SQL Server Security – A to Z
Oded Raz | CEO | Brillix Ltd
What is Security?
(word cloud) Firewall, Authentication, Smart Card, Public Key Infrastructure, SSL, Encryption, LDAP, Single Sign-On, Authorization, Virtual Private Network, BS7799, Auditing, X.509 Certificate, Password, Kerberos, Intrusion Detection, DMZ, Anti Virus, RADIUS, Non Repudiation, Proxy, One Time Password, IPSEC, Access List
CIA
• “The Big Three” goal: Confidentiality, Integrity, Availability
• 100% is impossible!
  – Is 99.99% good enough?
• Risk Management
  – Assets
  – Threats
  – Vulnerabilities
  – Risks
Achieving Security
• The assets and threats are there
• Use Controls to limit vulnerabilities:
  – Preventative
  – Detective
  – Reactive
• Controls have many forms
  – Technical
  – Physical
  – Administrative
“The only effective security program is one based on multi-layered solutions, both technological and organizational” – J.G., 1991
The “Classic” Security Layers
• Network
• Application - Software
• Physical
• Human integrity
• Policies and procedures
Network Security (diagram): Network IDS, Firewall, Host IDS, Scanner
Network & Host Security
The Problem
• TCP/IP is common knowledge and not secured.
• “Weak links” in complex architectures.
• Relatively easy to attack without being detected: no time constraint, freely available hacking tools.
• Denial of service attacks.
• Eavesdropping on the radiation of transmission media.
Network & Host Security
The Solution
• Firewalls:
  – Network
  – Application
  – Database
• Encryption of data during transmission – VPN, SSL and more
• IDS – on the network level
• ACLs for routers
• Scanner
The “Classic” Security Layers: Application - Software
Application Security
• “Inside the application” security mechanisms
  – Identification / authentication
  – User management
  – Authorization
  – Auditing
• “Around the application” security mechanisms
  – Reverse proxy
  – Application-level firewall
Application Security - Building Blocks (diagram)
• Identification: user name / user ID
• Authentication: user + password, smart card, certificates, biometrics, smart card + biometrics
• Session: session management service
• Authorization: authorization service
• Auditing: auditing service
Managing Applications (diagram): each application carries its own copy of these blocks (identification, authentication, session management, authorization and auditing services).
Multi-Application Problem
• Administrative problems
  – Efficiently provisioning users for applications
  – Limited/no ability to delegate administration
• Usability problems
  – Different user names/passwords
  – Little/no personalization of portal content
• Security problems
  – Inconsistent password management policies
  – Fragmented security policy enforcement
Vulnerabilities By Industry – 2010 (chart)
Top Web Site Vulnerabilities – 2010 (chart)
Buffer Overflow
Buffer Overflow - Wikipedia
• It can be triggered by malicious input crafted to execute arbitrary, possibly malicious, code, or to make the program operate in an unintended way; this is the source of many software vulnerabilities.
• The problem can be avoided by sufficient bounds checking by the programmer or by a language that provides bounds checking as a language feature.
Severity
• The effectiveness of the buffer overflow attack has been common knowledge in software circles since the 1980s
• The Internet Worm used it in November 1988 to gain unauthorized access to many networks and systems nationwide
• Still used today by hacking tools to gain “root” access to otherwise protected computers
HISTORY - Real World Scenarios
• Multiple IIS vulnerabilities give System-level access
• Security researchers are warning of a potentially nasty buffer over-run flaw in Oracle Database
• Users of the WinAmp player should upgrade to version 2.80 to avoid a vulnerability
Code Red Example
• /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
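Added example (not part of the original slides): a small Python detector that flags requests with the Code Red shape shown above (a long run of one filler letter after /default.ida? followed by %u-encoded bytes) in constructed IIS-style log lines. The log layout, the sample lines and the run-length threshold of 100 are assumptions made for this example.

```python
import re

# Request shape of the probe on the slide: GET /default.ida? followed by a long
# run of a single filler letter (N in the original) and then %uXXXX-encoded
# bytes. The run length of 100 is an assumed threshold that separates the
# probe from ordinary requests to the same path.
CODE_RED_RE = re.compile(
    r"/default\.ida\?(?P<fill>[A-Za-z])(?P=fill){100,}.*%u[0-9a-fA-F]{4}",
    re.IGNORECASE,
)

# Constructed IIS-style log lines: date time client-ip method uri status.
SAMPLE_LOG = "\n".join([
    "2001-07-19 10:00:01 10.0.0.5 GET /index.htm 200",
    "2001-07-19 10:00:02 10.0.0.9 GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u00=a 200",
    "2001-07-19 10:00:03 10.0.0.9 GET /default.ida?" + "X" * 224
    + "%u9090%u6858%ucbd3%u7801%u00=a 200",
    "2001-07-19 10:00:04 10.0.0.7 GET /default.ida?NNNN 404",
])


def is_code_red_request(uri: str) -> bool:
    """True when the URI matches the probe shape; the HTTP status is not used,
    since the request is what we want to see regardless of how IIS answered."""
    return CODE_RED_RE.search(uri) is not None


def scan_log(text: str):
    """Return (client_ip, first 30 chars of the URI) for every flagged request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or truncated line
        _date, _time, client, method, uri, _status = fields[:6]
        if method == "GET" and is_code_red_request(uri):
            hits.append((client, uri[:30]))
    return hits


if __name__ == "__main__":
    for client, uri in scan_log(SAMPLE_LOG):
        print(f"Code Red probe from {client}: {uri}...")
```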
Stacks and Processes
• Assume we are in main(), and we make a procedure call to myFunction(char *str).
• myFunction() accesses the variables that are passed to it via the stack.
• The system knows where to resume execution of main() when myFunction() has terminated via the return address.
• The stack works just like a regular stack data structure, with push and pop.
Diagram: the stack holds Variable x and Variable y; Push z places Variable z on top; Temp = Pop() removes it, and Temp is now assigned the value z.
Stacks and Processes – Cont’
In our case, when we call myFunction(char *str), here is what happens.
int main(void) {
    char bufferA[256];
    myFunction(bufferA);   /* pass the address of the 256-byte buffer */
    return 0;
}
When we get here, the OS executes the following instructions:
    push(bufferA);
    call myFunction;
Our stack now looks like this (bottom to top): Previous stack content, bufferA
Stacks and Processes - Cont’
• Now we are executing the code in myFunction(). As in any procedure, the first thing myFunction() does is push its local variables (bufferB[16] in this case) onto the stack. This variable, as defined in myFunction(), is 16 bytes long, so the OS will allocate 16 bytes on the stack for it.
Our stack now looks like this (bottom to top): Previous stack content, bufferA, Return Address, OS data
Stacks and Processes - Cont’
Our stack now looks like this (bottom to top): Previous stack content, bufferA, Return address, OS data, bufferB (16 bytes long)
void myFunction(char *str) {
    char bufferB[16];
    strcpy(bufferB, str);   /* no length check: str may be far longer than 16 bytes */
}
Buffer Overflow Attacks
• main() passes a 256-byte array to myFunction(), and myFunction() copies it into a 16-byte array, attempting to fill bufferB[16] with 240 bytes of data. Since there is no check on whether bufferB is big enough, the extra data overwrites other unknown space in memory.
• This vulnerability is the basis of buffer overflow attacks. How is it used to harm a system? It modifies the system stack.
#include <string.h>

void myFunction(char *str) {
    char bufferB[16];
    strcpy(bufferB, str);   /* unbounded copy: overflows bufferB whenever str is longer than 15 characters */
}

int main(void) {
    char bufferA[256];
    myFunction(bufferA);
    return 0;
}
Implications
• Usually, the hacker wants to write code to gain access to the computer or gain more privileges on the system. Once this occurs, a number of system violations or damage can easily be performed.
• Corrupts or damages the running program, causing it to fail or to produce incorrect results with other programs
• Can corrupt programs, causing them to disclose confidential information
• Can corrupt a program, take remote control of it, and have it do undesired things
Example Buffer Overflow Code
void CopyString(char *dest, char *source) {
    while (*source) {
        *dest++ = *source++;   /* no bounds check on dest, and no terminating NUL is copied */
    }
}

void Example(void) {
    char buffer[16];
    CopyString(buffer, "This string is too long!");   /* 24 characters copied into a 16-byte buffer */
}
Application Buffer Overflow - Example (screenshots)
SQL Injection
A Real-Life Example (screenshot, taken from nrg.co.il)
Impact of SQL Injection
• Bypassing authentication mechanisms
  – select id from users where name='admin' and password='' or '1'='1'
• Information disclosure
  – select phone from users where name='' UNION select credit_num from users --'
• Information tampering
  – select usr_id from clients where name=''; update clients set debt=0;--
• Database corrupting
  – select usr_id from clients where name=''; drop table clients;--
• Command execution
  – select picture from animals where name='';EXEC master.dbo.xp_cmdshell 'format /y c:'
Authentication Bypass
The Naive Case - Identification Inputs (screenshot)
Authentication Bypass
Naive Case – Identification Process
– "SELECT FamilyName FROM Users WHERE Username = '" & request.QueryString("username") & "' AND Password = '" & request.QueryString("password") & "'"
– SELECT FamilyName FROM Users WHERE Username = 'Michael' AND Password = 'imbad'
Authentication Bypass
Hacker Case – Identification Process
– "SELECT FamilyName FROM Users WHERE Username = '" & request.QueryString("username") & "' AND Password = '" & request.QueryString("password") & "'"
– SELECT FamilyName FROM Users WHERE Username = 'Michael' AND Password = 'a' or '1'='1'
– SELECT FamilyName FROM Users WHERE Username = 'Michael' AND Password = 'a' or true;
– SELECT FamilyName FROM Users
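Added example (not from the original slides): the naive and hacker cases above, reproduced in Python against a constructed in-memory SQLite table, with the concatenated query beside the parameterized form that closes the bypass. The slide's original is ASP against SQL Server; SQLite is used here only so the example runs stand-alone, and the same parameter binding applies with any SQL Server driver.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed Users table shaped like the one behind the slide's query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT, FamilyName TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                   [("Michael", "imbad", "Cohen"), ("Dana", "s3cret", "Levi")])
    return db


def lookup_vulnerable(db, username: str, password: str) -> list:
    """String concatenation, the same pattern as the slide's
    request.QueryString("username") & "'..." code: user input becomes SQL text."""
    sql = ("SELECT FamilyName FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, username: str, password: str) -> list:
    """Bound parameters: the values travel separately from the statement, so a
    quote in the input stays data and never becomes part of the WHERE clause."""
    sql = "SELECT FamilyName FROM Users WHERE Username = ? AND Password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


def demo():
    """Returns (legitimate login, bypass input against the vulnerable query,
    the same bypass input against the parameterized query)."""
    db = make_db()
    bypass = "a' or '1'='1"   # the password value from the Hacker Case slide
    return (lookup_vulnerable(db, "Michael", "imbad"),
            lookup_vulnerable(db, "Michael", bypass),
            lookup_parameterized(db, "Michael", bypass))


if __name__ == "__main__":
    legit, bypassed, safe = demo()
    print("legitimate:", legit)          # ['Cohen']
    print("vulnerable + bypass:", bypassed)  # every row: the WHERE clause became ... OR '1'='1'
    print("parameterized + bypass:", safe)   # []
```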
How Prevalent Is XSS? 2006
2006 Statistics (January 1 – December 31) (chart)
http://webappsec.org/projects/statistics/
How Prevalent Is XSS? 2007
The overall statistics include analysis results of 32,717 sites and 69,476 vulnerabilities
2007 Statistics (January 1 – December 31) (chart)
http://webappsec.org/projects/statistics/
Definition
• Any way to fool a legitimate web site into sending malicious code to a user’s browser
• Almost always involves user (third-party) content
  – Error messages
  – User comments
  – Links
• References
  – http://www.cert.org/archive/pdf/cross_site_scripting.pdf (Jason Rafail, Nov. 2001)
  – http://www.spidynamics.com/support/whitepapers/SPIcross-sitescripting.pdf
Definition
A technique that allows hackers to:
• Execute malicious script in a client’s Web browser
• Insert <script>, <object>, <applet>, <form>, and <embed> tags
• Steal Web session information and authentication cookies
• Any Web page that renders HTML containing user input is vulnerable
XSS - Demo (screenshots)
Protection = Input Validation
• Assume all input is malicious
• Centralize your approach
  – Use Web Application Firewalls
• Do not rely on client-side validation
• Be careful with canonicalization issues
• CVS doctrine - Constrain, Validate & Sanitize
The “Classic” Security Layers: Physical
Physical Layer
• The Problem:
  – Almost unlimited capabilities when having physical access to network devices.
• The Solution:
  – Strong authentication means: tokens, smart cards, biometrics.
  – Locked servers and communication hardware.
  – Locked workstations and drives.
  – Locked backup tapes and removable memory devices.
  – Security devices: cameras, alarms, patrols.
  – Selective entrance to sensitive areas.
The “Classic” Security Layers: Human integrity
Human Integrity
• The Problem
  – Computer crime, industrial espionage, sabotage, theft - by dishonest or disgruntled employees, authorized users, technicians.
• The Solution
  – Checking honesty “certificates”.
  – Auditing and forensic tools.
  – Appropriate policies and procedures.
The “Classic” Security Layers: Policies and procedures
Policies and Procedures
• The Problem
  – Security breaches caused by:
    • Lack of realistic security policies and procedures.
    • No enforcement of security policies and procedures.
    • Low awareness of security policies and procedures.
• The Solution
  – Risk assessment.
  – Security policy writing.
  – Procedures writing as derived from policy.
  – Awareness program.
  – Enforcement.
DBA/Insider Theft Remains Key Concern
“The most common mistake is to assume that something "behind the firewall" will not be attacked, or alternatively, that insiders are all upstanding citizens.” – Mary Ann Davidson, Chief Security Officer, Oracle
“Gartner estimates that 70 percent of security incidents that actually cause loss to enterprises – rather than mere annoyance – involve insiders, … Enterprises must broaden their approach to securing Internet-exposed applications and servers.” – John Pescatore, Gartner
“The increasing sophistication of business applications requires a similarly sophisticated application-centric approach to security.” – David Thompson, META Group
DBA/Insider Theft Remains Key Concern
• 80% of threats come from insiders
• 65% of internal threats are undetected
• 60% of data loss/corruption due to human error
• 30% concerned about DBA threat
• 50% looking at monitoring insider/DBA threats
The ‘Insider Threat’ – the Facts (chart)
Data Security – Vulnerabilities
• Misconfigurations & administration malpractice
  • Default users, initial parameters …
  • Applying security patches
  • Permissions management
• ID & password control
  • One user, one IP
  • Shared users
• Applications & application-level attacks
  • SQL injection
  • Session management
  • Application-level ACLs
Oracle 10g DoS Sample
Details
Buffer Overflow in SYS.PBSDE.INIT. This function has EXECUTE permission granted to SYSDBA or EXECUTE_CATALOG_ROLE. Members of these groups can exploit this vulnerability and crash the database or execute arbitrary code.
Example
SQL> exec sys.pbsde.init('AA',TRUE,'MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON',NULL);BEGIN sys.pbsde.init('AA',TRUE,'MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON_MARY_ANN_DAVIDSON',NULL); END;
*
ERROR at line 1:
ORA-03113: end-of-file on communication channel
Workaround
Revoke the execute privilege on sys.pbsde.init from public:
revoke execute on sys.pbsde from public;
Common Application Architecture (diagram)
Components: Users → Web Application (user authentication via X.509 / SSL; access control against Active Directory) → Application Server → Oracle DB, which the application server reaches as a Privileged User; application users are held in a Users table.
Motivation for using database encryption
• Hide data from the DBA
• Comply with regulations - PCI
• Last line of defense
• Encrypt data on external media (backups)
• Many more reasons
Encryption challenges
• Who is responsible for the entire key management?
• Key is lost, data is lost!
• Indexing encrypted data – database performance.
• Who are we hiding from?
SQL Server Encryption (key hierarchy)
• DPAPI encrypts the Service Master Key
• The Service Master Key encrypts the Database Master Key
Asymmetric Encryption
• More secure encryption
• Only suitable for small amounts of data
• Certificates and asymmetric keys both provide the same RSA asymmetric encryption capabilities
• Nondeterministic
Symmetric Encryption
• Orders of magnitude faster than asymmetric encryption
• Symmetric keys may be secured with a password, symmetric key, certificate, and/or asymmetric key
• Supported encryption algorithms: DES, TRIPLE_DES, RC2, RC4, RC4_128, DESX, AES (128, 192, or 256)
• Nondeterministic
Key Management
• Keys can be fixed or computed
• Key management can be handled in many ways:
  – With the client
  – On the server file system
  – In the database
Computed Keys
• For every row a different key is dynamically generated.
• Advantages
  – No need to store keys in the database
  – Every value has a different key
• Disadvantages
  – The algorithm that generates the key must be protected
Computed Keys - Sample
-- Open the symmetric key with which to encrypt the data
OPEN SYMMETRIC KEY SALARY_Key11 DECRYPTION BY CERTIFICATE Sales09;
-- Encrypt the value in column Base_Pay with the symmetric key (the literal 6600
-- stands in for the plaintext salary). Employee_ID is passed as the authenticator,
-- so each row's ciphertext is tied to its own Employee_ID and cannot be moved to
-- another row
UPDATE HR.Employee
SET Base_Pay = EncryptByKey(Key_GUID('SALARY_Key11'), 6600, 1, CONVERT(varbinary, Employee_ID));
Encryption (diagram)
Package Interception
• The following approach works (in most cases) without DBA permission, and a hacker is able to intercept all encryption keys
• With DBA permission a hacker or malicious DBA can ALWAYS intercept the encryption key
Decrypting the TDE Architecture (key hierarchy)
• DPAPI encrypts the Service Master Key
• The Service Master Key encrypts the Database Master Key
• The Database Master Key encrypts the Certificate in the master database
• The Certificate encrypts the Database Encryption Key
Transparent Database Encryption (screenshots)
What is data masking?
What
• The act of anonymizing customer, financial, or company-confidential data to create new, legible data that retains the data's properties, such as its width, type, and format.
Why
• To protect confidential data in test environments when the data is used by developers or offshore vendors
• When customer data is shared with 3rd parties without revealing personally identifiable information
Source data:
LAST_NAME   SSN           SALARY
AGUILAR     203-33-3234   40,000
BENSON      323-22-2943   60,000
D’SOUZA     989-22-2403   80,000
FIORANO     093-44-3823   45,000
Masked data:
LAST_NAME   SSN           SALARY
ANSKEKSL    111-23-1111   40,000
BKJHHEIEDK  111-34-1345   60,000
KDDEHLHESA  111-97-2749   80,000
FPENZXIEK   111-49-3849   45,000
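Added example (not from the original slides): a Python masker that produces output in the shape of the masked table above, keeping the SSN layout with the fixed 111 prefix, the name width, and the salary, while making the masking deterministic with a keyed hash so the same source value always masks to the same output and joins across masked tables still line up. The secret and the sample rows are constructed for this example.

```python
import hashlib
import hmac
import string

# Assumed secret (constructed for this example); in practice it is held outside
# the test environment. Keying the hash makes masking repeatable without a
# lookup table, and the output cannot be reversed without the secret.
MASK_SECRET = b"example-masking-secret"


def _byte_stream(value: str, tag: str):
    """Pseudo-random bytes derived from the secret, the field tag and the value.
    The small modulo bias in the callers is acceptable for test data."""
    counter = 0
    while True:
        msg = f"{tag}:{value}:{counter}".encode()
        yield from hmac.new(MASK_SECRET, msg, hashlib.sha256).digest()
        counter += 1


def mask_ssn(ssn: str) -> str:
    """Keep the NNN-NN-NNNN layout and the fixed 111 area prefix used in the
    masked table; the remaining six digits are replaced."""
    if (len(ssn) != 11 or ssn[3] != "-" or ssn[6] != "-"
            or not ssn.replace("-", "").isdigit()):
        raise ValueError(f"not SSN-shaped: {ssn!r}")
    rnd = _byte_stream(ssn, "ssn")
    out = ["1", "1", "1", "-"]
    for ch in ssn[4:]:
        out.append("-" if ch == "-" else str(next(rnd) % 10))
    return "".join(out)


def mask_last_name(name: str) -> str:
    """Replace every letter with a random uppercase letter, keeping the width
    and any punctuation (D'SOUZA stays 7 characters with the apostrophe in place)."""
    rnd = _byte_stream(name, "name")
    letters = string.ascii_uppercase
    return "".join(letters[next(rnd) % 26] if ch.isalpha() else ch for ch in name)


def mask_row(row: dict) -> dict:
    """SALARY is left untouched: the masked set keeps the original distribution."""
    return {"LAST_NAME": mask_last_name(row["LAST_NAME"]),
            "SSN": mask_ssn(row["SSN"]),
            "SALARY": row["SALARY"]}


def mask_table(rows):
    return [mask_row(r) for r in rows]


# Constructed rows mirroring the source table on the slide.
SOURCE_ROWS = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
    {"LAST_NAME": "D'SOUZA", "SSN": "989-22-2403", "SALARY": 80000},
    {"LAST_NAME": "FIORANO", "SSN": "093-44-3823", "SALARY": 45000},
]

if __name__ == "__main__":
    for src, dst in zip(SOURCE_ROWS, mask_table(SOURCE_ROWS)):
        print(src["LAST_NAME"], src["SSN"], "->",
              dst["LAST_NAME"], dst["SSN"], dst["SALARY"])
```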
Policy Management (screenshot)
Audit (screenshot)
2008 Improvements
• The Surface Area Configuration Tool (SAC) has been deprecated.
• SAC has been replaced with Policy Based Management.
• Kerberos authentication has been expanded to include all protocols in the SQL Server stack.
• SQL Server 2008 is tightly integrated with Windows Server 2008 and Active Directory Domain Services.
2008 Improvements
• It is now possible to rename the SA account during a fresh installation.
• The local Windows group BUILTIN\Administrators is no longer included in the SQL Server sysadmin server role.
• SQL Server accounts follow the principle of least privilege: they are better protected and further isolated from the operating system.
SQL Server Hardening
• Use only Windows authentication if possible.
• If using Mixed Mode, disable and rename the sa login:
USE [master];
GO
ALTER LOGIN sa DISABLE;
GO
ALTER LOGIN sa WITH NAME = [KING];
GO
SQL Server Hardening
• Install only needed components.
• Disable unneeded network protocols.
• Change the listening port; do not use 1433.
• Hide the SQL Server instance.
• Run SQL Server services under a dedicated OS user.
• Remove the SQL Server service user from the Administrators group.
SQL Server Hardening
• Remove the BUILTIN\Administrators Windows group from the sysadmin server role.
• Enable auditing for both successful and unsuccessful logins.
• Use SQL Server Audit.
Compliance
1. The act of conforming, acquiescing, or yielding.
2. A tendency to yield readily to others, esp. in a weak and subservient way.
3. Conformity; accordance: in compliance with orders.
4. Cooperation or obedience: Compliance with the law is expected of all.
What is SOX?
1. A short stocking usually reaching to the calf or just above the ankle.
2. A lightweight shoe worn by ancient Greek and Roman comic actors.
3. Comic writing for the theater; comedy or comic drama.
4. Furniture. A raised vertical area of a club or pad foot.
What is SOX?
"To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes”
Sarbanes-Oxley is US legislation enacted on July 30, 2002
AKA: Public Company Accounting Reform and Investor Protection Act of 2002, SOX, Sarbox, CPA Employment Act :)
Put forth in part because of accounting scandals at corporations such as Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom that cost investors billions of dollars
Sections
1) Public Company Accounting Oversight Board (PCAOB)
2) Auditor Independence
3) Corporate Responsibility
4) Enhanced Financial Disclosures
5) Analyst Conflicts of Interest
6) Commission Resources and Authority
7) Studies and Reports
8) Corporate and Criminal Fraud Accountability
9) White Collar Crime Penalty Enhancement
10) Corporate Tax Returns
11) Corporate Fraud Accountability
Key Provisions
SOX Section 302: Internal control certifications
SOX Section 404: Assessment of internal control
SOX Section 802: Criminal penalties for violation of SOX
CIA & SOX (diagram: Confidentiality, Integrity, Availability)
SOX Section 302: Internal control certifications
Holds the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) personally responsible to certify that financial reports are accurate and complete.
They must also assess and report on the effectiveness of internal controls around financial reporting.
CEOs and CFOs now face the potential for criminal fraud liability.
Section 302 does not specifically list which internal controls must be assessed.
SOX Section 404: Assessment of internal control
• Understand the flow of transactions, including IT aspects
• Perform a fraud risk assessment
• Evaluate controls designed to prevent or detect fraud
• Conclude on the adequacy of internal control over financial reporting.
SOX Section 802: Criminal penalties for violation of SOX
"Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."
So, after all of that, what does SOX have to do with information security?
Nothing Really !!!
Control of access to financial records
• FGA
• Encryption
• Hardening – both DB & OS
Detection of modification
• AUDIT, AUDIT, AUDIT, AUDIT
Prevention of data loss and contingent liabilities
• Mirroring / Log Shipping
Need 2 Feature
Bank of Israel – Proper Conduct of Banking Business Directives
357 – Information Technology Management
These files constitute the directives of the Supervisor of Banks, reflecting his position on the norms required for proper conduct of banking business in various areas.
Main points of the directive
The board of directors of a banking corporation is required to hold a periodic discussion and to set an information technology management policy within the banking corporation's computing policy. The policy must, among other things, address information security, backup and recovery principles for failures and disasters, outsourcing, development policy (including end-user development), and the use of new technologies.
Section 4 – Appointing a person in charge
The management of a banking corporation is required to appoint a manager with suitable training and experience, who bears responsibility for all information technology matters.
Sections 5 and 6 – Procedures and documentation
A banking corporation is required to establish detailed procedures for every stage and every process dealing with the management, operation, security, backup, survivability and control of information technology.
Section 7 – Risk assessment
A banking corporation is required to perform a risk assessment that is updated on an ongoing basis and, in accordance with that assessment, to take the measures required to minimize the possibility of harm.
Section 8 – Appointing an information security manager
The management of a banking corporation is required to appoint an information security manager, to prevent conflicts of interest, and to define the manager's areas of responsibility.
Section 9 – Security surveys and penetration tests
A banking corporation shall conduct a security survey of its information technology array in accordance with its risk assessment. The survey shall evaluate the effectiveness of the protective measures, with reference to the risk assessment, in the systems defined by the banking corporation, and shall propose ways to correct the deficiencies found.
Section 10 – User identification and authentication
A precondition for granting access to the banking corporation's systems shall be personal identification of every party that has access.
Section 11 – Connecting a banking corporation to the Internet
Such connectivity is permitted for providing online banking services and for connectivity of the banking corporation's employees, subject to the restrictions detailed in the directive. In addition, a banking corporation is required to take measures to detect impersonation of the banking corporation's website by unauthorized parties.
Section 12 – Backup and recovery principles
A banking corporation shall maintain a detailed plan for operating its information technology array in the event of failures and disasters, and shall test all backup arrangements once per period.
A banking corporation is required to implement physical and logical security measures for the prevention, detection, correction and documentation of exposures in its information technology array, in accordance with the risk assessment and with reference also to the aspects of identification and authentication, confidentiality and privacy, data integrity and reliability, and non-repudiation.
PCI – Protecting Card Holder Data
ASSESS
Identify cardholder data and analyze the vulnerabilities that can put this data at risk.
REMEDIATE
Fix vulnerabilities and don’t keep cardholder data unless you need it.
REPORT
Validate remediation.
PCI – Building Blocks (diagram)
What to protect (diagram)
PCI – Step By Step (diagram)
• www.ilDBA.co.il – Read More