
Building Security into Your Data Back-End

A session by K. Brian Kelley at Syntax Code & Craft Convention 2016

Syntax Conference

May 10, 2016

Transcript

  1. Author
    - Infrastructure and security architect
    - Database Administrator / Architect
    - Former Incident response team lead
    - Certified Information Systems Auditor (CISA)
    - SQL Server security columnist / blogger
    - Editor for SQL Server benchmarks at Center for Internet Security

  2. Contact Information
    K. Brian Kelley
    Email: [email protected]
    Twitter: @kbriankelley
    Infrastructure/Security Blog: http://truthsolutions.wordpress.com
    Personal Development Blog: http://gkdba.wordpress.com

  3. Goals
    - Get you in an adversary mindset
    - Consider areas traditionally neglected
    - Understand the “insider” threat

  4. Agenda
    - A Solid INFOSEC Model
    - The “Insider” Threat
    - Three Things and Three Places
    - Applying the Things to Places
    - Two Examples to Consider

  5. Principle of Least Privilege
    - The permission to do the job.
    - Nothing more.
      - Excess permission threatens confidentiality.
      - Excess permission threatens integrity.
    - Nothing less.
      - Insufficient permission threatens availability.

  6. The Insider Threat
    - The vast majority aren’t the problem.
    - Sometimes you have bad people.
    - Sometimes people turn bad.
    - OR – An adversary can act like an insider.

  7. My Miss Emma Example
    - Miss Emma may be the purest soul walking today.
      - You can’t just think about Miss Emma.
      - What if Miss Emma falls to a phishing attack?
    - SC DOR (South Carolina Department of Revenue) or Anthem compromise
    - Attacks against Defense Industry contractors.
      - RSA Compromise
    - Aurora attacks
    - Assume that a user account will be compromised

  8. Three Things to Worry About
    - Unauthorized Data Access
    - Unauthorized Data Change
    - Unauthorized Process Change

  9. Places: Web Servers / Services
    - Are they vulnerable to SQL Injection?
    - What and who connect to them?
    - Are they using HTTPS?
    - What else is on the same web server?

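An added example for the SQL injection question on this slide (not code from the deck or the speaker): the same customer lookup built by string concatenation and with a bound parameter, run against an in-memory SQLite table. The table names, rows and the two payloads are constructed for the demo; a SQL Server back-end reacts to the string-built form the same way.

```python
"""Added example, not from the talk: string-built SQL vs. parameterized SQL.
Table names, rows and payloads are constructed for the demo (assumptions)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data. The web app only needs customers; app_users is
    # a table it should not be able to read at all (least privilege).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.execute("CREATE TABLE app_users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, ssn) VALUES (?, ?)",
        [("alice", "111-11-1111"), ("bob", "222-22-2222"), ("carol", "333-33-3333")],
    )
    conn.executemany(
        "INSERT INTO app_users VALUES (?, ?)",
        [("admin", "hash-of-admin-password"), ("svc_etl", "hash-of-etl-password")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately unsafe: the user-controlled value becomes part of the SQL text.
    sql = "SELECT name, ssn FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Safe: the value travels separately from the statement and is never parsed as SQL.
    return conn.execute(
        "SELECT name, ssn FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Two classic payloads (constructed): one widens the WHERE clause to every row
# (unauthorized data access), the other reads a table the request was never
# meant to touch. The trailing comment swallows the closing quote.
TAUTOLOGY = "x' OR '1'='1"
UNION_READ = "x' UNION SELECT username, password_hash FROM app_users --"


def demo() -> dict:
    conn = make_db()
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "honest_parameterized": len(lookup_parameterized(conn, "alice")),
        "tautology_vulnerable": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "tautology_parameterized": len(lookup_parameterized(conn, TAUTOLOGY)),
        "union_vulnerable": len(lookup_vulnerable(conn, UNION_READ)),
        "union_parameterized": len(lookup_parameterized(conn, UNION_READ)),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:24s} -> {rows} row(s)")
```

The honest name returns one row either way. With the string-built query the tautology returns every customer and the UNION payload returns the application logins; the parameterized lookup returns nothing for both because the payload is compared as a literal name. Note the second payload only works because the web login can read app_users, which is where the least-privilege slide applies: a login that can only SELECT from the tables the page needs turns that injection into a permissions error.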
  10. Places: File System Questions
    - Who has ability to modify the files?
    - Who has ability to read the files?
    - What processes can touch the files?
    - Can you detect file tampering?

  11. Places: Database Questions
    - Who can read the data?
    - Who can modify the data?
    - Can you verify data integrity?

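An added example for “Can you verify data integrity?” (not from the deck): each row of a constructed payroll table is tagged with an HMAC under a key that, by assumption, only the auditing job holds and the database server never stores. Someone with UPDATE, INSERT and DELETE rights can still change the data, but cannot produce a matching tag, so the change is detectable. Table and column names, rows and the key are invented for the demo.

```python
"""Added example, not from the talk: per-row HMAC tags so unauthorized data
changes can be detected. Table layout, rows and key are constructed."""
import hashlib
import hmac
import json
import sqlite3

# Assumption: the key is held by the auditing/ETL job, never stored in or
# readable from the database, so a user with UPDATE rights cannot re-tag rows.
TAG_KEY = b"constructed-demo-key-do-not-reuse"


def row_tag(emp_id: int, name: str, salary: int) -> str:
    # Canonical serialization: fixed field order, no whitespace, so the tag
    # depends only on the values and not on how the row was fetched.
    body = json.dumps([emp_id, name, salary], separators=(",", ":")).encode()
    return hmac.new(TAG_KEY, body, hashlib.sha256).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payroll (emp_id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    conn.execute("CREATE TABLE payroll_tags (emp_id INTEGER PRIMARY KEY, tag TEXT)")
    for emp_id, name, salary in [(1, "alice", 90000), (2, "bob", 85000), (3, "carol", 120000)]:
        conn.execute("INSERT INTO payroll VALUES (?, ?, ?)", (emp_id, name, salary))
        conn.execute("INSERT INTO payroll_tags VALUES (?, ?)", (emp_id, row_tag(emp_id, name, salary)))
    conn.commit()
    return conn


def verify(conn: sqlite3.Connection) -> dict:
    rows = list(conn.execute("SELECT emp_id, name, salary FROM payroll ORDER BY emp_id"))
    tags = dict(conn.execute("SELECT emp_id, tag FROM payroll_tags"))
    tampered, unsigned = [], []
    for emp_id, name, salary in rows:
        if emp_id not in tags:
            unsigned.append(emp_id)   # inserted without going through the signing path
        elif not hmac.compare_digest(tags[emp_id], row_tag(emp_id, name, salary)):
            tampered.append(emp_id)   # a value changed after the row was tagged
    deleted = sorted(set(tags) - {r[0] for r in rows})   # tag still present, row gone
    return {"tampered": tampered, "unsigned": unsigned, "deleted": deleted}


def simulate_insider(conn: sqlite3.Connection) -> None:
    # What a DBA, or an application login with full DML rights, could do.
    conn.execute("UPDATE payroll SET salary = 250000 WHERE emp_id = 2")
    conn.execute("INSERT INTO payroll VALUES (4, 'mallory', 99000)")
    conn.execute("DELETE FROM payroll WHERE emp_id = 3")
    conn.commit()


if __name__ == "__main__":
    db = make_db()
    print("clean:", verify(db))
    simulate_insider(db)
    print("after:", verify(db))
```

The tags do not stop the change; they make it visible to a job that runs from a host the database administrators cannot log on to, on a schedule. Two gaps to plan for: an insider who deletes the row and its tag together is only caught by a row count or a tag computed over the whole table kept outside the database, and the legitimate write path must be the only place that knows the key.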
  12. Places: Network Questions
    - Is sensitive data being sent across?
    - If so, is it encrypted?
    - If you're using SSL, who controls the CA?
    - If it isn't encrypted, is someone watching?

  13. Example: SSIS Packages
    - Who can update the packages?
    - Are you checking for updates?
    - Can you detect an unauthorized update?
    - How about during the ETL process?

  14. Example: Web Services
    - Who can administer the web server?
    - Who can change the code?
    - Can you detect a change?
    - Can you reverse the change?

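An added example, not from the deck, that answers the detection questions on the file system, SSIS package and web service slides with one mechanism: hash every file under a deployment directory, keep the baseline under an HMAC whose key (by assumption) only the monitoring job holds, diff the current state against it, and reverse the change by restoring from a known-good release copy. Directory names, package names and file contents are constructed for the demo.

```python
"""Added example, not from the talk: content-hash baseline of a deployment
directory (SSIS packages, web service code), a diff against the current state,
and a restore from a known-good release copy. All paths and contents are constructed."""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Assumption: the monitoring job holds this key, so anyone who can write to the
# deployment directory cannot rewrite the baseline to match their changes.
BASELINE_KEY = b"constructed-demo-key-do-not-reuse"


def hash_tree(root: Path) -> dict:
    # Hash file contents, not modification times: timestamps are trivially reset.
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def _mac(hashes: dict) -> str:
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()


def sign_baseline(hashes: dict) -> dict:
    return {"hashes": hashes, "mac": _mac(hashes)}


def load_baseline(baseline: dict) -> dict:
    # A baseline that does not verify is itself evidence of tampering.
    if not hmac.compare_digest(baseline["mac"], _mac(baseline["hashes"])):
        raise ValueError("baseline rejected: MAC mismatch")
    return baseline["hashes"]


def diff(baseline: dict, current: dict) -> dict:
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def restore(deploy: Path, known_good: Path, report: dict) -> None:
    # Reverse the change: put back what was altered or removed, drop what was planted.
    for rel in report["modified"] + report["missing"]:
        (deploy / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(known_good / rel, deploy / rel)
    for rel in report["added"]:
        (deploy / rel).unlink()


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        deploy, release = Path(tmp) / "ssis_live", Path(tmp) / "ssis_release"
        for d in (deploy, release):
            (d / "etl").mkdir(parents=True)
            (d / "etl" / "LoadCustomers.dtsx").write_text("<DTS:Executable>constructed</DTS:Executable>")
            (d / "etl" / "connections.xml").write_text("<connections/>")
        baseline = sign_baseline(hash_tree(deploy))
        clean = diff(load_baseline(baseline), hash_tree(deploy))
        # Simulated unauthorized process change: edit a package, plant one, delete a config.
        (deploy / "etl" / "LoadCustomers.dtsx").write_text("<DTS:Executable>altered</DTS:Executable>")
        (deploy / "etl" / "Exfil.dtsx").write_text("<DTS:Executable>planted</DTS:Executable>")
        (deploy / "etl" / "connections.xml").unlink()
        report = diff(load_baseline(baseline), hash_tree(deploy))
        restore(deploy, release, report)
        after = diff(load_baseline(baseline), hash_tree(deploy))
        return clean, report, after


if __name__ == "__main__":
    clean, report, after = demo()
    print("clean run:", clean)
    print("after edits:", report)
    print("after restore:", after)
```

Run the comparison from a host the web or SQL Server administrators cannot write to, and keep the release copy there as well, otherwise the person who can change the code can also change what it is compared against. For the “during the ETL process” question, the same hash check belongs in the job that launches a package, immediately before execution; for packages kept in the SSIS catalog rather than on disk, export them and compare the export the same way.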
  15. Goals
    - Get you in an adversary mindset
    - Consider areas traditionally neglected
    - Understand the “insider” threat

  16. Thank You! Questions?
    K. Brian Kelley
    Email: [email protected]
    Twitter: @kbriankelley
    Tech/Sec blog: http://truthsolutions.wordpress.com/
    Prof. Dev. blog: http://gkdba.wordpress.com/
    Center for Internet Security: http://cisecurity.org/