Database security threats ethernautics


MICHAEL W. MEISSNER 1 ©1994-2015 Copyright Michael W. Meissner Author: Michael W. Meissner Last revised: 06/12/2015 10:53:59 PM PDT (UTC/GMT –7)

Primer

Database Security Threats

Revision: 0

Compiled and Edited By: Michael W. Meissner, RCDD

Cyber Security Digital Engineer Work: +1.339.368.6453

[email protected]


Foreword: This Glossary is crafted as a brief summary of database security threats encountered while conducting Cyber Security Assessments of Nuclear Power Plants. It is a “work in progress” and is not intended to be a complete list of the threats found in the Cyber Security Domain or in Nuclear Power Plants.

For comprehensive and continuously updated lists of Database Security Threats, please see the following:

http://www.wikipedia.org/

Glossary of Key Information Security Terms

http://www.imperva.com/docs/WP_TopTen_Database_Threats.pdf

http://sqlity.net/en/2542/privilege-abuse/


About the Editor:

Mr. Michael W. Meissner, RCDD, is a Senior Systems Engineer, Cyber Security Specialist, Solutions Architect, Information Management Consultant, RCDD, and noted Technologist. He has thirty-plus years of experience in information systems and network technologies. He has authored several telecommunications patents. He possesses experience in Information System Management Technologies, combining strong technical credentials with exposure to all phases of systems and network design, development and management, tempered with excellent general business skills. His talents come from years of experience working for international industry giants including: IBM, Schlumberger, AT&T, Bellcore, Telcordia, TCI, Qwest, Comcast, One Communications, France Telecom, Time Warner, TECO Energy, US Cellular, Nokia, Deutsche Telekom, Urenco, Computer Sciences Corporation, US Army and US Government.

He is highly qualified with experience and accomplishments in: Cyber Security, SOA, Business Intelligence, Systems Analysis, Software Development, Application Development Management, Systems Administration, Database Administration, Enterprise Network Planning, Systems Architecture, Data Center/Call Centre/NOC/IVR (Design, Operations, and Relocation), RCDD/OSP Services and as an Internal Business Consultant. He has assisted clients in solving a variety of business problems including: strategic systems planning, business requirements analysis, Gap Analysis, help desk operation, development of requests for proposals, project planning, joint applications design and development, business continuity and disaster recovery planning (ISO 17799, BS7799), Sarbanes-Oxley compliance (SOX), systems and network design, hardware and software acquisitions, data migrations and conversion, systems training, process re-engineering, systems performance tuning, integration management, project governance, and project implementation management.

He maintains extensive experience and practicality with Information Technology as it pertains to specific industries: studying, designing, implementing, and managing information systems in a variety of different organizational environments. Industries served include:

• Telecommunications/Utilities
• Information Technologies
• Health Care
• Oil and Gas, Mining
• State, Local, Federal Government, Military, and Non-profit
• Banking and Insurance
• Leisure and Entertainment
• Media and Broadcasting
• Manufacturing
• Wholesale and Distribution
• Retail
• Architecture, Engineering, Construction, and Environmental

He has authored several papers and taught multiple information technology classes and seminars including: Best Practices Guides, Wireless Application Development using Internet-Centric Technologies, Strategic Information System Planning, Joint Application Development (JAD), Rapid Prototyping in a Production Environment, Advanced Voice/Data Network Design, Information System Management, Help Desk Management, Project Management, Performance Tuning and Planning, Technology Forecasting, and Artificial Intelligence Techniques. In addition, he has been the keynote speaker at several IT Conferences.

Mr. Michael William Meissner, RCDD

Senior Systems Engineer/Cyber Security Digital Engineer/Programme Director/Solutions Architect/RCDD

Business Phone: +1.339.368.6453

Mobile: +1.720.257.3933

Email: [email protected]

Business Email: [email protected]

Web Site: https://sites.google.com/site/michaelwmeissner/home

LinkedIn: http://www.linkedin.com/in/michaelwmeissner

Ethernautics, Inc. 10655 Moonshell Ct. Suite #10 San Diego, California 92130 U.S.A.

Business Phone: 1.339.368.6453 Facsimile: 1.877.871.6453

www.ethernautics.com


Top Ten Database Security Threats of 2015

Columns: Ranking, Threat, Brief Description, Example. The example number refers to the numbered examples and mitigations that follow the table.

1 Excessive and Unused Privileges: Database access privileges are granted that exceed the requirements of the user's job function or need to know, resulting in privilege abuse. (Example 1)

2 Privilege Abuse: Abuse of legitimate privileges can be considered a database vulnerability if the malicious user misuses their database access privileges. (Example 2)

3 Input Injection: A class of attacks that rely on injecting data or code into an application in order to cause malicious data to be executed or interpreted in an unexpected manner (see also SQL Injection and Code Injection). (Example 3)

4 Malware: Malicious code that automates the exploitation of one or more known vulnerabilities; the principal purposes of these malicious agents are information theft and sabotage. (Example 4)

5 Weak Audit Trail: Automated recording of database transactions involving sensitive data should be part of any database deployment. Failure to collect detailed audit records of database activity represents a serious organizational risk on many levels. (Example 5)

6 Storage Media Exposure: Backup storage media is often completely unprotected from attack. As a result, numerous security breaches have involved the theft of database backup disks and tapes. (Example 6)

7 Exploitation of Vulnerabilities and Misconfigured Databases: Attackers exploit vulnerable, unpatched databases, or discover databases that still have default accounts and configuration parameters. (Example 7)

8 Unmanaged Sensitive Data: Companies struggle to maintain an accurate inventory of their databases and the critical data objects contained within them. Forgotten databases may contain sensitive information, and new databases can emerge unnoticed. (Example 8)

9 Denial of Service (DoS): A general attack category in which access to network applications or data is denied to intended users. (Example 9)

10 Limited Security Expertise and Education: Lack of the expertise required to implement security controls, enforce policies, or conduct incident response processes. (Example 10)

The list of top ten database threats was identified by the Imperva Application Defense Center. To read the white paper published by Imperva, see http://www.imperva.com/docs/WP_TopTen_Database_Threats.pdf.

1) A bank employee whose job requires the ability to change only accountholder contact information may take advantage of excessive database privileges and increase the account balance of a colleague’s savings account. Further, when someone leaves an organization, often his or her access rights to sensitive data do not change. And, if these workers depart on bad terms, they can use their old privileges to steal high value data or inflict damage.

How do users end up with excessive privileges? Usually, it’s because privilege control mechanisms for job roles have not been well defined or maintained. As a result, users may be granted generic or default access privileges that far exceed their specific job requirements. This creates unnecessary risk.

Mitigation

• User Rights Management
• Monitoring and Blocking
• http://itsecurity.telelink.com/excessive-and-unused-privileges/

2) An example of this would be a database administrator accessing data for which he or she has no “need to know”, e.g. the contents of the CreditCard table. This manifestation could also be an application problem, if the application allows an account specialist to access accounts not assigned to them.

Mitigation

• Do not grant unnecessary privileges
• Follow the Least Privilege Principle
• Best Practice Audit Trails (including account information)
• http://sqlity.net/en/2542/privilege-abuse/

3) Examples of attacks within this class include Cross-Site Scripting (XSS), SQL Injection, Header Injection, Log Injection and Full Path Disclosure. The most common form of Injection Attack is the infamous SQL Injection attack. SQL Injections operate by injecting data into an application, which is then used unchanged in SQL queries.

Mitigation

• Apply the Defense In Depth principle.
• Validation
• Escaping
• Parameterized Queries (Prepared Statements)
• Enforce Least Privilege Principle
• http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html
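As an added example (not from the primer or from Imperva's paper), the vulnerable query-building pattern beside a hardened form that applies two of the mitigations listed above, validation and parameterized queries; the customers table, the user names and the use of SQLite are constructed for the demonstration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data (not from the primer): an in-memory customers table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, username):
    # Untrusted input is spliced into the SQL text, so the database parses it as
    # part of the statement rather than as a value: the defect the primer describes.
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def lookup_hardened(conn, username):
    # Validation (allow-list): reject anything outside the expected character set.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    # Parameterized query: the driver binds the value as a literal, so no input
    # can alter the structure of the statement.
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    conn = make_db()
    hostile = "x' OR '1'='1"  # input carrying SQL metacharacters
    results = {
        "vulnerable_benign": lookup_vulnerable(conn, "alice"),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),  # whole table leaks
        "hardened_benign": lookup_hardened(conn, "alice"),
    }
    try:
        lookup_hardened(conn, hostile)
        results["hardened_hostile"] = "accepted"
    except ValueError:
        results["hardened_hostile"] = "rejected"
    # Defense in depth: even with validation bypassed, binding alone keeps the
    # statement's structure fixed and the hostile string matches no row.
    results["bound_hostile"] = conn.execute(
        "SELECT username, email FROM customers WHERE username = ?", (hostile,)).fetchall()
    return results
```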

4) In November 2012, Symantec published a security alert on a new malware dubbed W32.Narilam that was designed to damage corporate databases. The W32.Narilam worm attempts to spread by copying itself to all drives and certain shared folders on the victim’s PC. No instances were found that included a module to steal information from the victims. The worm was designed to attack SQL archives; it was able to search for database instances. Once a database instance was found, the malware was able to access database objects and manipulate them; it was also able to delete the entire archive.

http://resources.infosecinstitute.com/databases-vulnerabilities-costs-of-data-breaches-and-countermeasures/

Mitigation

• Physical and logical policies
• Reactive and proactive approaches to malware and virus prevention
• Strategies for helping to reduce malware
• https://msdn.microsoft.com/en-us/library/cc875818.aspx

5) On September 18th 2014, Home Depot published a press release (pdf) about their recent data breach. In this document they state that the "cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards".

http://sqlity.net/en/2574/weak-audit-trail/

Mitigation

• Audit current security practices and applications.
• Do research, including reading the whitepaper mentioned several times above provided by Imperva.
• And lastly, resolve the issue of a weak audit trail now by investing in an independent data audit trail.
• http://www.realisedatasystems.com/weak-audit-trail-database-security-threat/
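An added example, not part of the primer, that ties this threat to example 1 above and to the audit-trail mitigation under example 2: triggers record every change to a sensitive accounts table in an audit table that refuses deletions, and a detection query flags balance changes made by users who are only entitled to edit contact details. The schema, the user names and the use of SQLite are assumptions made for the demonstration.

```python
import sqlite3

def make_audited_db():
    # Constructed schema (not from the primer). SQLite has no notion of the
    # connected user, so session_actor carries the application user into triggers.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER, phone TEXT);
        CREATE TABLE audit_log (id INTEGER PRIMARY KEY, ts TEXT DEFAULT (datetime('now')),
            actor TEXT, action TEXT, account_id INTEGER, old_balance INTEGER, new_balance INTEGER);
        CREATE TABLE session_actor (name TEXT);
        INSERT INTO session_actor VALUES ('unknown');
        -- Every change to the sensitive table is recorded automatically.
        CREATE TRIGGER accounts_update AFTER UPDATE ON accounts BEGIN
            INSERT INTO audit_log (actor, action, account_id, old_balance, new_balance)
            SELECT name, 'UPDATE', NEW.id, OLD.balance, NEW.balance FROM session_actor;
        END;
        -- Keep the trail append-only: nobody, including a DBA, may erase audit rows.
        CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log BEGIN
            SELECT RAISE(ABORT, 'audit_log is append-only');
        END;
        INSERT INTO accounts (owner, balance, phone) VALUES ('carol', 100, '555-0100');
    """)
    return conn

def balance_changes_by(conn, restricted_users):
    # Detection: these users may edit contact details but never balances, so any
    # audit row in which one of them changed a balance is a privilege-abuse signal.
    marks = ",".join("?" * len(restricted_users))
    sql = f"""SELECT actor, account_id, old_balance, new_balance FROM audit_log
              WHERE action = 'UPDATE' AND old_balance IS NOT new_balance AND actor IN ({marks})"""
    return conn.execute(sql, tuple(restricted_users)).fetchall()

def audit_is_tamper_resistant(conn):
    # True when an attempt to purge the audit trail is refused by the trigger.
    try:
        conn.execute("DELETE FROM audit_log")
        return False
    except sqlite3.IntegrityError:
        return True

def demo():
    conn = make_audited_db()
    conn.execute("UPDATE session_actor SET name = 'teller_dave'")
    conn.execute("UPDATE accounts SET phone = '555-0199' WHERE id = 1")  # within role
    conn.execute("UPDATE accounts SET balance = 5000 WHERE id = 1")       # beyond role
    conn.execute("UPDATE session_actor SET name = 'branch_manager'")
    conn.execute("UPDATE accounts SET balance = 4900 WHERE id = 1")       # authorised
    return balance_changes_by(conn, ["teller_dave"]), audit_is_tamper_resistant(conn)
```

The phone-only update is logged but not flagged, while the teller's balance change is; the manager's change is outside the restricted set and so passes.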
