SLIDE 1

Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky

Security and Privacy

Lecture 13

March 28, 2016 Security and Privacy 1

SLIDE 2

Outline

  • Context
  • Access Control

– Strong password policies, 2FA
– Discretionary, Mandatory
– Least Privilege, Separate Privileges

  • Attacks

– SQL Injection
– DoS (limit password length!)
– Brute force password attempts (iCloud)
– Internal vs. External (Oracle: up to 80% of data loss is internal)
– Separate server, updates, audit logs

  • Inference Control
  • Encryption

– Symmetric, Asymmetric, Hashing – tricky to get right!
– Whole Database (and backups!), Communication
– Sensitive Data (salting)

SLIDE 3

Database Design and Implementation Process

SLIDE 4

Guidelines

  • Security as first-class citizen

– Early on security was an add-on; now it has to be designed in from the start

  • Security in depth

– Don’t assume a firewall will save you

  • Design for failure

– What happens after a breach occurs?

  • Secure the weakest link

– Attackers go after anything but the crypto!

  • Obscurity is not security

– Keys in a binary stand out like sore thumbs
– Stored procedures are not a cure for access control

SLIDE 5

XKCD: Authorization

SLIDE 6

XKCD: License Plate

SLIDE 7

Authentication Policies

  • Passwords

– Enforce minimum length/complexity

  • Also a maximum (more later w.r.t. DoS)

– Require periodic updates
– Goal: make guessing/cracking difficult

  • Cross-service reuse: one breached site exposes every account sharing that password
  • Attempts

– Enforce limits to avoid brute force (iCloud)

  • 2 Factor Authentication (2FA)

– Often infeasible
– Implementation may weaken it

  • e.g. Social engineering
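As an added example (not code from the lecture), here is the attempt limit and the password-length policy from this slide in Python. The thresholds, the constructed blocklist and the `verify` callback standing in for the real credential check are assumptions:

```python
import time
from collections import defaultdict, deque
from typing import Callable, Optional

# Policy thresholds are illustrative assumptions, not figures from the lecture.
MIN_LEN = 12
MAX_LEN = 128            # a maximum bounds the hashing cost of a single attempt (see the DoS slide)
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}   # constructed sample blocklist
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60   # failures are counted over a sliding window
LOCKOUT_SECONDS = 15 * 60


def check_password_policy(password: str) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it is rejected."""
    if len(password) < MIN_LEN:
        return "too short"
    if len(password) > MAX_LEN:
        return "too long"
    if password.lower() in COMMON_PASSWORDS:
        return "too common"
    return None


class LoginGuard:
    """Per-account brute-force limiter: too many failures within the window lock the account."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock                      # injectable so the behaviour can be tested
        self.failures = defaultdict(deque)      # account -> timestamps of recent failures
        self.locked_until = {}                  # account -> time the lockout expires

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:               # lockout expired: forget the old failures
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account: str) -> None:
        now = self.clock()
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS

    def attempt(self, account: str, password: str, verify: Callable[[str, str], bool]) -> str:
        """verify(account, password) is the real credential check (assumed to exist elsewhere)."""
        if self.is_locked(account):
            return "locked"                     # verify is not even run: no hashing work for the attacker
        if len(password) > MAX_LEN:
            return "denied"                     # cheap rejection before any expensive hashing
        if verify(account, password):
            self.failures[account].clear()
            self.locked_until.pop(account, None)
            return "ok"
        self.record_failure(account)
        return "locked" if self.is_locked(account) else "denied"


def demo():
    """Five wrong guesses lock the account; the right password only works after the lockout expires."""
    fake_time = [0.0]
    guard = LoginGuard(clock=lambda: fake_time[0])
    verify = lambda account, password: password == "correct horse battery staple"
    outcomes = [guard.attempt("alice", "guess%d" % i, verify) for i in range(MAX_FAILURES)]
    during_lockout = guard.attempt("alice", "correct horse battery staple", verify)
    fake_time[0] = LOCKOUT_SECONDS + 1.0
    after_lockout = guard.attempt("alice", "correct horse battery staple", verify)
    return outcomes, during_lockout, after_lockout


if __name__ == "__main__":
    print(demo())
```

`attempt` refuses to run `verify` at all once the account is locked, so a lockout also caps the hashing work an attacker can cause. The distinct "locked"/"denied" outcomes are for illustration; a production login page shows one generic failure message. Per-account lockout can itself be turned against legitimate users, which is the lock-out problem on the DoS slide.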

SLIDE 8

XKCD: Password Strength

SLIDE 9

XKCD: Security Question

SLIDE 10

Discretionary Access Control

  • Users grant/revoke privileges to other users

– Chain starts with root/superuser/DBA
– Delegated WITH GRANT OPTION

  • Privileges typically apply at multiple levels

– Global, database, table, column

  • Access matrix model

– Users x Objects

  • Fairly universal
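The access matrix and the GRANT OPTION chain as an added Python model (not code from the lecture; MySQL keeps its real matrix in the user, db, tables_priv and columns_priv grant tables shown on the next slides). The user and object names are made up:

```python
from collections import defaultdict


class AccessMatrix:
    """Discretionary access control as a Users x Objects matrix.

    Each cell holds (privilege, grantor, grant_option) entries rather than a bare privilege
    so that REVOKE can cascade: a grant that was only possible because of a grant option the
    grantor has just lost is removed as well (the CASCADE behaviour of SQL REVOKE).
    """

    def __init__(self, superuser="root"):
        self.superuser = superuser               # root/DBA: holds everything with grant option
        self.cells = defaultdict(set)            # (user, obj) -> {(priv, grantor, grant_option)}

    def has(self, user, obj, priv, need_grant_option=False):
        if user == self.superuser:
            return True
        return any(p == priv and (go or not need_grant_option)
                   for p, _, go in self.cells[(user, obj)])

    def grant(self, grantor, grantee, obj, priv, with_grant_option=False):
        # Only someone holding the privilege WITH GRANT OPTION may pass it on.
        if not self.has(grantor, obj, priv, need_grant_option=True):
            raise PermissionError("%s cannot grant %s on %s" % (grantor, priv, obj))
        self.cells[(grantee, obj)].add((priv, grantor, with_grant_option))

    def revoke(self, revoker, grantee, obj, priv):
        """Remove grants of priv that revoker made to grantee, then cascade to dependents."""
        cell = self.cells[(grantee, obj)]
        removed = {e for e in cell
                   if e[0] == priv and (e[1] == revoker or revoker == self.superuser)}
        if not removed:
            return
        cell -= removed
        if self.has(grantee, obj, priv, need_grant_option=True):
            return                               # grantee still holds a grant option via another path
        for (user, o), entries in list(self.cells.items()):
            if o == obj and any(e[0] == priv and e[1] == grantee for e in entries):
                self.revoke(grantee, user, obj, priv)


def demo():
    """Grant chain root -> alice -> bob -> carol, then revoke at the top and watch it cascade."""
    m = AccessMatrix()
    table = "hr.salaries"                        # constructed object name
    m.grant("root", "alice", table, "SELECT", with_grant_option=True)
    m.grant("alice", "bob", table, "SELECT", with_grant_option=True)
    m.grant("bob", "carol", table, "SELECT")      # carol gets SELECT but no grant option
    m.grant("root", "carol", table, "INSERT")     # unrelated privilege, must survive the cascade
    before = (m.has("bob", table, "SELECT"), m.has("carol", table, "SELECT"))
    try:
        m.grant("carol", "dave", table, "SELECT")  # carol lacks grant option: refused
        carol_could_delegate = True
    except PermissionError:
        carol_could_delegate = False
    m.revoke("root", "alice", table, "SELECT")
    after = (m.has("alice", table, "SELECT"), m.has("bob", table, "SELECT"),
             m.has("carol", table, "SELECT"), m.has("carol", table, "INSERT"))
    return before, carol_could_delegate, after


if __name__ == "__main__":
    print(demo())
```

Recording the grantor in every cell is what makes the cascade possible; it is also why a DBMS can answer "who gave this user this right?", which matters when a grantor is fired and every right that flowed through them has to be reviewed.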

SLIDE 11

MySQL (user)

SLIDE 12

MySQL (db)

SLIDE 13

MySQL (tables_priv)

SLIDE 14

MySQL (columns_priv)

SLIDE 15

Mandatory Access Control

  • Objects are classified with security levels
  • Users are afforded security clearance
  • Government/military model; not typically supported by commercial DBMSs

SLIDE 16

Privilege Policies

  • Principle of least privilege
  • Privilege separation

– Multiple users, each with least privilege

  • Abuse

– Unauthorized

  • Mitigate escalation attacks

– Authorized

  • Teachers changing grades
  • Firing a DBA

SLIDE 17

SQL Injection

SQL manipulation for nefarious purposes

Method

  • String manipulation

– Parameters, function calls

  • Code injection (e.g. buffer overflow)

Goals

  • Fingerprinting

– Learn about service via version, configuration

  • DoS
  • Bypass authentication/privilege escalation
  • Remote execution

Protection

  • Parameterized statements
  • Filter/validate input (defense in depth, not a substitute for parameterization)
  • Limit use of custom functions
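An added example, not from the lecture: the same login query written with string manipulation and with a parameterized statement, run against an in-memory SQLite table constructed here, showing the bypass and fingerprinting goals listed above:

```python
import sqlite3


# Constructed sample schema. Passwords are stored in the clear only to keep the injection
# demonstration short; a real system stores salted hashes (see the Password Salting slide).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "hunter2", "dba"), ("bob", "s3cret", "reader")])
    return conn


def login_vulnerable(conn, name, password):
    """String manipulation: user input is spliced into the SQL text (deliberately vulnerable)."""
    sql = "SELECT role FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    """Parameterized statement: the SQL text is fixed, values travel separately as bound parameters."""
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # Authentication bypass: the comment marker discards the password check entirely.
    bypass = "admin' -- "
    # Fingerprinting: a UNION pulls the server version into the result instead of a role.
    fingerprint = "nobody' UNION SELECT sqlite_version() -- "
    return {
        "vulnerable_bypass": login_vulnerable(conn, bypass, "wrong"),
        "vulnerable_fingerprint": login_vulnerable(conn, fingerprint, "") == sqlite3.sqlite_version,
        "parameterized_bypass": login_parameterized(conn, bypass, "wrong"),
        "parameterized_fingerprint": login_parameterized(conn, fingerprint, ""),
        "parameterized_legit": login_parameterized(conn, "admin", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

Escaping quotes in the vulnerable version would stop these two payloads but not an injection into a numeric or identifier position, which is why parameterized statements are the primary defense and input filtering only a backstop.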

SLIDE 18

XKCD: Exploits of a Mom

SLIDE 19

Denial of Service (DoS)

Any exposed interface

– Failed login

  • Lock out legitimate users (attempt limits turned against them)
  • Resource exhaustion via hashing very long passwords (hence the maximum length)

– Complex queries

Mitigation

– Resource limits – Patching – Monitoring
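An added example of the resource-limits mitigation (not from the lecture): a per-statement budget implemented with SQLite's progress handler in Python. The step budget and the sample table are assumptions; in a production DBMS the same idea is a statement timeout such as PostgreSQL's statement_timeout or MySQL's max_execution_time.

```python
import sqlite3


class QueryBudgetExceeded(Exception):
    """Raised when a statement is cut off for using more than its share of the server."""


def run_with_budget(conn, sql, params=(), max_steps=1_000_000, granularity=1000):
    """Execute sql but abort it once SQLite's bytecode VM has run roughly max_steps instructions.

    SQLite calls the progress handler every `granularity` VM instructions; returning a
    non-zero value from it interrupts the running statement, which surfaces as
    sqlite3.OperationalError("interrupted").
    """
    spent = {"steps": 0}

    def progress():
        spent["steps"] += granularity
        return 1 if spent["steps"] > max_steps else 0

    conn.set_progress_handler(progress, granularity)
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.OperationalError as err:
        if "interrupt" in str(err).lower():
            raise QueryBudgetExceeded("aborted after ~%d VM steps: %s" % (spent["steps"], sql)) from err
        raise
    finally:
        conn.set_progress_handler(None, 0)       # do not let the budget leak into later statements


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (x INTEGER)")
    conn.executemany("INSERT INTO t VALUES (?)", [(i,) for i in range(1000)])   # constructed data
    cheap = run_with_budget(conn, "SELECT count(*) FROM t WHERE x < ?", (10,), max_steps=100_000)[0][0]
    # A three-way cross join of 1000 rows is 10^9 rows: far beyond any sane budget.
    try:
        run_with_budget(conn, "SELECT count(*) FROM t a, t b, t c", max_steps=100_000)
        aborted = False
    except QueryBudgetExceeded:
        aborted = True
    # The connection survives the abort and keeps serving reasonable queries.
    still_usable = run_with_budget(conn, "SELECT count(*) FROM t", max_steps=100_000)[0][0]
    return cheap, aborted, still_usable


if __name__ == "__main__":
    print(demo())
```

The budget is per statement, so one abusive query is cut off without affecting others; pairing it with monitoring of which users trip the budget turns an outage into an audit-log entry.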

SLIDE 20

XKCD: CIA

SLIDE 21

Protection

  • Protect against internal attacks

– Oracle: up to 80% of data loss is caused by insiders

  • Isolate DBMS

– Separate machine, VM

  • Regular patching policies
  • Audit logs

SLIDE 22

Inferential Security

  • Relevant when offering parameterized access to aggregate data

– But must protect sensitive individual data!

  • Prior knowledge and/or clever exploration might yield queries that reveal private information

– Find “average” salary of <insert conditions that identify single individual>

  • Techniques

– Minimum result set size threshold – Added noise – Group partitioning
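An added example (not from the lecture) of the minimum-result-set-size threshold and added noise, in Python over a constructed salary table. It includes the "clever exploration" the slide warns about: a tracker attack made of two queries that each pass the threshold yet together isolate one salary. K and the noise width are assumptions.

```python
import random
from statistics import mean

# Constructed sample table: (name, department, salary). Fay is the only person in legal.
EMPLOYEES = [
    ("Ana", "eng", 120_000), ("Ben", "eng", 105_000), ("Cy", "eng", 98_000), ("Dov", "eng", 111_000),
    ("Eli", "ops", 70_000), ("Flo", "ops", 72_000), ("Gus", "ops", 68_000), ("Hal", "ops", 75_000),
    ("Fay", "legal", 150_000),
    ("Ida", "hr", 80_000),
]
K = 3              # minimum result-set size (and minimum size of the complement)
NOISE = 5_000.0    # half-width of the noise added to each released statistic (assumption)


class Suppressed(Exception):
    """The query is refused because its result set is too small (or too nearly complete)."""


def aggregate(agg, where):
    """Release agg(salaries) only if at least K rows match and at least K rows do not.

    The complement check stops 'everyone except X' queries, which would reveal X by
    subtraction from the (permitted) query over everyone.
    """
    rows = [e for e in EMPLOYEES if where(e)]
    n = len(rows)
    if n < K or len(EMPLOYEES) - n < K:
        raise Suppressed("%d matching rows (K=%d)" % (n, K))
    return agg([salary for _, _, salary in rows])


def noisy_aggregate(agg, where, rng):
    """Same gate, but perturb the released value so exact differencing no longer works."""
    return aggregate(agg, where) + rng.uniform(-NOISE, NOISE)


def demo():
    # 1. The obvious attack is blocked: the predicate isolates a single person.
    try:
        aggregate(mean, lambda e: e[1] == "legal")
        blocked = False
    except Suppressed:
        blocked = True
    # 2. Tracker attack: two individually acceptable queries whose difference is Fay's salary.
    eng = lambda e: e[1] == "eng"
    eng_or_legal = lambda e: e[1] in ("eng", "legal")
    leaked = aggregate(sum, eng_or_legal) - aggregate(sum, eng)
    # 3. With noise the same pair returns only an approximate value.
    rng = random.Random(2016)        # seeded so the demo is repeatable
    noisy = noisy_aggregate(sum, eng_or_legal, rng) - noisy_aggregate(sum, eng, rng)
    return blocked, leaked, noisy


if __name__ == "__main__":
    print(demo())
```

Fresh noise on every repetition of the same query can be averaged away, so a real deployment fixes the noise per distinct query or charges repeated queries against a privacy budget; group partitioning, the third technique on the slide, avoids the tracker altogether by only ever releasing statistics over fixed groups.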

SLIDE 23

XKCD: Privacy Opinions

SLIDE 24

Encryption

  • Symmetric

– Single key encrypts/decrypts

  • Asymmetric

– 2 keys: the public key encrypts, the private key decrypts

  • Hashing

– One-way: no decryption

  • Encryption theory is solid, implementation is tricky

– High-quality randomness
– Bug-free code

SLIDE 25

XKCD: Heartbleed

SLIDE 26

Basics

  • Encrypt database files

– Including backups!
– Native or 3rd-party wrapper
– Can be difficult to implement while staying resilient to restarts and high-performance

  • Encrypt application communication

SLIDE 27

XKCD: Security

SLIDE 28

Sensitive Data

  • When dealing with sensitive data, always consider how it needs to be used

  • If only verification (e.g. password), hash
  • If usage, encrypt

– Ideally segment by usage (e.g. credit cards: the entry path encrypts with a public key, only the processing system holds the private key, and the last 4 digits are stored separately as a string for display)

SLIDE 29

Password Salting

  • Salt = random additional input prepended to the value before hashing

– Ideally 1 salt per sensitive value
– Stored text = salt, hash(salt + sensitive value)

  • Possibly several rounds of hashing
  • Increases complexity of usefully processing bulk data

– Re-use within service, across services – Rainbow tables
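An added example (not from the lecture) of the stored-text layout above in Python: a per-value random salt, hashing with PBKDF2-HMAC-SHA256, constant-time verification, and a constructed precomputed table showing what the salt defeats. The algorithm choice and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; an assumption, tune to your hardware
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return the stored text: algorithm $ iterations $ salt $ hash(salt + password)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # one fresh random salt per stored value
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGORITHM, str(iterations), salt.hex(), digest.hex()))


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hash: %s" % algorithm)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo(iterations=100_000):
    """Unsalted hashes fall to a precomputed table; salted ones do not, and equal passwords differ."""
    # Constructed "rainbow table": the attacker has pre-hashed a list of common passwords.
    common = ["password", "123456", "hunter2", "letmein"]
    table = {hashlib.sha256(p.encode()).hexdigest(): p for p in common}

    # Two users who chose the same weak password.
    unsalted = [hashlib.sha256(b"hunter2").hexdigest() for _ in range(2)]
    salted = [hash_password("hunter2", iterations=iterations) for _ in range(2)]

    return {
        "unsalted_identical": unsalted[0] == unsalted[1],                  # reuse is visible
        "unsalted_cracked": [table.get(h) for h in unsalted],            # table lookup succeeds
        "salted_identical": salted[0] == salted[1],                      # False: per-value salt
        "salted_cracked": [table.get(s.split("$")[-1]) for s in salted],  # [None, None]
        "verify_right": verify_password("hunter2", salted[0]),
        "verify_wrong": verify_password("hunter3", salted[0]),
    }


if __name__ == "__main__":
    print(demo())
```

Storing the algorithm and iteration count alongside the salt is what lets the work factor be raised later without breaking existing records. Where a memory-hard function is available (`hashlib.scrypt` in the standard library) it is the better choice; the storage format and verify path stay the same.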

SLIDE 30

XKCD: Encryptic

SLIDE 31

Summary

  • When dealing with database applications, security needs to be a first-class citizen, considered at all levels, preparing for failure (the weakest link!)

– Obscurity ≠ Security

  • We covered issues/best practices related to authentication/authorization, common attacks, inference control, and encryption

SLIDE 32

XKCD: Password Reuse
