Database Security Concepts & Technologies PDF

Summary

This document provides an overview of database security concepts, including relational databases, SQL injection attacks, and countermeasures. It also discusses access control and database encryption.

Full Transcript

I. Security Concepts & Technologies

Database Security

Relational Databases: Data is organized into tables consisting of rows (tuples) and columns
(attributes). Primary keys uniquely identify rows, while foreign keys link tables. Views are
virtual tables derived from queries, often used for security.

SQL: Structured Query Language is : "Standardized language to define schema, manipulate,
and query data in a relational database".It's used to define schemas, manipulate, and query
data.

SQL Injection (SQLi) Attacks: A prevalent threat that exploits vulnerabilities in web applications by
injecting malicious SQL commands to extract, modify, or delete data. Attackers use various
techniques, including:

Injection Technique : Prematurely terminating a text string “- -“ comment mark. Subsequent text
is ignored at execution time

1. Attack Avenues:

o User Input: Malicious input in web forms.

o Server Variables: Exploitation of HTTP headers.

o Cookies: Altering stored data.

o Second-Order Injection: Using existing system data to trigger attacks.

o Physical User Input: Malicious hardware-based inputs.

2. Inband Attacks: same communication channel

o Tautology: Always true conditional statements.

o End-of-Line Comments: Nullifying legitimate code.

o Piggybacked Queries: Adding malicious queries.

3. Inferential Attacks: no actual transfer observe database behavior and inferring

o Blind SQLi: Inferring data without direct responses.

o Illegal Queries: Gathering structural information through errors.

4. Out-of-Band Attack: Different channel

Quote: "One of the most prevalent and dangerous network-based security threats... Designed to
exploit the nature of Web application pages."

SQLi Countermeasures

Defensive Coding: Manual practices to sanitize inputs - Parameterized queries and SQL DOM.

Detection: Signature-based, anomaly-based, and code analysis techniques.

Run-Time Prevention: Real-time checks to validate query structures.
Access Control: Controls database access, defining user permissions (e.g., SELECT, INSERT, UPDATE,
DELETE).

Two main command types: GRANT to provide access and REVOKE to remove it.

Administration Models:

o Centralized: Privileged users manage access.

o Ownership-Based: Table creators manage rights.

o Decentralized: Owners delegate rights management.

Role-Based Access Control (RBAC) assigns roles with predefined permissions to users.

Fixed Roles: SQL Server includes pre-defined roles such as sysadmin (full control), db_owner
(all database permissions), and db_datareader (select access).

Inference: Attackers can infer sensitive data by combining non-sensitive information,
necessitating strategies to detect and prevent this indirect access.

Two Approaches to Inference Detection:

o Database design: Altering the database structure or access control, which can lead to
restrictive controls.
o Query time: Eliminating inference channels during queries, which might lead to
queries being denied.

Database Encryption: "Encryption becomes the last line of defense in database security.". Databases
are a high-value target, requiring multiple layers of security including encryption of data. Levels of
Encryption: Can be applied to the entire database, at the record level, the attribute level, or even to
individual fields.

Data Centers Security: Data center -> "An enterprise facility that houses a large number of servers,
storage devices, and network switches and equipment."

Site Security: Physical perimeters. Set backs , redundant utilities landscapping , buffer zones.

Physical Security: Surveillance, two factor authentic. and security zones within the facility.

Network Security: Firewalls, intrusion detection/prevention, and authentication.

Data Security: Encryption, password policies, and data masking techniques.

TIA-942( The Telecommunications Industry Association) specifies the minimum requirements for

telecommunications infrastructure of data centers

Defines Annual Downtime and availability based on redundancy:

1. Tier 1: Basic, non-redundant, 28.8 hours annual downtime.

2. Tier 2: Redundant components, 22.0 hours downtime.

3. Tier 3: Fault-tolerant, planned activities do not disrupt operations, 1.6 hours downtime.

4. Tier 4: Fully redundant, 0.4 hours downtime, withstands worst-case failures.
II. Malicious Software (Malware)

Definition : "a program that is inserted into a system, usually covertly, with the intent of
compromising the confidentiality, integrity, or availability of the victim’s data"

Classification of Malware : first on how it spreads or propagates , Then on the actions or payloads it
performs

Those that need a host program (parasitic code such as viruses)

Those that are independent,self-contained programs (worms, trojans, and bots)

Malware that does not replicate (trojans and spam e-mail)

Malware that does replicate (viruses and worms)

Trojans: Programs disguised as useful software but hiding malicious functionality.

Attack Kits (Crimeware): "Set of tools for generating new malware automatically." These kits facilitate
the creation and deployment of malware, even by less skilled individuals. Ex. Zeus ,Angler

Advanced Persistent Threats (APTs): sophisticated, targeted attacks by state-sponsored organizations
or criminal enterprises (usually business or political). Include Aurora, RSA, APT1, and Stuxnet

Viruses: Malware that replicates itself into other executable code, infects programs. (requiring a host
program).

Components : Infection mechanism (which a virus spreads or propagates) , trigger-logic
bomb (Event or condition that determines when the payload is activated) , ayload (What the
virus does)
Phases: Dormant (virus idle), Triggering (Virus is activated to perform), Propagation(Virus
places a copy of itself into other programs) , Execution (Function is performed)

Macro and Scripting Viruses: “a virus that attaches itself to documents and uses the macro
programming capabilities of the document’s application to execute and propagate”. Platform
independent, infect documents, easy to spread.

Worms: Worms are described as self-replicating programs that exploit vulnerabilities in systems and
spread through networks and shared media (USB drives, CD, DVD data disks).

Various methods of worm replication are listed (email, instant messages, file sharing, remote
execution, remote file access, remote login).

Target discovery methods used by worms are identified (random, hit-list, topological, local
subnet).

Morris Worm (1988): Exploited UNIX vulnerabilities.

WannaCry (2017): Ransomware worm exploiting SMB vulnerabilities. Slowed by ”kill-switch”

Technology: Modern worms exhibit features like multi-platform support, multi-exploit
capabilities, rapid spread, polymorphism, and metamorphism.

Mobile Code: Software that executes on multiple heterogeneous platforms; a common vehicle for
malware. Examples include Java applets, ActiveX, JavaScript, and VBScript. It often takes advantage of
vulnerabilities to perform exploits. mobile phone worms and trojans, highlighting their ability to
disable phones, delete data, or send costly messages, often spreading through Bluetooth or MMS.

Drive-by-downloads exploit browser and plugin vulnerabilities to install malware when users visit
compromised websites.

Watering-hole attacks are targeted drive-by-downloads where attackers compromise websites
frequently visited by their intended victims.

Malvertising involves placing malware in online advertisements, allowing attackers to infect website
visitors without directly compromising the website itself.

Clickjacking is a UI redress attack where attackers trick users into clicking on hidden elements, leading
to unwanted actions, such as adjusting computer settings or visiting malicious websites

Social engineering is the art of "tricking" users into compromising their own systems, often through
spam emails, phishing or trojan horses.

Specific Malware Examples and Payloads

Specific malware examples are provided to illustrate the different categories, such as:

Chernobyl Virus: A destructive parasitic memory-resident virus that rewrites BIOS code, resulting
in file system corruption

Klez: A mass-mailing worm that stops anti-virus programs

Ransomware: Encrypts data, demanding payment for decryption.. Ex. WannaCry

Payloads : Malicious actions such as data corruption, system damage, data theft, becoming a
bot/zombie agent, or ransomware demands. Categories :

System Corruption: Data destruction, real-world damage, logic bombs.

Attack Agents (Bots): Used for DDoS attacks, spamming, and more. Bots are distinguished from
worms by their remote control facility.

Information Theft: Keyloggers, spyware, phishing.

Stealthing Techniques

Backdoors (trapdoors): Secret entry points allowing attackers to bypass security measures.

Rootkits: Tools used to gain root-level access, allowing control over the compromised system.

Bots & Botnets: Compromised computers controlled by an attacker, often forming botnets used for
attacks.

Malware Countermeasures: Prevention (ideal solution)

Detection, Identification, Removal

Policy, Awareness, Vulnerability mitigation

Anti-virus software

Sandbox analysis

Egress monitors
III. Denial-of-Service (DoS) Attacks

Definition: DoS attacks aim to prevent or impair the authorized use of network, systems, or
applications by exhausting resources.

Attack Categories:

Network Bandwidth: Overwhelming network links (e.g., flooding ping).

System Resources: Overloading or crashing the software (e.g., SYN spoofing).

Application Resources: Consuming resources by valid requests (e.g. HTTP floods)

Classic DoS Attacks:

Flooding (Ping Flood): Intent is to overload the network capacity on some link to a server
with ICMP-uses echo request packets- (ping flood), UDP, or TCP (SYN flood).

Source Address Spoofing: Uses forged source addresses to make attacks harder to identify.

SYN Spoofing: Exploits the TCP handshake by flooding a server with SYN requests from
spoofed addresses.

Reflection Attacks:Attacker sends packets to an intermediary service with a spoofed source
address, causing the intermediary to send responses to the actual target.

DNS Amplification Attacks: Exploit DNS behavior to convert a small request to a much larger
response (amplification).

Distributed Denial-of-Service (DDoS): Uses multiple systems (botnets-zombies) to generate attacks.

HTTP-based Attacks: Exploit web servers using HTTP requests.

Slowloris: Attempts to monopolize by sending HTTP requests that never complete.

o Exploit services (e.g., DNS) to amplify small requests into much larger responses,
flooding the target.

Defense Strategies

1. Prevention:

o Block spoofed IP addresses near their source.

o Use cryptographic tokens (cookies) in TCP connections to ensure legitimacy.

o Employ CAPTCHAs to prevent automated attacks.

o Good system security practices (e.g., mirrored servers, replication).

2. Detection:

o Use network monitors and intrusion detection systems (IDS) to identify abnormal
traffic patterns.

3. Response:

o Identify the attack type by analyzing traffic.

o Implement traffic filters upstream to block malicious packets.
 o Utilize alternate servers or backup systems during an attack.

Responding to DoS Attacks

1. Incident Response Planning:

o Maintain contact information for ISPs to coordinate filtering efforts.

o Prepare contingency plans (e.g., alternate servers).

2. Tracing and Mitigation:

o Trace packets to their source (challenging but essential for legal action).

o Update response plans based on post-attack analysis.

IV. Intrusion Detection and Prevention

Intrution Detection : A hardware or software function that gathers and analyzes information from
various areas within a computer or a network to identify possible security intrusions.

Classes of Intruders

Intruders can be categorized into different groups based on their motivations and methods:

Cyber Criminals: Individuals or groups focused on financial gain through identity theft,
corporate espionage, and data ransoming.

Activists (Hacktivists): Attackers motivated by social or political causes, often engaging in
website defacement, denial-of-service (DoS) attacks, or data leaks.

State-Sponsored Attackers: Government-backed hackers (Advanced Persistent Threats - APTs)
engaged in espionage or sabotage.

Other Hackers: Includes classic hackers driven by technical challenges or peer recognition, as
well as "hobby hackers" using attack toolkits.

Intruder Skill Levels

Apprentices (Script Kiddies): Low-skilled attackers who use pre-made attack tools.

Journeymen: Have moderate skills, capable of modifying tools and exploiting known
vulnerabilities.

Masters: Highly skilled hackers who create new attack methods and are difficult to defend
against.

Intrusion Detection Concepts

Security Intrusion: Any unauthorized bypassing of security mechanisms.

Intrusion Detection: Hardware/software system that monitors activities in a system or
network to identify suspicious behavior.
Intrusion Detection System (IDS) Components

Sensors: Collect security-related data.

Analyzers: Process data to detect intrusions.

User Interface: Displays alerts and allows administrative control.

Types of Intrusion Detection Systems (IDS)

Host-Based IDS (HIDS): Monitors a single system for suspicious activities. Adds an extra
security layer to sensitive systems. Detects both external and internal threats

Network-Based IDS (NIDS): Monitors network traffic for anomalies.

Distributed/Hybrid IDS: Combines HIDS and NIDS for improved detection capabilities.

Intrusion Detection Analysis Approaches

1. Anomaly Detection : Compares current user behavior against historical normal behavior.
Uses statistical, knowledge-based, or machine-learning techniques.

2. Signature/Heuristic Detection Matches observed behavior against a database of known
attack patterns. Used in antivirus software and NIDS.

Intrusion Detection Techniques

Signature Detection: Identifies known threats (e.g., scanning, worms, policy violations).

Anomaly Detection: Detects unexpected behavior (e.g., DoS attacks, application exploits).

Stateful Protocol Analysis (SPA): Compares network traffic to predefined protocol standards
to detect anomalies.

IETF Intrusion Detection Working Group defined protocols for sharing intrusion data :

o RFC 4765 (Intrusion Detection Message Exchange Format - IDMEF)

o RFC 4766 (Exchange Requirements)

o RFC 4767 (Intrusion Detection Exchange Protocol - IDXP)

Honeypots : Decoy systems designed to lure attackers and study their behavior.

Low Interaction Honeypots: Simulated systems that imitate services.

High Interaction Honeypots: Fully functional systems used to attract attackers for extended
periods.

Snort IDS

Snort is a popular open-source NIDS. Uses rules to define intrusion patterns and classify
network traffic. Snort Rule Actions include alert, log, pass, drop, and reject.
V. Firewalls and Intrusion Prevention Systems (IPS)

Firewall: All traffic from inside to outside, and vice versa, must pass through the firewall. Only
authorized traffic as defined by the local security policy will be allowed to pass. Designed to create a
"controlled link" between a premises network and the Internet.

Firewall Access Policy: Defines the traffic types allowed, including address ranges, protocols,
applications, and content types.

Quote: "Lists the types of traffic authorized to pass through the firewall... This policy should
be developed from the organization’s information security risk assessment and policy"

Filtering Characteristics: Firewalls use different methods to filter traffic:

IP Address and Protocol Values: Used by packet filters and stateful inspection firewalls to
limit access to specific services.

Application Protocol: Used by application-level gateways to monitor traffic for specific
protocols.

User Identity: Typically used for internal users who authenticate using some secure
technology.

Network Activity: Controls access based on considerations such as time, request rates, or
other patterns.

Firewall Limitations: Cannot protect against attacks that bypass it, may not fully protect against
internal threats, wireless LAN security issues, or when laptops are infected outside the network.

Firewall Types:

Packet Filtering Firewall: Applies rules to each IP packet, based on IP/TCP headers and either
discards or forwards based on the rules. Adv. Simplicity

Stateful Inspection Firewall: Tightens rules for TCP traffic by tracking the state of established
connections. It reviews packet information and records information about TCP connections
including "TCP sequence numbers" to prevent attacks.

Application-level Gateway (Proxy): Works at the application layer by processing traffic
between the client and the destination server.

Circuit-level Gateway: Works at the session layer by creating an external and internal
connection and relays TCP connections between internal and external systems.

Bastion Hosts: Critical, hardened systems that serve as platforms for application-level or circuit-level
gateways. They run secure operating systems with only essential services.

Host-Based Firewalls: Secure individual hosts by filtering packet flows. They can be tailored to
specific host environments and add an extra layer of protection and can be implemented on
"servers".

Personal Firewalls: Control traffic between a personal computer and a network, typically as a
software module, or on a router. Their primary role is to "deny unauthorized remote access."
Firewall Topologies

Screening Router: Single firewall at network boundaries.

Single Bastion Inline: A firewall between an internal and external router.

Single Bastion T: A firewall with a DMZ (Demilitarized Zone) for public-facing services.

Double Bastion Inline: Two firewalls sandwiching a DMZ.

Distributed Firewalls: Used by large enterprises for multilayer protection.

Intrusion Prevention Systems (IPS): An extension of an IDS that blocks detected malicious activity by
leveraging the same algorithms as an IDS.

Types: host-based, network-based, and distributed.

Host-based IPS (HIPS): Uses signature/heuristic or anomaly detection to identify attacks.
They aim to protect against "Modification of system resources", "Privilege-escalation
exploits", and "Buffer-overflow exploits". HIPS can be tailored to the specific platform and
may use sandboxing.

Network-based IPS (NIPS): Are inline NIDS that can "modify or discard packets and tear down
TCP connections. Uses pattern matching, stateful matching, protocol/traffic anomaly, and
statistical anomaly detection.

Digital Immune System: Comprehensive defense against malware, developed by IBM, for the
automation of detection and response to malware.

Snort Inline: Enables Snort to function as an IPS. Drops ,Reject , Sdrop

Unified Threat Management (UTM): A single appliance that incorporates multiple security functions
(firewall, VPN, IPS, web filtering, etc.).