Making the Most of InfoSphere Guardium Vulnerability Assessment

© 2014 IBM Corporation

Ian Schmidt [email protected]

Mike Martin [email protected] @BTRG_MikeMartin

Louis Lam [email protected]



Logistics

This tech talk is being recorded. If you object, please hang up and leave the webcast now.

We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o

You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.

We’ll try to answer questions in the chat or address them at speaker’s discretion.

– If we cannot answer your question, please do include your email so we can get back to you.

When speaker pauses for questions:
– We’ll go through existing questions in the chat


Reminder: Guardium Tech Talks

Link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o

Please submit a comment on this page for ideas for tech talk topics.

Next tech talk: What is this thing called Hadoop and how do I secure it?

Speakers: Kathy Zeidenstein and Sundari Voruganti

Date & Time: Thursday, July 17th, 2014

11:30 AM Eastern Time (75 minutes)

Register here: http://bit.ly/SinP6o


New!!! Regional user groups this year

US Location / Date of session / Location / Registration Link

*New* Miami, FL
June 11, 2014
IBM Office, Columbus Center, Suite 1415, 1 Alhambra Plaza, Coral Gables, FL 33134
https://www.ibm.com/events/wwe/grp/grp004.nsf/enrollall?openform&seminar=326PXCES&locale=en_US

*NEW* Markham, Ontario, Canada
June 19, 2014
IBM Canada Ltd., 3600 Steeles Avenue East, 1st Floor, Room B104, Markham ON L3R 9Z7, Canada
https://www.ibm.com/events/wwe/grp/grp004.nsf/enrollall?openform&seminar=8ACM45ES&locale=en_US

NYC, NY
June 25, 2014
IBM, 590 Madison Ave, Room 1219, New York, NY 10022
https://www.ibm.com/events/wwe/grp/grp004.nsf/enrollall?openform&seminar=4FBKUGES&locale=en_US

Atlanta, GA
August 28, 2014
IBM (Building A) Technical Exploration Center, 6303 Barfield Rd., NE, Atlanta, GA 30328
https://www.ibm.com/events/wwe/grp/grp004.nsf/enrollall?openform&seminar=4C2U2FES&locale=en_US

IBM Insight
Oct 26, 2014
TBD
To follow


Agenda

Review of InfoSphere Guardium Vulnerability Assessment features and offerings

Application-specific vulnerability assessment and demo

Step by step demo of custom query creation

Q and A


Vulnerability Assessment: Industry Definition

“Vulnerability assessment” (VA) covers tools for finding known vulnerabilities and configuration weaknesses on computing resources such as servers, desktops, mobile computing assets and other networked devices as well as on related workflow processes such as vulnerability prioritization and analysis.

Includes configuration weaknesses, unpatched OS components and applications, some other technical security deficiency, or a situation that doesn't comply with organizational IT policies.

Gartner group: Vulnerability Assessment Technology and Vulnerability Management Practices, John Chuvakin, Published: 7 February 2014


Data Protection is key to a holistic approach to Information Governance and Security


Why are Databases Vulnerable?

Data in all its forms is exploding while resources to manage it are limited

Development systems that get replicated to production without proper lock down

Application packages that get deployed with default settings with no understanding of the security implications

Systems are turned over to DBAs with little control over how the databases are set up

Big Data, Mobile, Cloud


Guardium’s Holistic Data Protection Process

Questions the process answers:
– Where is the sensitive data?
– How to secure the repository?
– Who should have access?
– What is actually happening?
– How to prevent unauthorized activities?
– How to protect sensitive data to reduce risk?

Process steps: Discover, Harden, Monitor, Block, Mask

Vulnerability Assessment: Discover, Assess


InfoSphere Guardium Vulnerability Assessment, Editions

Guardium Vulnerability Assessment – Evaluation

• Free, downloadable, up to 10 sources, 30 day trial

• Uncovers risk with sensitive data discovery

• Detailed assessments and vulnerability reporting

Guardium Vulnerability Assessment - Standard

• Sensitive Data Discovery

• Comprehensive Testing and Reporting

• Ongoing protection with testing subscription

• Collaboration and workflow

• Extensible framework

Guardium Vulnerability Assessment - Advanced

Adds to Standard:

• Configuration auditing system

• Entitlement Reporting


InfoSphere Guardium Vulnerability Assessment - Standard Edition

Sensitive Data Discovery
• Identifies sensitive data like credit cards, transactions or PII
• Reporting on sensitive objects
• Discover database instances

Comprehensive testing and reporting
• Using industry best practices and benchmarks and primary research
• Predefined tests to uncover database vulnerabilities
• Recommendations for remediation
• Vulnerability Assessment scorecard
• View side by side comparison of tests
• View graphical view of trends

Extensible design
• Enables custom designed defined tests
• Tuning existing tests to match needs
• Report builder for custom reports

Collaborate to protect
• Compliance Workflow
• Exception management
• Export to other security tools

Perpetual License

Support, Education

Subscription to test updates


Why Build Custom Tests?

Some vulnerabilities in databases are specific to a particular usage

Creating custom tests to target specific use cases can be:
– Organization level
– Industry level
– Application level

Guardium VA was designed to be extensible by users or partners who have special domain knowledge


Guardium Vulnerability Assessment

Mike Martin [email protected] @BTRG_MikeMartin


Agenda

Application Specific Vulnerability Assessment

What are we finding out
– Results
– Case Studies

Demo and How/Why we created it


About BTRG

Information Governance
• Complete Data Security Management
  • Award winning software solutions
  • Trusted advisor for ERP security
  • Addressing the full lifecycle of security & compliance
• Big Data Management Strategy
  • Information Lifecycle Governance
  • Information Management
  • Enterprise Content Management

Industries
• Telecom, Retail, Federal, Manufacturing, Healthcare, Financial, Banking, Insurance, Pharma, State/Local Gov., Media, Transportation, Utilities

PeopleSoft Experience
• One of the first PeopleSoft partners
• Implemented, upgraded and integrated every major release of PeopleSoft
• PeopleSoft 9.2 Testing Partner
• Several current clients upgrading to 9.2
• Unique BTRG Solutions: Progressive Testing, ERP Vulnerability, Manager Action Center, Hiring Hub

Years, 250+ Unique Customers


About the Presenter

Director of Information Governance Practice for BTRG

More than 20 years of experience in Information Technology, 15 years as a PeopleSoft Consultant

Frequent presenter at webinars and conferences

IBM Champion

Connect: [email protected] @BTRG_MikeMartin

http://www.linkedin.com/in/mikemartin


Guardium Application Vulnerability Assessment

Why create it?
– Most ERP systems and packaged applications control security within the application itself
– Vulnerabilities can and often do exist within the application that no amount of database security will address

What is it?
– Application (PeopleSoft) specific checks Vulnerability Assessment
– Generates a scorecard (0% to 100%) of security level
– Provides details on each vulnerability and recommendations for remediation

How does it work?
– Leverages existing Guardium Technology
– Built upon 20 years of best practices at BTRG for PeopleSoft security configuration
– Interactive and dynamic report that allows you to monitor application security level over time


Vulnerability Assessments: Key components in overall security


Identifying Security Risks


Types of checks that are done

Privilege – Password settings, expiration

Authentication – Application Users, Logon Times

Configuration – Application security, configuration best practices

Version – Current fixes, patches, bundles

Other – Query Levels and access


Vulnerability Check Examples


Operator IDs associated with inactive employees

Usage of the ALLPAGES or other demo/delivered configuration

Ensure all Operator IDs/User IDs are assigned to an Employee

Permission lists with access to sensitive/security PeopleTools pages

Operator with access to Security and Functional pages

Users/Permission lists with ability to join more than 5 tables and unlimited sign-on ability


Application Scorecard



How can you be sure you are secure?

Delivered/Vanilla PeopleSoft scores an 11% on this assessment

A good amount of things can go wrong between 11% and 100%

Upgrades can introduce additional vulnerabilities
– Best practice is to benchmark before and after as well as over time

Have found instances of very low scores
– Some examples: 26%, 19%, 15%


Vulnerability Assessment Case Study

Customer: Leading Technology Company

Solution: PeopleSoft Application Vulnerability Assessment

Score: 26%

Results:
1. Found vulnerabilities in PeopleSoft configuration
2. Implemented immediate corrections within hours, others within days
3. Implemented database activity monitoring and ongoing vulnerability checks.
4. Improved audit reporting (2 audit reports to 20+) which proved PCI and SOX compliance.


DEMO

Vulnerability Assessment


Guardium Vulnerability Assessment Query-Based Test Builder

Louis Lam [email protected]


Agenda - Guardium Vulnerability Assessment

Build your own query-based test

Q&A


Query-based Test Builder

What is the query-based test builder?
– A tool that allows users to create their own custom tests, leveraging the VA infrastructure from existing Guardium predefined tests.
– Supports all the RDBMS database types that VA currently supports.
– Easy to deploy; requires little programming experience.
– Custom tests can be exported from one Guardium appliance to another using security assessment export.

Why create it?
– Most ERP systems and packaged applications control security within the application itself.
– Vulnerabilities can and often do exist within the application that no amount of database security will address.


Navigate To Query-based Test Builder

There are two ways to access the query-based test builder within the Guardium appliance.

– Access as a normal user:
1. Click on Assess/Harden tab.
2. Click on Assessment builder icon.
3. Click on Query-based Tests.
4. Click on New to create a new test.

– Access as an admin user:
1. Click on Tools tab.
2. Click on Security Assessment Builder under Config & Control tab with Tools.
3. Click on Query-based Tests.
4. Click on New to create a new test.


Creating a test, step by step

Test Name

– Name of the test you want to use.

– Ideally, give it a meaningful name that indicates what the test actually checks.

– Using a prefix is recommended so you can easily tell your tests apart from Guardium’s predefined tests.

– Example: “IBM - db_owner granted to users and roles”


Creating a test, step by step (Continued)

Database type

– Pick a database type from the drop down list.

– Example: “MS SQL SERVER”


Creating a test, step by step (Continued)

Category

– Pick a category from the drop down list.
• Privileges: Check for object creation and usage rights, privilege grants to DBAs and users, and system level rights.
• Authentication: Verify password policies, default vendor accounts, no empty passwords, remote login parameters, etc.
• Configuration: Check platform-specific variables such as maximum failed logins for DBA profiles.
• Version: Verify appropriate version numbers and patch levels.
• Other:

– Example: “Privilege”


Creating a test, step by step (Continued)

Severity

– Pick a severity level from the drop down list that best fits your test. Note, severity can be overridden in the assessment test tuning section. You may decide that the severity level for a given test in one datasource is higher than in another.

– Severity levels
• Critical
• Major
• Minor
• Cautionary
• Informational

– Example: “Major”


Creating a test, step by step (Continued)

Short description

– This is where you describe what your test does. The more descriptive the better. You can talk about scenarios that would cause your test to pass or fail.

– Example:
• “This test checks for the db_owner role granted to users or roles in each MSSQL database. A grantee with db_owner can perform all configuration and maintenance activities on the database. This test loops through all the databases in a given SQL Server instance. Granting the db_owner role should be limited to only a few in production. If you have the server role sysadmin, you would not need to be granted db_owner per database.”


Creating a test, step by step (Continued)

External Reference

– Any references you may use for this test like STIG, CIS, CVE, your company security policy benchmark, etc. This field can be left blank if you don’t have any references.

– Example: “Advanced VA feature demo”


Creating a test, step by step (Continued)

Result text for pass

– Reason why the datasource passed this test.

– Example: “db_owner database level role has not been granted to unauthorized grantee.”


Creating a test, step by step (Continued)

Result text for fail

– Reason why the datasource failed this test.
• Usually this means the configuration setting is not your recommended value.
• Privileges are granted to unauthorized grantees.
• Database might not be patched to some required level.

– Example: “db_owner database level role has been granted to unauthorized grantee.”


Creating a test, step by step (Continued)

Recommendation text for pass

– Any recommendation you want to provide when a datasource passes the test. Usually there is no recommendation when a test passes.

– Example: “No action required.”


Creating a test, step by step (Continued)

Recommendation text for fail

– Recommendation you are providing when a datasource fails your test. It is important to provide as much detail as you can when the test fails. You want to talk about conditions in your test that would cause a datasource to fail. Ideally, provide an example remediation syntax where possible so the end user knows what needs to be done to pass your test.

– Example: “We recommend that you revoke the db_owner role from unauthorized grantees. You can use this SQL Server example command for revoking such a privilege: EXEC sp_droprolemember N'db_owner', N'UserName or RoleName' GO. To exclude authorized grantees from this test, you can populate an exception group with your authorized grantees and link the group to this test.”


Creating a test, step by step (Continued)

SQL Statement

– This is the query your test will execute when connecting to a datasource. This can be a query or a union of queries. You can use T-SQL or PL/SQL as long as your code returns a valid value that can be compared in determining the condition for the test’s passing or failing criteria.

– Tips:
• When using a comment within a query, write it as /*my comment*/ instead of --my comment.
• Make sure you test your SQL syntax on a native database tool or JDBC tool first.
• When writing your SQL, it is best that the SQL returns a count(*) for comparison. The majority of the tests can be structured this way. You can return this within SQL Server or Sybase T-SQL as well: select count(*) from some_table where some_grant = 'bad'
• For Oracle, if you are using PL/SQL, the way to return a value from an anonymous block is via “? := retval;”. There will be an example for this in a later slide.
• Use %THRESHOLD% in the SQL syntax when you want your test to compare against some predefined default value and you want your end user to be able to override the default value used in the test comparison. There will be an example in a later slide.


Creating a test, step by step (Continued)

SQL Statement (Continued)

– Example:

SELECT COUNT(*)
FROM sys.database_role_members ro,
     sys.database_principals db_role,
     sys.database_principals grantee
WHERE ro.role_principal_id = db_role.principal_id
  AND ro.member_principal_id = grantee.principal_id
  AND db_role.name = 'db_owner'
  AND grantee.name <> 'dbo' /* Ignore the default dbo grant */


Creating a test, step by step (Continued)

SQL Statement – Oracle PL/SQL Example

declare
  nver number;
  retval integer := 0;
  sver varchar2(255) := '';
  strval varchar2(255) := '';
begin
  select VERSION into sver from V$INSTANCE;
  /* keep only "major.minor" of the version string, e.g. 11.2 */
  nver := to_number(substr(sver, 1, (instr(sver, '.', 1, 2) - 1)));
  if nver >= 11.1 then
    /* parameter only exists from 11.1 onwards */
    select VALUE into strval from V$PARAMETER
     where NAME = 'sec_case_sensitive_logon';
  end if;
  /* 0 = pass (parameter is TRUE or not applicable), 1 = fail */
  if (nver < 11.1 or strval = 'TRUE') then
    retval := 0;
  else
    retval := 1;
  end if;
  /* bind the result to Guardium's output variable */
  ? := retval;
end;


Creating a test, step by step (Continued)

SQL Statement for detail (Optional)

– This is the query your test will execute when connecting to a datasource. It only executes if the condition for the test fails. The purpose of this query is to provide the user with the detailed grants or configuration settings when a test fails, so the user will know what to remediate.

– Tips:
• All the tips from the SQL Statement are relevant here.
• When the SQL Statement for detail is used, the test allows an exception group when the test returns a failed score.
• All the columns projected by the SQL provided here must be concatenated into one field. See the example below.

– Example:

SELECT 'Grantee = ' + grantee.name collate DATABASE_DEFAULT +
       ' : Grantee_type = ' + grantee.type_desc collate DATABASE_DEFAULT
FROM sys.database_role_members ro,
     sys.database_principals db_role,
     sys.database_principals grantee
WHERE ro.role_principal_id = db_role.principal_id
  AND ro.member_principal_id = grantee.principal_id
  AND db_role.name = 'db_owner'
  AND grantee.name <> 'dbo'


Creating a test, step by step (Continued)

Pre test check SQL (Optional)

– Lets you write SQL that checks for a condition to determine if the test should execute or not. This is useful when you are querying against a database that may or may not have the tables or columns you are looking for.

• A ‘0’ return value from your SQL here means the test should not be executed and therefore the test does not get a pass or fail score.

• A ‘1’ return value from your SQL here means the test should continue and has passed the pre-test check requirement.

– Example:

select count(*)
from sys.all_objects
where name = 'database_principals'
  and schema_name(schema_id) = 'sys'


Creating a test, step by step (Continued)

Pre test fail message (Optional)

– If the “pre test check SQL” returns ‘0’, then the test will not execute. In this case, it will display the text you wrote in the “pre test fail message” field.

– Example: “sys.database_principals view is not found in your system catalog. This test will not execute, please research why this system view is missing.”


Creating a test, step by step (Continued)

Loop databases & DB loop flag (Optional)

– Loop databases allows you to write SQL indicating which databases your SQL statement should execute against. This is only supported in the following database types: Informix, SQL Server, Sybase ASE, PostgreSQL and MySQL. The looping is performed if the DB loop flag box is checked. You can use this function only when the test returns an integer value for comparison.

– Example:

select name from sys.databases

Or

db_name1, db_name2……db_name(n)


Creating a test, step by step (Continued)

Detail prefix (Optional)

– Enter a Detail prefix that will appear at the beginning of the string details returned by the SQL statement for detail.

– Example: “Grantees with db_owner role.”


Creating a test, step by step (Continued)

Bind output variable (Optional)

– Check the "Bind output variable" checkbox if the entered text in the SQL statement is a procedural block of code that will return a value that should be bound to an internal Guardium variable that will be used in the comparison to the "Compare to" value.

– Example: See slide 21 for how this is used for Oracle PL/SQL.


Creating a test, step by step (Continued)

Use Threshold (Optional)

– Check the “Use threshold” checkbox if you allow use of threshold values for your test.

• For example, suppose you are testing for a backup configuration setting that should be kept at 12 backups or more. A different division may not agree with your requirement and decide that 8 should be their minimum and not 12. In this case, you can set your test default threshold value as 12, but allow the end users to change your threshold when they execute the assessment. Your SQL statement would have to change to use this Guardium specific feature.

– In your SQL, you would substitute the actual value you are comparing, which is 12, with %THRESHOLD%. You would then define the default value for your %THRESHOLD%, which would be 12, in the “default threshold value” column. You also need to define a prompt in “Prompt for threshold”, so the user knows the threshold can be changed.

– The next two slides will demonstrate the use of threshold.


Creating a test, step by step (Continued)

Use Threshold – Example (Optional)

– Here is a SQL statement without using threshold (DB2; the hard-coded minimum of 12 backups is the value the threshold feature will replace).

SELECT COUNT(*) FROM (
    SELECT CAST(VALUE AS INTEGER) AS VALUE
    FROM SYSIBMADM.DBCFG
    WHERE LOWER(NAME) = 'num_db_backups'
) AS RESULT
WHERE VALUE < 12


Creating a test, step by step (Continued)

Use Threshold – Example (Optional)

– Here is the same SQL statement using threshold: the literal 12 is replaced by the %THRESHOLD% placeholder, which Guardium fills in with the default threshold value or the value the user enters when the assessment runs.

SELECT COUNT(*) FROM (
    SELECT CAST(VALUE AS INTEGER) AS VALUE
    FROM SYSIBMADM.DBCFG
    WHERE LOWER(NAME) = 'num_db_backups'
) AS RESULT
WHERE VALUE < %THRESHOLD%


Creating a test, step by step (Continued)

Return Type, Operator and Compare to Value.

– Return type is the datatype that your SQL statement returns. This can be integer, date or string.

– Operator is the operator used to compare your SQL statement's result to the “Compare to value”. The available operators are in a drop-down list (=, <=, >=, <, >).

– Compare to value is the value you are comparing against the result of your SQL statement. If the condition is met, the test passes; otherwise it fails.

Example:

– The above example shows that our SQL statement returns an integer value for us to compare. If the value of that integer is zero, the test we created in this presentation passes. If the SQL statement returns anything else, our test returns a failed grade because it found some condition that violates the logic of the test.


Creating a test, step by step (Continued)

Applicable Version From and Applicable Version To (optional).

– Applicable version from and applicable version to: Use these two fields if you want to control which versions of the database your test should be executed on. The format that should be used is ##.##

• For example, Oracle 11gR2 would be 11.2 and DB2 v10.5 would be 10.5. For SQL Server, we follow the actual Microsoft version convention: SQL Server 2005 would be 9.00 and SQL Server 2008R2 would be 10.50.

Example:

– In our example, we are saying we want our test to execute against SQL Server 2005 and higher only, since the catalog objects we used are only available in SQL Server 2005 and newer. Since we have not put in an “applicable version to”, our test can run against any later SQL Server release.
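To make the threshold, return type, operator, compare-to and applicable-version mechanics from the preceding slides concrete, here is an added Python example. It is not Guardium code and not from this deck: it runs the DB2 statement from the threshold slides unchanged against an in-memory SQLite stand-in for SYSIBMADM.DBCFG (attached under the SYSIBMADM schema name), substitutes %THRESHOLD%, casts the result by return type, applies the operator against the compare-to value, and skips the test when the database version falls outside the applicable range. The test-definition dictionary, the 10.5 lower version bound, the run_test/version_applies/make_db function names and the sample DBCFG row are all assumptions made for the example; real Guardium evaluates tests against the monitored database, not SQLite.

```python
import sqlite3
from datetime import date

# Constructed stand-in for the test-definition fields shown on the slides.
# The SQL is the DB2 statement from the deck; the other fields are assumptions.
THRESHOLD_TEST = {
    "sql": """
        SELECT COUNT(*) FROM (
            SELECT CAST(VALUE AS INTEGER) AS VALUE
            FROM SYSIBMADM.DBCFG
            WHERE LOWER(NAME) = 'num_db_backups'
        ) AS RESULT
        WHERE VALUE < %THRESHOLD%
    """,
    "default_threshold": 12,   # "default threshold value" column
    "return_type": "integer",  # integer, date or string
    "operator": "=",           # one of =, <=, >=, <, >
    "compare_to": 0,           # zero violations means the test passes
    "version_from": "10.5",    # hypothetical: DB2 v10.5 and later only
    "version_to": None,        # no upper bound, as in the deck's example
}

# The operators offered in the drop-down list.
OPERATORS = {
    "=": lambda a, b: a == b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}

# How the raw database result is coerced for each return type.
CASTS = {
    "integer": int,
    "string": str,
    "date": lambda v: date.fromisoformat(str(v)),
}


def parse_version(text):
    """Parse the ##.## format into (major, minor) integers.

    Compared as strings, '9.00' would sort after '10.50' (because '9' > '1'),
    which is exactly the mistake a tuple comparison avoids.
    """
    major, minor = text.split(".")
    return int(major), int(minor)


def version_applies(db_version, version_from=None, version_to=None):
    """True when db_version is within the inclusive [from, to] range."""
    v = parse_version(db_version)
    if version_from and v < parse_version(version_from):
        return False
    if version_to and v > parse_version(version_to):
        return False
    return True


def substitute_threshold(sql, threshold):
    """Fill %THRESHOLD% with an integer only, so the placeholder can never carry SQL text."""
    if isinstance(threshold, bool) or not isinstance(threshold, int):
        raise TypeError("threshold must be an int")
    return sql.replace("%THRESHOLD%", str(threshold))


def make_db(num_db_backups):
    """Constructed SQLite stand-in for DB2's SYSIBMADM.DBCFG with one config row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS SYSIBMADM")
    conn.execute("CREATE TABLE SYSIBMADM.DBCFG (NAME TEXT, VALUE TEXT)")
    conn.execute(
        "INSERT INTO SYSIBMADM.DBCFG VALUES ('NUM_DB_BACKUPS', ?)",
        (str(num_db_backups),),
    )
    conn.commit()
    return conn


def run_test(conn, test, db_version, threshold=None):
    """Return ('skipped', None), ('pass', value) or ('fail', value).

    threshold=None uses the test's default; a user-supplied value overrides it,
    which is the per-division override the deck describes.
    """
    if not version_applies(db_version, test["version_from"], test["version_to"]):
        return "skipped", None
    effective = test["default_threshold"] if threshold is None else threshold
    sql = substitute_threshold(test["sql"], effective)
    raw = conn.execute(sql).fetchone()[0]
    value = CASTS[test["return_type"]](raw)
    passed = OPERATORS[test["operator"]](value, test["compare_to"])
    return ("pass" if passed else "fail"), value


if __name__ == "__main__":
    # 8 backups kept against the default minimum of 12: one violation, test fails.
    print(run_test(make_db(8), THRESHOLD_TEST, "10.5"))
    # Same database, but the division lowered the threshold to 8: test passes.
    print(run_test(make_db(8), THRESHOLD_TEST, "10.5", threshold=8))
    # Database version below "applicable version from": test is skipped.
    print(run_test(make_db(8), THRESHOLD_TEST, "9.7"))
```

The point of the stand-in is to show that the test definition itself stays fixed while the threshold and the target database version vary; the pass/fail decision is entirely a product of return type, operator and compare-to value applied to whatever the statement returns.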


Creating a test, step by step (Continued)

Our example test execution result.

– This is an execution of our example that ran against a SQL Server 2005 server, where it found some db_owner grantees; it shows its findings and gives this test a failed score.


Creating a test, step by step (Continued)

Our example test execution result.

– This is an execution of our example that ran against a SQL Server 2005 server, did not find any db_owner grantee, and gives this test a passing score.


Thank you (slide shows “thank you” in many languages): Gracias, Merci, Grazie, Obrigado, Danke, Tack, Dziękuję.


Information, training, and community

– InfoSphere Guardium Vulnerability Assessment Evaluation Edition on developerWorks

– InfoSphere Guardium YouTube Channel – includes overviews and technical demos

– developerWorks forum (very active)

– Guardium DAM User Group on Linked-In (very active)

– Community on developerWorks (includes content and links to a myriad of sources, articles, etc.)

– Guardium Info Center

– InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Send a note to [email protected] if interested.


Reminder: Guardium Tech Talks

Links to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o

Please submit a comment on this page for ideas for tech talk topics.

Next tech talk: What is this thing called Hadoop and how do I secure it?

Speakers: Kathy Zeidenstein and Sundari Voruganti

Date & Time: Thursday, July 17th, 2014

11:30 AM Eastern Time (75 minutes)

Register here: http://bit.ly/SinP6o