Data breach prevention and mitigation by Jasmin Azemović || LightUp Conference
Nov 16, 2023
Security, privacy, data leaks, industrial espionage: these are terms we hear on a daily basis. Are we aware of the potential dangers and potential consequences for our companies, customers and businesses? Data breach figures are generally measured in the tens and hundreds of millions of records. However, the other side of the medal from the Hall of Fame is that it is unprotected data from databases that has reached the "deep web". What happens next, hypothetically, can have very serious consequences. Is everything just so black? Learn about it in this lecture. Conference Website: https://www.2020twenty.net/lightup #lightup #2020twenty
0:00
Okay, thank you. Good evening, because it's the evening in my country, isn't it, it's nine o'clock, and I believe it's three o'clock in your country, in your Eastern time zone. So thank you everybody. This session will be recorded, so if someone doesn't make it right now, he or she can maybe watch and learn something new later when they have the time. So yes, the topic is data breach, breaches let's say, prevention and mitigation. Really interesting and really hot topic, especially in these days of the corona, COVID-19 outbreak, where we have a lot of situations, uncontrolled situations, situations that we didn't expect to be happening so quickly and so eventually and so frequently. And in this mixing of different security vectors, data breaches are happening almost every day. They appeared every day before COVID, but now in the COVID-19 outbreak data breaches are... Yes, hello?

1:17
Do you hear me? Do you hear me? Do you hear my session? Do you hear me?
1:45
Okay, I will just continue. Okay, thank you for supporting this event, UNICEF, because this is a noble cause and I will try to give my best, as best as I can in this situation, to support this cause, and I hope you will find my session useful in your daily work also. Thank you to our sponsors, because without sponsors this event, offline or online, virtual or not virtual, is simply not possible. And also thank you to all the volunteers and a lot of men and women behind it, behind the scenes, because their hard work simply doesn't show in the first place, but they are behind it and are making this all possible. Also, I will kind of ask you for your feedback after the session, feedback based on my session, what do you think about it, if you find it useful or anything else, speaking feedback, and also please give some event feedback later after this event or this session.

2:55
Okay, summary. What will I speak about? It is about data breaches and cyber security. This presentation is simply divided in three sections: an introduction part, where I will try, from a high level overview, to explain what is going on in the space of data breaches; then in the middle part of the presentation I'll speak about what is missing in all the processes that actually make possible all this data breach story; and at the end, and this is the central part of the presentation, I call it handle data with care, where I will try to explain how to prevent and how to mitigate data breach scenarios using SQL Server.
3:45
Okay, in this introduction part I have five slides. It's a simple high level overview of the space, a look from the perspective of the modern environment and the data breaches that are happening everywhere. But before we start, I believe this presentation will be interesting to developers and DBAs and data developers. This top ten plus one best security practices is simply, from their perspective: each person that actually writes the code, I don't know, Python, Visual Basic, C++, doesn't matter, should try to implement at least these ten, plus one as a bonus. The plus one is actually learn continuously. But in this space, if you don't follow this practice, you can fall in the trap that your code, your application, your environment becomes an easy target to hackers, to anybody with malicious intention. Actually, the one part is data related mostly, and this is handle data with care.
5:07
Okay, how did the breach occur? Simple. There are many scenarios, but in this simple slide we can start with this. Okay, but the more important part is that you never underestimate the person, the group or population that are trying to be malicious to you, to you personally, to you as a business, to you as a company, to you as a group, doesn't matter. Never underestimate, because we don't know the reasons, we don't know the resources, we don't know the financial cost that the other side is ready to sacrifice to make you damage.

5:50
Okay, the research part is when the individual or group simply try to look for the weakness, and weakness inside your whole environment, to spot the weak point, sweet point, and try to exploit. Okay, when they find something that they can use, we are jumping in phase two, stage attack. In stage attack the person, the group, are trying to use different vectors of approaching: social engineering, infrastructure weakness, web server weakness, phishing emails. There are a dozen examples how this part can be used. For example, let person A, a malicious user, find an open port inside your server, that port is not blocked on your firewall and it will accept the network command, and it will accept the command from the other side, the command part, I don't know, SQL Server port, FTP port, remote access, there are different kinds of ports where other parties can try to exploit. Also another scenario: the user can send a phishing email with a payload inside that email, inside the link, and send it to all company emails. I can bet that at least one of the emails will get the click, and the click is enough, because we are only working, let's say, with admin permissions on our own PCs, on our business PCs, and that's enough. That payload is simply delivered to the target machine and the payload will try to exfiltrate the other resources inside your environment.

7:44
Another step is step three: access to database, access to your files, access to your emails, you name it. And the final step, the exfiltration, is really simple: copy that file as a Control-X, Control-V to their own PC. They need to try to find the different ways, for example start HTTP on another port, open the unknown website, try to start an FTP, Telnet session to simply transfer the files, data files, emails, everything that's interesting to them, to their own location. And that's how a data breach will just occur. It's as simple as that.
8:35
But there's another scenario, like this. Okay, if you are looking from the DB perspective, the database, I believe each one of you who actually writes the code and is dealing with data on a daily basis will recognize at least one potential malicious point. For example, backup files: how many of us copy backup files to USB drives, SD cards, mixing the staging environments, testing environments, production, and simply those backup files are going from A to B, and that's totally out of control. Also the same as data and log files: attach and detach these files to simply recreate an environment where you can do your daily job can also be used as malicious.

9:30
Also oversized permissions. What it means: don't give the user over the maximum permissions, because simply we are too lazy to click deny, deny, allow, allow, right? For example, we get an SA and we give them security admin, and from that point you are creating a totally new endpoint in security, with the possibility that that group or user inherits permissions and pastes those permissions to other users, and you will create a whole bunch of new users inside your DB that you simply can't control, and so on.

10:17
And if you watch this pie chart on the right of the slide, this site is doing data analysis, you will see that in all these scenarios 90 are hacked, so people from outside of your company, outside of your environments, can easily hack through one of these attack vectors. Ten percent is other. What is the other? We will see later.
10:48
Okay, more details. Black data, let's say black data. If you see it down below on the left, these are the trends in four segments, laptops, DBs, email and tapes, in the timeline. And you will see that, for example, laptops, in all this scenario we have 47 of attempts, and of that 47, 25 in success, and the risk is 11. Okay, let's jump in DB. In all the pool of attempts in one timeline, the 40 percent is on DB, and the most scary part is that 64 of that attempt are success, and you see the total risk is 84, and you see that this red line is going sky high. What it means? It means that we are using DB, we are speaking about security, we are using encryption, policies, there is a lot of security story, a lot of heat and funds about this, but the green line is going sky high. So what is going on? Why is that? I will try to explain that later in the presentation. I believe you will get it at the end why, in this situation where we are speaking about security every day, data breaches are still every day.

12:26
Okay, and I believe this slide will be simply mind-blowing. You can type in your search engine "world biggest data breaches hacks" and you'll get the first link. It's called Information is Beautiful slash world biggest data breaches hacks. So what is this? This is reported cases on the timeline, grouped by companies and also grouped by the number of database records actually breached. And you'll see there are a lot of famous names: Facebook, Marriott hotels, Twitter, Oxford and Microsoft, Equifax, Uber, Yahoo. And also down there in 2016, 2015, 2014, there's a winner, epic winner, two times, two times with one billion, I would say again one billion records inside. It's Yahoo. So two times in history Yahoo was breached and it was leaked one billion per leak number of records. And okay, now let me see: Yahoo, Microsoft, Facebook, made the song, Uber, government situation, Deloitte, and also we can simply ask the question: why, is it possible that this can happen to me? Yes, it is.
14:02
that this can happen to me yes it is
14:02
that this can happen to me yes it is possible
14:02
possible
14:02
possible and the the most uh dangerous
14:06
and the the most uh dangerous
14:06
and the the most uh dangerous danger part uh in this situation is uh
14:09
danger part uh in this situation is uh
14:09
danger part uh in this situation is uh when we say to us it's it's it's a false
14:12
when we say to us it's it's it's a false
14:12
when we say to us it's it's it's a false sense of security
14:13
sense of security
14:13
sense of security when we say to to ourselves
14:17
when we say to to ourselves
14:17
when we say to to ourselves this will not happen to me i am not so
14:19
this will not happen to me i am not so
14:20
this will not happen to me i am not so interesting
14:20
interesting
14:20
interesting i'm not dealing with that kind of data
14:23
i'm not dealing with that kind of data
14:23
i'm not dealing with that kind of data who will blackmail me
14:24
who will blackmail me
14:24
who will blackmail me and so on and so on and so on in one
14:26
and so on and so on and so on in one
14:26
and so on and so on and so on in one point in time
14:28
point in time
14:28
point in time we are hacked you are hacked and uh
14:31
we are hacked you are hacked and uh
14:31
we are hacked you are hacked and uh that's the point if you are and and we
14:34
that's the point if you are and and we
14:34
that's the point if you are and and we if we are
14:35
if we are
14:35
if we are not prepared it can it can knock down uh
14:38
not prepared it can it can knock down uh
14:38
not prepared it can it can knock down uh our business
14:39
our business
14:39
our business uh our company ourselves uh really
14:42
uh our company ourselves uh really
14:42
uh our company ourselves uh really down below okay so what is missing uh
14:46
down below okay so what is missing uh
14:46
down below okay so what is missing uh why this is happening uh we can speak
14:50
why this is happening uh we can speak
14:50
why this is happening uh we can speak we can speak believe me uh in next eight
14:52
we can speak believe me uh in next eight
14:52
we can speak believe me uh in next eight hours so
14:53
hours so
14:53
hours so why is this and i believe each one of
14:56
why is this and i believe each one of
14:56
why is this and i believe each one of you
14:56
you
14:56
you uh will will give give a reasonable
14:59
uh will will give give a reasonable
14:59
uh will will give give a reasonable argument
15:00
argument
15:00
argument in their opinion that makes sense uh
15:03
in their opinion that makes sense uh
15:03
in their opinion that makes sense uh this is a
15:04
this is a
15:04
this is a one of my opinions uh uh in
15:07
one of my opinions uh uh in
15:08
one of my opinions uh uh in my proposals uh what we can do uh in
15:11
my proposals uh what we can do uh in
15:11
my proposals uh what we can do uh in our own environments to to make this uh
15:14
our own environments to to make this uh
15:14
our own environments to to make this uh cyber security story much much better
15:17
cyber security story much much better
15:17
cyber security story much much better uh than it is now i believe uh
15:21
uh than it is now i believe uh
15:21
uh than it is now i believe uh on other side of this conference uh
15:24
on other side of this conference uh
15:24
on other side of this conference uh to all of you who are now listening and
15:26
to all of you who are now listening and
15:26
to all of you who are now listening and you listen maybe
15:28
you listen maybe
15:28
you listen maybe later uh recording session that you have
15:31
later uh recording session that you have
15:31
later uh recording session that you have some kind of cyber security department
15:33
some kind of cyber security department
15:33
some kind of cyber security department in the company and that's cool that's
15:35
in the company and that's cool that's
15:35
in the company and that's cool that's nice
15:36
nice
15:36
nice but is this this cyber security
15:38
but is this this cyber security
15:38
but is this this cyber security department
15:39
department
15:39
department funded on the right direction i'll try
15:42
funded on the right direction i'll try
15:42
funded on the right direction i'll try to explain
15:42
to explain
15:42
to explain in in next couple of slides okay the
15:45
in in next couple of slides okay the
15:45
in in next couple of slides okay the first part
15:46
first part
15:46
first part is threat modeling uh the
15:49
is threat modeling uh the
15:49
is threat modeling uh the the abc of all security uh start with
15:52
the abc of all security uh start with
15:52
the abc of all security uh start with the risk so
15:55
the risk so
15:55
the risk so we can't just just jump jump
15:58
we can't just just jump jump
15:58
we can't just just jump jump uh on web interface and say okay
16:01
uh on web interface and say okay
16:02
uh on web interface and say okay uh i will on this form uh pay attention
16:05
uh i will on this form uh pay attention
16:05
uh i will on this form uh pay attention on this
16:05
on this
16:05
on this uh on this input i will take care about
16:08
uh on this input i will take care about
16:08
uh on this input i will take care about that uh in
16:09
that uh in
16:09
that uh in in db i will try to put encryption or i
16:12
in db i will try to put encryption or i
16:12
in db i will try to put encryption or i will try to use ssl
16:14
will try to use ssl
16:14
will try to use ssl uh all these arguments make sense but
16:17
uh all these arguments make sense but
16:17
uh all these arguments make sense but they are not systematic uh they are
16:20
they are not systematic uh they are
16:20
they are not systematic uh they are simply
16:21
simply
16:21
simply just brainstormed and that's okay but in
16:24
just brainstormed and that's okay but in
16:24
just brainstormed and that's okay but in security
16:25
security
16:25
security this is not so okay so uh there is a
16:29
this is not so okay so uh there is a
16:29
this is not so okay so uh there is a for formal approach it's called trust
16:31
for formal approach it's called trust
16:31
for formal approach it's called trust modeling
16:32
modeling
16:32
modeling there's a lot of books uh blogs
16:34
there's a lot of books uh blogs
16:34
there's a lot of books uh blogs tutorials
16:35
tutorials
16:36
tutorials uh how you can do trend modeling
16:38
uh how you can do trend modeling
16:38
uh how you can do trend modeling basically
16:40
basically
16:40
basically is this is about describing security
16:43
is this is about describing security
16:43
is this is about describing security aspects of our systems what it means it
16:46
aspects of our systems what it means it
16:46
aspects of our systems what it means it means
16:47
means
16:47
means that you you will divide yours your
16:49
that you you will divide yours your
16:49
that you you will divide yours your security project
16:50
security project
16:50
security project all your sprints your your user stories
16:54
all your sprints your your user stories
16:54
all your sprints your your user stories every step every step in mind should be
16:57
every step every step in mind should be
16:57
every step every step in mind should be as a security uh there is a there's a
17:01
as a security uh there is a there's a
17:01
as a security uh there is a there's a there i i simply miss miss to to give
17:04
there i i simply miss miss to to give
17:04
there i i simply miss miss to to give to to put one one more slightly
17:06
to to put one one more slightly
17:06
to to put one one more slightly representation and apologies for that
17:08
representation and apologies for that
17:08
representation and apologies for that it is about agile i believe uh
17:12
it is about agile i believe uh
17:12
it is about agile i believe uh many of you using agile in their job and
17:15
many of you using agile in their job and
17:15
many of you using agile in their job and agile
17:16
agile
17:16
agile is fine uh the agile
17:19
is fine uh the agile
17:19
is fine uh the agile from from one side and
17:22
from from one side and
17:22
from from one side and then ops on the other side uh simply
17:26
then ops on the other side uh simply
17:26
then ops on the other side uh simply uh make makes things better faster
17:29
uh make makes things better faster
17:29
uh make makes things better faster and more more agile as the same name but
17:32
and more more agile as the same name but
17:32
and more more agile as the same name but uh
17:33
uh
17:33
uh uh there is a if if you look tenant of
17:36
uh there is a if if you look tenant of
17:36
uh there is a if if you look tenant of documents of azure augmentation and you
17:39
documents of azure augmentation and you
17:39
documents of azure augmentation and you and if you
17:39
and if you
17:39
and if you if you search uh but by control f in
17:42
if you search uh but by control f in
17:42
if you search uh but by control f in your
17:43
your
17:43
your browser in your word you know i don't
17:44
browser in your word you know i don't
17:44
browser in your word you know i don't know the tool you're using
17:46
know the tool you're using
17:46
know the tool you're using if you search for world security you
17:49
if you search for world security you
17:49
if you search for world security you will get
17:49
will get
17:49
will get zero results uh i was thought against
17:51
zero results uh i was thought against
17:51
zero results uh i was thought against zero result
17:52
zero result
17:52
zero result no no security at all so security is
17:56
no no security at all so security is
17:56
no no security at all so security is left behind in agile
17:57
left behind in agile
17:57
left behind in agile and that's the major that's i respect
18:01
and that's the major that's i respect
18:01
and that's the major that's i respect agile
18:01
agile
18:01
agile but uh lack of security
18:04
but uh lack of security
18:04
but uh lack of security uh in that methodology uh simply
18:08
uh in that methodology uh simply
18:08
uh in that methodology uh simply produced in in last 10 years a lot of
18:11
produced in in last 10 years a lot of
18:11
produced in in last 10 years a lot of data breaches
18:13
data breaches
18:13
data breaches because uh programmers simply that
18:16
because uh programmers simply that
18:16
because uh programmers simply that does not care about security if there is
18:19
does not care about security if there is
18:19
does not care about security if there is no specific request
18:21
no specific request
18:21
no specific request so we need to put security back in the
18:23
so we need to put security back in the
18:24
so we need to put security back in the process
18:24
process
18:24
process from the from the analysis and
18:28
from the from the analysis and
18:28
from the from the analysis and to design to divide in the code through
18:31
to design to divide in the code through
18:31
to design to divide in the code through to the deploy and back
18:32
to the deploy and back
18:32
to the deploy and back on the square one and and through it
18:35
on the square one and and through it
18:35
on the square one and and through it iteration
18:35
iteration
18:36
iteration so it will minimize potential cost
18:38
so it will minimize potential cost
18:38
so it will minimize potential cost minimize need to write code
18:39
minimize need to write code
18:39
minimize need to write code there's a lot of uh benefits about this
18:43
there's a lot of uh benefits about this
18:43
there's a lot of uh benefits about this and the
18:43
and the
18:43
and the the more the most important part uh
18:47
the more the most important part uh
18:47
the more the most important part uh you will spot you you will spot this uh
18:50
you will spot you you will spot this uh
18:50
you will spot you you will spot this uh the security uh potential big spot
18:53
the security uh potential big spot
18:53
the security uh potential big spot uh in the early beginning phase not not
18:56
uh in the early beginning phase not not
18:56
uh in the early beginning phase not not later
18:57
later
18:57
later for example uh uh
19:01
for example uh uh
19:01
for example uh uh one web one web form and that web form
19:04
one web one web form and that web form
19:04
one web one web form and that web form for example
19:05
for example
19:05
for example uh has some login data uh
19:08
uh has some login data uh
19:08
uh has some login data uh two text boxes uh username password
19:11
two text boxes uh username password
19:11
two text boxes uh username password login cancel and i forgot the password
19:13
login cancel and i forgot the password
19:13
login cancel and i forgot the password uh so when you uh put this form
19:17
uh so when you uh put this form
19:17
uh so when you uh put this form uh through the thread analysis uh uh
19:21
uh through the thread analysis uh uh
19:21
uh through the thread analysis uh uh for forum at all the the major
19:24
for forum at all the the major
19:24
for forum at all the the major major point of security is sql injection
19:27
major point of security is sql injection
19:27
major point of security is sql injection that you prevent user uh to not type
19:31
that you prevent user uh to not type
19:31
that you prevent user uh to not type a sql code sql command to the user
19:34
a sql code sql command to the user
19:34
a sql code sql command to the user interface
19:35
interface
19:36
interface and uh to to prevent that uh you will
19:39
and uh to to prevent that uh you will
19:39
and uh to to prevent that uh you will need to to
19:39
need to to
19:39
need to to take take care take care uh through the
19:43
take take care take care uh through the
19:43
take take care take care uh through the different layers
19:44
different layers
19:44
different layers of the application uh application layer
19:47
of the application uh application layer
19:47
of the application uh application layer uh business logic uh user stories
19:51
uh business logic uh user stories
19:51
uh business logic uh user stories uh uh database layer uh there's a
19:54
uh uh database layer uh there's a
19:54
uh uh database layer uh there's a different layers of your system
19:56
different layers of your system
19:56
different layers of your system that you need you need to take care the
19:58
that you need you need to take care the
19:58
that you need you need to take care the the most important part
20:00
the most important part
20:00
the most important part in signal jersey is that you uh use
20:03
in signal jersey is that you uh use
20:03
in signal jersey is that you uh use a dynamic sql and there is a mitigation
20:06
a dynamic sql and there is a mitigation
20:06
a dynamic sql and there is a mitigation techniques
20:07
techniques
20:07
techniques and if you are if you are not not using
20:11
and if you are if you are not not using
20:11
and if you are if you are not not using uh input validation you will get the
20:13
uh input validation you will get the
20:14
uh input validation you will get the conjunction attack
20:15
conjunction attack
20:15
conjunction attack so based on this example
20:18
so based on this example
20:18
so based on this example uh i believe you are getting the the
20:20
uh i believe you are getting the the
20:20
uh i believe you are getting the the picture
20:21
picture
20:21
picture what is about threat modeling now uh
20:25
what is about threat modeling now uh
20:25
what is about threat modeling now uh i will leave you uh simply to think
20:27
i will leave you uh simply to think
20:27
i will leave you uh simply to think about the
20:28
about the
20:28
about the this process and try to to see is there
20:31
this process and try to to see is there
20:31
this process and try to to see is there any chance to to think and to to
20:34
any chance to to think and to to
20:34
any chance to to think and to to implement
20:35
implement
20:35
implement this kind of technique inside your
20:37
this kind of technique inside your
20:38
this kind of technique inside your environments
20:38
environments
20:38
environments okay and the last part
20:41
okay and the last part
20:41
okay and the last part of this uh what is missing uh in
20:45
of this uh what is missing uh in
20:45
of this uh what is missing uh in in security story and why security is so
20:47
in security story and why security is so
20:47
in security story and why security is so bad is simply
20:48
bad is simply
20:48
bad is simply that the most organization uh and that's
20:51
that the most organization uh and that's
20:51
that the most organization uh and that's unfortunately
20:52
unfortunately
20:52
unfortunately uh still look on security
20:56
uh still look on security
20:56
uh still look on security as non-functional requirements so
20:59
as non-functional requirements so
20:59
as non-functional requirements so i need you when something goes wrong i
21:02
i need you when something goes wrong i
21:02
i need you when something goes wrong i need you
21:03
need you
21:03
need you to to to to implement encryption i need
21:06
to to to to implement encryption i need
21:06
to to to to implement encryption i need you to
21:07
you to
21:07
you to to take care about this but not i need
21:10
to take care about this but not i need
21:10
to take care about this but not i need you to take care of security from
21:12
you to take care of security from
21:12
you to take care of security from a until why through
21:15
a until why through
21:15
a until why through to my company in all segments and
21:19
to my company in all segments and
21:19
to my company in all segments and that that's one of the problems so you
21:22
that that's one of the problems so you
21:22
that that's one of the problems so you need the
21:22
need the
21:22
need the siso uh c position
21:25
siso uh c position
21:25
siso uh c position side command is inside your company uh
21:28
side command is inside your company uh
21:28
side command is inside your company uh who will take it
21:29
who will take it
21:29
who will take it who will take care or she will take care
21:31
who will take care or she will take care
21:31
who will take care or she will take care about security
21:32
about security
21:32
about security through the policies strategy standards
21:36
through the policies strategy standards
21:36
through the policies strategy standards uh iso to simply to to to create a plan
21:40
uh iso to simply to to to create a plan
21:40
uh iso to simply to to to create a plan how to integrate and maintain security
21:43
how to integrate and maintain security
21:43
how to integrate and maintain security now you need implementation part
21:45
now you need implementation part
21:45
now you need implementation part operational part that will actually
21:48
operational part that will actually
21:48
operational part that will actually implement this the this let's say war
21:51
implement this the this let's say war
21:51
implement this the this let's say war plan
21:52
plan
21:52
plan insecurity and this is our security
21:54
insecurity and this is our security
21:54
insecurity and this is our security specialist
21:55
specialist
21:55
specialist uh uh there's a different kind of names
21:59
uh uh there's a different kind of names
21:59
uh uh there's a different kind of names but one of the uh mostly used are
22:01
but one of the uh mostly used are
22:01
but one of the uh mostly used are security
22:02
security
22:02
security specialists so uh application security
22:06
specialists so uh application security
22:06
specialists so uh application security assistant security network security
22:08
assistant security network security
22:08
assistant security network security and so on and also you need you need an
22:11
and so on and also you need you need an
22:11
and so on and also you need you need an ethical hacker
22:12
ethical hacker
22:12
ethical hacker so you need a person uh that will uh
22:15
so you need a person uh that will uh
22:15
so you need a person uh that will uh try on on the ethical way uh
22:18
try on on the ethical way uh
22:18
try on on the ethical way uh to to break down security inside your
22:21
to to break down security inside your
22:21
to to break down security inside your company and
22:22
company and
22:22
company and in this part we are jumping and we are
22:25
in this part we are jumping and we are
22:26
in this part we are jumping and we are speaking about
22:27
speaking about
22:27
speaking about red team and blue team i believe uh that
22:30
red team and blue team i believe uh that
22:30
red team and blue team i believe uh that if you put on the table uh let's let's
22:32
if you put on the table uh let's let's
22:32
if you put on the table uh let's let's say 10
22:33
say 10
22:33
say 10 10 companies uh maybe and i say maybe
22:36
10 companies uh maybe and i say maybe
22:36
10 companies uh maybe and i say maybe one or ten have the red team and blue
22:38
one or ten have the red team and blue
22:38
one or ten have the red team and blue team what is that
22:40
team what is that
22:40
team what is that a red team is a one number of people
22:45
a red team is a one number of people
22:45
a red team is a one number of people let's say five let's say two and the
22:48
let's say five let's say two and the
22:48
let's say five let's say two and the major
22:49
major
22:49
major the major goal is to break the security
22:52
the major goal is to break the security
22:52
the major goal is to break the security inside the company in all aspects
22:55
inside the company in all aspects
22:55
inside the company in all aspects application
22:56
application
22:56
application network system they will simply try to
22:58
network system they will simply try to
22:58
network system they will simply try to to
22:59
to
22:59
to to to to to knock knock knock the
23:02
to to to to knock knock knock the
23:02
to to to to knock knock knock the company
23:02
company
23:02
company out but in the ethical way because these
23:05
out but in the ethical way because these
23:05
out but in the ethical way because these are
23:06
are
23:06
are our boys and girls so they will explain
23:09
our boys and girls so they will explain
23:09
our boys and girls so they will explain to us
23:09
to us
23:09
to us we are finding and we are fine these
23:12
we are finding and we are fine these
23:12
we are finding and we are fine these exploits
23:12
exploits
23:12
exploits and we need we need to fix it and also
23:15
and we need we need to fix it and also
23:15
and we need we need to fix it and also the blue team
23:16
the blue team
23:16
the blue team the blue team is a uh let's say good
23:19
the blue team is a uh let's say good
23:19
the blue team is a uh let's say good guys
23:20
guys
23:20
guys that that actually tried to prevent uh
23:23
that that actually tried to prevent uh
23:23
that that actually tried to prevent uh rape him
23:23
rape him
23:23
rape him uh to hate the company so basically it's
23:26
uh to hate the company so basically it's
23:26
uh to hate the company so basically it's a struggle it's a fight uh
23:27
a struggle it's a fight uh
23:28
a struggle it's a fight uh it's a good fight between inside the
23:30
it's a good fight between inside the
23:30
it's a good fight between inside the inside the company
23:31
inside the company
23:31
inside the company uh inside our own people to defend
23:34
uh inside our own people to defend
23:34
uh inside our own people to defend uh offensive and defensive security but
23:37
uh offensive and defensive security but
23:38
uh offensive and defensive security but but in nuts in in not on the structural
23:41
but in nuts in in not on the structural
23:41
but in nuts in in not on the structural way
23:42
way
23:42
way and the final part is when the when the
23:45
and the final part is when the when the
23:45
and the final part is when the when the bridge is happened
23:46
bridge is happened
23:46
bridge is happened uh when the something goes wrong when
23:49
uh when the something goes wrong when
23:49
uh when the something goes wrong when when
23:50
when
23:50
when security incident is a
23:53
security incident is a
23:53
security incident is a lower level and the bridge as a higher
23:55
lower level and the bridge as a higher
23:55
lower level and the bridge as a higher level
23:57
level
23:57
level shows up the team needs to to jumps in
24:01
shows up the team needs to to jumps in
24:01
shows up the team needs to to jumps in and simply
24:02
and simply
24:02
and simply execute the steps abc the adg and so on
24:06
execute the steps abc the adg and so on
24:06
execute the steps abc the adg and so on uh and if you don't have the the the the
24:09
uh and if you don't have the the the the
24:09
uh and if you don't have the the the the instant team response team uh you are
24:12
instant team response team uh you are
24:12
instant team response team uh you are stuck
24:12
stuck
24:12
stuck uh with with with security
24:16
uh with with with security
24:16
uh with with with security inside the company uh which they are
24:18
inside the company uh which they are
24:18
inside the company uh which they are blaming their sales you are guilty i am
24:21
blaming their sales you are guilty i am
24:21
blaming their sales you are guilty i am guilty
24:21
guilty
24:21
guilty you are not guilty who will do that and
24:24
you are not guilty who will do that and
24:24
you are not guilty who will do that and that that's a scenario
24:25
that that's a scenario
24:25
that that's a scenario uh that you can afford to to your
24:28
uh that you can afford to to your
24:28
uh that you can afford to to your company
24:29
company
24:29
company especially in that case so you need to
24:31
especially in that case so you need to
24:31
especially in that case so you need to have a
24:32
have a
24:32
have a team drill team simply will jump to
24:35
team drill team simply will jump to
24:35
team drill team simply will jump to start
24:36
start
24:36
start to to fix the situation depends on the
24:39
to to fix the situation depends on the
24:39
to to fix the situation depends on the size of the company
24:40
size of the company
24:40
size of the company depends on the business depends on or
24:43
depends on the business depends on or
24:43
depends on the business depends on or the actual
24:43
the actual
24:43
the actual business plan you will need to inside
24:46
business plan you will need to inside
24:46
business plan you will need to inside this this couple of
24:48
this this couple of
24:48
this this couple of bullet points to see i need this or i
24:50
bullet points to see i need this or i
24:50
bullet points to see i need this or i don't need this
24:51
don't need this
24:51
don't need this but you you need the sis too you need a
24:54
but you you need the sis too you need a
24:54
but you you need the sis too you need a plan
24:55
plan
24:55
plan and you need at least one ethical hacker
24:58
and you need at least one ethical hacker
24:58
and you need at least one ethical hacker to actually
24:59
to actually
24:59
to actually try to direct you okay
25:02
try to direct you okay
25:02
try to direct you okay now we are jumping uh in the in the
25:04
now we are jumping uh in the in the
25:04
now we are jumping uh in the in the concrete part
25:05
concrete part
25:05
concrete part uh handle data with care and this this
25:08
uh handle data with care and this this
25:08
uh handle data with care and this this this part of presentation
25:09
this part of presentation
25:09
this part of presentation uh is simply uh tied to sql server
25:12
uh is simply uh tied to sql server
25:12
uh is simply uh tied to sql server because uh
25:13
because uh
25:13
because uh if i want to be more concrete i need to
25:16
if i want to be more concrete i need to
25:16
25:20
to start with one DB platform.
25:23
If I try to be more general,
25:25
to cover SQL Server, Postgres, MySQL,
25:28
MariaDB, Oracle, I don't know,
25:31
then I will say a lot, but I will
25:35
say in essence nothing. So I will try
25:38
to be more specific,
25:41
more concrete, but because I need to
25:46
use one platform as a role model. Okay,
25:49
database server security model. I believe
25:53
all of you here are at least familiar
25:57
with one, or all,
26:00
items on this slide. So database as a server
26:03
and database as a data collection,
26:07
as an instance on a server, gives you
26:10
a different spectrum of security items
26:15
to tune, to configure everything. Start
26:16
with the login.
26:19
So the login is the first part of
26:20
authentication.
26:24
Who am I? Okay, that's one question.
26:28
Who are you? I'm Jasmin.
26:31
But the second part of the question is: are
26:32
you really Jasmin?
26:34
And that's the most
26:36
important part. Everyone
26:39
can lose the credentials, you can be hacked,
26:43
you can be sniffed, you can simply be a
26:45
target of the attack, and your
26:47
credentials are leaked out,
26:50
you are not aware of it, and someone is using them,
26:54
I don't know, to access your resource,
26:57
and you simply don't know that. And this
27:01
part, are you really that person,
27:05
that section, I would just mention 2FA,
27:08
two-factor authentication. So I'm asked:
27:12
yes, this is a challenge, I give you
27:15
a request, give me your number, I'm giving you
27:21
one more factor, and give me a response,
27:23
and that response
27:26
is mostly a one-
27:29
time password, and that password
27:33
or that token will never be reused again.
27:36
So really we will enforce the verification,
27:39
and we will enforce this authentication part.
27:41
On the other side, we are speaking about
27:43
authorization. Okay,
27:45
what can you do inside my system? Read,
27:49
write, modify, delete and so on. And this
27:52
part of authorization is going in
27:53
two directions:
27:56
server-side permissions and
27:58
database-side permissions,
28:01
and we are going to the column level.
28:02
So SQL Server
28:05
can give you, out of the box,
28:09
on the click, permissions to the
28:10
column level,
28:15
with some kind of command. With
28:18
SQL Server 2017
28:21
and 19, we are speaking about row-level
28:22
security.
28:25
You can say okay, the first five records
28:29
you can read, the next five you can write,
28:31
and you can do anything, simple:
28:33
you don't see them.
28:37
Is that out of the box? When I say
28:39
out of the box I mean you can simply
28:40
click it. Here you need to
28:44
type commands. So yes,
28:47
it's inside the engine, you can use it,
28:51
but it requires more SQL skill set
28:55
to implement row-level security, but
28:57
you can go easily to column-level
28:58
security.
29:02
Okay, also when you install
29:05
your DB engine in the cloud,
29:08
on premise or in a hybrid solution, you name it,
29:11
there are a couple of steps during
29:14
and after installation.
29:17
If you leave them like that and
29:18
if you don't pay
29:22
attention good enough, you can create
29:25
endpoints that an
29:29
attacker can use to do
29:33
some steps. Just, I will
29:36
go off topic for 10 seconds.
29:37
There were cases,
29:40
I saw them
29:43
in my career, in the
29:44
last 10 years,
29:48
where the attacker was inside the system
29:51
for years, for months,
29:55
until they were spotted,
29:58
and they are mostly spotted on
29:59
their way out,
30:01
because when they are leaving the
30:03
environment
30:06
it was really hard
30:09
to clear all traces of activity.
30:12
So the alarm is turned on in that
30:13
situation,
30:16
but it is too late. So
30:19
all of these situations are generated
30:23
because the persons or IT teams
30:26
do not pay attention, especially in these
30:29
steps during and after
30:31
installation. So the SQL Server example
30:35
is simple, it is
30:39
childish, but look, I believe
30:43
that's where the problem is: when
30:46
the team creates the software,
30:46
writes the code,
30:50
they are doing that in staging, on
30:53
farms or in testing environments and so on,
30:56
and in that environment they have
31:00
almost by default full access.
31:03
In most cases we are speaking about the sa
31:04
account,
31:07
sa, the server administrator. So
31:11
if you have source control and if
31:12
that code
31:15
goes to stage and goes to production,
31:19
it can easily
31:22
go out
31:25
with sa as the account, or the sa password
31:26
hardcoded
31:28
inside your connection strings, and I see
31:30
it a lot. Also
31:33
the protocols, for example,
31:36
depending on the SQL Server version,
31:38
when I say version I mean Standard,
31:40
Enterprise, Developer, Express, Web and so on,
31:44
a different set of protocols is turned
31:45
off by default.
31:48
And see this: shared memory,
31:51
named pipes, TCP/IP enabled. Why?
31:54
Why do I need all three of them? I need,
31:56
for example, only TCP/IP.
32:00
Disable as much attack surface as
32:01
possible.
32:04
Don't turn it off, delete it. Simple,
32:06
simple. You need, you need it
32:07
to be gone,
32:10
because if you leave shared memory and
32:11
named pipes
32:12
and you will never use them, you
32:14
will forget about them,
32:16
and someone will scan your network and
32:18
try, and they will find them.
32:21
These protocols,
32:24
they are there by default, and they are
32:25
left in.
32:28
And also the third part in the
32:29
installation part,
32:33
it is mostly about database users and passwords. If you
32:39
use SQL Server authentication,
32:42
please enforce password policy,
32:44
please enforce password expiration
32:46
policy, and please enforce
32:49
that the user must change password at next
32:50
logon
32:53
when you create a password for them. Yes,
32:53
I know
32:57
it's painful for
33:00
the folks, it's boring to change, who will
33:04
remember a password with 16 characters,
33:07
12 characters, special signs and so on, but
33:10
without these steps
33:14
any sniffing attack will sniff
33:17
the hashes of the password, and it
33:18
can be easily
33:21
brute-forced and cracked with
33:25
modern GPU cards, server farms
33:28
and so on. Also,
33:31
the part that most of us simply
33:35
ignore, and we are speaking about threats
33:38
of unauthorized users. What it means:
33:41
the users inside our companies. So we
33:42
are buying the firewalls,
33:46
application firewalls
33:49
and so on to defend ourselves
33:52
outside, but what if the threat goes
33:55
inside? And there are numerous cases
33:56
where
33:59
employees, because of reasons A, B,
34:03
C, D, you name it, simply are trying
34:06
to do some activity that is a
34:10
gray zone between a regular job
34:14
or a malicious job, to give the
34:18
data to a third party, to make a
34:18
benefit,
34:22
to blackmail, because they hate you,
34:23
because they do the job.
34:26
So there's a different set of
34:27
activities
34:31
where these users can
34:34
try to exploit, and that's why
34:37
in the last year, and especially last
34:38
year, in
34:41
this COVID-19 situation, one
34:44
security model simply jumped in,
34:47
it's called zero trust. Zero trust: I
34:48
don't trust nobody.
34:51
So I treat you inside
34:55
my environment the same as outside, so you need
34:58
to pass through rigorous authentication,
34:59
authorization,
35:02
each time. Yes, I know,
35:05
implementation is kind of
35:06
expensive,
35:09
it takes time, it takes
35:12
expertise, but the zero trust model is
35:14
something that we need today,
35:17
especially now,
35:19
when we are working from homes,
35:20
for example.
35:23
This conference now is virtual, I am not
35:24
in your country,
35:27
I'm not in your time zone, I'm thousands of
35:28
miles away,
35:31
and, for example, if we are now in the same
35:31
network
35:34
and my PC is compromised, it means that
35:37
from my PC attackers can compromise the
35:38
entire
35:42
network of that company. So VPNs, 2FA,
35:47
SSL, HTTPS and all this story
35:50
need to be enforced in this zero
35:54
trust. Trust me. Okay, so
35:56
the user role simply is not
35:57
enough.
36:00
So I'll just go back. So if
36:03
your environment is based
36:06
on just GRANT, I will give you read,
36:07
I will give you write,
36:10
I will give you deny for some reasons,
36:11
that means
36:14
your security and privacy is not good
36:14
enough.
36:17
So this is the story. So I will give
36:18
you SELECT
36:22
on, I don't know, a DB
36:25
with 50 tables. It means you can read
36:28
50 tables with your SELECT statement. So
36:32
what is the problem? I can read all of them,
36:35
so I can write this statement and see
36:36
salaries,
36:40
just to see reviews, to see, you know,
36:43
patients' records, students' grades, it
36:44
depends on the system,
36:48
and I can use and reuse that information
36:51
ethically or not ethically. So the company
36:53
is now based on, and depends on, my
36:55
ethical principles.
36:59
So mitigation is to...
37:03
In this scenario it is also not enough,
37:06
but it is something basic. Using just this
37:09
is simply not good enough, but if
37:10
you try to do
37:13
this, you will mitigate the situation and
37:14
you will
37:17
make it harder for users
37:20
with permissions to break through
37:23
into the private and more secure part
37:27
of the system. So give access, then deny,
37:30
use stored procedures, use views to
37:31
map tables,
37:34
deny ad hoc queries,
37:36
and use encryption. I will speak about
37:38
encryption
37:41
more later in the presentation, and that's
37:42
the most important part
37:45
in these prevention and mitigation
37:47
database techniques.
37:51
Okay, physical data stealing. What does it
37:51
mean?
37:55
It means that we are forgetting that
37:59
inside threats can easily
38:02
get data files, database files and
38:05
all other files inside our company. If
38:07
that user
38:09
is authorized to copy backups, to
38:10
create backups,
38:14
to use company drives,
38:16
cloud drives, Google, I don't know,
38:18
Microsoft
38:21
Office 365 and so on, it means
38:24
that that user can copy all that
38:27
onto their own PC, remote or not remote. It
38:28
means
38:30
that he or she can
38:31
attach and copy
38:33
those files. So here you have the potential
38:34
breach,
38:37
and I will tell you to think about
38:39
this part.
38:43
Part two is outside the DBA. So
38:46
yes, I'm the DB owner, I can handle
38:47
data, but
38:50
outside of the DB planet you are going
38:52
outside into a totally
38:56
different ecosystem: file system,
38:58
operating system level, network layer, where
39:01
other threats simply are waiting to
39:05
extract your data. So you put your DB on a
39:06
network share,
39:09
on a cloud share, the file system
39:12
permissions are weak, there is an exploit
39:15
in the OS, so there are numerous
39:16
reasons
39:19
where this outside threat can
39:22
penetrate and exfiltrate this kind
39:26
of sensitive data. Okay, mitigation.
39:29
Mitigation of this part is very simple:
39:32
you need to use encryption, you need,
39:34
you need to use encryption
39:37
at all levels: table, column
39:40
and entire database. Again, it depends,
39:43
it depends on your business practice.
39:46
You need to encrypt backups all the time,
39:47
because the backups
39:50
are the weakest part, because they
39:51
are put aside,
39:54
they are putting backups aside on an
39:55
off-site location,
39:58
on primary, secondary, tertiary locations. So
40:01
you have one backup on each location,
40:04
can you guarantee that all
40:06
these three locations are
40:09
top security? I can't. But if I
40:12
do the steps and make the backup
40:16
really hard to penetrate, even if you
40:17
have the physical access,
40:20
then it's a whole different story, you
40:20
need to decrypt
40:21
need to decrypt
40:21
need to decrypt the volumes uh uh disk drives uh
40:25
the volumes uh uh disk drives uh
40:25
the volumes uh uh disk drives uh usb partitions uh with bitlocker
40:29
usb partitions uh with bitlocker
40:29
usb partitions uh with bitlocker and different set of those also
40:32
and different set of those also
40:32
and different set of those also passwords
40:33
passwords
40:33
passwords uh if you use classic archives zip seven
40:35
uh if you use classic archives zip seven
40:35
uh if you use classic archives zip seven zip and redraw
40:36
zip and redraw
40:36
zip and redraw please because because uh these archives
40:40
please because because uh these archives
40:40
please because because uh these archives using also uh encryption limit the
40:44
using also uh encryption limit the
40:44
using also uh encryption limit the number
40:44
number
40:44
number of admin staff if you have 25 admins
40:48
of admin staff if you have 25 admins
40:48
of admin staff if you have 25 admins inside your administration you have the
40:50
inside your administration you have the
40:50
inside your administration you have the 25 problems
40:51
25 problems
40:51
25 problems so you need to have really small number
40:54
so you need to have really small number
40:54
so you need to have really small number of admin staff
40:56
of admin staff
40:56
of admin staff with higher approaches also the really
40:59
with higher approaches also the really
40:59
with higher approaches also the really important part
41:00
important part
41:00
important part is audit if you don't have outlets
41:04
is audit if you don't have outlets
41:04
is audit if you don't have outlets if you don't who what and when
41:07
if you don't who what and when
41:07
if you don't who what and when is using copying modify your data
41:11
is using copying modify your data
41:11
is using copying modify your data and if breach is occurring and if
41:13
and if breach is occurring and if
41:13
and if breach is occurring and if incident is occur
41:14
incident is occur
41:14
incident is occur uh you will really you you will really
41:17
uh you will really you you will really
41:17
uh you will really you you will really have
41:17
have
41:18
have have a really difficult time to to point
41:21
have a really difficult time to to point
41:21
have a really difficult time to to point the finger and say you you are guilty in
41:25
the finger and say you you are guilty in
41:25
the finger and say you you are guilty in almost every case you will just say we
41:27
almost every case you will just say we
41:28
almost every case you will just say we are the bridge
41:28
are the bridge
41:28
are the bridge we are dumb sorry we will try our best
41:31
we are dumb sorry we will try our best
41:31
we are dumb sorry we will try our best but you will
41:32
but you will
41:32
but you will never find who is with it but if you
41:35
never find who is with it but if you
41:35
never find who is with it but if you implement
41:35
implement
41:35
implement how it in all levels and this is totally
41:38
how it in all levels and this is totally
41:38
how it in all levels and this is totally different presentation
41:39
different presentation
41:39
different presentation how you simply don't have time to to go
41:42
how you simply don't have time to to go
41:42
how you simply don't have time to to go deep down
41:43
deep down
41:43
deep down but application level web server ftp
41:46
but application level web server ftp
41:46
but application level web server ftp server
41:47
server
41:47
server db uh and even when you load
41:51
db uh and even when you load
41:51
db uh and even when you load you need to make that logs are temper
41:53
you need to make that logs are temper
41:54
you need to make that logs are temper proof
41:54
proof
41:54
proof because the person with most
41:58
because the person with most
41:58
because the person with most uh with most rights to access to that
42:00
uh with most rights to access to that
42:00
uh with most rights to access to that logs
42:01
logs
42:01
logs you can modify the logs so you can
42:04
you can modify the logs so you can
42:04
you can modify the logs so you can falsify them
42:05
falsify them
42:05
falsify them so you need to to make the temp proof
42:08
so you need to to make the temp proof
42:08
so you need to to make the temp proof mechanism inside
42:09
mechanism inside
42:09
mechanism inside your box and now concrete sql server
42:13
your box and now concrete sql server
42:13
your box and now concrete sql server sql server has a state-of-the-art uh
42:17
sql server has a state-of-the-art uh
42:17
sql server has a state-of-the-art uh encryption uh mechanisms so everything
42:20
encryption uh mechanisms so everything
42:20
encryption uh mechanisms so everything starts
42:21
starts
42:21
starts on the operating system level what it
42:23
on the operating system level what it
42:23
on the operating system level what it means it means
42:25
means it means
42:25
means it means when you install sql server windows data
42:29
when you install sql server windows data
42:29
when you install sql server windows data protection api
42:30
protection api
42:30
protection api create server master key service master
42:33
create server master key service master
42:34
create server master key service master key
42:34
key
42:34
key is iso 256 into encryption and it's a
42:37
is iso 256 into encryption and it's a
42:37
is iso 256 into encryption and it's a it's a guard
42:38
it's a guard
42:38
it's a guard inside the master db each
42:41
inside the master db each
42:41
inside the master db each each new database will have
42:45
each new database will have
42:45
each new database will have its own database master key and that
42:49
its own database master key and that
42:49
its own database master key and that database master key is encrypted guarded
42:53
database master key is encrypted guarded
42:53
database master key is encrypted guarded with service master key so it means if
42:56
with service master key so it means if
42:56
with service master key so it means if you need to
42:56
you need to
42:56
you need to decrypt an acute db you will need this
43:00
decrypt an acute db you will need this
43:00
decrypt an acute db you will need this service master key and now inside db
43:04
service master key and now inside db
43:04
service master key and now inside db you can create the old tree all the
43:06
you can create the old tree all the
43:06
you can create the old tree all the leaves
43:07
leaves
43:07
leaves of the certificates encryption case
43:09
of the certificates encryption case
43:09
of the certificates encryption case symmetric asymmetric
43:11
symmetric asymmetric
43:11
symmetric asymmetric to to encrypt the concrete data inside
43:14
to to encrypt the concrete data inside
43:14
to to encrypt the concrete data inside your your
43:14
your your
43:14
your your db and in each of them and each of them
43:19
db and in each of them and each of them
43:19
db and in each of them and each of them can be failed saved of one below
43:22
can be failed saved of one below
43:22
can be failed saved of one below so for example if if this symmetrically
43:26
so for example if if this symmetrically
43:26
so for example if if this symmetrically is used to encrypt column for example uh
43:30
is used to encrypt column for example uh
43:30
is used to encrypt column for example uh credit card number inside the the
43:33
credit card number inside the the
43:33
credit card number inside the the bank bank customers table if you
43:37
bank bank customers table if you
43:37
bank bank customers table if you use this key that key is guarded with a
43:40
use this key that key is guarded with a
43:40
use this key that key is guarded with a symmetrically
43:41
symmetrically
43:41
symmetrically and it is it is guarded with the
43:44
and it is it is guarded with the
43:44
and it is it is guarded with the db master key and it's guarded by
43:47
db master key and it's guarded by
43:47
db master key and it's guarded by service master key so attacker
43:49
service master key so attacker
43:49
service master key so attacker needs to have one two three four keys
43:53
needs to have one two three four keys
43:53
needs to have one two three four keys and known to passwords to unlock the
43:55
and known to passwords to unlock the
43:55
and known to passwords to unlock the case
43:57
case
43:57
case if attackers have the for for all four
44:00
if attackers have the for for all four
44:00
if attackers have the for for all four keys it means
44:01
keys it means
44:01
keys it means it has the physical access to server or
44:04
it has the physical access to server or
44:04
it has the physical access to server or the server
44:04
the server
44:04
the server is on location where attacker can simply
44:07
is on location where attacker can simply
44:08
is on location where attacker can simply goes and and and copy all this all this
44:11
goes and and and copy all this all this
44:11
goes and and and copy all this all this key
44:11
key
44:11
key uh on the application level i can get 1k
44:16
uh on the application level i can get 1k
44:16
uh on the application level i can get 1k but if i just pull out this key
44:19
but if i just pull out this key
44:19
but if i just pull out this key inside it his comfort zone
44:22
inside it his comfort zone
44:22
inside it his comfort zone that he is totally useless uh without
44:25
that he is totally useless uh without
44:25
that he is totally useless uh without uh this old all these three
44:28
uh this old all these three
44:28
uh this old all these three three three story trickies uh below
44:32
three three story trickies uh below
44:32
three three story trickies uh below above above so this hierarchy
44:37
above above so this hierarchy
44:37
above above so this hierarchy simplified simply ensure that that keys
44:40
simplified simply ensure that that keys
44:40
simplified simply ensure that that keys are secure enough in these situations
44:43
are secure enough in these situations
44:44
are secure enough in these situations and these are the algorithms that sql
44:46
and these are the algorithms that sql
44:46
and these are the algorithms that sql server can
44:47
server can
44:47
server can use to anchor db and data
44:50
use to anchor db and data
44:50
use to anchor db and data this triple that's triple k simply
44:52
this triple that's triple k simply
44:52
this triple that's triple k simply ignore it
44:53
ignore it
44:53
ignore it it's uh it's it's absolute and uh from
44:56
it's uh it's it's absolute and uh from
44:56
it's uh it's it's absolute and uh from sql server 2016
44:58
sql server 2016
44:58
sql server 2016 it simply is not supported so if you use
45:00
it simply is not supported so if you use
45:00
it simply is not supported so if you use it uh because this
45:02
it uh because this
45:02
it uh because this uh try to to to change it and
45:05
uh try to to to change it and
45:05
uh try to to to change it and avoid it because triple this is simple
45:09
avoid it because triple this is simple
45:09
avoid it because triple this is simple not is not secure enough so if you need
45:12
not is not secure enough so if you need
45:12
not is not secure enough so if you need to
45:12
to
45:12
to use something use a yes and usa 2
45:15
use something use a yes and usa 2
45:15
use something use a yes and usa 2 5 6 simple as that and if you are
45:18
5 6 simple as that and if you are
45:18
5 6 simple as that and if you are speaking about
45:19
speaking about
45:19
speaking about a symmetric algorithm and there is error
45:22
a symmetric algorithm and there is error
45:22
a symmetric algorithm and there is error say
45:23
say
45:23
say uh again uh the the longest uh
45:26
uh again uh the the longest uh
45:26
uh again uh the the longest uh the longest key is more secure but uh
45:29
the longest key is more secure but uh
45:29
the longest key is more secure but uh longest key in bid it means it it will
45:31
longest key in bid it means it it will
45:31
longest key in bid it means it it will be
45:32
be
45:32
be it will be slower so uh how much slower
45:35
it will be slower so uh how much slower
45:35
it will be slower so uh how much slower it depends on on your cpu power it
45:37
it depends on on your cpu power it
45:37
it depends on on your cpu power it depends on your network it depends
45:39
depends on your network it depends
45:39
depends on your network it depends on your client so you need to test it uh
45:41
on your client so you need to test it uh
45:42
on your client so you need to test it uh to trade
45:43
to trade
45:43
to trade the the pros and cons to say okay i'll
45:45
the the pros and cons to say okay i'll
45:45
the the pros and cons to say okay i'll use this
45:46
use this
45:46
use this and i'll use that and now it's a balance
45:48
and i'll use that and now it's a balance
45:48
and i'll use that and now it's a balance about security
45:49
about security
45:49
about security and performance okay in this example
45:53
and performance okay in this example
45:53
and performance okay in this example uh of one column first name i will
45:57
uh of one column first name i will
45:57
uh of one column first name i will i'll show you later in in in live demo
46:00
i'll show you later in in in live demo
46:00
i'll show you later in in in live demo where symmetric key is used to encrypt
46:03
where symmetric key is used to encrypt
46:03
where symmetric key is used to encrypt first name to rank it first name inside
46:06
first name to rank it first name inside
46:06
first name to rank it first name inside data database
46:10
Always Encrypted. It's a really cool feature. Always Encrypted eliminates the DBA from the equation. What does it mean? It means that always one person, and each DBA, has access to the server, has access to keys and has access to data. So you can't simply create a good enough wall to defend data from the DBA. So how can we eliminate the DBA from the security equation? If we use Always Encrypted, this encryption pulls out the encryption and decryption story to the client side.

47:01
So for example, the DB is with data on the server and data are encrypted, so table Customers is encrypted. So I will say SELECT name FROM customers WHERE parameter @SSN is equal to that. So this is the user input here. Now this input goes to ADO.NET and it uses the key to encrypt the input, so the input looks now like this: 0x7F6C54AA6D cipher text. So SQL Server says "give me the name of the customer where SSN is equal to this string". Because this string is inside the DB, it will create a result set and send it back to the client. The results come to the ADO.NET library trust boundary zone, it will be decrypted and say the name is Wayne Jefferson. So encryption and decryption and key management is pulled out from the server to the client side. So we now need to handle security on the client side, but we are eliminating this high-privilege user from this story.

48:20
But okay, this story also has its own side effects. So what's the side effect? There are two types of encryption that you can use in this case scenario. If you use randomized encryption, it means each time it will create a different encrypted string of the same plain text. So 1-2-3 to 9, it will create one time like this, next time like that, second time like this again, and so on. So each time it creates different cipher text. So yes, you'll be secure, but you simply can't do any functional operation on your data, like comparisons, summarizing and so on. It will be useless because each time the same data looks different. But it's more secure.

49:22
But if you use a different approach, then each same string each time is encrypted in the same manner. So 1 to 9 each time will be the same, so you can use the LIKE operator, because each time you compare the same string. So basically in this case scenario, this query works fine, because Wayne Jefferson each time is encrypted... sorry, because this SSN ID is always encrypted in the same way. So each time, if you're using it as a primary key or foreign key, you will have the same result, and that result can be used with the query to create AND and OR operations, comparisons, joins, group by and so on. So it's more flexible, but it's less secure. So an attacker can sniff the network, extract data, and over time he or she or a group can find the patterns in the data and maybe can decrypt the string and actually see what we are talking about in our so-called encrypted communication.

50:43
Okay, before the demo: if you don't have the money, for example, because encryption is still kind of an expensive sport, but it is becoming cheaper and cheaper, you can use, to defend your backups, your archives, for example 7-Zip. 7-Zip is open source, it's free and it uses AES-256, it's military-grade encryption, to defend your archive. So there is no difference at all if you encrypt the backup on SQL Server with AES-256, or you create the backup and encrypt it with 7-Zip, you will get the same level of protection. What is an issue? The issue is key management: who will handle the keys, who will have the password. So in the 7-Zip story you will be more exposed, in the SQL Server story you are not so exposed. So it's a game of balance, but it's better than nothing.

51:54
Okay, now I will show you a short demo before I finish my session about how to encrypt the data on SQL Server in a couple of commands. Okay.
52:07
I will now quickly create a DB and jump in, and I will create a database master key. And this database master key is guarded by the service master key. And if I query the sys.symmetric_keys system view, I will see that this is my key that I created a couple of seconds ago. You see it's AES 256, created, modified, and some other metadata important to understand what is going on under the hood.

52:40
Okay, I would love to create some test environment, some hypothetical encrypted customer table with some set of columns, and I will create a certificate. So now I will create the same scenario as the slide before: so a DB master key, a certificate and the symmetric key, and that key will be used to encrypt the concrete data. So the certificate will be used to defend the key, the certificate is defended by the master key, so three-level protection so far. And I will now finally create a symmetric key.

53:24
I just want to see if someone writes to me, or is everything fine? Okay, nobody says anything.

53:34
And now I will open the key in memory. I opened the key in memory, okay, and I will now create the sub-query to insert the customer data from the AdventureWorks DB and encrypt that data by the key, the customer symmetric key created a couple of seconds before, and import it into my new table. So it's a simple query.

54:00
Nearly twenty thousand rows, of course. Okay, you'll see, this is a laptop, so it simply imports twenty thousand rows and
54:08
import twenty thousand rows and
54:08
import twenty thousand rows and encrypted some of them
54:09
encrypted some of them
54:09
encrypted some of them uh in no time so in no time it's like
54:12
uh in no time so in no time it's like
54:12
uh in no time so in no time it's like actually one second one one second one
54:15
actually one second one one second one
54:15
actually one second one one second one on laptop
54:17
on laptop
54:17
on laptop now i will close the key so it will be
54:19
now i will close the key so it will be
54:19
now i will close the key so it will be flashed out
54:20
flashed out
54:20
flashed out from memory and if i try to see
54:23
from memory and if i try to see
54:23
from memory and if i try to see data inside table i see last name
54:27
data inside table i see last name
54:27
data inside table i see last name credit card you see they are all
54:30
credit card you see they are all
54:30
credit card you see they are all encrypted
54:31
encrypted
54:31
encrypted so this is the data which attacker can
54:34
so this is the data which attacker can
54:34
so this is the data which attacker can see
54:35
see
54:35
see if he or she get the db so if
54:38
if he or she get the db so if
54:38
if he or she get the db so if data which occur uh this is a mitigation
54:41
data which occur uh this is a mitigation
54:41
data which occur uh this is a mitigation prevention and mitigation so prevention
54:44
prevention and mitigation so prevention
54:44
prevention and mitigation so prevention that
54:44
that
54:44
that uh uh customer data is not
54:48
uh uh customer data is not
54:48
uh uh customer data is not used and exposed in in deep web
54:51
used and exposed in in deep web
54:51
used and exposed in in deep web techniques is in this phase simply i
54:54
techniques is in this phase simply i
54:54
techniques is in this phase simply i will try
54:55
will try
54:55
will try to minimize damage if damage occurs so
54:58
to minimize damage if damage occurs so
54:58
to minimize damage if damage occurs so if i try to see
54:59
if i try to see
54:59
if i try to see data again so again i'll open the key
55:02
data again so again i'll open the key
55:02
data again so again i'll open the key open the key and i will
55:03
open the key and i will
55:03
open the key and i will show you side by side customer id
55:07
show you side by side customer id
55:07
show you side by side customer id last name last name uh encrypted form
55:11
last name last name uh encrypted form
55:11
last name last name uh encrypted form and
55:11
and
55:11
and on android phone you see okay this is a
55:14
on android phone you see okay this is a
55:14
on android phone you see okay this is a sanchez uh in clear text and sanchez
55:18
sanchez uh in clear text and sanchez
55:18
sanchez uh in clear text and sanchez and duffy and belter's erection and so
55:20
and duffy and belter's erection and so
55:20
and duffy and belter's erection and so on
55:21
on
55:21
on in uh empty way okay i will now go back
55:25
in uh empty way okay i will now go back
55:25
in uh empty way okay i will now go back in my presentation so i'm here to finish
55:28
in my presentation so i'm here to finish
55:28
in my presentation so i'm here to finish meditation
55:29
meditation
55:29
meditation it's four minutes four minutes until end
55:32
it's four minutes four minutes until end
55:32
it's four minutes four minutes until end so uh thank you for your attention uh
55:35
so uh thank you for your attention uh
55:35
so uh thank you for your attention uh about me
55:36
about me
55:36
about me uh 20 almost 20 years
55:39
uh 20 almost 20 years
55:39
uh 20 almost 20 years i am um professor at university
55:42
i am um professor at university
55:42
i am um professor at university and also i'm an siso in one company
55:46
and also i'm an siso in one company
55:46
and also i'm an siso in one company and mo and also for for 11-year
55:49
and mo and also for for 11-year
55:49
and mo and also for for 11-year i am max mvp uh
55:52
i am max mvp uh
55:52
i am max mvp uh but this is also important important
55:54
but this is also important important
55:54
but this is also important important part is that that
55:55
part is that that
55:55
part is that that i try to to share my experience uh
55:59
i try to to share my experience uh
55:59
i try to to share my experience uh to place my knowledge uh free of charge
56:01
to place my knowledge uh free of charge
56:01
to place my knowledge uh free of charge or through the conference
56:03
or through the conference
56:03
or through the conference uh through to the books and through to
56:05
uh through to the books and through to
56:05
uh through to the books and through to all my services uh
56:06
all my services uh
56:06
all my services uh maybe you noted on the first slide uh
56:09
maybe you noted on the first slide uh
56:09
maybe you noted on the first slide uh yesterday is my handle uh on twitter
56:13
yesterday is my handle uh on twitter
56:13
yesterday is my handle uh on twitter github linkedin where you can find a lot
56:16
github linkedin where you can find a lot
56:16
github linkedin where you can find a lot of
56:16
of
56:16
of stuff that i actually actually share
56:18
stuff that i actually actually share
56:18
stuff that i actually actually share with community
56:20
with community
56:20
with community uh on date plus cyber security privacy
56:23
uh on date plus cyber security privacy
56:23
uh on date plus cyber security privacy and digital products and one all that
56:24
and digital products and one all that
56:24
and digital products and one all that that resource that actually i share is
56:26
that resource that actually i share is
56:26
that resource that actually i share is this book so you can uh
56:28
this book so you can uh
56:28
this book so you can uh all of you can now go on rehab
56:31
all of you can now go on rehab
56:31
all of you can now go on rehab type my name and you will see some of
56:34
type my name and you will see some of
56:34
type my name and you will see some of the
56:34
the
56:34
the represent repositories down there and
56:37
represent repositories down there and
56:37
represent repositories down there and you can
56:38
you can
56:38
you can download this book free of charge
56:41
download this book free of charge
56:41
download this book free of charge with these examples and many more of
56:43
with these examples and many more of
56:43
with these examples and many more of them
56:45
them
56:45
them clearly explained how to implement
56:47
clearly explained how to implement
56:47
clearly explained how to implement security on september
56:48
security on september
56:48
security on september yes it's uh 2012 but uh
56:52
yes it's uh 2012 but uh
56:52
yes it's uh 2012 but uh most of the feature are simply the same
56:55
most of the feature are simply the same
56:55
most of the feature are simply the same and now seven years later and yes
56:58
and now seven years later and yes
56:58
and now seven years later and yes keep calm while we steal your data