2. Agenda
09:00 Welcome
09:15 KYOS Sàrl introduces itself (Andreas Kutter)
09:30 Thales e-Security introduces itself (Edgar Kary)
09:45 Trustwave introduces itself (Gérard Zapf)
10:00 Break and networking
10:30 Database Security (Gérard Zapf)
11:15 Discussion and Q&A
12:00 Closing
4. KYOS in a nutshell
• Experts in Security, Networks and IT Services
• Created in 2002
• Based in Geneva and St. Gallen
  Headquarters in Geneva with a focus on Suisse romande
  Branch office in St. Gallen with a focus on the DACH region
• Kyos values:
  Close to customers and strong reactivity
  Services oriented
  Professional ethics & modesty
12. • 16 billion annual revenue
• 65,000+ employees worldwide
• 40 years on the market
• HQ in Paris
Business segments: Defense, Aerospace, Space, Security, Ground Transportation
Trusted partner for a safer world
22. Data breaches are common and expensive
Data records lost or stolen since 2013 - Breach Level Index (February 15, 2017)
$4 Million: average total cost of a data breach (Ponemon: 2016 Cost of a Data Breach Study)
$158: per-record cost of a data breach (Ponemon: 2016 Cost of a Data Breach Study)
76%: number of organizations breached in 2015 (CyberEdge: 2016 Cyberthreat Defense Report)
23. Today's top database risks
Patch (Gap) Management
Databases are vulnerable the day a patch is released
Exploit/POC code is published quickly
What to patch first? Critical business systems? Low-risk systems?
58% of businesses don't have a "fully mature" patch management process in place
24. Today's top database risks
SQL Injection
Many vulnerable web applications out there
• Good news: most really valuable apps aren't vulnerable
But the scary stuff isn't just at the web app level. It's in the database
• SQL Injection vulnerabilities exist in all major database platforms
• Generally resulting in privilege escalation (run SQL as DBA)
• It takes a patch to fix these problems
• Leaving most production systems vulnerable for 6-9 months (or more)
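The root cause behind the slide's point is the same whether the dynamic SQL lives in a web application or in a database-side procedure: a query assembled from an untrusted string lets that string be parsed as SQL. The following added example (not from the presentation or from Trustwave) runs both variants against a constructed in-memory SQLite table so the difference in behaviour is visible; the table, rows and function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the slides.
ROWS = [
    ("alice", "finance"),
    ("bob", "finance"),
    ("carol", "hr"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, department TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, department):
    """Dynamic SQL built by string concatenation: the defect the slide describes.

    Whatever the caller passes becomes part of the SQL text, so a value
    containing a quote and a boolean clause changes the query's meaning.
    """
    sql = ("SELECT name FROM employees WHERE department = '"
           + department + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, department):
    """Same query with a bind parameter: the value is data, never SQL."""
    sql = "SELECT name FROM employees WHERE department = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (department,))]


def demo():
    """Run both lookups with an ordinary value and with a hostile one."""
    conn = make_db()
    normal = "hr"
    # Constructed hostile input: a quote followed by an always-true clause.
    hostile = "hr' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

The parameterized lookup returns nothing for the hostile value because no department is literally named `hr' OR '1'='1`; the concatenated lookup returns every row. The same review question applies to database-side code: any procedure that concatenates its arguments into SQL text, especially one that runs with the owner's privileges, needs the bind-variable form, and until the vendor's patch arrives for the platform's own vulnerable procedures, restricting who may execute them is the interim control.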
25. Today's top database risks
Password attacks
People choose easily guessed passwords
• Minimum 8 characters
• Must include upper and lower case
• Must include a digit or special character
• Hmmm... Password1... that works!
Database password cracking tools freely available
• Default passwords are often found in production systems
Oracle 11g Stealth Password Cracking Vulnerability
• Fixed in Oct 2012 CPU
• Makes it trivial to silently brute force any user's password
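The slide's joke is that "Password1" satisfies all three complexity rules. The added example below (my code, not from the presentation) encodes exactly those three rules, shows that "Password1" passes them, and adds the check a defender actually wants: rejecting a common base word with a short numeric or symbol suffix, regardless of case. The denylist of base words is a constructed placeholder; a real deployment would use a breached-password list.

```python
import re

# Constructed, deliberately tiny denylist of common base words (assumption:
# a real policy would consult a breached-password corpus instead).
COMMON_BASES = {"password", "welcome", "qwerty", "admin", "letmein"}

# Up to four trailing digits or symbols is the pattern people use to satisfy
# the "digit or special character" rule without changing the word itself.
SUFFIX_PATTERN = re.compile(r"([A-Za-z]+)([0-9!@#$%^&*]{0,4})")


def meets_complexity(pw):
    """The three rules from the slide: length, mixed case, digit or special."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(not c.isalpha() for c in pw)
    )


def is_trivially_guessable(pw):
    """True when the password is a common word plus a short suffix."""
    match = SUFFIX_PATTERN.fullmatch(pw)
    if match is None:
        return False
    return match.group(1).lower() in COMMON_BASES


def evaluate(pw):
    """Combine both checks; a password is accepted only if it passes both."""
    complexity = meets_complexity(pw)
    guessable = is_trivially_guessable(pw)
    return {
        "complexity": complexity,
        "guessable": guessable,
        "accept": complexity and not guessable,
    }


if __name__ == "__main__":
    for candidate in ("Password1", "Welcome!2", "secret", "correct-horse-9Battery"):
        print(candidate, evaluate(candidate))
```

"Password1" and "Welcome!2" pass the complexity rules but are rejected by the denylist check; "secret" fails on complexity; a long passphrase with mixed characters passes both. The practical lesson for a database team is that the rules on the slide are necessary but not sufficient, and that the same denylist logic should be applied to the vendor default accounts the slide mentions.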
26. Today's top database risks
Database Java exploits
Nearly every major database vendor has added Java support to their RDBMS product line
Each vendor (Oracle, Sybase, IBM, etc.) has patched critical vulnerabilities that allow an attacker to load and run arbitrary Java
• In each case, any database user could assume complete control of the database server through a simple attack
Many databases have unused and unpatched Java systems waiting to be attacked
27. Today's top database risks
Misconfigured database security settings
Disabled database security features don't work
• Databases configured for convenience rather than security
Some security options shouldn't be optional
• Disable authentication and authorization systems
• Use blank password for system administrator account
• Reconfigure cluster architecture without a login
• Unlimited failed login attempts
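The four misconfigurations on the slide are exactly the kind of thing a configuration audit should catch before a scanner does. The added example below (my code, not from the presentation or any vendor tool) expresses them as checks over a constructed settings dictionary; the setting names and the convention that a missing setting counts as a finding are assumptions made for the demonstration, not any product's real parameter names.

```python
# Constructed sample of a database's security settings. The key names are
# illustrative placeholders, not any vendor's actual configuration parameters.
SAMPLE_CONFIG = {
    "authentication_enabled": True,
    "authorization_enabled": False,     # finding: authorization disabled
    "sysadmin_password_set": False,     # finding: blank administrator password
    "cluster_login_required": True,
    "max_failed_logins": 0,             # 0 means unlimited in this constructed format
}

# The same settings with every option turned on, for comparison.
HARDENED_CONFIG = {
    "authentication_enabled": True,
    "authorization_enabled": True,
    "sysadmin_password_set": True,
    "cluster_login_required": True,
    "max_failed_logins": 5,
}

# Each check names the finding and returns True when the configuration fails it.
# A setting that is absent is treated as failing: "some security options
# shouldn't be optional", so silence is not compliance.
CHECKS = [
    ("authentication disabled",
     lambda c: not c.get("authentication_enabled", False)),
    ("authorization disabled",
     lambda c: not c.get("authorization_enabled", False)),
    ("blank system administrator password",
     lambda c: not c.get("sysadmin_password_set", False)),
    ("cluster reconfiguration allowed without login",
     lambda c: not c.get("cluster_login_required", False)),
    ("unlimited failed login attempts",
     lambda c: c.get("max_failed_logins", 0) <= 0),
]


def audit(config):
    """Return the names of every check the configuration fails, in check order."""
    return [name for name, fails in CHECKS if fails(config)]


if __name__ == "__main__":
    print("sample:", audit(SAMPLE_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
    print("empty:", audit({}))
```

Running the audit over the sample returns three findings; the hardened configuration returns none, and an empty configuration fails every check, which is the behaviour you want when a setting has been removed rather than fixed. In practice the dictionary would be populated from the platform's own configuration views, and the findings fed into the same tracking process as the patch gaps from slide 23.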
29. Trustwave database security solutions
• Laptop Application
  • Point & Shoot intuitive interface
  • Per engagement / subscription
  • Database Assessment (for PCI)
  • Security Engagement
  • IT Audits / Security Toolkits
• Data Center Product
  • Automated scanning, scheduled
  • License + maintenance & training
• Managed Service Offering
  • DBA Operations
  • IT Security Operations
30. AppDetectivePro
The premier database scanner for Security, Risk & IT professionals
De facto standard for database audit and assessment
• Discovery
• Pen Test (zero-knowledge)
• Security Audit (authenticated)
• User Rights Review
• Interview Questionnaire
• Quick Start features
Easy to deploy: standalone laptop; bundles MS SQL Server 2008 Express (10 GB storage limit)
• Easy to use: built-in regulatory frameworks
• Always up-to-date: Team SHATTER ASAP updates
• Comprehensive: over 2,000 vulnerability checks & tests across all major platforms