Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Security into Your Data Back-End

Building Security into Your Data Back-End

A session by K. Brian Kelley at Syntax Code & Craft Convention 2016


Syntax Conference

May 10, 2016


  1. Back-End Data Security Three Things and Three Places… Not Just

    the Database!
  2. Author Page 2  Infrastructure and security architect  Database

    Administrator / Architect  Former Incident response team lead  Certified Information Systems Auditor (CISA)  SQL Server security columnist / blogger  Editor for SQL Server benchmarks at Center for Internet Security
  3. Contact Information K. Brian Kelley Email: kbriankelley@acm.org Twitter: @kbriankelley Infrastructure/Security

    Blog: http://truthsolutions.wordpress.com Personal Development Blog: http://gkdba.wordpress.com
  4. Goals  Get you in an adversary mindset  Consider

    areas traditionally neglected  Understand the “insider” threat
  5. Agenda  A Solid INFOSEC Model  The “Insider” Threat

     Three Things and Three Places  Applying the Things to Places  Two Examples to Consider
  6. Information Security’s C-I-A Triad Confidentiality Integrity Availability

  7. Principle of Least Privilege  The permission to do the

    job.  Nothing more. ◦ Threatens confidentiality. ◦ Threatens integrity.  Nothing less. ◦ Threatens availability.
  8. The Insider Threat  The vast majority aren’t the problem.

     Sometimes you have bad people.  Sometimes people turn bad.  OR – An adversary can act like an insider.
  9. My Miss Emma Example  Miss Emma may be the

    purest soul walking today. ◦ You can’t just think about Miss Emma. ◦ What if Miss Emma falls to a phishing attack?  SC DOR or Anthem compromise  Attacks against Defense Industry contractors. ◦ RSA Compromise  Aurora attacks  Assume that a user account will be compromised
  10. Three Things to Worry About  Unauthorized Data Access 

    Unauthorized Data Change  Unauthorized Process Change
  11. Three Places to Worry About  Source  In-Flight 

  12. Places: Web Servers / Services  Are they vulnerable to

    SQL Injection?  What and who connect to them?  Are they using HTTPS?  What else is on the same web server?
  13. Places: File System Questions  Who has ability to modify

    the files?  Who has ability to read the files?  What processes can touch the files?  Can you detect file tampering?
  14. Places: Database Questions  Who can read the data? 

    Who can modify the data?  Can you verify data integrity?
  15. Places: Network Questions  Is sensitive data being sent across?

     If so, is it encrypted?  If you're using SSL, who controls the CA?  If it isn't encrypted, is someone watching?
  16. Example: SSIS Packages  Who can update the packages? 

    Are you checking for updates?  Can you detect an unauthorized update?  How about during the ETL process?
  17. Example: Web Services  Who can administer the web server?

     Who can change the code?  Can you detect a change?  Can you reverse the change?
  18. Goals  Get you in an adversary mindset  Consider

    areas traditionally neglected  Understand the “insider” threat
  19. Thank You! Questions? K. Brian Kelley Email: kbriankelley@acm.org Twitter: @kbriankelley

    Tech/Sec blog: http://truthsolutions.wordpress.com/ Prof. Dev. blog: http://gkdba.wordpress.com/ Center for Internet Security: http://cisecurity.org/