FROM dual;
Auditing
For Oracle's built-in auditing functionality, you must not only determine the rationale for turning auditing on, but also the level of auditing and its impact on system resources. Oracle auditing is turned on as soon as you set the AUDIT_TRAIL initialization parameter. We can audit the following:
Statement Auditing: Audits by the type of SQL statement used, such as any SQL statement on a table.
Privilege Auditing: Audits use of a particular system privilege, such as CREATE TABLE.
Object Auditing: Audits specific statements on specific objects, such as ALTER PROFILE on the DEFAULT profile.
Architecture Review (Oracle)
Secure Network Architecture
Application Security
Solution
Major Threat
SQL Injection
A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data sent from the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify database
SQL injection attacks occur when data entered into the application comes from an untrusted source and that same data is used to dynamically construct a SQL query.
SQL Injection
Error
Solution
An error-based trigger could be one countermeasure against SQL injection.
The most powerful protection against SQL injection attacks is the use of bind variables.
Every passed string parameter should be validated.
The PL/SQL Gateway can be configured to display varying levels of error messages.
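A worked PL/SQL illustration of the bind-variable and parameter-validation advice above, added here and not part of the original slides: the same lookup written with string concatenation (vulnerable) and with a bind variable (hardened), plus DBMS_ASSERT for an identifier that cannot be bound. It assumes the Oracle HR sample schema (hr.employees with last_name and salary columns); the function names are constructed for this example.

```sql
-- Vulnerable form: the caller's string is spliced into the statement text,
-- so a single quote in p_last_name ends the literal and whatever follows
-- is parsed as part of the SQL statement.
CREATE OR REPLACE FUNCTION get_salary_unsafe (p_last_name IN VARCHAR2)
  RETURN NUMBER
IS
  v_salary NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT salary FROM hr.employees WHERE last_name = '''
    || p_last_name || ''''
    INTO v_salary;
  RETURN v_salary;
END;
/

-- Hardened form: the same query, but the value is passed as the bind :name.
-- The statement text is fixed before execution, so the input can never
-- change its structure, whatever characters it contains. Binds also let
-- the shared pool reuse one parsed cursor instead of one per distinct value.
CREATE OR REPLACE FUNCTION get_salary_safe (p_last_name IN VARCHAR2)
  RETURN NUMBER
IS
  v_salary NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT salary FROM hr.employees WHERE last_name = :name'
    INTO v_salary
    USING p_last_name;
  RETURN v_salary;
END;
/

-- Identifiers (schema, table or column names) cannot be bound. When one has
-- to come from a parameter, validate it with DBMS_ASSERT: SIMPLE_SQL_NAME
-- raises ORA-44003 for anything that is not a plain SQL name, and
-- ENQUOTE_NAME wraps the result in double quotes so it is used as a name.
CREATE OR REPLACE FUNCTION count_rows_safe (p_table IN VARCHAR2)
  RETURN NUMBER
IS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM hr.'
    || DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_table))
    INTO v_count;
  RETURN v_count;
END;
/
```

Auditing the objects these functions touch (for example with Oracle's object auditing described earlier) records both the legitimate calls and any attempt that raises ORA-44003, which gives a detection signal alongside the prevention.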