
CHAPTER 4 Specific cybersecurity topics – database security, malware analysis, BYOD

Database security

Database security refers to the range of tools, controls, and measures designed to establish and preserve database confidentiality, integrity, and availability.

Database security must address and protect the following:
- The data in the database
- The database management system (DBMS)
- Any associated applications
- The physical database server and/or the virtual database server and the underlying hardware
- The computing and/or network infrastructure used to access the database

Complexity

Database security is a complex and challenging endeavor that involves all aspects of information security technologies and practices. It’s also naturally at odds with database usability. The more accessible and usable the database, the more vulnerable it is to security threats; the more invulnerable the database is to threats, the more difficult it is to access and use. (This paradox is sometimes referred to as Anderson’s Rule.)

Why is it important

By definition, a data breach is a failure to maintain the confidentiality of data in a database. How much harm a data breach inflicts on your enterprise depends on a number of consequences or factors:

- Compromised intellectual property: Your intellectual property (trade secrets, inventions, proprietary practices) may be critical to your ability to maintain a competitive advantage in your market. If that intellectual property is stolen or exposed, your competitive advantage may be difficult or impossible to maintain or recover.
- Damage to brand reputation: Customers or partners may be unwilling to buy your products or services (or do business with your company) if they don’t feel they can trust you to protect your data or theirs.
- Business continuity (or lack thereof): Some businesses cannot continue to operate until a breach is resolved.
- Fines or penalties for non-compliance: The financial impact of failing to comply with global regulations such as the Sarbanes-Oxley Act (SOX) or the Payment Card Industry Data Security Standard (PCI DSS), industry-specific data privacy regulations such as HIPAA, or regional data privacy regulations such as Europe’s General Data Protection Regulation (GDPR) can be devastating, with fines in the worst cases exceeding several million dollars per violation.
- Costs of repairing breaches and notifying customers: In addition to the cost of communicating a breach to customers, a breached organization must pay for forensic and investigative activities, crisis management, triage, repair of the affected systems, and more.

Common threats and challenges

Many software misconfigurations, vulnerabilities, or patterns of carelessness or misuse can result in breaches. The following are among the most common types of database security attacks and their causes.

Insider threats

An insider threat is a security threat from any one of three sources with privileged access to the database:
- A malicious insider who intends to do harm
- A negligent insider who makes errors that make the database vulnerable to attack
- An infiltrator—an outsider who somehow obtains credentials via a scheme such as phishing or by gaining access to the credential database itself

Insider threats are among the most common causes of database security breaches and are often the result of allowing too many employees to hold privileged user access credentials.

Human error

Accidents, weak passwords, password sharing, and other unwise or uninformed user behaviors continue to be the cause of nearly half (49%) of all reported data breaches.

Exploitation of database software vulnerabilities

Hackers make their living by finding and targeting vulnerabilities in all kinds of software, including database management software.
All major commercial database software vendors and open source database management platforms issue regular security patches to address these vulnerabilities, but failure to apply these patches in a timely fashion can increase your exposure.

SQL/NoSQL injection attacks

A database-specific threat, these involve the insertion of arbitrary SQL or non-SQL attack strings into database queries served by web applications or HTTP headers. Organizations that don’t follow secure web application coding practices and perform regular vulnerability testing are open to these attacks.

Buffer overflow exploitations

A buffer overflow occurs when a process attempts to write more data to a fixed-length block of memory than it is allowed to hold. Attackers may use the excess data, stored in adjacent memory addresses, as a foundation from which to launch attacks.

Denial of service (DoS/DDoS) attacks

In a denial of service (DoS) attack, the attacker deluges the target server—in this case the database server—with so many requests that the server can no longer fulfill legitimate requests from actual users, and, in many cases, the server becomes unstable or crashes.

Malware

Malware is software written specifically to exploit vulnerabilities or otherwise cause damage to the database. Malware may arrive via any endpoint device connecting to the database’s network.

Attacks on backups

Organizations that fail to protect backup data with the same stringent controls used to protect the database itself can be vulnerable to attacks on backups.

These threats are exacerbated by the following:
- Growing data volumes: Data capture, storage, and processing continue to grow exponentially across nearly all organizations. Any data security tools or practices need to be highly scalable to meet near- and distant-future needs.
- Infrastructure sprawl: Network environments are becoming increasingly complex, particularly as businesses move workloads to multicloud or hybrid cloud architectures, making the choice, deployment, and management of security solutions ever more challenging.
- Increasingly stringent regulatory requirements: The worldwide regulatory compliance landscape continues to grow in complexity, making adhering to all mandates more difficult.
- Cybersecurity skills shortage: Experts predict there may be as many as 8 million unfilled cybersecurity positions by 2022.

Best practices

Because databases are nearly always network-accessible, any security threat to any component within or portion of the network infrastructure is also a threat to the database, and any attack impacting a user’s device or workstation can threaten the database. Thus, database security must extend far beyond the confines of the database alone.

When evaluating database security in your environment to decide on your team’s top priorities, consider each of the following areas:
- Physical security: Whether your database server is on-premises or in a cloud data center, it must be located within a secure, climate-controlled environment. (If your database server is in a cloud data center, your cloud provider will take care of this for you.)
- Administrative and network access controls: The practical minimum number of users should have access to the database, and their permissions should be restricted to the minimum levels necessary for them to do their jobs. Likewise, network access should be limited to the minimum level of permissions necessary.
- End user account/device security: Always be aware of who is accessing the database and when and how the data is being used. Data monitoring solutions can alert you if data activities are unusual or appear risky.
All user devices connecting to the network housing the database should be physically secure (in the hands of the right user only) and subject to security controls at all times.
- Encryption: ALL data—including data in the database and credential data—should be protected with best-in-class encryption while at rest and in transit. All encryption keys should be handled in accordance with best-practice guidelines.
- Database software security: Always use the latest version of your database management software, and apply all patches as soon as they are issued.
- Application/web server security: Any application or web server that interacts with the database can be a channel for attack and should be subject to ongoing security testing and best practice management.
- Backup security: All backups, copies, or images of the database must be subject to the same (or equally stringent) security controls as the database itself.
- Auditing: Record all logins to the database server and operating system, and log all operations performed on sensitive data as well. Standard database security audits should be performed regularly.

Malware analysis

Malware is a combination of two terms: malicious and software. Malware therefore means malicious software: any intrusive program code or anything else designed to perform malicious operations on a system. Malware can be divided into two categories:
1. Infection methods
2. Malware actions

Malware on the basis of infection method:

1. Virus – Viruses have the ability to replicate themselves by hooking onto programs on the host computer (such as songs, videos, etc.) and then travel all over the Internet. The Creeper virus was first detected on ARPANET. Examples include file viruses, macro viruses, boot sector viruses, stealth viruses, etc.

2. Trojan – The concept of a Trojan is completely different from viruses and worms.
The name Trojan is derived from the ‘Trojan Horse’ tale in Greek mythology, which explains how the Greeks were able to enter the fortified city of Troy by hiding their soldiers in a big wooden horse given to the Trojans as a gift. The Trojans were very fond of horses and trusted the gift blindly. In the night, the soldiers emerged and attacked the city from the inside. The purpose of Trojans is to conceal themselves inside software that seems legitimate; when that software is executed, they do their task of stealing information or any other purpose for which they were designed. They often provide a backdoor gateway for malicious programs or malevolent users to enter your system and steal your valuable data without your knowledge and permission. Examples include FTP Trojans, proxy Trojans, remote access Trojans, etc.

3. Bots – Bots can be seen as an advanced form of worms. They are automated processes designed to interact over the Internet without the need for human interaction. They can be good or bad. A malicious bot can infect one host and, after infecting it, will create a connection to a central server, which provides commands to all infected hosts attached to that network, called a botnet.

Malware on the basis of actions:

1. Adware – Adware is not exactly malicious, but it does breach the privacy of users. It displays ads on a computer’s desktop or inside individual programs. It comes attached with free-to-use software and is thus the main source of revenue for such developers. It monitors your interests and displays relevant ads. An attacker can embed malicious code inside the software, and adware can then monitor your system activities and even compromise your machine.

2. Spyware – Spyware is a program that monitors your activities on the computer and reveals the collected information to an interested party. Spyware is generally dropped by Trojans, viruses, or worms. Once dropped, it installs itself and sits silently to avoid detection.
One of the most common examples of spyware is the KEYLOGGER. The basic job of a keylogger is to record user keystrokes with timestamps, thus capturing interesting information like usernames, passwords, credit card details, etc.

3. Ransomware – Ransomware is a type of malware that will either encrypt your files or lock your computer, making it inaccessible either partially or wholly. A screen is then displayed asking for money, i.e. a ransom, in exchange.

4. Scareware – Scareware masquerades as a tool to help fix your system, but when the software is executed it will infect your system or completely destroy it. The software displays a message to frighten you and force you to take some action, such as paying them to fix your system.

5. Rootkits – Rootkits are designed to gain root access, or in other words administrative privileges, on the user’s system. Once root access is gained, the exploiter can do anything from stealing private files to stealing private data.

6. Zombies – Zombies work similarly to spyware. The infection mechanism is the same, but they don’t spy and steal information; rather, they wait for commands from hackers.

What is Bring Your Own Device (BYOD)?

Bring your own device (BYOD) refers to the trend of employees using personal devices to connect to their organizational networks and access work-related systems and potentially sensitive or confidential data. Personal devices could include smartphones, personal computers, tablets, or USB drives.

Why is BYOD Security Important?

BYOD security is an important topic for organizational leaders because personal devices are likely to enter the workplace whether sanctioned by IT or not. In many cases, BYOD solutions can improve employee productivity and morale. But, left unaddressed by IT, personal device access to an organization’s network can present serious security challenges.
As more and more organizations support employees working from home, maintaining a flexible schedule, or connecting on the go while on work travel or commutes, BYOD solutions have become more prevalent. Some companies may sanction BYOD, while others may consider it part of “shadow IT,” which refers to software or hardware not supported by IT.

BYOD Pros and Cons

The advantages of supporting BYOD within your organization include:
- Higher employee productivity, according to a study that shows a 16 percent boost in productivity over a 40-hour workweek*
- Increased employee job satisfaction and retention through supporting flexible work arrangements
- Increased employee effectiveness due to more comfort and speed with their own devices
- Upgraded technologies are integrated into the workplace without IT spend on hardware, software licensing, or device maintenance

Disadvantages of employees using personal devices on the job could include:
- Possible data breaches due to lost or stolen personal devices or employees leaving the company
- Lack of firewall or anti-virus software applied to personal devices
- Possible IT cost increases if the department determines they will offer support to personal devices
- Lack of network

BYOD policies

Most organizations have a Bring-Your-Own-Device policy for their employees. Having such systems poses multiple challenges in cyber security. Firstly, if the device is running an outdated or pirated version of the software, it is already an excellent medium for hackers to gain access. Since the device is being used for personal and professional reasons, hackers can easily access confidential business data. Secondly, these devices make it easier to access your private network if their security is compromised. Thus, organizations should let go of BYOD policies and provide secure devices to the employees, as such systems pose enormous challenges of computer security and network compromise.
How to Develop a Bring Your Own Device Policy

IT departments must address if and how they will secure personal devices and determine access levels. Most importantly, a defined BYOD security policy should inform and educate employees on how to employ BYOD without compromising organizational data or networks. Important elements of BYOD policies include:
- Types of approved devices
- Security and data ownership policies
- Levels of IT support granted to personal devices (if any)

A strong BYOD security policy should be integrated with overall IT security and acceptable use policies. As IT leaders determine the level of support they will apply to personal devices, they must ensure a balance between organizational security and employees’ personal privacy.
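As an added example that is not part of the original chapter, the SQL injection threat from the database security section and the "secure web application coding practices" countermeasure it calls for: a lookup that concatenates user input into the query text, beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table (the customers table, its rows and the function names are assumptions made for the example).

```python
"""Added example (not from the original slides): SQL injection shown as a
vulnerable lookup next to its parameterized fix, on a constructed SQLite table."""
import sqlite3

# Constructed sample data standing in for the "data in the database".
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by string concatenation, so whatever the web
    application received (the 'arbitrary SQL attack string' the slides
    describe) becomes part of the query text itself."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter: the driver ships the value
    separately from the statement, so the input can only ever be compared
    against the username column, never interpreted as SQL."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A constructed tainted input that a web form might pass straight through.
    tainted = "nobody' OR '1'='1"
    print(lookup_vulnerable(db, tainted))     # every row leaks
    print(lookup_parameterized(db, tainted))  # no row matches
```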
