Two thesis records from the Global ETD Search service, provided by the Networked Digital Library of Theses and Dissertations (NDLTD), whose metadata is collected from universities around the world.

資料外洩稽核工具之設計與實作 / Design and implementation of an audit tool for data leakage

高華志 (Kao, Hua Chih). Date unknown.
Abstract (the original gives a Chinese and an English version; they are merged here in English):

The rapid spread of information technology into every facet of life has brought a surge of attention to privacy. Domestic law now places more weight on privacy policy, organisations at home and abroad face heavy fines and enforcement, and personal data breaches are reported constantly, so every enterprise worries about protecting customer data and enforcing internal data controls. A comprehensive privacy policy has become the mark of a responsible corporation. For large government agencies and enterprises, with their wide range of services and many application systems, protection against data leakage is especially complex, and the diversity of those systems makes it very difficult to ensure that they conform to every privacy regulation and policy. Most organisations have management processes and equipment in place for physical documents, controlled secure storage devices and purchased firewalls, but none of these mechanisms addresses data leakage through the application layer, where application developers could retrieve sensitive data by exploiting application flaws. This poses great challenges to information system auditors. First, it is very difficult for auditors to review application source code to spot the flaws. Second, it is impractical to define a new coding standard, or a new and more secure access-control interface, and rewrite legacy applications to it, since that costs a great deal of time and money. Third, application developers lack the motivation to improve the protection level of existing systems.

This thesis argues that a database audit tool can partly address these difficulties, and designs and implements a tool for data leakage auditing. Referring to the information security practices of the international standards ISO 27002 and ISO 13569, it extracts security guidance for application systems and, drawing on practical experience and the characteristics of systems in the financial industry, derives access rules for identifying potential sources of data leakage. The tool is paired with a database command logger (DB Logger): from a large volume of logged database commands it quickly produces audit reports based on those rules. The reports give auditors useful hints for detecting possible data leakage and provide evidence for urging developers to improve the privacy protection of their applications, so that internal data-control policy and external legal requirements are enforced.
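The abstract describes rules applied over a database command log to produce an audit report, but does not list the rules. The following is an added example, not the thesis's tool: it shows what such a rule engine looks like on a constructed log. The log format, the four rules, and the table, column and account names are all assumptions; the thesis derives its own rules from ISO 27002, ISO 13569 and financial-industry practice.

```python
"""Rule-based audit of a database command log.

Added example, not the thesis's tool. The log format, the rule set and
the table/column/account names are constructed assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: timestamp, database account, client program, SQL text.
SAMPLE_LOG = """\
2024-03-01T09:12:05 app_user CRM     SELECT name, phone FROM customers WHERE id = 4711
2024-03-01T09:15:40 dev_chen sqlplus SELECT * FROM customers
2024-03-01T23:41:02 app_user BATCH   SELECT id_number, account_no FROM customers WHERE branch = 'TPE'
2024-03-01T10:02:11 dev_lin  toad    SELECT name, id_number, phone, address FROM customers WHERE 1=1
2024-03-01T10:05:00 app_user CRM     UPDATE customers SET phone = '0912' WHERE id = 4711
"""

# Assumed classification: which objects hold personal data, which accounts
# belong to applications rather than people, and when business runs.
SENSITIVE_TABLES = {"customers"}
SENSITIVE_COLUMNS = {"id_number", "account_no", "phone", "address"}
APPLICATION_ACCOUNTS = {"app_user"}
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59


@dataclass
class LogEntry:
    ts: str
    user: str
    program: str
    sql: str


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_log(text):
    """Turn the logger's text output into LogEntry records, skipping lines that do not parse."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(LogEntry(*m.groups()))
    return entries


def tables_in(sql):
    """Table names following FROM/JOIN/UPDATE/INTO (good enough for single-table statements)."""
    return {t.lower() for t in re.findall(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_][\w.]*)", sql, re.I)}


def columns_in(sql):
    """Selected column list of a SELECT ('*' counts as a column); empty for other statements."""
    m = re.match(r"\s*SELECT\s+(.*?)\s+FROM\b", sql, re.I | re.S)
    return {c.strip().lower() for c in m.group(1).split(",")} if m else set()


def reads_sensitive(e):
    return e.sql.lstrip().upper().startswith("SELECT") and bool(tables_in(e.sql) & SENSITIVE_TABLES)


def unrestricted(sql):
    """No row filter at all, the classic 'WHERE 1=1' dump, or SELECT *."""
    return (not re.search(r"\bWHERE\b", sql, re.I)
            or re.search(r"\bWHERE\s+1\s*=\s*1\b", sql, re.I) is not None
            or "*" in columns_in(sql))


# Rule id, description, predicate over a LogEntry. Each rule is an assumption.
RULES = [
    ("R1", "personal account reads a sensitive table",
     lambda e: reads_sensitive(e) and e.user not in APPLICATION_ACCOUNTS),
    ("R2", "unrestricted read of a sensitive table (no WHERE, WHERE 1=1, or SELECT *)",
     lambda e: reads_sensitive(e) and unrestricted(e.sql)),
    ("R3", "three or more sensitive columns in one statement",
     lambda e: len(columns_in(e.sql) & SENSITIVE_COLUMNS) >= 3),
    ("R4", "sensitive read outside business hours",
     lambda e: reads_sensitive(e) and int(e.ts[11:13]) not in BUSINESS_HOURS),
]


def audit(log_text):
    """Return (rule id, description, entry) for every rule that each log entry trips."""
    return [(rid, desc, e) for e in parse_log(log_text) for rid, desc, pred in RULES if pred(e)]


def summarize(findings):
    """Findings per rule id: the headline numbers of an audit report."""
    return dict(Counter(rid for rid, _, _ in findings))


def report(findings):
    return "\n".join(f"[{rid}] {desc}: {e.ts} {e.user}/{e.program}: {e.sql}" for rid, desc, e in findings)


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    print(report(found))
    print(summarize(found))
```

On the constructed log the engine flags the developer's `SELECT *` and `WHERE 1=1` dumps and the batch account's night-time read, while the application's keyed lookup and its update pass. The SQL parsing is deliberately shallow; an engine for a real logger should use a proper SQL parser, since joins, subqueries and comments defeat regular expressions, and the rules should be tuned against the organisation's own data classification.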
運用使用者輸入欄位屬性偵測防禦資料隱碼攻擊 / Preventing SQL Injection Attacks Using the Field Attributes of User Input

賴淑美 (Lai, Shu Mei). Date unknown.
Abstract (the original gives a Chinese and an English version; they are merged here in English):

With the vigorous growth of network applications and an ever-increasing internet population, providing customer service and doing business over the network has become the prevailing trend, and the risks come with it. In a borderless network world, threats come from every direction, and as technology advances attack techniques become faster and more widespread, so that web defences seem only able to keep chasing the attacks. The fundamental remedy lies in the original program design: checking the data entered into web form fields. Thorough checking of field contents, adherence to secure web design principles, and strict authorisation of database access are what shut out constantly changing attacks. Most existing systems, however, do not check input fields against the length, data type and format (or specific expression) that each field should accept, and this is how Injection Flaws [1] and part of the XSS (Cross Site Scripting) [2] attacks arise.

Faced with these ever-changing website attacks, most organisations repeatedly modify system source code, look for vulnerabilities through penetration-testing services, and buy Intrusion Prevention System (IPS) appliances. All three have limits: repeated source-code changes are laborious, penetration tests cannot be run daily, and IPS equipment is costly.

This research returns to checking web input data against each field's length, data type and format; the hypothesis is that consistently applying this original design principle prevents most website attacks. Because legacy systems are large and numerous, reviewing and modifying every input field by hand would take far too long. The thesis therefore studies an automated process that combines traffic capture and analysis, the database schema, and convenient field-attribute definitions to quickly generate the check criteria for each input field. Web input is then checked dynamically: the user's request is intercepted when the website receives it, before the application processes it, and each field is checked against the predefined field type and length. The existing system needs no modification, and effective defence against web attacks is achieved at minimum cost.
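The mechanism the abstract describes is a front-end check of every submitted field against a length, a type and a format derived from the database schema, run before the unmodified application sees the request. The following is an added example, not the thesis's implementation: the schema, the format expressions, the stand-in legacy handler and the request payloads are constructed assumptions, and the thesis's traffic-capture step that discovers which fields exist is not reproduced here.

```python
"""Allow-list input checks derived from a database schema, applied before
the application sees the request.

Added example, not the thesis's implementation. The schema, the format
expressions, the handler and the request payloads are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed: column attributes as a schema export would give them for the
# form fields that end up in SQL. A real deployment would read these from the
# database catalogue and from captured traffic.
SCHEMA = {
    "customers": {
        "cust_id":  {"type": "integer"},
        "name":     {"type": "varchar", "length": 40},
        "phone":    {"type": "varchar", "length": 15},
        "birthday": {"type": "date"},
        "email":    {"type": "varchar", "length": 100},
    }
}

# Hand-defined format expressions for fields whose schema type is too loose
# (assumed; tighten for real data). Matched with fullmatch, so no anchors needed.
FORMATS = {
    "phone": re.compile(r"\+?[0-9]{8,15}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "name":  re.compile(r"[^\x00-\x1f<>'\";\\]+"),  # no control chars or SQL/HTML metacharacters
}


@dataclass(frozen=True)
class FieldSpec:
    name: str
    kind: str
    max_len: Optional[int]
    pattern: Optional[re.Pattern]


def build_specs(schema, formats):
    """Flatten schema plus format overrides into one spec per field name."""
    specs = {}
    for table in schema.values():
        for col, attrs in table.items():
            specs[col] = FieldSpec(col, attrs["type"], attrs.get("length"), formats.get(col))
    return specs


def check_value(spec, value):
    """None if the value is acceptable for this field, otherwise the reason."""
    if spec.max_len is not None and len(value) > spec.max_len:
        return f"{spec.name}: length {len(value)} exceeds {spec.max_len}"
    if spec.kind == "integer" and not re.fullmatch(r"-?[0-9]{1,18}", value):
        return f"{spec.name}: not an integer"
    if spec.kind == "date":
        try:
            date.fromisoformat(value)
        except ValueError:
            return f"{spec.name}: not an ISO date"
    if spec.pattern is not None and not spec.pattern.fullmatch(value):
        return f"{spec.name}: format mismatch"
    return None


def validate(form, specs):
    """Check every submitted field; fields the schema does not know are rejected too."""
    problems = []
    for field, value in form.items():
        spec = specs.get(field)
        if spec is None:
            problems.append(f"{field}: unknown field")
            continue
        reason = check_value(spec, value)
        if reason:
            problems.append(reason)
    return problems


def guard(handler, specs):
    """Wrap a request handler so rejected input never reaches it (the interception point)."""
    def wrapped(form):
        problems = validate(form, specs)
        if problems:
            return 400, problems
        return 200, handler(form)
    return wrapped


def legacy_lookup(form):
    # Stand-in for an unmodified legacy handler that still builds SQL by string concatenation.
    return f"SELECT name FROM customers WHERE cust_id = {form['cust_id']}"


SPECS = build_specs(SCHEMA, FORMATS)
protected_lookup = guard(legacy_lookup, SPECS)

# Constructed requests: one legitimate, one carrying typical injection payloads.
GOOD = {"cust_id": "4711", "name": "Wang Xiaoming", "phone": "+886912345678",
        "birthday": "1985-07-14", "email": "xm.wang@example.com"}
INJECTED = {"cust_id": "4711 OR 1=1", "name": "x'; DROP TABLE customers;--",
            "phone": "0912345678" + "9" * 20, "birthday": "1985-07-14'--", "debug": "1"}

if __name__ == "__main__":
    print(protected_lookup(GOOD))
    print(protected_lookup(INJECTED))
```

The unquoted integer field is the one to watch: `legacy_lookup` would concatenate `4711 OR 1=1` straight into its WHERE clause, and only the type check stands between that request and a full table read. A front check of this kind is a compensating control for code that cannot be rewritten; it narrows the attack surface to whatever the allow-list still admits, so parameterised queries remain the fix wherever the application can be changed.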
