
Advanced Database Security

Course Code: NGS002      Days: 2

Course Overview

Backend databases are fundamental to many business-critical applications and are under an ever-increasing level of threat. This course focuses on security threats and issues specific to databases.

This vendor neutral course expands the security context of database technologies and examines in detail the exploitation of database vulnerabilities - irrespective of the underlying vendor technology. It exposes the pitfalls of database design, their means of identification and the methods of exploiting vulnerabilities.

Audience

This comprehensive database security course provides all the information that both DBAs and security professionals need to develop, deploy and maintain a secure database solution.

Prerequisites

An understanding of TCP networking is required. Any hands-on experience in programming, designing or administering corporate-level databases would be advantageous, but not essential.

Course Outline

Module 1: Introduction

  • Overview of Course
  • Database Development History
  • Logic Flaws in Database Security

Module 2: DB Access Controls

  • DB Access Control Technologies
  • OS Level Access Controls
  • Network Level Access Controls
  • Built-in Access Controls
  • Integrating 3rd-Party Access Control Technologies

Module 3: DB Secure Deployment (Physical)

  • Architectural Restrictions on Deployment
  • Load balancing
  • Database clusters
  • Firewalls
  • Application Proxies and Firewalls
  • Routers
  • Application clusters
  • Domain Controllers
  • Application Deployment Models
  • 3 tier (User, business, data services)
  • 4 tier (User interface layer, Data interface layer, Transaction interface, external access interface)

Module 4: DB Secure Deployment (Application Software)

  • Preparing UNIX for Database Installations
  • Preparing Windows NT/2000/2003 for Database Installations
  • OS Authentication (e.g. Windows DB & Roles, UNIX DB Users & Roles)

Module 5: Secure Database Design Techniques

  • Handling Passwords
  • User Management
  • Access Privileges / Permissions
  • Secure Table Design
  • Linking Data
  • Managing Database Roles
  • View Design and Implementation
  • Controlling Indexes

Module 6: DB Integration with Custom Applications

  • Secure Integration with Web Applications
  • Secure Integration with Financial Applications
  • Secure Integration with Legacy Applications
  • Secure Integration with Distributed Applications

Module 7: 3rd Party Solution Integration

  • IDS Compatibility Issues
  • VPN Compatibility Issues
  • Application context
  • Granular Access Control

Module 8: Authentication, Encryption and Integrity

  • Authentication Processes
  • Access Controls in a Secure Environment
  • Client to Middle-tier Communications
  • Middle-tier to Database Communications
  • Client re-authentication through middle tier to DB
  • Encryption
    • Data in transit
    • Data at rest
    • SSL / Kerberos, etc.
  • Data Integrity

Module 9: Database Hacking

  • Attack vectors
    • Buffer overflows
    • Injection attacks
    • Privilege Escalation
    • DoS
    • Inference
    • Sniffing / spoofing
    • Hijacking connections
    • Worms

Module 10: Defence Strategies

  • Auditing
    • Areas to audit
    • Appropriate auditing
    • Performance Impacts
    • Table auditing
  • Defence in Depth
  • Complex Deployment Strategies
  • Assessing and Auditing Secure Databases


CourseMonster® Patent Pending © SeaKom, All Rights Reserved - Channel partners with Business Training Partnership