security and privacy
play

Security and Privacy Lecture 13 Security and Privacy March 28, - PowerPoint PPT Presentation

Nov 17, 2022 •37 likes •357 views

Wentworth Institute of Technology COMP2670 Databases | Spring 2016 | Derbinsky Security and Privacy Lecture 13 Security and Privacy March 28, 2016 1 Wentworth Institute of Technology COMP2670 Databases | Spring 2016 | Derbinsky

  1. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Security and Privacy Lecture 13 Security and Privacy March 28, 2016 1

  2. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Outline • Context • Access Control – Strong password policies, 2FA – Discretionary, Mandatory – Least Privilege, Separate Privileges • Attacks – SQL Injection – DoS (limit password length!) – Brute force password attempts (iCloud) – Internal vs. External (80% internal via Oracle) – Separate server, updates, audit logs • Inference Control • Encryption – Symmetric, Asymmetric, Hashing – tricky to get right! – Whole Database (and backups!), Communication – Sensitive Data (salting) Security and Privacy March 28, 2016 2

  3. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Database Design and Implementation Process Security and Privacy March 28, 2016 3

  4. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Guidelines • Security as first-class citizen – Early on security was an add-on, now it is everything • Security via depth – Don’t assume a firewall will save you • Design for failure – What happens after a breach occurs? • Secure the weakest link – Anything but the crypto! • Obscurity is not security – Keys in binary stand out like sore thumbs – Stored procedures are not a cure for access control Security and Privacy March 28, 2016 4

  5. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky XKCD: Authorization Security and Privacy March 28, 2016 5

  6. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky XCKD: License Plate Security and Privacy March 28, 2016 6

  7. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Authentication Policies • Passwords – Enforce minimum length/complexity • Also maximum (more later w.r.t. DoS) – Require updates – Goal: make guessing/cracking difficult • Cross-service • Attempts – Enforce limits to avoid brute force (iCloud) • 2 Factor Authentication (2FA) – Often infeasible – Implementation may weaken • e.g. Social engineering Security and Privacy March 28, 2016 7

  8. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky XKCD: Password Strength Security and Privacy March 28, 2016 8

  9. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky XKCD: Security Question Security and Privacy March 28, 2016 9

  10. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Discretionary Access Control • Users grant / revoke privileges to other users – Starts with root/superuser/dba – with GRANT OPTION • Privileges typically apply at multiple levels – Global, database, table, column • Access matrix model – Users x Objects • Fairly universal Security and Privacy March 28, 2016 10

  11. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky MySQL (user) Security and Privacy March 28, 2016 11

  12. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky MySQL (db) Security and Privacy March 28, 2016 12

  13. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky MySQL (tables_priv) Security and Privacy March 28, 2016 13

  14. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky MySQL (columns_priv) Security and Privacy March 28, 2016 14

  15. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Mandatory Access Control • Objects are classified with security levels • Users are afforded security clearance • Government model, not typically supported Security and Privacy March 28, 2016 15

  16. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Privilege Policies • Principle of least privilege • Privilege separation – Multiple users, each with least privilege • Abuse – Unauthorized • Mitigate escalation attacks – Authorized • Teachers changing grades • Firing a DBA Security and Privacy March 28, 2016 16

  17. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky SQL Injection SQL manipulation for nefarious purpose Method • String manipulation – Parameters, function calls • Code injection (e.g. buffer overflow) Goals • Fingerprinting – Learn about service via version, configuration • DoS • Bypass authentication/privilege escalation • Remote execution Protection • Parameterized statements • Filter input • Limit use of custom functions Security and Privacy March 28, 2016 17

  18. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky XKCD: Exploits of a Mom Security and Privacy March 28, 2016 18

  19. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Denial of Service (DoS) Any exposed interface – Failed login • Lock out users • Resource utilization via long password verification – Complex queries Mitigation – Resource limits – Patching – Monitoring Security and Privacy March 28, 2016 19

  20. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky XCKD: CIA Security and Privacy March 28, 2016 20

  21. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Protection • Protect against internal attacks – Oracle: up to 80% of data loss • Isolate DBMS – Separate machine, VM • Regular patching policies • Audit logs Security and Privacy March 28, 2016 21

  22. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Inferential Security • Relevant when offering parameterized access to aggregate data – But must protect sensitive individual data! • Prior knowledge and/or clever exploration might yield queries that reveal private information – Find “average” salary of <insert conditions that identify single individual> • Techniques – Minimum result set size threshold – Added noise – Group partitioning Security and Privacy March 28, 2016 22

  23. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky XKCD: Privacy Opinions Security and Privacy March 28, 2016 23

  24. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Encryption • Symmetric – Single key encrypts/decrypts • Asymmetric – 2 Keys: public encryption, private decryption • Hashing – No decryption • Encryption theory is solid, implementation is tricky – High-quality randomness – Bug-free code Security and Privacy March 28, 2016 24

  25. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky XCKD: Heartbleed Security and Privacy March 28, 2016 25

  26. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Basics • Encrypt database files – Including backups! – Native or 3 rd -party wrapper – Can be difficult to implement while being resilient to restarts, high-performance • Encrypt application communication Security and Privacy March 28, 2016 26

  27. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky XCKD: Security Security and Privacy March 28, 2016 27

  28. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Sensitive Data • When dealing with sensitive data, always consider how it needs to be used • If only verification (e.g. password), hash • If usage, encrypt – Ideally segment usage (e.g. CC entry vs. processing = public/private + last 4 as string) Security and Privacy March 28, 2016 28

  29. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Password Salting • Salt = additional input prepended to hashed value – Ideally 1 salt per sensitive value – Stored text = salt, hash(salt + sensitive value) • Possibly several hashes • Increases complexity of usefully processing bulk data – Re-use within service, across services – Rainbow tables Security and Privacy March 28, 2016 29

  30. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky XCKD: Encryptic Security and Privacy March 28, 2016 30

  31. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky Summary • When dealing with database applications, security needs to be a first-class citizen, considered at all levels, preparing for failure (the weakest link!) – Obscurity ≠ Security • We covered issues/best practices related to authentication/authorization, common attacks, inference control, and encryption Security and Privacy March 28, 2016 31

  32. Wentworth Institute of Technology COMP2670 – Databases | Spring 2016 | Derbinsky XKCD: Password Reuse Security and Privacy March 28, 2016 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. &quot;Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks

S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much easier if there were someone we could all TRUST with our data Be8er data mining -- using MORE data, while respec@ng users PRIVACY

888 views • 35 slides
Web Privacy Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI)

Web Privacy Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

814 views • 43 slides
Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data

Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data

Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data Protecting Personal Data Privacy &amp; Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned Did you know... 77 percent of all Americans feel their personal health information privacy is very important, and 84 percent said they

769 views • 50 slides
How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and Security Conference Privacy and Security by Choice, not Chance Afternoon Workshop Wednesday February 3, 2016 Victoria, B.C. Canada Gerry Bliss

1.11k views • 63 slides
CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local Differential Privacy in Practice (Module 1) Graham Cormode, Somesh Jha, Tejas Kulkarni, Ninghui Li, Divesh Srivastava, and Tianhao Wang Differential

819 views • 38 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director Global Privacy &amp; Security by Design Centre Technion Summer School on Cyber Security Haifa, Israel September 9, 2020 Lets Dispel The Myths

929 views • 55 slides
CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt //

CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt //

CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt // http://yxiao.info i i f Outline Outline What is Location Privacy Basic Techniques Private Information Retrieval Probabilistic

415 views • 24 slides
Security and Privacy at WINLAB Security and Privacy at WINLAB Wade Trappe Overview and Lead-

Security and Privacy at WINLAB Security and Privacy at WINLAB Wade Trappe Overview and Lead-

Security and Privacy at WINLAB Security and Privacy at WINLAB Wade Trappe Overview and Lead- -In In Overview and Lead Security has been one of the great detractors for wireless technologies WINLABs security initiatives:

642 views • 13 slides
Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
CSE 115 Introduction to Computer Science I Happy last day! FINAL EXAM Tuesday, December 11,

CSE 115 Introduction to Computer Science I Happy last day! FINAL EXAM Tuesday, December 11,

CSE 115 Introduction to Computer Science I Happy last day! FINAL EXAM Tuesday, December 11, 2018 7:15 PM - 10:15 PM SOUTH CAMPUS (Bus schedules posted) Room assignments ROOM LAST NAMES DFN 146 Abbot - Deslippe DFN 147 Dingel -

387 views • 13 slides
Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random research, rants, etc. Nmap dev news Password database I post updates to Twitter https://twitter.com/iagox86 My job... Tenable Network Security

990 views • 88 slides
CSCI-UA.9480 Introduction to Computer Security Session 1.1 One-Way Functions and Hash Functions

CSCI-UA.9480 Introduction to Computer Security Session 1.1 One-Way Functions and Hash Functions

CSCI-UA.9480 Introduction to Computer Security Session 1.1 One-Way Functions and Hash Functions Prof. Nadim Kobeissi 1.1a Why Hash Functions? Describing the importance of the cryptographers Swiss Army knife. 2 CSCI-UA.9480:

569 views • 34 slides
SMART CITIES Conference route.Plexor Alen Orbani PhD UP IAM/Abelium Challenges GPS data

SMART CITIES Conference route.Plexor Alen Orbani PhD UP IAM/Abelium Challenges GPS data

SMART CITIES Conference route.Plexor Alen Orbani PhD UP IAM/Abelium Challenges GPS data from vehicles GIS data about infrastructure Logistic challenges Winter service (planning, execution) Port of Koper, container terminal

351 views • 14 slides
Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR CONSULTANTS www.XFactorConsultants.com User Authentication (Auth) The methods by which a web app verifies the identity of a user and limits their

334 views • 8 slides
Salting Loft 1 WEEK STARTS COST 1 02-Jan 420.00 2 9 420.00 3 16 420.00 4 23

Salting Loft 1 WEEK STARTS COST 1 02-Jan 420.00 2 9 420.00 3 16 420.00 4 23

Salting Loft 1 WEEK STARTS COST 1 02-Jan 420.00 2 9 420.00 3 16 420.00 4 23 420.00 5 30 420.00 6 06-Feb 420.00 7 13 470.00 8 20 420.00 9 27 420.00 10 06-Mar 420.00 11 13 420.00 12 20

624 views • 3 slides
Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7

Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7

Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7 Page 1 CS 236 Online Outline Introduction Basic authentication mechanisms Lecture 7 Page 2 CS 236 Online Introduction Much of

799 views • 30 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides

More recommend