CS317 File and Database Systems – mercury.pr.erau.edu/~siewerts/cs317/documents/Lectures/... · 2017 (transcript of the lecture slides)
November 13, 2017 Sam Siewert
CS317 File and Database Systems
Lecture 12 – DBMS Security Considerations
http://dilbert.com/strips/comic/2009-02-21/
Reminders
– Assignment #4 grading now
– Assignment #5, Physical DB Design – reviewing TEAMS
– Assignment #6, DBMS Project of Your Interest – POSTED; FINAL ORAL PRESENTATION
  – Design schema for DBMS project in a small team; logical design focus (normalization), physical is MySQL on PRClab
  – Combine network applications with DBMS in C/C++, JDBC, or Python – http://www.mysql.com/products/connector/
  – Add stored programs and triggers, add views, create transactions where needed
Sam Siewert 2
GENERAL PLATFORM SECURITY
Security Primer
Key Issues
NIST (National Institute of Standards and Technology)
– Department of Commerce
– Data privacy and protection
– FISMA (Federal Information Security Management Act of 2002, updated by the Federal Information Security Modernization Act of 2014)
– Detailed categorization of federal information and systems (threat, risk, cost, benefit) – FIPS 199 (categorization), FIPS 200 (minimum requirements) and the NIST SP 800-53 control catalog they point to, in successive revisions (there is no "FIPS 800")

How would YOU prioritize Data Security?
1. Data privacy (disclosure to an unauthorized user, system, or application)
2. Misuse of data (fraud, identity theft)
3. Fake data (forged documents or credentials)
4. Access privilege violations (seeing co-worker salaries)
5. Data corruption (integrity, veracity)
6. Denial of service (can't access data or services due to attack)
7. Data loss (restore from backup? – RTO/RPO, recovery time objective and recovery point objective)
Recent Data Security Disasters and Lessons to Learn
Equifax – facing a potential judgment of corporate dissolution (the "corporate death penalty"). Companies like this are "data stewards", entrusted with personal financial data to provide services for pay; that is their job.
Why? 145.5 million personal records compromised (financial records used in credit scores).
Mistakes exposed in Congressional hearings ("6 Fresh Horrors From the Equifax CEO's Congressional Hearing"):
1. Slow to act on knowledge of the breach
2. Software vulnerability patching process (points of failure, human and automation) – one system had user=admin, pass=admin, and a publicly known Apache Struts vulnerability with a patch available was left unpatched
3. Storage of sensitive consumer information in plaintext
4. Quarterly security reviews (far too infrequent when data stewardship is the primary business)
5. Not sure who is attacking them (or attacked)
6. Breach notification run on a separate system (domain), a look-alike name that customers cannot tell apart from a phishing site
Authorization and Access Control
– By session login
– By file (permissions)
– By directory
– Host to network (known host Ethernet address, WWID)
– By execution privilege level (root or user) – "sudo"

Authorized users, computers, and applications
– Passwords stored as salted hashes (never plaintext, and not reversible encryption), pass phrases – see "Randomness in Digital Cryptography: A Survey" (reference below) for the random salt and key material this requires
– Avoid dictionary and birthday attacks
  – Attacker downloads the password (hash) file to crack offline
  – Uses dictionary-derived guesses
  – The probability that some pair of passwords in a large file match is far higher than the probability of matching one specific password (the birthday bound); a per-user salt keeps equal passwords from producing equal hashes, so one cracked hash does not expose every account that reused it
  – Informed guessing and testing

Require authentication
– Proving you are who you claim you are
– Producing a pass phrase, or an answer to a challenge question
– Key or smartcard
– Providing a biometric scan
Marton, Kinga, Alin Suciu, and Iosif Ignat. "Randomness in digital cryptography: A survey." Romanian Journal of Information Science and Technology 13.3 (2010): 219-240.
10% of the Internet Is Encrypted with Lava Lamps
Attacks on Security
Early famous attacks
– DES (banking) encryption for ATM machines
– DES's 56-bit key shown to be brute-forceable: the DESCHALL distributed ("cluster") search recovered a key in 1997, and the EFF's purpose-built Deep Crack hardware did it in 56 hours in 1998
– Scramble to patch with Triple DES (late 1990s)
– NIST competition for AES (Advanced Encryption Standard); Rijndael selected in 2000 and published as FIPS-197 in 2001

Cryptanalysis
– Capture encrypted data ("man in the middle", or any passive tap on the link)
– Capture encryption code, key, or mechanism
– Capture decryption code, key, or mechanism
– Analyze examples to deduce the substitution and transposition cipher mappings
– Inverse function

Defense
– Cryptographic hash functions with large outputs, so collisions are infeasible to find
– 128-bit, 256-bit or larger keys drawn from a cryptographically secure random number generator
– Frequent key updates
Denial of Service
Rather than gaining unauthorized access, deny other authorized users access
– Hit the system with thousands or millions of invalid requests per second
– Flood the network with bad protocol or packets
– Cause routing loops, crash services remotely on purpose

Reason for maximum login attempts
– Withdraw the password prompt from a particular network client or terminal
– Invalidate a username
– Caveat: locking the account rather than the source lets an attacker deny service to any user whose name they know, simply by failing logins on purpose; throttle or block per source address, and lock accounts only temporarily

Reason for network authentication of clients
– Block all traffic for a specific IP or Ethernet address
– Secure physical network switches and gateway machines
Malware
Software designed to harm a client or exploit a known bug
– Trojan horse – present free software, an e-mail application, plug-in, or other method to deliver an application with bad intent
  – User agrees to download without authentication of the source or verification of the code's digest/signature (a unique fingerprint of the tested and authentic code)
  – Beware of free software from unknown sources
– Virus – application code that installs itself on a computer in key operating system and shared data locations
  – Boot code
  – Commonly used file system code
  – Transfers via shared files, networks, disks (e.g. USB stick)
– Exploit – find a buffer overflow in a widely used operating system or networking service
  – The overflow lets the attacker overwrite memory next to the buffer (return addresses, function pointers), a doorway to hijack control flow and run code of their choosing
  – Perfect the exploit in a private lab, release it as a Trojan horse or virus
– Rootkit – gain access and install monitoring software, or create a second administrator-privilege password and account
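The buffer-overflow doorway described above, as an added example in C that is not part of the lecture: the unbounded copy beside a bounded replacement, plus the half-fix that is often mistaken for one. The function names, the request/name fields and the buffer size are assumptions for illustration.

```c
/* Added example (not from the lecture): the unbounded copy that underlies a
 * classic buffer overflow, beside a bounded replacement. Names and the buffer
 * size are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* assumed fixed-size field, NUL included */

/* VULNERABLE, shown for contrast only and never called below: strcpy() stops
 * at the NUL of 'request', not at the end of 'name'. A request of 16 or more
 * bytes writes past the array onto whatever the compiler placed after it
 * (saved return address, function pointers), which is the "doorway" the slide
 * refers to: attacker-controlled bytes become control flow. */
void copy_unchecked(char *name, const char *request) {
    strcpy(name, request);
}

/* HARDENED: measure the request without scanning past the room we have, and
 * reject anything that would not fit together with its NUL terminator.
 * Rejecting is preferred over silent truncation here because a truncated
 * username may collide with another account. Returns the copied length, or
 * -1 on rejection (in which case 'name' is left untouched). */
int handle_request_safe(char *name, size_t name_len, const char *request) {
    size_t n = 0;
    while (n < name_len && request[n] != '\0')
        n++;
    if (n >= name_len)          /* no room for the NUL: oversize or unterminated */
        return -1;
    memcpy(name, request, n + 1);
    return (int)n;
}

/* A common half-fix worth recognizing in review: strncpy() bounds the write
 * but does not NUL-terminate when the source fills the buffer, so the next
 * strlen() or printf("%s") reads off the end. This version adds the missing
 * terminator explicitly and reports whether truncation happened. */
int copy_truncating(char *name, size_t name_len, const char *request) {
    strncpy(name, request, name_len - 1);
    name[name_len - 1] = '\0';
    return strlen(request) >= name_len;   /* 1 if the input was cut short */
}

int main(void) {
    char name[NAME_MAX_LEN];
    const char *inputs[] = { "ssiewert", "123456789012345", "1234567890123456" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = handle_request_safe(name, sizeof name, inputs[i]);
        printf("%-17s -> %s\n", inputs[i], rc < 0 ? "rejected (too long)" : name);
    }
    return 0;
}
```

The 15-character input is accepted and the 16-character one rejected: the buffer holds 16 bytes, and one of them must be the terminator. That off-by-one is where most real overflows of this shape live.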
Phishing
Write a program that asks for a password
– Run this on a public computing system, spoofing a well-known and trusted server
– Collect login credentials from users (then produce error messages, so the victim retries on the real system and suspects nothing)

Fake e-mail requesting credentials
Fake service or business front
Impersonation of a web service (re-direction of traffic)
E-mail indicating you are over e-mail quota limits, credit has been frozen, etc., followed by a request for credentials
Newer Threats Continue to Emerge …
Character defamation
– Impersonation of web presence
– Defame a user – a.k.a. "fake news"
– Influence a stock price ("pump & dump")
– Confuse or influence with a specific purpose

Identity theft – creation of accounts using false credentials
– Outright theft (credit card fraud)
– Less obvious – sign up all identities for a "free Netflix trial"

Ransomware – hold files hostage (encrypted) for payment to get them back

Cyber attacks and cyber warfare
– Malware designed to harm or deny service to physical systems using process control (water, power, traffic management, etc.)
– Financial sector attacks – discrediting a company, disruption of exchanges and banking
– Discrediting governments, spoofing, replay attacks
White-hat Sites, Historic Attacks
– https://www.defcon.org/, Wikipedia overview on DEF CON
– https://www.eff.org/, Wikipedia on EFF
– http://www.kali.org/ (successor to BackTrack), security admin toolkit for analyzing networks

Alleged cyber-warfare attack – Stuxnet

Motor vehicle attack analysis – wired and wireless
– http://www.autosec.org/pubs/cars-oakland2010.pdf
– https://www.youtube.com/watch?v=oqe6S6m73Zw
– https://www.youtube.com/watch?v=bHfOziIwXic

Database attacks – typically stolen account information
– PlayStation Network attack April 17-19, 2011 – Sony blamed Anonymous, but not clear who did it!
– JP Morgan database breach
– Home Depot breach
– OPM breach
– Many more …
Biggest Data Breaches (figure: 2014-2016, and current 2017)
https://www.equifaxsecurity2017.com/consumer-notice/, https://www.wired.com/story/equifax-breach-no-excuse/
Cybersecurity
Some databases for SOA (Service Oriented Architecture) with cyber-physical systems
– Growing trend for intelligent transportation and vehicle telematics
– E.g. the OnStar system uses Oracle
– DBMS security is not just about record or information breaches; a compromised database can drive a physical system
http://cybersecurity.ieee.org/
http://dev.mysql.com/doc/refman/5.0/en/security.html
http://dev.mysql.com/doc/refman/5.0/en/security-against-attack.html
Best General Defenses
Encryption used for authentication, data exchange (e.g. TLS / Secure Sockets), and to sign and verify all updates and upgrades

Public services, ports, and terminals should be limited
– Only necessary services – SSH, SFTP
– No plaintext services – FTP, Telnet

Routine monitoring and logging
– Review all connection attempts and login attempts
– Review logs for services that crash and restart
– Installations, updates, upgrades
– Signed drivers
– Modifications to boot code or CMOS/UEFI (firmware)

Security patches and updates from trusted sources
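The login-attempt review above, and the maximum-login-attempts reasoning on the Denial of Service slide, as one added example in C that is not part of the lecture: it reads sshd-style log lines, tallies failed logins per source address, and flags addresses over a threshold. The log lines are constructed samples and the threshold, client table size and function names are assumptions; only the "Failed password for ... from <ip>" wording is sshd's.

```c
/* Added example (not from the lecture): reviewing login attempts from sshd-style
 * log lines and flagging source addresses that exceed a maximum number of
 * failed logins. The log lines are constructed samples and the threshold is an
 * assumption; the "Failed password for ... from <ip>" wording is sshd's. */
#include <stdio.h>
#include <string.h>

#define MAX_CLIENTS 32
#define MAX_FAILED  3        /* assumed block threshold */
#define IP_LEN      16       /* enough for dotted IPv4; longer addresses are skipped */

/* Constructed sample log; hosts are RFC 5737 documentation addresses. */
static const char *sample_log[] = {
    "Nov 13 10:01:02 prclab sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Nov 13 10:01:05 prclab sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "Nov 13 10:01:09 prclab sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Nov 13 10:01:12 prclab sshd[2103]: Accepted publickey for ssiewert from 198.51.100.4 port 40210 ssh2",
    "Nov 13 10:01:20 prclab sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2",
    "Nov 13 10:02:01 prclab sshd[2104]: Failed password for ssiewert from 198.51.100.4 port 40211 ssh2",
    "Nov 13 10:02:03 prclab sshd[2104]: Accepted password for ssiewert from 198.51.100.4 port 40211 ssh2",
};
static const int sample_log_len = sizeof sample_log / sizeof sample_log[0];

struct client { char ip[IP_LEN]; int failed; };

/* Pull the source address out of a failed-login line. Returns 1 and fills 'ip'
 * on success, 0 for any other line (accepted logins, unrelated services, or an
 * address too long for the buffer, which is refused rather than truncated). */
int parse_failed_login(const char *line, char *ip, size_t ip_len) {
    const char *p = strstr(line, "Failed password for ");
    if (p == NULL) return 0;
    p = strstr(p, " from ");
    if (p == NULL) return 0;
    p += strlen(" from ");
    size_t n = strcspn(p, " ");
    if (n == 0 || n >= ip_len) return 0;
    memcpy(ip, p, n);
    ip[n] = '\0';
    return 1;
}

/* Count failures per source address over a batch of lines. Returns how many
 * distinct addresses were recorded; addresses beyond 'max_clients' are dropped
 * (a production version would evict the oldest entry or alert instead). */
int tally_failures(const char **lines, int nlines, struct client *clients, int max_clients) {
    int nclients = 0;
    for (int i = 0; i < nlines; i++) {
        char ip[IP_LEN];
        if (!parse_failed_login(lines[i], ip, sizeof ip)) continue;
        int j;
        for (j = 0; j < nclients; j++)
            if (strcmp(clients[j].ip, ip) == 0) break;
        if (j == nclients) {
            if (nclients == max_clients) continue;
            strcpy(clients[j].ip, ip);       /* safe: parse bounded it to < IP_LEN */
            clients[j].failed = 0;
            nclients++;
        }
        clients[j].failed++;
    }
    return nclients;
}

/* Failures recorded for one address, 0 if it never failed. */
int failures_for(const struct client *clients, int nclients, const char *ip) {
    for (int i = 0; i < nclients; i++)
        if (strcmp(clients[i].ip, ip) == 0) return clients[i].failed;
    return 0;
}

/* Decide per source, not per account: "invalidate a username" becomes a
 * denial of service against that user if an attacker can trigger it at will. */
int should_block(const struct client *c) {
    return c->failed >= MAX_FAILED;
}

int main(void) {
    struct client clients[MAX_CLIENTS];
    int n = tally_failures(sample_log, sample_log_len, clients, MAX_CLIENTS);
    for (int i = 0; i < n; i++)
        printf("%-15s failed=%d %s\n", clients[i].ip, clients[i].failed,
               should_block(&clients[i]) ? "BLOCK" : "ok");
    return 0;
}
```

On the sample, 203.0.113.7 accumulates four failures and is flagged, while 198.51.100.4 (one mistyped password followed by a success) is left alone. The "Accepted" lines are parsed and ignored rather than treated as failures, which is the check that keeps a noisy parser from blocking legitimate users.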
Inside Threats
Insiders with physical access to machines and networking equipment
– Log all entry/exit to/from data center and labs
– Cross-checks and need-to-know limited distribution of sensitive data
– No password sharing, guest or anonymous accounts
– Delete access and accounts for severed relationships
– VPN – Virtual Private Network remote access (an encrypted, authenticated tunnel from client to host, typically over TLS or IPsec)
Limit data removal on media
File permission and ACL (Access Control List) maintenance
Extreme Protection
– Private network, no public LAN
– Limited physical access (vault)
– Strong encryption (e.g. AES-256 – FIPS-197, or larger keys)
– Use a validated AES implementation (NIST's validation list)
– Multi-method authentication (smartcard, pass phrase, and fingerprint)
– Compartmentalization – limit knowledge of why work is being done (hide the global purpose)
– Require multiple independent user authentications – combined key or pass phrase access that requires two logins [e.g. mysql-workbench over an SSH tunnel: an SSH login, then a MySQL login]
– Quotas on bandwidth, storage, download, session time; intrusion detection monitors, port monitors
Encryption Methods
Mathematical hashing functions
– One-way hash functions – digital signatures, authentication codes, hash tables, fingerprints
– Not reversible, but valuable in protocols

1-to-1 transposition and substitution mapping functions
– Reversible mathematical transforms: Y = f(X), X = f^-1(Y)

Security based on:
1. Algorithm – e.g. AES (Rijndael), RSA, DES, Triple-DES, … (PGP is a program that combines such algorithms, not an algorithm itself); by Kerckhoffs's principle the algorithm is assumed to be public and only the key is secret
2. Key length (bits) and mode of operation (e.g. Cipher Block Chaining)
3. Key exchange protocol (public or private)
http://www.snellgroup.com/documents/white-papers/white-paper-Good-Old-Mathematics.pdf
Basic Encryption – Substitution
Re-map the alphabet 1-to-1 and onto (a bijection, so it can be inverted)

Key table (plaintext alphabet A..Z above, cipher alphabet below):
  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  N A S I J K C M Q R F B D G H E L O P W T Z Y V U X

Demo program (BETA prompt: encrypt, then decrypt back):
  ssiewert@ssiewert-VirtualBox:~/a320/crypto$ ./a.out
  TRANSLATE THIS!  ->  WONGPBNWJ WMQP!
  BETA>INTRODUCTION TO COMPUTERS
  QGWOHITSWQHG WH SHDETWJOP
  INTRODUCTION TO COMPUTERS
  BETA>abcdefghijklmnopqrstuvwxyz
  NASIJKCMQRFBDGHELOPWTZYVUX
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  BETA>exit
  JVQW
  EXIT
Basic Encryption – Transposition
Permute a text block (e.g. up to 10 characters at a time)

Key table (output position above, input position it is read from below):
  0 1 2 3 4 5 6 7 8 9
  6 2 7 5 1 3 4 9 0 8

Demo program (TRAN prompt: encrypt, then decrypt back; a trailing block shorter than 10 characters is left unchanged):
  ssiewert@ssiewert-VirtualBox:~/a320/crypto$ ./a.out
  0123456789ABCD  ->  6275134908ABCD
  TRAN>introduction to computers
  utcdnroiitc o ntopomuters
  introduction to computers
  TRAN>abcdefghijklmnopqrstuvwxyz
  gchfbdejaiqmrplnotksuvwxyz
  abcdefghijklmnopqrstuvwxyz
  TRAN>exit
  exit
  exit
Basic Encryption – Early Automation
Substitution combined with transposition – the Enigma code (the film U-571)

Demo program (CRYPT prompt: substitute, then transpose; each entry shows the input, the text after substitution, and the text after transposition):
  ssiewert@ssiewert-VirtualBox:~/a320/crypto$ ./crypt
  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  N A S I J K C M Q R F B D G H E L O P W T Z Y V U X
  TRANSLATE THIS!
  WONGPBNWJ WMQP!
  NNWBOGP WJWMQP!
  CRYPT>abcdefghijklmnopqrstuvwxyz
  NASIJKCMQRFBDGHELOPWTZYVUX
  CSMKAIJRNQLDOEBGHWFPTZYVUX
  CRYPT>introduction to computers
  QGWOHITSWQHG WH SHDETWJOP
  TWSIGOHQQWS H GWHEHDTWJOP
  CRYPT>exit
  JVQW
  JVQW
Symmetric Key Concepts
Encryption keys – can I encrypt and decrypt with the same key?
– With the substitution key, yes (apply the inverse mapping)
– With the transposition key, yes (apply the inverse permutation)
This is a symmetric key system: whoever holds the key tables can go in either direction.
/* Key tables from the demo programs. The surrounding definitions (constants and
 * the struct charmap type) are assumed; the slide shows only the initialized arrays. */
#define ALPHABET   26
#define BLOCK_SIZE 10

struct charmap { char plain; char cipher; };   /* assumed: one row of the substitution table */

struct charmap submap[ALPHABET] = {
    {'A','N'}, {'B','A'}, {'C','S'}, {'D','I'}, {'E','J'}, {'F','K'}, {'G','C'},
    {'H','M'}, {'I','Q'}, {'J','R'}, {'K','F'}, {'L','B'}, {'M','D'}, {'N','G'},
    {'O','H'}, {'P','E'}, {'Q','L'}, {'R','O'}, {'S','P'}, {'T','W'}, {'U','T'},
    {'V','Z'}, {'W','Y'}, {'X','V'}, {'Y','U'}, {'Z','X'}
};

/* Transposition: output position i takes input position transmap[i]; the
 * decryption table is the inverse permutation, i.e. detransmap[transmap[i]] == i. */
//                           0  1  2  3  4  5  6  7  8  9
int transmap[BLOCK_SIZE]   = {6, 2, 7, 5, 1, 3, 4, 9, 0, 8};
int detransmap[BLOCK_SIZE] = {8, 4, 1, 5, 6, 3, 0, 2, 9, 7};
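The substitution, transposition and combined ("crypt") demos above, and the symmetric-key point, as one added example in C that is not part of the lecture's own program: it uses the exact key tables printed on the slides, reproduces the transcript outputs, and decrypts with the same tables by inverting them. Function names are assumptions; the key values are the slides'.

```c
/* Added example (not from the lecture): substitution + transposition cipher
 * using the key tables printed on the slides, with decryption derived from the
 * same tables, so the transcript outputs above can be reproduced and the
 * "symmetric key" claim checked. Function names are assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define ALPHABET   26
#define BLOCK_SIZE 10

/* Substitution key from the slide: plaintext letter -> cipher letter. */
static const char subkey[ALPHABET + 1] = "NASIJKCMQRFBDGHELOPWTZYVUX";

/* Transposition key from the slide: out[i] = in[transmap[i]] within a block. */
static const int transmap[BLOCK_SIZE] = {6, 2, 7, 5, 1, 3, 4, 9, 0, 8};

/* Substitute in place. Letters are upper-cased first, as the demo program does;
 * anything else passes through unchanged, which is itself a weakness: spaces
 * and punctuation leak word boundaries to the cryptanalyst. */
void substitute(char *s) {
    for (; *s; s++) {
        if (isalpha((unsigned char)*s))
            *s = subkey[toupper((unsigned char)*s) - 'A'];
    }
}

/* Invert the substitution by looking the cipher letter up in the key. */
void unsubstitute(char *s) {
    for (; *s; s++) {
        const char *p = isalpha((unsigned char)*s) ? strchr(subkey, *s) : NULL;
        if (p) *s = (char)('A' + (p - subkey));
    }
}

/* Permute every full block of BLOCK_SIZE characters; a short trailing block is
 * left alone, exactly as the transcript shows ("ABCD" and "uters" survive). */
static void permute(char *s, const int *map) {
    size_t n = strlen(s);
    char tmp[BLOCK_SIZE];
    for (size_t b = 0; b + BLOCK_SIZE <= n; b += BLOCK_SIZE) {
        for (int i = 0; i < BLOCK_SIZE; i++) tmp[i] = s[b + map[i]];
        memcpy(s + b, tmp, BLOCK_SIZE);
    }
}

void transpose(char *s) { permute(s, transmap); }

/* Decryption needs the inverse permutation; derive it from the key rather than
 * hand-typing a second table, so the two cannot drift apart. */
void untranspose(char *s) {
    int inv[BLOCK_SIZE];
    for (int i = 0; i < BLOCK_SIZE; i++) inv[transmap[i]] = i;
    permute(s, inv);
}

/* Product cipher used by ./crypt: substitute, then transpose. Undoing it means
 * applying the inverses in reverse order. */
void crypt_encrypt(char *s) { substitute(s); transpose(s); }
void crypt_decrypt(char *s) { untranspose(s); unsubstitute(s); }

int main(void) {
    char msg[] = "TRANSLATE THIS!";
    crypt_encrypt(msg);   /* "NNWBOGP WJWMQP!", as on the slide */
    crypt_decrypt(msg);   /* back to "TRANSLATE THIS!" */
    return 0;
}
```

Both directions use nothing but subkey and transmap, which is what makes the scheme symmetric: anyone who captures those two small tables (or recovers them from enough sample text, since letter frequencies survive substitution and the 10-character block structure survives transposition) can decrypt everything.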
Better Key Management?
One-time stack of keys exchanged in private by sender and receiver in advance
– Agree to use different symmetric keys based on day of year or some universal coordination
– Cycle through 365 different keys
An attacker can still capture the stack of keys (and a schedule tied to the date tells them which key is in use when)

Better approach is a public-private key system, e.g. PGP
– Public key shared; private key never leaves its owner
– For confidentiality: the public key encrypts, and only the private key decrypts (plaintext recovery)
– For digital signatures the roles reverse: the private key signs, and anyone holding the public key verifies (authentication)
– Key exchange protocol and key rings
http://en.wikipedia.org/wiki/Public-key_encryption
Security for MySQL on PRClab
Level 1 – SSH login and/or tunnel authentication
Level 2 – MySQL authentication
Level 3 – MySQL grants and privileges by DB

E.g. SSH tunnel setup for mysql-workbench
– Generate SSH keys on PRClab for your account (in directory .ssh), then copy and paste the id_rsa contents into a file on your PC
– Start up mysql-workbench on your PC and set up the SSH tunnel using the id_rsa private key on your PC
– Caveat: id_rsa is the private half of the key pair, so treat the copied file like a password: keep it readable only by you, and never send it by e-mail or chat. The conventional alternative is to generate the pair on the PC and copy only id_rsa.pub into ~/.ssh/authorized_keys on PRClab, so the private key never leaves the machine that uses it.
SSH Tunnel Configuration (screenshots; key contents truncated for security purposes)
– SSH Tunnel: PRClab account, PRClab id_rsa key, PRClab MySQL username
– SSH Tunnel Connection to DB: enter the PRClab password (SSH), then enter the MySQL PRClab server password
– Now Workbench is connected to the PRClab MySQL server over the tunnel
Summary
Take a cybersecurity class – e.g. CI311 (operations) and CS303 (design/implementation)
Tutorial papers
– Big Iron Lessons 5 & 6
– http://www.snellgroup.com/documents/white-papers/white-paper-Good-Old-Mathematics.pdf
Cryptography in practice from ancient Egypt to the present day – the cryptanalysis time should be longer than the time the information is "sensitive" or private
Assume all codes can eventually be broken with sufficient computing and man-in-the-middle samples [change keys, pass phrases, passwords, etc. often]
Critical for secure military communications – historically treated as a munition and export controlled
Security features should be designed in and patched often as threats emerge
Embry Riddle Courses to Go Deeper
Take Away
Encryption
– Substitution
– Transposition – cipher blocks
– Mathematical basis (mapping functions, random number generation, large hashing functions, one-way and reversible)
Secure systems
– Authorization
– Authentication and access control
– Denial of service
– Trojan horses, malware, exploits [e.g. buffer overflow]
DBMS SECURITY NOTES
C&B Reference (Connolly & Begg) – Chapter 20 – Security
Chapter Objectives
– The scope of database security.
– Why database security is a serious concern for an organization.
– The types of threats that can affect a database system.
– How to protect a computer system using computer-based controls.
– The security measures provided by Microsoft Office Access and Oracle DBMSs.
– Approaches for securing a DBMS on the Web.
Database Security
– Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource.
– Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and confidential.
– Database security: mechanisms that protect the database against intentional or accidental threats.
– Security considerations do not only apply to the data held in a database. Breaches of security may affect other parts of the system, which may in turn affect the database.
– Involves measures to avoid: theft and fraud; loss of confidentiality (secrecy); loss of privacy; loss of integrity; loss of availability.
Threat
– Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organization.
Summary of Threats to Computer Systems (figure)
Typical Multi-user Computer Environment (figure)
Countermeasures – Computer-Based Controls
Concerned with everything from physical controls to administrative procedures, and includes:
– Authorization
– Access controls
– Views
– Backup and recovery
– Integrity
– Encryption
– RAID technology
Countermeasures – Computer-Based Controls
Authorization
– The granting of a right or privilege, which enables a subject to legitimately have access to a system or a system's object.
Authentication
– A mechanism that determines whether a user is who he or she claims to be. It precedes authorization: privileges can only be checked for an identity the system has already established.
Countermeasures – Computer-Based Controls
Access control
– Based on the granting and revoking of privileges.
– A privilege allows a user to create or access (that is, read, write, or modify) some database object (such as a relation, view, or index) or to run certain DBMS utilities.
– Privileges are granted to users to accomplish the tasks required for their jobs.
Countermeasures – Computer-Based Controls
– Most DBMSs provide an approach called Discretionary Access Control (DAC).
– The SQL standard supports DAC through the GRANT and REVOKE commands.
– The GRANT command gives privileges to users, and the REVOKE command takes them away.
Countermeasures – Computer-Based Controls
– DAC, while effective, has certain weaknesses. In particular, an unauthorized user can trick an authorized user into disclosing sensitive data (for example by getting them to run a program that reads the data and writes it somewhere the attacker can reach).
– An additional approach is required, called Mandatory Access Control (MAC).
Countermeasures – Computer-Based Controls
– MAC is based on system-wide policies that cannot be changed by individual users.
– Each database object is assigned a security class and each user is assigned a clearance for a security class, and rules are imposed on the reading and writing of database objects by users.
Countermeasures – Computer-Based Controls
– MAC determines whether a user can read or write an object based on rules that involve the security level of the object and the clearance of the user. These rules ensure that sensitive data can never be "passed on" to another user without the necessary clearance.
– The SQL standard does not include support for MAC.
Popular model for MAC (Mandatory Access Control): Bell-LaPadula
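The two Bell-LaPadula rules that give MAC its "cannot be passed on" guarantee, as an added example in C that is not from the textbook slides. The security levels, the users and the tables are constructed for illustration; only the rules themselves are the model's.

```c
/* Added example (not from the textbook slides): the two Bell-LaPadula rules as
 * code, applied to a constructed set of subjects and objects. The level names,
 * users and tables are assumptions for illustration. */
#include <stdio.h>

enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

struct subject { const char *name; enum level clearance; };
struct object  { const char *name; enum level classification; };

/* Simple security property, "no read up": a subject may read an object only
 * when its clearance dominates the object's classification. */
int may_read(const struct subject *s, const struct object *o) {
    return s->clearance >= o->classification;
}

/* *-property, "no write down": a subject may write an object only when the
 * object's classification dominates the subject's clearance. This is the rule
 * DAC lacks: even a legitimately authorized reader of SECRET data cannot copy
 * it into a CONFIDENTIAL table that lower-cleared users can read. */
int may_write(const struct subject *s, const struct object *o) {
    return o->classification >= s->clearance;
}

/* Can subject s move data from 'from' to 'to' (an INSERT ... SELECT, or a
 * Trojan horse running with s's privileges)? Both rules must hold, so the
 * flow is allowed only when classification(to) >= classification(from). */
int may_copy(const struct subject *s, const struct object *from, const struct object *to) {
    return may_read(s, from) && may_write(s, to);
}

static const char *level_name(enum level l) {
    static const char *names[] = { "UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET" };
    return names[l];
}

int main(void) {
    struct subject alice    = { "alice",    SECRET };        /* constructed */
    struct subject bob      = { "bob",      CONFIDENTIAL };  /* constructed */
    struct object  salaries = { "salaries", SECRET };        /* constructed */
    struct object  bulletin = { "bulletin", UNCLASSIFIED };  /* constructed */
    struct object  audit    = { "audit",    TOP_SECRET };    /* constructed */

    printf("%s (%s) read %s: %d\n", alice.name, level_name(alice.clearance),
           salaries.name, may_read(&alice, &salaries));
    printf("%s copy %s -> %s: %d (no write down)\n", alice.name, salaries.name,
           bulletin.name, may_copy(&alice, &salaries, &bulletin));
    printf("%s write %s: %d, read it back: %d (write up allowed, read up denied)\n",
           bob.name, audit.name, may_write(&bob, &audit), may_read(&bob, &audit));
    return 0;
}
```

The interesting case is the copy: alice is cleared for the salary data, so DAC would let her (or a Trojan horse running as her) write it into the bulletin table; under MAC the write is refused because it would move SECRET data into an UNCLASSIFIED object.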
Countermeasures – Computer-Based Controls
View
– The dynamic result of one or more relational operations operating on the base relations to produce another relation.
– A view is a virtual relation that does not actually exist in the database, but is produced upon request by a particular user, at the time of request.
Countermeasures – Computer-Based Controls
Backup
– The process of periodically taking a copy of the database and log file (and possibly programs) to offline storage media.
Journaling
– The process of keeping and maintaining a log file (or journal) of all changes made to the database, to enable effective recovery in the event of failure.
Countermeasures – Computer-Based Controls
Integrity
– Prevents data from becoming invalid, and hence giving misleading or incorrect results.
Encryption
– The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key.
Setting the Insert, Select, and Update privileges (figure)
DBMSs and Web Security
Internet communication relies on TCP/IP as the underlying protocol. However, TCP/IP and HTTP were not designed with security in mind. Without an encrypting layer such as TLS, all Internet traffic travels "in the clear" and anyone who can monitor the traffic can read it.
DBMSs and Web Security
Must ensure, while transmitting information over the Internet, that it is:
– inaccessible to anyone but sender and receiver (privacy);
– not changed during transmission (integrity);
– verifiable by the receiver as having come from the sender (authenticity);
– verifiable by the sender as having reached a genuine receiver (non-fabrication);
– undeniable by the sender after the fact (non-repudiation).
DBMSs and Web Security
Measures include:
– Proxy servers
– Firewalls
– Message digest algorithms and digital signatures
– Digital certificates
– Kerberos
– Secure Sockets Layer (SSL, now superseded by TLS) and Secure HTTP (S-HTTP)
– Secure Electronic Transactions (SET) and Secure Transaction Technology (STT)
– Java security
– ActiveX security
How Secure Electronic Transactions (SET) Works (figure)