Access to Data - PowerPoint PPT Presentation

1 / 24

About This Presentation

Title:

Access to Data

Description:

Police in the southern Indian city of Bangalore say they have arrested an employee in connection with a financial scam operating from a HSBC call centre ... – PowerPoint PPT presentation

Number of Views:58

Avg rating:3.0/5.0

Slides: 25

Provided by: openg

Category:

more less

Transcript and Presenter's Notes

Title: Access to Data

1
Access to Data

Getting up close and personal to data
Paul DavieCEO, Secerno
Nick RayCEO, Express HR

2
Controlling data access DRM v. distributed
services

Jericho Forum Commandment 9Access to data
should be controlled by security attributes of
the data itself
Approaches
Attributes held within the data (DRM/Metadata)
Documents, spreadsheets, data on the move
Attributes held in separate systems
Database management systems
Service-Oriented Architecture / Web Services

In my opinion, database security is riddled
with holes and its the biggest problem we face
in IT today.
Database attacks offer the biggest potential for
fraudulent activity and damage to companies
reputations and customer confidence.
David Litchfield, NGSS
BlackHat Conference
Las Vegas, August 2006

(Slide A-02)
4
External Attack Its Personal

SQL injection remains the most serious type of
attack affecting databases, with 250 year on
year growth (Mitre).

5
Internal Attack Its Personnel

One in 10 (of 300) of Glasgow's financial call
centres has been infiltrated by criminal gangs,
police believe
The scam works by planting staff inside offices
or by forcing current employees to provide
sensitive customer details. (BBC Scotland,
October 2006)
Police in the southern Indian city of Bangalore
say they have arrested an employee in connection
with a financial scam operating from a HSBC call
centre
A data operator has been charged with hacking the
computer system which allegedly led to money
being stolen from customer accounts.
HSBC said funds were taken from a "small number"
of customers in UK. (BBC, June 2006)

6
It is Easy and it Hurts

Exploit
87 use legitimate user commands
78 authorised accounts (43 using their own IDs)
Profile - diverse
23 in technical positions (17 with root
access!)
39 unaware of the organisations security
measures
Motivation
81 financial gain
23 revenge
Impact
91 financial loss (30 gt 0.5m)
78 data modification or deletion
26 damage to reputation
The E-Crime Watch Survey 4

7
Security Where It Matters
(Slide A-04)
8
A False Sense of Security

Current database security emphasis
Encryption
Identity management
Authentication
Auditing
Perimeter defences
Compliance driving decisions
Following established technologies
Driving platform provider enhancements
Creating false sense of security
Emphasis on who is accessing the data not what
they are doing with it. Implicit trust.

9
Applicationdatabase interactions
SELECT from dvd_stock where catalog-no
'PHE8131'
Database
Application
The database implicitly trusts its applications
speaking in the agreed language (SQL).
(Slide B-01)
10
Application Protocol Intrusion Protection and
Detection (APIPS, APIDS)
APIPS
APIDS

JFC4 Devices and applications must communicate
using open, secure protocols
E.g. SQL for databases but is SQL secure?
JFC5 All devices must be capable of maintaining
their security policy on an untrusted network
Can we trust the applications that access our
databases?
Need to check what applications ask the DB to do
Application Protocol Intrusion prevention and
detection

11
Database usage analysis and APIPS policy building
Automatically classified actual usage
Protection against unknown threats
Policies based on changes to measured behaviour
(Slide B-20)
12
Application Vulnerabilities

Applications are really written badly really
badly.
Rohit Dhamankar at the SANS Top 20 2006 launch
Qualys, quotes 100 new issues per week, with
badly written web applications being 60-70 of
targets
This OWASP Ten-Most-Wanted List acutely
scratches at the tip of an enormous iceberg. The
underlying reality is shameful most system and
Web application software is written oblivious to
security principles, software engineering,
operational implications, and indeed common
sense.
Dr. Peter G. Neumann, Author of Computer-Related
Risks

13
Taming the costs

Organisations may have many hundreds of instances
of applications that have these vulnerabilities.
The cost of fixing them is simply too high to
contemplate.
This severely limits business agility.
It costs between 10 and 100 times the original
development effort to fix these vulnerabilities
in deployed systems. The factor depends on when
in the development cycle the flaw was introduced
Gartner quote an average of 50x
Unless you can tame this cost, the benefits of
business agility are threatened by the cost of
making the applications sufficiently safe to
conduct the new business functions.

14
Database APIPS Benefits

Internal Security
Reduces risk of unauthorized disclosure or
corruption
Detect unusual behaviour by authorized users
External Security
Fast, accurate, scalable APIDS/APIPS
Avoids black-list and white-list pitfalls
Protection available against SQL-injection
attacks
Reduces the urgency to apply security patches
Audit Compliance
Automated learning can reduce training time
Reduced cost of meeting compliance requirements
Application Development
Enables application design and performance
improvement

15
Introducing expressHR

Leading provider of recruitment process
outsourcing technology
Temporary, permanent and contract staff for
Local authorities, major corporates, call
centres, warehouse, transport, social care,
construction, hospitality
expressHRs Vendor Management System is an
end-to-end solution
From creating vacancy to selection, vetting and
placement
From online timesheets to self-bill invoicing,
and reporting
expressHRs Software as a Service
Web-based solution connecting all parties in the
process

16
expressHR platform connects
17
expressHR platform connects
Line Managers
Candidates
Temporary Workers
Agencies
Managed Recruitment Service
82,000 Candidates/Qtr
56,000 Placements/Qtr
17m Timesheet Hours / Qtr
300m p.a. Transactions
15,000 Users
18
Problem Protecting de-perimeterised dBs

System contains critical personal 3rd-party data
Banking information, salaries, pay rates, charge
rates, CVs and other personal details
Much of which must be protected by law
expressHRs Software-as-a-Service provides
business benefits to costs, speed and efficiency
But raises unique security concerns
Corporate responsibility
Customer reputation and brand
The de-perimeterised challenge is defending
critical information against internal and
external threats

19
Approach Database Micro-perimeter
APIPS

Deploy a micro-perimeter protection
Up close and personal to critical dBs
Understand, control and protect
Application access to critical databases

20
dB APIPS Understanding

Build up a rich UNDERSTANDING of
Application-to-database behaviour
Who is asking for what data and when?
Why is the database system catalogue being
queried?
Security improvements
Locate easily which database stored procedures
should be hardened to resist attack
Software engineering/performance issues
Why is select from being used?

21
dB APIPS Understand, Control Protect

Use the understanding to
Insist on database interactions conforming ONLY
to allowable behaviours
Understand and measure exactly how the database
is being used, and the intent of applications -
for informed decision making
Automatically build a fine-grained security
policy
Reflecting how applications really use a database
Providing a continuous feedback loop based on
actual actual behaviour
Control the risk and secure the corporate assets