
Welcome to Database Scanner 4.1



  1. Welcome to Database Scanner 4.1 Database Scanner

  2. Course Objectives
  • Install and configure Database Scanner
  • List Database Scanner components
  • Determine database security vulnerabilities
  • Correlate security vulnerabilities with representative checks
  • Create a security policy
  • Run a security scan
  • Run a penetration test
  • Assess password strength
  • Analyze security scan results

  3. Course Outline
  • Module 1 - Understanding the Need for Database Security
  • Module 2 - Installing and Configuring Database Scanner
  • Module 3 - Navigating the Main Window
  • Module 4 - Understanding Vulnerabilities
  • Module 5 - Working with Security Policies
  • Module 6 - Scanning with Database Scanner
  • Module 7 - Assessing Password Strength
  • Module 8 - Analyzing Results

  4. Module 1 - Understanding the Need for Database Security

  5. Module Objectives
  • Identify the causes of security violations
  • Identify the need for Database Scanner
  • List the tasks performed by Database Scanner
  • Identify the features of Database Scanner
  • List the advantages of using Database Scanner

  6. Relational Database
  (Diagram on the slide: Customers and Orders tables)
  • Relational Database
  • A database system that contains tables that relate to each other by indexes
  • Separates physical data and logical data representation

  7. How are Databases Used?
  Databases store vital company information, such as:
  • Financial records
  • Payroll records
  • Customer data
  • Account information
  • Medical information
  • Credit card information

  8. DBA Permissions
  • Database Object Permissions
  • Database Scanner can grant or deny any of these explicit permissions per user or role/group, per object
  • Microsoft SQL Server/Sybase:
    - Select from table
    - Select from view
    - Update table
    - Update view
    - Delete from table
    - Delete from view
    - Insert to table
    - Insert to view
    - Declarative referential integrity
    - Execute stored procedure
    - Execute extended stored procedure

  9. SQL – Structured Query Language
  • Standard language used by relational database systems
  • Developed by E. F. Codd – 1970s, IBM San Jose Research lab
  • Oracle ships first commercial SQL version in 1979, followed by IBM
  • SQL is an interactive query language for specific database queries
  • SQL is a database programming language

  10. Why Database Security is Important
  • Protects critical information
  • Databases are the foundation of e-business
  • Databases are not under the same scrutiny as other systems
  • Most security professionals do not understand databases
  • Databases are complex
  • Securing a database alone is not sufficient

  11. Complexity of Database Security
  Databases include their own:
  • Login accounts
  • Auditing language
  • Permissions language
  • Scripting language
  • Password control function

  12. Information Passing
  (Diagram only on the slide)

  13. Types of Threats
  • Internal threats
  • External threats
  • Structured threats
  • Unstructured threats

  14. Top Internet Threats
  • Denial of Service attacks
  • Firewall attacks
  • E-mail vulnerabilities
  • Windows NT vulnerabilities
  • Unix vulnerabilities
  • Internal threats and activity
  • Document interception
  • Virus infection

  15. Default Ports
  Microsoft SQL Server
  • Current version: 7 (SP1)
  • Installed base: 6.5
  • Operating systems: Windows NT
  • Networks supported: Named Pipes, TCP/IP sockets, Multiprotocol (RPC based), IPX, etc.
  • Default IP port number: 1433
  Sybase Adaptive Server
  • Current version: 11.9.2
  • Installed base: 11.x
  • Operating systems: Lots of Unix, Windows NT, mainframes, etc.
  • Networks supported: TCP/IP sockets, Named Pipes
  • Default IP port number: 5000 for NT, no default for Unix
  Oracle
  • Current version: 8i (8.1.5)
  • Installed base: 7.3, 8.0.x
  • Operating systems: Lots of Unix, Windows NT
  • Networks supported: TCP/IP sockets, Named Pipes
  • Default IP port number: 1521 - Oracle 7.0; 1526 - Oracle 8.0

  16. Developing an ANS Process
  (Diagram only on the slide)

  17. Using Layers of Security
  • Layer 1 - Corporate
  • Layer 2 - Regional
  • Layer 3 - Team

  18. Addressing Administrators’ Security Needs
  Database Scanner allows administrators to:
  • Establish security policies.
  • Provide an assessment of security vulnerabilities.
  • Provide continuous security enhancements.
  • Close the gap between security policy and security practices.
  • Help the organization respond effectively to all aspects of database security.

  19. Tasks Performed by Database Scanner
  • Set up security policies
  • Analyze configuration settings
  • Analyze password usage
  • Promote enforcement of security policies
  • Scan databases
  • Detect and report on vulnerabilities
  • Provide corrective actions

  20. Security Features
  • Detect weak passwords
  • Check password aging (expiration)
  • Detect login attacks
  • Detect stale logins (old, unused accounts)
  • Track login hour restrictions

  21. Advantages of Database Scanner
  • Automation and Speed
  • Comprehensive Vulnerability Checks
  • Quickly Managed Reporting System
  • Scalability

  22. Exercises
  • Threats Associated with an Unsecured Web Site
  • Addressing Administrator Needs
  • Tasks Performed by Database Scanner
  • Database Scanner Security Features and Advantages

  23. Module Review
  • Reviewing the causes of security violations
  • Establishing the need for Database Scanner
  • Identifying the tasks performed by Database Scanner
  • Reviewing the features of Database Scanner
  • Discussing the advantages of using Database Scanner

  24. Module 2 - Installing and Configuring Database Scanner

  25. Module Objectives
  • Identifying the requirements for installing Database Scanner
  • Downloading Database Scanner
  • Installing Database Scanner
  • Installing a license key
  • Installing X-Press Updates

  26. Prerequisites for Installation
  • Database Scanner CD-ROM or install file
  • License Key
  • Sybase ODBC Driver (Sybase)
  • Open Client Library (Sybase)
  • SQL*NET driver or NET8 driver (Oracle)
  • SQL*NET or NET8 Client Libraries

  27. Server Requirements
  • Microsoft SQL Server greater than 6.x (Windows NT or Windows 2000)
  • Sybase Adaptive Server 11.x or greater (Unix, Windows NT or Windows 2000)
  • Oracle 7.3 or greater (Unix or Windows)

  28. Windows 2000 Support
  • Run Database Scanner from a Windows 2000 client
  • Run a scan of Microsoft SQL, Sybase, and Oracle installed on a Windows 2000 server
  • Run Microsoft SQL Server Client Side Checks

  29. Driver Requirements
  (Table only on the slide)

  30. Minimum Workstation Requirements
  (Table only on the slide)

  31. Types of License Keys
  • Demonstration
  • Evaluation
  • Permanent

  32. X-Press Updates
  • What is it?
    - A mechanism to update Database Scanner automatically
    - Modified System Stored Procedures (Microsoft SQL Server)
    - Service Packs (Microsoft SQL Server and Windows NT)

  33. Exercises
  • Installing Database Scanner
  • Installing a License Key

  34. Module Review
  • Reviewing the system requirements for installing Database Scanner
  • Downloading Database Scanner
  • Installing Database Scanner
  • Installing a license key
  • Installing X-Press Updates

  35. Module 3 - Navigating the Main Window

  36. Module Objectives
  • Selecting menu items in the Database Scanner main window menu bar
  • Accessing secondary windows
  • Using the online help

  37. Secondary Windows
  • Scan a database
  • Create a security policy
  • Analyze security scan results
  • Use the password strength utility

  38. Scan Database Window
  (Screenshot only on the slide)

  39. Exercises
  • Using Database Scanner Windows
  • Accessing Secondary Windows
  • Using Online Help

  40. Module Review
  • Selecting menu items in the Database Scanner main window menu bar
  • Accessing secondary windows
  • Using the online help

  41. Module 4 - Understanding Vulnerabilities

  42. Module Objectives
  • Identify types of vulnerabilities
  • Identify security setting categories
  • Identify categories of vulnerabilities

  43. Describing Vulnerabilities
  • Human error and misconfigurations
  • Software bugs
  • Unsecured network services
  • Enabled and unused network services

  44. Vulnerability Examples
  Elements compared across MS SQL Server, Sybase AS and Oracle:
  • Login / Account Management: Stale Logins/Accts., Off Hours Usage, Attacks
  • Password Management: Strength, Aging
  • Trojan Horses
  • Rights / Permissions

  45. Default Admin Login IDs/Accounts
  Microsoft SQL Server
  • Default admin: sa
  • Default admin password: blank
  • Default OS account: "Local System" for NT
  Sybase Adaptive Server
  • Default admin: sa
  • Default admin password: blank
  • Default OS accounts: "sybase" for Unix, "Local System" for NT
  Oracle
  • Default admins: sys, system
  • Default admin passwords: sys - "change_on_install", system - "manager"
  • Default OS accounts: "oracle" for Unix, "Local System" for NT

  46. Stale Logins/Accounts
  Element: Login / Account Management - Stale Logins/Accts. (MS SQL Server: No Control; Sybase AS: No Control; Oracle: No Control in 7)
  • Logins/Accounts that haven’t been used for a period of time

  47. Off Hour Usage
  Element: Login / Account Management - Off Hours Usage (MS SQL Server: No Control; Sybase AS: No Control; Oracle: No Control)
  • No controls restricting logging into the database during non-business hours

  48. Login Attacks
  Element: Login / Account Management - Attacks (MS SQL Server: No Protection; Sybase AS: No Protection; Oracle: No Protection in 7)
  • Series of failed logins within a short period of time
  • Microsoft SQL Server, Sybase, and Oracle 7 lack the ability to lock out accounts
  • Oracle 8: FAILED_LOGIN_ATTEMPTS profile parameter

  49. Dictionary Attacks
  • Microsoft SQL Server is vulnerable to Brute Force attacks.
  • Absence of Lockout
  • Lack of password strength facility
  • No control over stale logins/passwords
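The three Login / Account Management elements on slides 46 to 48 (stale logins, off-hours usage, and the failed-login bursts that slide 49's brute-force point also describes) can all be checked externally from a server's login audit trail, which is what a scanner does when the database engine itself offers "No Control". The script below is an added example, not code from Database Scanner or the course. The audit record layout, the login names, the business hours, the 90-day idle period and the five-failures-in-five-minutes threshold are constructed assumptions; the Oracle 8 FAILED_LOGIN_ATTEMPTS profile parameter the slide names is the native control that the burst check only approximates from the outside.

```python
# Added example (not Database Scanner code): external audit-log checks for the
# Login/Account Management elements on the slides: stale logins, off-hours
# usage, and failed-login bursts (login attacks / brute force).
# Record layout, logins, hours and thresholds below are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

BUSINESS_HOURS = (8, 18)             # assumed: 08:00-17:59, Monday to Friday
STALE_AFTER_DAYS = 90                # assumed: no successful use for 90 days
FAILED_LOGIN_THRESHOLD = 5           # assumed: comparable to a profile limit
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

# Constructed: every login defined on the server (what a scanner enumerates).
KNOWN_LOGINS = ["sa", "probe", "payroll_app", "jdoe", "old_vendor"]

# Constructed audit log: (timestamp, login, succeeded). Deliberately unsorted.
SAMPLE_AUDIT = [
    ("1999-11-15 10:00:00", "old_vendor", True),
    ("2000-03-01 09:05:00", "jdoe", True),
    ("2000-03-01 09:06:00", "payroll_app", True),
    ("2000-03-02 02:13:00", "sa", True),          # 02:13 on a Thursday
    ("2000-03-03 12:00:00", "jdoe", True),
    ("2000-03-03 12:00:10", "sa", False),
    ("2000-03-03 12:00:20", "sa", False),
    ("2000-03-03 12:00:30", "sa", False),
    ("2000-03-03 12:00:40", "sa", False),
    ("2000-03-03 12:00:50", "sa", False),         # fifth failure in 40 seconds
    ("2000-03-03 12:01:00", "sa", False),
    ("2000-03-04 11:00:00", "payroll_app", True), # Saturday
    ("2000-03-04 10:00:00", "probe", False),
    ("2000-03-05 10:00:00", "probe", False),      # failures a day apart: no burst
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def _parse(ts):
    return datetime.strptime(ts, TS_FORMAT)


def _sorted_audit(audit):
    """Parse timestamps and order records ascending so sliding windows work."""
    return sorted(((_parse(ts), login, ok) for ts, login, ok in audit),
                  key=lambda rec: rec[0])


def stale_logins(known_logins, audit, as_of, max_idle_days=STALE_AFTER_DAYS):
    """Logins with no successful use in the last max_idle_days (never used counts)."""
    last_used = {}
    for when, login, ok in _sorted_audit(audit):
        if ok:
            last_used[login] = when          # ascending order: last write wins
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(login for login in known_logins
                  if login not in last_used or last_used[login] < cutoff)


def off_hours_logins(audit, hours=BUSINESS_HOURS):
    """Successful logins outside business hours or on a weekend."""
    start, end = hours
    hits = []
    for when, login, ok in _sorted_audit(audit):
        if ok and (when.weekday() >= 5 or not start <= when.hour < end):
            hits.append((when.strftime(TS_FORMAT), login))
    return hits


def login_attack_bursts(audit, threshold=FAILED_LOGIN_THRESHOLD,
                        window=FAILED_LOGIN_WINDOW):
    """First time each login reaches `threshold` failures inside a sliding `window`."""
    recent = defaultdict(deque)          # login -> timestamps of recent failures
    bursts = {}
    for when, login, ok in _sorted_audit(audit):
        if ok:
            continue
        failures = recent[login]
        failures.append(when)
        while failures and when - failures[0] > window:
            failures.popleft()           # drop failures older than the window
        if len(failures) >= threshold and login not in bursts:
            bursts[login] = when.strftime(TS_FORMAT)
    return bursts


def run_checks(as_of):
    """Run all three checks on the constructed data; as_of is a timestamp string."""
    now = _parse(as_of)
    return {"stale": stale_logins(KNOWN_LOGINS, SAMPLE_AUDIT, now),
            "off_hours": off_hours_logins(SAMPLE_AUDIT),
            "bursts": login_attack_bursts(SAMPLE_AUDIT)}


if __name__ == "__main__":
    for name, finding in run_checks("2000-03-06 09:00:00").items():
        print(f"{name}: {finding}")
```

Sorting the audit trail first matters: out-of-order records are common in exported logs, and both the stale-login cutoff and the failure window assume ascending time. A never-used login is reported as stale on purpose, since an account that has never logged in is exactly the kind of default or leftover account slide 45 lists.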

  50. SA Password Exposure
  Element: Password Management (MS SQL Server, Sybase AS, Oracle)
  • Registering a server under Standard Security leaves the sa password in clear text within the registry
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Microsoft SQL Server\SQLEW\Registered Server\SQL 6.5
  • Only available to the logged-on user, but in practice it is saved locally in NTUSER.DAT (for NT) or USER.DAT (for Windows 95/98)
