Welcome back to IT Security Policy. This is a continuation of Module 4. We're going to start with the first policy, which is the Database Credentials Policy,
and it's starring myself, Troy Lemaire, here on Cybrary.
The learning objective for this training is going to be general information and specific requirements of
So if we look at our SANS sample policy, at the beginning we have an overview.
Database authentication credentials are a necessary part of authorizing applications to connect to internal databases. However, incorrect use, storage and transmission of such credentials could lead to compromise of very sensitive assets and be a springboard to a wider compromise within the organization.
If we look at the purpose, the policy states the requirements for securely storing and retrieving database usernames and passwords for use by a program that will access a database running on one of the company's networks.
Software applications running on the company's network may require access to one of the many internal database servers. In order to access these databases, a program must authenticate to the database by presenting acceptable credentials.
So basically what they're saying, if you wrap it up in a nutshell, is that certain systems and applications are going to connect to a database that's within the network and on one of the servers. For it to connect, you don't want just anybody to connect to that database and get access to that information. So that's why you're going to use credentials and specify the type of credentials that are going to be used, with some requirements on them.
Now, if we look at the policy itself, in the General section: in order to maintain the security of the internal databases, access by software programs must be granted only after authentication with credentials.
The credentials used must not reside in the main executing body of the program's source code in clear text. So basically, this is requiring any type of program that is created by internal employees or third-party contractors to make sure that they are encrypting their authentication method, the username and password or whatever is being used, and not leaving it in clear text where somebody can take apart that source code, see what the database credentials are, and then make their own programs.
As regards the storage of database usernames and passwords:
they may be stored in a file separate from the executing body of the program,
but the file must not be world readable or writable, meaning it must be encrypted in some kind of way.
The credentials may reside on the database server,
but a hash function number identifying the credentials may be stored in the executing body of the program, meaning that it has been hashed or encrypted.
Database credentials may be stored as part of an authentication server
such as LDAP,
meaning that the authentication happens once the user logs in
through a system, and then it uses an LDAP connection which grants rights to that user to be able to have that authentication into the database.
Database credentials may not reside in the documents tree of a web server.
Pass-through authentication must not allow access to the database based solely upon a remote user's authentication on the remote host,
and passwords or passphrases used to access a database must adhere to the Password Policy.
If we're looking at the retrieval of database usernames and passwords:
if they're stored in a file that is not source code, the database username and password must be read from the file immediately prior to use.
The scope in which you may store database credentials must be physically separated from the other areas of your code. Again, don't put your
database authentication credentials inside of the code of anything that's being programmed.
For languages that execute from source code, the credentials source file must not reside in the same browsable or executable file directory tree in which the executing body of the code resides. Again, if you're looking at a Windows file structure or a Linux file structure, you don't want the credentials source file to be within that same directory,
and that way you can go in and
password-protect or set different rights on that separate directory so that
you cannot get to it automatically.
For access to database usernames and passwords, every program or every collection of programs
implementing a single business function must have unique database credentials. Sharing of credentials
between programs is not allowed.
Database passwords are system-level passwords, as defined in the Password Policy.
Developer groups must have a process in place to ensure that database passwords are controlled and changed in accordance with the Password Policy.
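As an added example (not from the lecture or from the SANS policy text), here is a small Python loader that enforces the storage and retrieval rules above at runtime: the credential file must sit outside both the web document tree and the code tree, must not be world readable or writable, is read immediately before use rather than cached at import time, and may be pinned by a hash kept in the program's executing body in place of the password itself. The directory layout, file name, account name and password are all constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


class CredentialPolicyError(Exception):
    """Raised when a credential file violates one of the policy's storage rules."""


def _inside(path: Path, root: Path) -> bool:
    """True if path is located under root (after resolving symlinks)."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def check_credential_file(cred_path: Path, web_root: Path, code_root: Path) -> None:
    """Reject a credential file that the policy would not allow a program to use."""
    mode = cred_path.stat().st_mode
    if mode & (stat.S_IROTH | stat.S_IWOTH):  # must not be world readable or writable
        raise CredentialPolicyError(
            f"{cred_path} is world readable/writable (mode {oct(stat.S_IMODE(mode))})")
    if _inside(cred_path, web_root):  # must not be in the web server's documents tree
        raise CredentialPolicyError(f"{cred_path} is inside the web document tree")
    if _inside(cred_path, code_root):  # must not share the executing code's directory tree
        raise CredentialPolicyError(f"{cred_path} is inside the code tree")


def load_db_credentials(cred_path: Path, web_root: Path, code_root: Path,
                        expected_sha256: Optional[str] = None) -> dict:
    """Read username/password from a key=value file immediately before use.

    Call this right before opening the database connection; do not cache the
    result in a module-level global. expected_sha256 is a hash identifying the
    credentials that the program may keep in its executing body instead of the
    credentials themselves.
    """
    check_credential_file(cred_path, web_root, code_root)
    raw = cred_path.read_bytes()
    if expected_sha256 and hashlib.sha256(raw).hexdigest() != expected_sha256:
        raise CredentialPolicyError("credential file does not match the expected hash")
    creds = {}
    for line in raw.decode("utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            creds[key.strip()] = value.strip()
    missing = {"username", "password"} - creds.keys()
    if missing:
        raise CredentialPolicyError(f"credential file is missing {sorted(missing)}")
    return creds


# Constructed sample credential file; the account name and password are made up.
SAMPLE = ("# constructed sample for the demo\n"
          "username = app_reports\n"
          "password = not-a-real-secret\n")


def _constructed_layout():
    """Throwaway directories standing in for /var/www/html, /opt/app and /etc/app."""
    base = Path(tempfile.mkdtemp())
    web_root, code_root, secrets = base / "var/www/html", base / "opt/app", base / "etc/app"
    for d in (web_root, code_root, secrets):
        d.mkdir(parents=True)
    return web_root, code_root, secrets


def demo_compliant() -> dict:
    """Credentials in a separate, owner-only file outside both trees: accepted."""
    web_root, code_root, secrets = _constructed_layout()
    cred = secrets / "db.conf"
    cred.write_text(SAMPLE)
    os.chmod(cred, 0o600)  # owner read/write only
    digest = hashlib.sha256(SAMPLE.encode()).hexdigest()  # kept in the program, not the password
    return load_db_credentials(cred, web_root, code_root, expected_sha256=digest)


def demo_rejected(violation: str) -> bool:
    """True if the loader refuses the named violation of the policy."""
    web_root, code_root, secrets = _constructed_layout()
    location = {"world_readable": secrets, "web_root": web_root, "code_tree": code_root}[violation]
    cred = location / "db.conf"
    cred.write_text(SAMPLE)
    os.chmod(cred, 0o644 if violation == "world_readable" else 0o600)
    try:
        load_db_credentials(cred, web_root, code_root)
    except CredentialPolicyError:
        return True
    return False
```

The permission check looks only at the "other" bits because that is what the policy names; a stricter deployment would also reject group access and verify the file's owner. The hash pin is an integrity check on the file, not a secret: it lets the program detect a swapped or tampered credential file without carrying the password in its own body.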
So if we look at what we covered today:
for database credentials, we covered general information as well as specific requirements for database credentials.
If we look at one of our policy recap questions: database credentials must not be stored in a location that could be accessed through a ___,
and that would be through a web server.
Database usernames and passwords may be stored in a file separate from the ___ ___ of the program's code,
and that is the executing body of the program's code.
Looking forward, in our next lecture we'll be looking at server policies and the disposal policy.
If you have questions or need clarification, reach me on Cybrary via message, username Troy Lemaire, and thank you for attending this Cybrary training.