© 2014 IBM Corporation
Making the Most of InfoSphere Guardium Vulnerability Assessment
Ian Schmidt [email protected]
Mike Martin [email protected] @BTRG_MikeMartin
Louis Lam [email protected]
Logistics
This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
We'll try to answer questions in the chat or address them at the speaker's discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
When the speaker pauses for questions:
– We'll go through existing questions in the chat
Reminder: Guardium Tech Talks
Link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.
Next tech talk: What is this thing called Hadoop and how do I secure it?
Speakers: Kathy Zeidenstein and Sundari Voruganti
Date & Time: Thursday, July 17th, 2014, 11:30 AM Eastern Time (75 minutes)
Register here: http://bit.ly/SinP6o
New!!! Regional user groups this year
Location | Date of session | Venue | Registration Link
*New* Miami, FL | June 11, 2014 | IBM Office, Columbus Center, Suite 1415, 1 Alhambra Plaza, Coral Gables, FL 33134 | https://www.ibm.com/events/wwe/grp/grp004.nsf/enrollall?openform&seminar=326PXCES&locale=en_US
*New* Markham, Ontario, Canada | June 19, 2014 | IBM Canada Ltd., 3600 Steeles Avenue East, 1st Floor, Room B104, Markham ON L3R 9Z7, Canada | https://www.ibm.com/events/wwe/grp/grp004.nsf/enrollall?openform&seminar=8ACM45ES&locale=en_US
NYC, NY | June 25, 2014 | IBM, 590 Madison Ave, Room 1219, New York, NY 10022 | https://www.ibm.com/events/wwe/grp/grp004.nsf/enrollall?openform&seminar=4FBKUGES&locale=en_US
Atlanta, GA | August 28, 2014 | IBM (Building A) Technical Exploration Center, 6303 Barfield Rd., NE, Atlanta, GA 30328 | https://www.ibm.com/events/wwe/grp/grp004.nsf/enrollall?openform&seminar=4C2U2FES&locale=en_US
IBM Insight | Oct 26, 2014 | TBD | To follow
Agenda
Review of InfoSphere Guardium Vulnerability Assessment features and offerings
Application-specific vulnerability assessment and demo
Step by step demo of custom query creation
Q and A
Vulnerability Assessment: Industry Definition
"Vulnerability assessment" (VA) covers tools for finding known vulnerabilities and configuration weaknesses on computing resources such as servers, desktops, mobile computing assets and other networked devices as well as on related workflow processes such as vulnerability prioritization and analysis.
Includes configuration weaknesses, unpatched OS components and applications, some other technical security deficiency, or a situation that doesn't comply with organizational IT policies.
Gartner: Vulnerability Assessment Technology and Vulnerability Management Practices, Anton Chuvakin, Published: 7 February 2014
Data Protection is key to a holistic approach to Information Governance and Security
Why are Databases Vulnerable?
Data in all its forms is exploding (big data, mobile, cloud) while resources to manage it are limited
Development systems that get replicated to production without proper lock down
Application packages that get deployed with default settings with no understanding of the security implications
Systems are turned over to DBAs with little control over how the databases are set up
Guardium's Holistic Data Protection Process: Discover, Assess/Harden, Monitor, Block, Mask (Vulnerability Assessment covers the Discover and Assess/Harden steps)
Questions the process answers:
– Where is the sensitive data?
– Who should have access?
– How to secure the repository?
– How to protect sensitive data to reduce risk?
– What is actually happening?
– How to prevent unauthorized activities?
InfoSphere Guardium Vulnerability Assessment, Editions
Guardium Vulnerability Assessment – Evaluation
• Free, downloadable, up to 10 sources, 30 day trial
• Uncovers risk with sensitive data discovery
• Detailed assessments and vulnerability reporting
Guardium Vulnerability Assessment – Standard
• Sensitive Data Discovery
• Comprehensive Testing and Reporting
• Ongoing protection with testing subscription
• Collaboration and workflow
• Extensible framework
Guardium Vulnerability Assessment – Advanced
Adds to Standard:
• Configuration auditing system
• Entitlement Reporting
InfoSphere Guardium Vulnerability Assessment – Standard Edition
Sensitive Data Discovery
• Identifies sensitive data like credit cards, transactions or PII
• Reporting on sensitive objects
• Discover database instances
Comprehensive testing and reporting
• Using industry best-practices and benchmarks and primary research
• Predefined tests to uncover database vulnerabilities
• Recommendations for remediation
• Vulnerability Assessment scorecard
• View side by side comparison of tests
• View graphical view of trends
Extensible design
• Enables custom user-designed tests
• Tuning existing tests to match needs
• Report builder for custom reports
Collaborate to protect
• Compliance workflow
• Exception management
• Export to other security tools
Licensing: perpetual license; support, education; subscription to test updates
Why Build Custom Tests?
Some vulnerabilities in databases are specific to a particular usage
Creating custom tests to target specific use cases can be:
– Organization level
– Industry level
– Application level
Guardium VA was designed to be extensible by users or partners who have special domain knowledge
Agenda
Application Specific Vulnerability Assessment
What are we finding out
– Results
– Case Studies
Demo and How/Why we created it
About BTRG
Information Governance
• Complete Data Security Management: award winning software solutions; trusted advisor for ERP security; addressing the full lifecycle of security & compliance
• Big Data Management Strategy: Information Lifecycle Governance; Information Management; Enterprise Content Management
Industries
• Telecom, Retail, Federal, Manufacturing, Healthcare, Financial, Banking, Insurance, Pharma, State/Local Gov., Media, Transportation, Utilities
PeopleSoft Experience
• One of the first PeopleSoft partners
• Implemented, upgraded and integrated every major release of PeopleSoft
• PeopleSoft 9.2 Testing Partner
• Several current clients upgrading to 9.2
• Unique BTRG Solutions: Progressive Testing, ERP Vulnerability, Manager Action Center, Hiring Hub
250+ Unique Customers
About the Presenter
Director of Information Governance Practice for BTRG
More than 20 years of experience in Information Technology, 15 years as a PeopleSoft Consultant
Frequent presenter at webinars and conferences
IBM Champion
Connect: [email protected] @BTRG_MikeMartin
http://www.linkedin.com/in/mikemartin
Guardium Application Vulnerability Assessment
Why create it?
– Most ERP systems and packaged applications control security within the application itself
– Vulnerabilities can and often do exist within the application that no amount of database security will address
What is it?
– A Vulnerability Assessment made up of application (PeopleSoft) specific checks
– Generates a scorecard (0% to 100%) of security level
– Provides details on each vulnerability and recommendations for remediation
How does it work?
– Leverages existing Guardium technology
– Built upon 20 years of best practices at BTRG for PeopleSoft security configuration
– Interactive and dynamic report that allows you to monitor application security level over time
Vulnerability Assessments: Key components in overall security
Identifying Security Risks
Types of checks that are done
Privilege – Password settings, expiration
Authentication – Application users, logon times
Configuration – Application security, configuration best practices
Version – Current fixes, patches, bundles
Other – Query levels and access
Vulnerability Check Examples
Operator IDs associated with inactive employees
Usage of the ALLPAGES or other demo/delivered configuration
Ensure all Operator IDs/User IDs are assigned to an Employee
Permission lists with access to sensitive/security PeopleTools pages
Operators with access to Security and Functional pages
Users/Permission lists with the ability to join more than 5 tables and unlimited sign-on ability
Application Scorecard
How can you be sure you are secure?
Delivered/vanilla PeopleSoft scores an 11% on this assessment
A good amount of things can go wrong between 11% and 100%
Upgrades can introduce additional vulnerabilities
– Best practice is to benchmark before and after as well as over time
Have found instances of very low scores
– Some examples: 26%, 19%, 15%
Vulnerability Assessment Case Study
Customer: Leading Technology Company
Solution: PeopleSoft Application Vulnerability Assessment
Score: 26%
Results:
1. Found vulnerabilities in PeopleSoft configuration
2. Implemented immediate corrections within hours, others within days
3. Implemented database activity monitoring and ongoing vulnerability checks
4. Improved audit reporting (2 audit reports to 20+) which proved PCI and SOX compliance
DEMO: Vulnerability Assessment
Guardium Vulnerability Assessment Query-Based Test Builder
Louis Lam [email protected]
Agenda – Guardium Vulnerability Assessment
Build your own query-based test
Q&A
(This part covers the Discover and Harden steps of the data protection process: Where is the sensitive data? How to secure the repository?)
Query-based Test Builder
What is the query-based test builder?
– A tool that allows users to create their own custom tests, leveraging the VA infrastructure from existing Guardium predefined tests.
– Supports all the RDBMS database types that VA currently supports.
– Easy to deploy; requires little programming experience.
– Custom tests can be exported from one Guardium appliance to another using security assessment export.
Why create it?
– Most ERP systems and packaged applications control security within the application itself.
– Vulnerabilities can and often do exist within the application that no amount of database security will address.
29 © 2014 IBM Corporation
Navigate To Query-based Test Builder
There are two ways to access the query-based test builder within the Guardium appliance.
– Access as a normal user:
1. Click on the Assess/Harden tab.
2. Click on the Assessment builder icon.
3. Click on Query-based Tests.
4. Click on New to create a new test.
– Access as an admin user:
1. Click on the Tools tab.
2. Click on Security Assessment Builder under Config & Control within Tools.
3. Click on Query-based Tests.
4. Click on New to create a new test.
30 © 2014 IBM Corporation
Creating a test, step by step
Test Name
– Name of the test you want to use.
– Ideally, give it a meaningful name that indicates what the test actually checks.
– Using a prefix is recommended so you can easily tell your tests apart from the Guardium-supplied tests.
– Example: "IBM - db_owner granted to users and roles"
31 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Database type
– Pick a database type from the drop down list.
– Example: “MS SQL SERVER”
32 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Category
– Pick a category from the drop down list.
• Privileges: Check for object creation and usage rights, privilege grants to DBAs and users, and system level rights.
• Authentication: Verify password policies, default vendor accounts, no empty passwords, remote login parameters, etc.
• Configuration: Check platform-specific variables such as maximum failed logins for DBA profiles.
• Version: Verify appropriate version numbers and patch levels.
• Other
– Example: "Privileges"
33 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Severity
– Pick a severity level from the drop down list that best fits your test. Note, severity can be overridden in the assessment test tuning section. You may decide that the severity level for a given test in one datasource is higher than in another.
– Severity levels• Critical• Major• Minor• Cautionary• Informational
– Example: “Major”
34 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Short description
– This is where you describe what your test does. The more descriptive the better. You can talk about scenarios that would cause your test to pass or fail.
– Example:
• "This test checks for the db_owner role granted to users or roles in each MSSQL database. A grantee with db_owner can perform all configuration and maintenance activities on the database. This test loops through all the databases in a given SQL Server instance. Granting the db_owner role should be limited to only a few principals in production. If you have the server role sysadmin, you would not need to be granted db_owner per database."
35 © 2014 IBM Corporation
Creating a test, step by step (Continued)
External Reference
– Any references you may use for this test like STIG, CIS, CVE, your company security policy benchmark, etc. This field can be left blank if you don't have any references.
– Example: “Advance VA feature demo”
36 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Result text for pass
– Reason why the datasource passed this test.
– Example: "db_owner database level role has not been granted to unauthorized grantee."
37 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Result text for fail
– Reason why the datasource failed this test.
• Usually this means the configuration setting is not your recommended value.
• Privileges are granted to unauthorized grantees.
• Database might not be patched to some required level.
– Example: "db_owner database level role has been granted to unauthorized grantee."
38 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Recommendation text for pass
– Any recommendation you want to provide when a datasource passes the test. Usually there is no recommendation when a test passes.
– Example: “No action required.”
39 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Recommendation text for fail
– Recommendation you are providing when a datasource fails your test. It is important to provide as much detail as you can when the test fails. You want to talk about the conditions in your test that would cause a datasource to fail. Ideally, provide example remediation syntax where possible so the end user knows what needs to be done to pass your test.
– Example: "We recommend that you revoke the db_owner role from unauthorized grantees. You can use this SQL Server example command for revoking such privilege: EXEC sp_droprolemember N'db_owner', N'UserName or RoleName' GO (on SQL Server 2012 and later, ALTER ROLE db_owner DROP MEMBER [UserName or RoleName] is the non-deprecated equivalent). To exclude authorized grantees from this test, you can populate an exception group with your authorized grantees and link the group to this test."
40 © 2014 IBM Corporation
Creating a test, step by step (Continued)
SQL Statement
– This is the query your test will execute when connecting to a datasource. This can be a query or a union of queries. You can use T-SQL or PL/SQL as long as your code returns a valid value that can be compared in determining the condition for the test's passing or failing criteria.
– Tips:
• When using a comment within a query, write /* my comment */ instead of -- my comment.
• Make sure you test your SQL syntax on a native database tool or a JDBC tool first.
• When writing your SQL, it is best that the SQL returns a count(*) for comparison. The majority of tests can be structured this way, and you can return a count from SQL Server or Sybase T-SQL as well: select count(*) from some_table where some_grant = 'bad'
• For Oracle, if you are using PL/SQL, the way to return a value from an anonymous block is via "? := retval;". There is an Oracle PL/SQL example on a later slide.
• Use %THRESHOLD% in the SQL syntax when you want your test to compare against some predefined default value and you want your end user to be able to override the default value used in the test comparison. There is an example on a later slide.
41 © 2014 IBM Corporation
Creating a test, step by step (Continued)
SQL Statement (Continued)
– Example:
SELECT COUNT(*)
FROM sys.database_role_members ro,
     sys.database_principals db_role,
     sys.database_principals grantee
WHERE ro.role_principal_id = db_role.principal_id
  and ro.member_principal_id = grantee.principal_id
  and db_role.name = 'db_owner'
  and grantee.name <> 'dbo' /* Ignore the default dbo grant */
42 © 2014 IBM Corporation
Creating a test, step by step (Continued)
SQL Statement – Oracle PL/SQL Example
declare
    nver   number;
    retval integer := 0;
    sver   varchar2(255) := '';
    strval varchar2(255) := '';
begin
    /* Instance version string, e.g. 11.2.0.4.0 */
    select VERSION into sver from V$INSTANCE;
    /* Keep only major.minor, e.g. 11.2, for the numeric comparison */
    nver := to_number(substr(sver, 1, (instr(sver, '.', 1, 2) - 1)));
    /* sec_case_sensitive_logon only exists from 11.1 onward */
    if nver >= 11.1 then
        select VALUE into strval
          from V$PARAMETER
         where NAME = 'sec_case_sensitive_logon';
    end if;
    /* 0 = pass (parameter not applicable, or TRUE); 1 = fail */
    if (nver < 11.1 or strval = 'TRUE') then
        retval := 0;
    else
        retval := 1;
    end if;
    /* Hand the result back to Guardium through the bound output variable */
    ? := retval;
end;
43 © 2014 IBM Corporation
Creating a test, step by step (Continued)
SQL Statement for detail (Optional)
– This is a second query your test will execute when connecting to a datasource. It only executes if the test fails. The purpose of this query is to provide the user the detailed grants or configuration settings behind the failure so the user will know what to remediate.
– Tips:
• All the tips from the SQL Statement are relevant here.
• When the SQL Statement for detail is used, the test allows an exception group to be applied when the test returns a failed score.
• All the columns projected by the SQL provided here must be concatenated into one field. See the example below.
– Example:
SELECT 'Grantee = ' + grantee.name collate DATABASE_DEFAULT
     + ' : Grantee_type = ' + grantee.type_desc collate DATABASE_DEFAULT
FROM sys.database_role_members ro,
     sys.database_principals db_role,
     sys.database_principals grantee
WHERE ro.role_principal_id = db_role.principal_id
  and ro.member_principal_id = grantee.principal_id
  and db_role.name = 'db_owner'
  and grantee.name <> 'dbo'
44 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Pre test check SQL (Optional)
– Lets you write SQL that checks for a condition to determine whether the test should execute or not. This is useful when you are querying against a database that may or may not have the tables or columns you are looking for.
• A '0' return value from your SQL here means the test should not be executed and therefore the test would not get a pass or fail score.
• A '1' return value from your SQL here means the test should continue and has passed the pre-test check requirement.
– Example:
select count(*)
  from sys.all_objects
 where name = 'database_principals'
   and schema_name(schema_id) = 'sys'
45 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Pre test fail message (Optional)
– If the "pre test check SQL" returns '0', then the test would not execute. In this case, it will display the text you wrote for the "pre test fail message" field.
– Example: "sys.database_principals view is not found in your system catalog. This test will not execute, please research why this system view is missing."
46 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Loop databases & DB loop flag (Optional)
– Loop databases allows you to write SQL indicating which databases your SQL statement should execute against. This is only supported in the following database types: Informix, SQL Server, Sybase ASE, PostgreSQL and MySQL. The looping is performed if the DB loop flag box is checked. You can use this function only when the test returns an integer value for comparison.
– Example:
select name from sys.databases
Or
db_name1, db_name2……db_name(n)
47 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Detail prefix (Optional)
– Enter a Detail prefix that will appear at the beginning of the string details returned by the SQL statement for detail.
– Example: “Grantees with db_owner role.”
48 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Bind output variable (Optional)
– Check the "Bind output variable" checkbox if the entered text in the SQL statement is a procedural block of code that will return a value that should be bound to an internal Guardium variable that will be used in the comparison to the "Compare to" value.
– Example: See the Oracle PL/SQL example earlier in this section; the "?" in its closing "? := retval;" line is the bound output variable.
49 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Use Threshold (Optional)
– Check the "Use threshold" checkbox if you allow the use of threshold values for your test.
• For example, if you are testing for a backup configuration setting that should be kept for 12 backups or more. A different division may not agree with your requirement and decide that 8 should be their minimum and not 12. In this case, you can set your test's default threshold value as 12, but allow the end users to change your threshold when they execute the assessment. Your SQL statement would have to change to use this Guardium specific feature.
– In your SQL, you would substitute the actual value you are comparing, which is 12, with %THRESHOLD%. You would then define the default value for your %THRESHOLD%, which would be 12, in the "default threshold value" column. You also need to define a prompt in "Prompt for threshold", so the user knows the threshold can be changed.
– The next two slides will demonstrate the use of threshold.
50 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Use Threshold – Example (Optional)
– Here is a SQL Statement without using threshold.
SELECT COUNT(*)
FROM (
    SELECT CAST(VALUE AS INTEGER) AS VALUE
    FROM SYSIBMADM.DBCFG
    WHERE LOWER(NAME) = 'num_db_backups'
) AS RESULT
WHERE VALUE < 12
51 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Use Threshold – Example (Optional)
– Here is a SQL Statement using threshold.
SELECT COUNT(*)
FROM (
    SELECT CAST(VALUE AS INTEGER) AS VALUE
    FROM SYSIBMADM.DBCFG
    WHERE LOWER(NAME) = 'num_db_backups'
) AS RESULT
WHERE VALUE < %THRESHOLD%
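As an added example that is not part of the original deck, here is the same %THRESHOLD% technique applied to an Oracle password-profile setting. It shows two edge cases the DB2 backup example does not have to handle: DBA_PROFILES stores every limit as text, and a profile other than DEFAULT may carry the literal value 'DEFAULT' (inherit the DEFAULT profile's limit) or 'UNLIMITED' (never lock the account), so the effective limit is resolved first and the numeric comparison is wrapped in a CASE so that TO_NUMBER is never applied to 'UNLIMITED'. The test name, the default threshold of 5 and the prompt text are assumptions; the field layout follows the slides above.

```sql
/* Test Name:     IBM - Profiles allowing more than %THRESHOLD% failed logins  (assumed name)
   Database type: ORACLE        Category: Authentication        Severity: Major
   Use threshold: checked       Default threshold value: 5      (assumed default)
   Prompt for threshold: "Maximum FAILED_LOGIN_ATTEMPTS before the account locks"
   Return type:   integer       Operator: =                     Compare to value: 0
   A count of zero passes; any profile whose effective limit is UNLIMITED or
   above the threshold fails the datasource.                                            */

SELECT COUNT(*)
FROM (
    SELECT p.PROFILE,
           /* Resolve the inherited value: 'DEFAULT' in a non-DEFAULT profile means
              "use whatever the DEFAULT profile has for this resource" */
           CASE
               WHEN p.LIMIT = 'DEFAULT' THEN
                   (SELECT d.LIMIT
                      FROM DBA_PROFILES d
                     WHERE d.PROFILE = 'DEFAULT'
                       AND d.RESOURCE_NAME = 'FAILED_LOGIN_ATTEMPTS')
               ELSE p.LIMIT
           END AS EFFECTIVE_LIMIT
      FROM DBA_PROFILES p
     WHERE p.RESOURCE_NAME = 'FAILED_LOGIN_ATTEMPTS'
) r
/* CASE branches are evaluated in order, so the text 'UNLIMITED' is caught before
   TO_NUMBER runs; a plain OR would risk ORA-01722 (invalid number) */
WHERE CASE
          WHEN r.EFFECTIVE_LIMIT = 'UNLIMITED'            THEN 1
          WHEN TO_NUMBER(r.EFFECTIVE_LIMIT) > %THRESHOLD% THEN 1
          ELSE 0
      END = 1
```

The datasource account Guardium connects with needs read access to DBA_PROFILES (SELECT_CATALOG_ROLE or an explicit grant), otherwise the statement fails before any comparison is made. The count includes profiles that are not currently assigned to any user; that is deliberate, since an unassigned weak profile is one ALTER USER away from being in use.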
52 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Return Type, Operator and Compare to Value
– Return type is the datatype that your SQL Statement returns. This can be integer, date or string.
– Operator is the operator used to compare your SQL statement result to the "Compare to value". The available operators are in a drop down list (=, <=, >=, <, >).
– Compare to value is the value you are comparing against your SQL Statement result. If your condition is met, then the test will pass, otherwise it will fail.
Example (the settings used for the db_owner test in this presentation: Return type integer, Operator =, Compare to value 0):
– Our SQL Statement returns an integer value for us to compare. If the value of that integer is zero, then the test we created in this presentation will pass. If the SQL statement returns anything else, our test will return a failed grade because it found some condition that violates the logic of the test.
53 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Applicable Version From and Applicable Version To (optional)
– Use these two fields if you want to control which versions of the database your test should be executed in. The format to use is: ##.##
• For example, Oracle 11gR2 would be 11.2 or DB2 v10.5 would be 10.5. For SQL Server, we follow the actual Microsoft version convention: SQL Server 2005 would be 9.00 and SQL Server 2008 R2 would be 10.50.
Example (the db_owner test: Applicable version from 9.00, Applicable version to left blank):
– In our example, we are saying we want our test to execute against SQL Server 2005 and higher only, since the catalog objects we used are only available in SQL Server 2005 and newer. Since we have not put in an "applicable version to", our test can run against any later SQL Server release.
54 © 2014 IBM Corporation
Creating a test, step by step (Continued)
Our example test execution results
– An execution of our example against a SQL Server 2005 server where it found some db_owner grantees: the test shows its findings and is given a failed score.
– An execution of our example against a SQL Server 2005 server that does not find any db_owner grantee: the test is given a passing score.
Thank you
57 © 2014 IBM Corporation
Information, training, and community
InfoSphere Guardium Vulnerability Assessment Evaluation Edition on developerWorks
InfoSphere Guardium YouTube Channel – includes overviews and technical demos
developerWorks forum (very active)
Guardium DAM User Group on LinkedIn (very active)
Community on developerWorks (includes content and links to a myriad of sources, articles, etc)
Guardium Info Center
InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Send a note to [email protected] if interested.
58 © 2014 IBM Corporation
Reminder: Guardium Tech Talks
Link to more information about this and upcoming tech talks can be found on the InfoSpereGuardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.
Next tech talk: What is this thing called Hadoop and how do Isecure it?
Speakers: Kathy Zeidenstein and Sundari Voruganti
Date &Time: Thursday, July 17th, 2014
11:30 AM Eastern Time (75 minutes)
Register here: http://bit.ly/SinP6o