Chapter 15 - Data Security Controls PDF
Summary
This document covers the data security controls taught in Module 15 of the Certified Cybersecurity Technician (Exam 212-82) course: implementing transparent data encryption (TDE) in Oracle (wallet location, sqlnet.ora setting, master key commands, encrypted columns), encrypting data in transit, how a browser establishes a secure HTTP session using a digital certificate, and the types of SSL certificate (standard DV/OV and Extended Validation).
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Data Security

Implementation of Transparent Data Encryption in Oracle

- Transparent data encryption (TDE) enables the encryption of one or more table columns or a tablespace
- On inserting data in an encrypted column, TDE automatically encrypts the data
- On selecting the encrypted column, the data is automatically decrypted

To implement transparent database encryption:
- Create a wallet file location to store all encryption key information
- Specify the location of the wallet in the sqlnet.ora file located in the NETWORK/admin folder:
  ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = C:\orc\orcl_wallet)))
- Run the commands to create, open, and set the master key

Transparent data encryption (TDE) enables the encryption of one or more table columns, or a tablespace. On inserting data in an encrypted column, TDE automatically encrypts the data. On selecting the encrypted column, the data is automatically decrypted. To implement TDE in Oracle, the user has to create a keystore to store the master encryption key and set a master key. The keystore is a type of operating system file stored outside the database. TDE uses this keystore to encrypt data in the database.

Module 15 Page 1800 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
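The mechanism described above, as an added example that is not part of the course material and not Oracle's implementation: a small Python model built on SQLite in which the master key sits in a password-protected keystore file outside the database, a column marked ENCRYPT is encrypted on INSERT and decrypted on SELECT, and that column becomes unreadable while the keystore is closed. The names Keystore, TdeDatabase and demo, the file name keystore.bin, the password and the employee row are all constructed for the example, and the HMAC-SHA256 keystream is a stand-in for AES so that the script needs only the standard library.

```python
"""Model of transparent column encryption with an external keystore, built on SQLite.

Added example, not from the course and not Oracle's implementation. The master key
lives in a password-protected keystore file outside the database; an INSERT into a
column marked ENCRYPT stores ciphertext, a SELECT returns plaintext, and both fail
while the keystore is closed. A toy HMAC-SHA256 keystream stands in for AES so the
script runs on the standard library alone; it is not a real cipher."""
import hashlib, hmac, json, os, secrets, sqlite3, tempfile

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Keystore:
    """Master key kept in an OS file outside the database, like an Oracle wallet."""

    def __init__(self, path: str):
        self.path, self.master_key = path, None  # key is in memory only while open

    def create(self, password: str) -> None:
        """Create the keystore and set a fresh master key, wrapped under the password."""
        salt, master = secrets.token_bytes(16), secrets.token_bytes(32)
        wk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        tag = hmac.new(wk, master, hashlib.sha256).digest()  # lets open() detect a wrong password
        with open(self.path, "wb") as f:
            f.write(salt + tag + keystream_xor(wk, b"wallet", master))

    def open(self, password: str) -> None:
        with open(self.path, "rb") as f:
            salt, tag, wrapped = f.read(16), f.read(32), f.read()
        wk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        master = keystream_xor(wk, b"wallet", wrapped)
        if not hmac.compare_digest(tag, hmac.new(wk, master, hashlib.sha256).digest()):
            raise ValueError("wrong keystore password")
        self.master_key = master

    def close(self) -> None:
        self.master_key = None

class TdeDatabase:
    """SQLite connection that encrypts marked columns on INSERT and decrypts on SELECT.
    Table and column names are program constants here, never user input."""

    def __init__(self, keystore: Keystore):
        self.con, self.ks, self.encrypted = sqlite3.connect(":memory:"), keystore, {}

    def _key(self) -> bytes:
        if self.ks.master_key is None:  # Oracle reports this as ORA-28365: wallet is not open
            raise RuntimeError("keystore is not open")
        return self.ks.master_key

    def create_table(self, table: str, columns: dict) -> None:
        # columns maps name -> truthy when the column is to be stored encrypted (ENCRYPT)
        self.encrypted[table] = {c for c, enc in columns.items() if enc}
        self.con.execute(f"CREATE TABLE {table} ({', '.join(columns)})")

    def insert(self, table: str, row: dict) -> None:
        values = []
        for col, val in row.items():
            if col in self.encrypted[table]:
                nonce = secrets.token_bytes(8)  # fresh per cell, stored in front of the ciphertext
                val = nonce + keystream_xor(self._key(), nonce, json.dumps(val).encode())
            values.append(val)
        marks = ", ".join("?" for _ in row)
        self.con.execute(f"INSERT INTO {table} ({', '.join(row)}) VALUES ({marks})", values)

    def select(self, table: str) -> list:
        cur = self.con.execute(f"SELECT * FROM {table}")
        names = [d[0] for d in cur.description]
        rows = []
        for rec in cur.fetchall():
            row = dict(zip(names, rec))
            for col in self.encrypted[table]:
                blob = row[col]
                row[col] = json.loads(keystream_xor(self._key(), blob[:8], blob[8:]))
            rows.append(row)
        return rows

def demo(keystore_path: str = None) -> dict:
    """Create and open the keystore, CREATE TABLE with an ENCRYPT column, INSERT, SELECT, close."""
    path = keystore_path or os.path.join(tempfile.mkdtemp(), "keystore.bin")
    ks = Keystore(path)
    ks.create("wallet-password")  # create the keystore and set the master key
    ks.open("wallet-password")    # equivalent of SET KEYSTORE OPEN
    db = TdeDatabase(ks)
    db.create_table("employee", {"first_name": 0, "last_name": 0, "empID": 0, "salary": 1})
    db.insert("employee", {"first_name": "Ada", "last_name": "Lovelace", "empID": 1, "salary": 90000})
    result = {"path": path, "decrypted": db.select("employee")[0]["salary"],
              "stored": db.con.execute("SELECT salary FROM employee").fetchone()[0]}
    ks.close()  # with the keystore closed, the encrypted column is unreadable
    try:
        db.select("employee")
        result["closed_error"] = None
    except RuntimeError as exc:
        result["closed_error"] = str(exc)
    return result
```

Calling demo() returns the decrypted salary (90000), the raw bytes actually stored for that cell (a per-cell nonce followed by ciphertext) and the error raised once the keystore is closed. That is the property TDE provides: a copy of the database file or a backup is useless without the keystore, which is also why the keystore file and its password have to be protected and backed up separately from the database.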
Figure 15.38: Creating a wallet file location (screenshot of C:\orc\NETWORK\ADMIN\sqlnet.ora open in Notepad++, with the orcl_wallet folder created under C:\orc). The file reads:

  # sqlnet.ora Network Configuration File: C:\orc\NETWORK\ADMIN\sqlnet.ora
  # Generated by Oracle configuration tools.
  # This file is actually generated by netca. But if customers choose to
  # install "Software Only", this file wont exist and without the native
  # authentication, they will not be able to connect to the database on NT.
  SQLNET.AUTHENTICATION_SERVICES= (NTS)
  NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
  ENCRYPTION_WALLET_LOCATION =(SOURCE =(METHOD = FILE) (METHOD_DATA = (DIRECTORY = C:\orc\orcl_wallet)))

Figure 15.39: Creating and setting the master key (SQL*Plus screenshot showing three ADMINISTER KEY MANAGEMENT statements: one creates the keystore, one opens it with SET KEYSTORE OPEN IDENTIFIED BY <password>, and one sets the master key with SET KEY IDENTIFIED BY <password>; each is answered with "keystore altered")

Creating a New Table with an Encrypted Column Using the Default Algorithm (AES192)

  CREATE TABLE employee (
      first_name VARCHAR2(128),
      last_name VARCHAR2(128),
      empID NUMBER,
      salary NUMBER(6) ENCRYPT
  );

Figure 15.40: Creating new table with an encrypted column

Adding Encrypted Columns to Existing Tables

  ALTER TABLE employee ADD (ssn VARCHAR2(11) ENCRYPT);

Figure 15.41: Adding encrypted column

Encrypting "Data in Transit"

- Protecting data in transit is more challenging than protecting data at rest
- Data in transit can be secured by encrypting the data prior to sending and using secured tunnels such as HTTPS, SSL/TLS, and VPNs

Data are said to be in transit when travelling from one system to another in internal, external, or private networks. Protecting data in transit is more challenging than protecting data at rest. This type of data can be secured by encrypting the data prior to transmitting/sending and using secured tunnels such as HTTPS, SSL/TLS, and VPNs.
Secure HTTP Connection using Digital Certificate

[Slide figure: SSL certificate types. A Standard SSL Certificate (Domain Validation (DV) or Organizational Validation (OV)) is contrasted with an Extended Validation (EV) SSL Certificate. Screenshot of https://www.google.com: the padlock is activated, indicating the connection between the server and the browser is secure, and the standard HTTP is changed to HTTPS, indicating that the connection between the servers must be secured with SSL. Screenshot of https://www.overstock.com with an EV certificate: the website owner's legally incorporated company name, "Overstock.com, Inc. [US]", is displayed on the address bar.]

1. The browser makes the connection to a web server by sending it a message, indicating that a secure session (SSL) is requested.
2. The web server responds by sending a copy of its root certificate along with the server's public key.
3. The browser verifies the certificate by checking whether it is valid and has been signed by a certificate authority (CA). It also verifies the certificate's expiry date.
4. The browser creates, encrypts, and sends a one-time session key along with the server's public key.
5. The server uses its private key to decrypt the session key, and sends back an acknowledgment encrypted with the session key to begin an encrypted session.
6. Now, the browser and server can securely transmit data with the session key.
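The six steps above, as an added example that is not part of the course material: a Python model in which a constructed CA signs a certificate for a constructed server, and the browser side verifies the CA signature and the expiry date, sends a one-time session key encrypted under the server's public key, and checks the acknowledgement that comes back under the session key. Textbook RSA over fixed Mersenne primes (no padding) and a one-block SHA-256 keystream stand in for the real algorithms so the exchange can be traced offline; the names Server, browser_connect, build_scenario, "Example CA" and www.example.com are all assumptions made for the example.

```python
"""Step-by-step model of the certificate-based session setup described above.

Added example, not from the course. The CA, server key pair, certificate and
'browser' are all constructed here. Textbook RSA over fixed Mersenne primes with
no padding stands in for the real public-key algorithm, and a one-block SHA-256
keystream stands in for the session cipher, so the six steps can be traced
offline; neither stand-in is usable as real cryptography."""
import hashlib, json, secrets

E = 65537
# Mersenne primes, big enough that a 128-bit session key or digest fits in one block.
SERVER_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)
CA_PRIMES = ((1 << 107) - 1, (1 << 127) - 1)

def rsa_keypair(p: int, q: int):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def rsa_apply(key, m: int) -> int:
    n, exp = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exp, n)

def body_digest(body: dict) -> int:
    return int.from_bytes(hashlib.sha256(json.dumps(body, sort_keys=True).encode()).digest()[:16], "big")

def issue_certificate(ca_priv, issuer: str, subject: str, server_pub, not_after: str) -> dict:
    body = {"issuer": issuer, "subject": subject, "public_key": list(server_pub), "not_after": not_after}
    return {"body": body, "signature": rsa_apply(ca_priv, body_digest(body))}

def verify_certificate(cert: dict, trusted_cas: dict, today: str):
    """Step 3: a valid signature from a trusted CA, and an expiry date not yet passed."""
    body = cert["body"]
    ca_pub = trusted_cas.get(body["issuer"])
    if ca_pub is None:
        return False, "issuer not trusted"
    if rsa_apply(ca_pub, cert["signature"]) != body_digest(body):
        return False, "bad signature"
    if body["not_after"] < today:  # ISO-8601 dates compare correctly as strings
        return False, "expired"
    return True, "ok"

def sym_encrypt(key: bytes, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(8)  # messages in this model are at most 32 bytes
    return nonce + bytes(a ^ b for a, b in zip(msg, hashlib.sha256(key + nonce).digest()))

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(blob[8:], hashlib.sha256(key + blob[:8]).digest()))

class Server:
    def __init__(self, cert: dict, priv):
        self.cert, self.priv, self.session_key = cert, priv, None

    def hello(self, request: str) -> dict:
        """Step 2: answer the secure-session request with the certificate (public key inside)."""
        return self.cert

    def key_exchange(self, encrypted_key: int) -> bytes:
        """Step 5: recover the session key with the private key, then acknowledge under it."""
        self.session_key = rsa_apply(self.priv, encrypted_key).to_bytes(16, "big")
        return sym_encrypt(self.session_key, b"ACK")

def browser_connect(server: Server, trusted_cas: dict, today: str):
    """Steps 1-6 from the browser's side; returns (session key or None, transcript)."""
    log = ["browser -> server: secure session requested"]
    cert = server.hello("secure session requested")                       # steps 1-2
    log.append(f"server -> browser: certificate for {cert['body']['subject']}")
    ok, why = verify_certificate(cert, trusted_cas, today)                 # step 3
    log.append(f"browser: certificate {'accepted' if ok else 'rejected: ' + why}")
    if not ok:
        return None, log
    session_key = secrets.token_bytes(16)                                   # step 4
    ack = server.key_exchange(rsa_apply(tuple(cert["body"]["public_key"]), int.from_bytes(session_key, "big")))
    log.append("browser -> server: session key encrypted with the server's public key")
    if sym_decrypt(session_key, ack) != b"ACK":                            # step 5
        return None, log + ["browser: acknowledgement failed"]
    log.append("server -> browser: ACK under the session key; encrypted session begins")  # step 6
    return session_key, log

def build_scenario():
    """Constructed CA and server: 'Example CA' signs a certificate for www.example.com."""
    ca_pub, ca_priv = rsa_keypair(*CA_PRIMES)
    srv_pub, srv_priv = rsa_keypair(*SERVER_PRIMES)
    cert = issue_certificate(ca_priv, "Example CA", "www.example.com", srv_pub, "2031-12-31")
    return Server(cert, srv_priv), {"Example CA": ca_pub}

if __name__ == "__main__":
    server, trusted = build_scenario()
    for line in browser_connect(server, trusted, "2026-01-01")[1]:
        print(line)
```

browser_connect returns the session key and a transcript of both sides' messages; when a certificate is rejected the transcript records which of the step 3 checks failed (untrusted issuer, bad signature, expired), which is what a practitioner looks for first when a client refuses a connection. Real TLS additionally negotiates cipher suites and, in current versions, derives the session key from an ephemeral key exchange rather than sending it under the server's public key; the model follows the course's description of the exchange.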
Figure 15.42: SSL certificates (diagram: an SSL Certificate is either a Standard SSL Certificate, which is in turn a Domain Validation (DV) SSL Certificate or an Organizational Validation (OV) SSL Certificate, or an Extended Validation (EV) SSL Certificate)

Standard SSL Certificate

This certificate is validated and issued rapidly by the CA, and is ideal for small and medium-sized businesses. A standard SSL certificate displays HTTPS instead of HTTP and a padlock. It is either domain validated or has an organizational validity.

- Domain-validated (DV) SSL certificate: The CA verifies only the domain ownership and gives the certificate within a few minutes. This certificate ensures that the website safeguards the user privacy.
- Organization-validated (OV) SSL certificate: The CA requires important business documents for validation in order to issue this certificate. This certificate is more trusted than the normal DV SSL certificate. This certificate safeguards user confidentiality and increases the trust on the website.

Figure 15.43: Standard SSL Certificate (screenshot of https://www.google.com: the padlock is activated, indicating the connection between the server and the browser is secure; the standard HTTP is changed to HTTPS, indicating that the connection between the servers must be secured with SSL)

Extended Validation (EV) SSL Certificate

EV SSL is the most reliable and recommended SSL certificate. It verifies the company name in the URL and delivers a 256-bit robust encryption, which safeguards the confidentiality of the users and increases the trust and confidence in the website.

Characteristic Features of EV SSL
- The web address bar should have HTTPS
- The address bar contains the organization name
- The URL contains the company name
- The certificate information has the CA name