Time
2 hours 23 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:01
Oh, and welcome back to I t. Security policy. This is a continuation of Module four. We're going to start with the first policy, which is the database credentials policy,
00:10
and it's storing myself. Troy Lemaire here on SCIRI.
00:14
The learning objective for this training is gonna be
00:18
general information and specific requirements of
00:21
database credentials.
00:23
So if we look at our sand sample policy
00:30
beginning, we have an overview
00:32
database Database authentication credentials are a necessary part of
00:36
authorizing applications
00:38
to connect to internal databases. However incorrect you storage and transmission
00:42
good lead to compromise a very sensitive
00:45
assets and be a springboard, a wider compromise within the organization.
00:51
We look at the purpose. The policy states that the requirements for securely storing and retrieving database user names and passwords for use by program
00:59
now access the database running on one of the company's networks.
01:03
Software applications running on the company's network may require access to one of the many internal database servers in order to access these databases of program US authenticate to the database by presenting acceptable credentials.
01:15
So basically what they're saying
01:17
if you wrap it up in a nutshell, is that certain systems and our applications are going to connect to a database that's within the network
01:25
and is on one of the servers for it to connect. You don't want just anybody to connect to that database and get access to that information. So that's why you're gonna use credentials and specify the type of credentials that are gonna be used with some requirements on
01:41
now, if we look at the policy itself in the general section in order to maintain the security of the internal databases, access by software programs must be granted on Lee after authentication with credentials
01:52
credentials use must not reside in the main executing body of the program's source code in clear text. So basically, this is requiring any type of program that is created by internal employees or third party contractors to make sure that they are encrypting their authentication method of the username password of whatever's being used
02:12
and not being clear. Text where somebody can
02:15
take apart that source code and then see what the database credentials to then make their own programs.
02:21
Specific requirements
02:23
guards the storage of the database, user name and passwords.
02:27
It may be stored and file separate from the executing body of program,
02:30
but the file must not be were world readable or rideable, meaning it must be encrypted in some kind of way.
02:37
They
02:38
the credentials may reside on the database server,
02:40
but a hash function number identifying the credentials may be stored in the executing body of the program, meaning that it has been hashed or encrypted
02:50
database. Create jobs may be stored as part of an authentication server
02:53
such as L doubt,
02:55
meaning that the authentication happens once the user logs in
03:00
through a system and then connect. It uses a L DAP connection, which grants rights to that user to be ableto have that authentication into the database.
03:10
Database cleaners may not reside in the documents. Tree of a Web server
03:15
asked. The authentication must not allow access to the database that they solely upon a remote user. Authentication on the remote host
03:23
and passwords or pass phrases used to access database must here at here to password policy.
03:30
If we're looking at the retrieval of the database user names and passwords,
03:32
if it's stored in a file that is not source coast, that database username password must be read from the file immediately prior to use
03:40
scope into which you may store database credentials must be physically separated from the other areas of your code. Again, don't put your
03:49
authentication database credentials inside of the code if anything's being programmed.
03:53
Languages that execute from search source code. The credentials source file must not reside in the same brows of or excusable file directory tree, in which the executing body of the code resides again. If you're looking at Windows file structure are Lennox file structure. You don't want the credential source file to be in within that same directory,
04:13
and that way you can go in and
04:15
password protect or have different rights on that separate directory so that
04:19
you cannot get to that automatically
04:24
access the database usernames and passwords, every program or every collection of programs.
04:29
Implementing a sitting single business function must have unique database credentials. Sheridan Credentials
04:33
between programs is not allowed
04:36
in databases. Use our our system level passwords and their defining the password policy.
04:43
Developer groups must have a process in place to ensure that database passwords are controlled and change in accordance with the password policy.
05:00
So if we look at what we covered today
05:02
database Prince has recovered general information as well a specific requirements for database credentials.
05:15
If we look at one of our policy recap questions, database credentials must not be stored in a location that could be accessed through a
05:20
blank blank,
05:24
and that would be through a Web server
05:28
database. User names and passwords may be stored in a file separate from the blank blank of the program's code,
05:34
and that is the executing body of the program's code.
05:41
Looking forward in our next lecture will be looking at server policies and the disposal policy.
05:47
In questions. Clarification. Reach me on side Very message user name Troy Lemaire and thank you for attending this cyber ery training.

Up Next

Introduction to IT Security Policy

Introduction to IT Security Policy, available from Cybrary, can equip you with the knowledge and expertise to be able to create and implement IT Security Policies in your organization.

Instructed By

Instructor Profile Image
Troy LeMaire
IT Security Officer at Acadian Ambulance
Instructor