STIG Security | Database Security (DISA STIG Training)

Learn to Attack and Defend Critical Database Assets and How to Build Secure Databases from the Ground Up (within STIGs)

Course Code: TT8820

Skill Level: Introductory

Duration: 3 Days

Course Overview

DISA’s Database STIG, in conjunction with both generic and product-specific checklists, provides a comprehensive listing of requirements and needs for improving and maintaining the security of Database Management Systems within the Department of Defense. This course fills in the context, background, and best practices for fulfilling those requirements and needs. As with all of our courses, we maintain tight synchronization between the latest DISA releases and our materials. The close ties between this STIG and the Applications Security and Development STIG are reflected in the coverage of application issues within the context of this course. A key component to our coverage of DISA’s Security Technical Implementation Guides (STIGS), this course is a companion course with several developer-oriented courses and seminars

Database Security is an intense database security training course essential for DBAs, QA, Testing, and other personnel who need to deliver secure database applications and manage secure databases within the DoD. In addition to teaching basic skills, this course digs deep into sound processes and practices that apply to the entire software development lifecycle. Perhaps just as significantly, students learn about current, real examples that illustrate the potential consequences of not following these best practices.

Data, databases, and related resources are at the heart of the DoD’s IT infrastructures, and must be protected accordingly. In this course, students repeatedly attack and then defend various assets associated with a fully-functional database. This approach illustrates the mechanics of how to secure databases in the most practical of terms.

Course Objectives

Students who attend Database Security (STIG) will leave the course armed with the skills required to recognize actual and potential database vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency. This course quickly introduces students to the most common security vulnerabilities faced by databases today. Each vulnerability is examined from a database perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and, finally, designing, implementing, and testing effective defenses.

Working in a dynamic learning environment attendees will learn to:

Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
Be able to review and test databases to determine the existence of and effectiveness of layered defenses and required checks
Prevent and defend the many potential vulnerabilities associated with untrusted data
Understand the concepts and terminology behind supporting, designing, and deploying secure databases
Appreciate the magnitude of the problems associated with data security and the potential risks associated with those problems
Understand the currently accepted best practices for supporting the many security needs of databases.
Understand the vulnerabilities associated with authentication and authorization within the context of databases and database applications
Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
Perform both static reviews and dynamic database testing to uncover vulnerabilities
Design and develop strong, robust authentication and authorization implementations
Understand the fundamentals of Encryption as well as how it can be used as part of the defensive infrastructure for data

Need different skills or topics? If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate. We offer additional STIG, application security, secure coding, secure software development, hacking, database security, bug hunting and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.

Course Prerequisites

This is an introduction to database security course for intermediate skilled team members. Attendees might include DBAs, system administrators, developers and other enterprise team members. Ideally, students should have approximately 6 months to a year of database working knowledge.

Course Agenda

Session: Securing Databases Foundation

Lesson: DISA’s Security Technical Implementation Guides (STIGS)

Purpose
Process
Areas Covered
Checklists
Scripts (SRRs)
Resources

Lesson: Fingerprinting Databases

Reconnaissance Goals
Data Collection Techniques
Fingerprinting the Environment
Enumerating Web Applications
Spidering, Dorks, and Other Tools

Lesson: Principles of Information Security

Security Is a Lifecycle Issue
Minimize Attack Surface Area
Layers of Defense: Tenacious D
Compartmentalize
Consider All Application States
Do NOT Trust the Untrusted

Session: Database Security Vulnerabilities

Lesson: Database Security Concerns

Data at Rest and in Motion
Privilege management
Boundary Defenses
Continuity of Service
Trusted Recovery

Lesson: Vulnerabilities

Unvalidated Input
Broken Authentication
Cross Site Scripting (XSS/CSRF)
Injection Flaws
Error Handling, Logging, and Information Leakage
Insecure Storage
Direct Object Access
XML Vulnerabilities
Web Services Vulnerabilities
Ajax Vulnerabilities

Lesson: Cryptography Overview

Strong Encryption
Message digests
Keys and key management
Certificate management
Encryption/Decryption

Lesson: Database Security

Design and Configuration
Identification and Authentication
Computing Environment
Database Auditing
Boundary Defenses
Continuity of Service
Vulnerability and Incident Management

Session: Moving Forward

Lesson: STIG Database Security Requirements

Identification and Authentication
Group and Individual
Key Management Practices
Token and Certificates Practices
Enclave/Computing Environment
Auditing Mechanics and Best Practices
Data Changes and Controls
Encryption
Privilege Management
Additional Controls and Practices
Enclave Boundary Defenses
Continuity of Service
Defending Backup/Restoration Assets
Data and Software Backups
Trusted Recovery
Vulnerability and Incident Management

Session: Secure Development Lifecycle (SDL)

Lesson: SDL Process Overview

Revisiting Attack/Defense Basics
Types of Security Controls
Attack Phases: Offensive Actions and Defensive Controls
Secure Software Development Processes
Shifting Left
Actionable Items Moving Forward

Session: Taking Action Now

Lesson: Database Checklists

Checklist Overview, Conventions, and Best Practices
Generic Database Checks and Procedures
SQL Server Checks and Procedures (Optional)
Installation Checks
Database Checks
Database Checks and Procedures (Optional)
Database Automated Checks
Database Interview Checks
Database Manual Checks
Database Verify Checks
Home Automated Checks
Home Interview Checks
Home Manual Checks
Home Verify Checks
Practical Application of the Checklists

Lesson: Design Review

Asset Inventory and Design
Assets, Dataflows, and Trust Boundaries
Risk Escalators in Designs
Risk Mitigation Options

Lesson: Making Application Security Real

Cost of Continually Reinventing
Paralysis by Analysis
Actional Application Security

Additional Tools for the Toolbox

Course Materials

Student Materials: Each student will receive a Student Guide with course notes, code samples, setp-by-step written lab instructions, software tutorials, diagrams and related reference materials and links (as applicable). Students will also receive related (as applicable) project files, code files, data sets and solutions required for any hands-on work.

Classroom Setup Made Simple: Our dedicated tech team will work with you to ensure your classroom and lab environment is setup, tested and ready to go well in advance of the course delivery date, ensuring a smooth start to class and seamless hands-on experience for your students. We offer several flexible student machine setup options including guided manual set up for simple installation directly on student machines, or cloud based / remote hosted lab solutions where students can log in to a complete separate lab environment minus any installations, or we can supply complete turn-key, pre-loaded equipment to bring ready-to-go student machines to your facility. Please inquire for details, options and pricing.

Raise the bar for advancing technology skills

Attend a Class!

Live scheduled classes are listed below or browse our full course catalog anytime

Special Offers

We regulary offer discounts for individuals, groups and corporate teams. Contact us

Custom Team Training

Check out custom training solutions planned around your unique needs and skills.

EveryCourse Extras

Exclusive materials, ongoing support and a free live course refresh with every class.

Mix, Match & Master!
2FOR1: Two Courses, One Price!
Enroll in *any* two public courses (for 2023 *OR* 2024 dates!) by December 31, for one price! Learn something new, or share the promo!

Click for Details & Additional Offers

Learn. Explore. Advance!

Extend your training investment! Recorded sessions, free re-sits and after course support included with Every Course

Gain the skills you need with less time in the classroom with our short course, live-online hands-on events

Trivera QuickSkills: Free Courses and Webinars

Training on us! Keep your skills current with free live events, courses & webinars

Trivera AfterCourse: Coaching and Support

Expert level after-training support to help organizations put new training skills into practice on the job

The voices of our customers speak volumes

Excellent detail about the Spring framework which directly relates to my role as a senior engineer. I found the content and style to be very enjoyable, and would encourage me to ask questions where previously I might not have paid much attention, eg. pom version numbers / spring starters being imported. The focus on the different styles of unit testing was also excellent and I would plan to incorporate in day to day work.

Edward K

Both the instructor and the course material were very thorough - the course material has many helpful references - the labs were well laid out, making it easy to learn from and get done on time

Steve C.

Excellent training. Even though it was online, I did not have any issues understanding or getting the answers for the questions I had. The lab exercises are interesting to apply what was learnt. Overall very good training. Thank you!

Anitha

Instructor was beyond phenomenal. He had an in depth knowledge of the course material and always ensured that everyone understood what was being discussed. I really enjoyed the mix of theory and practical examples of each part of the course.

Cillian M

Great job overall. Great communicator and explained complex concepts in a simple, easier to understand format.

Jeremy G

Best programming class I've ever been in, head and shoulders above any thing I took in college as part of a computer science degree. The instructor was thorough and very detailed, he was very good abut explaining all possible scenarios a situation would apply to. The way the albs were structured and the class was conducted was very good for interaction and hand on learning.

Danish J

A very good balance of teaching time to lab time. I've done other courses that I found to be much lighter on content and heavy on labs to waste time. This was a refreshing change of pace.

Adam G

First time in my life I have attended remote class and I find it great. Personally I don't feel there is any area which require improvement!

Rishi M

The instructor was clearly knowledgeable about Java and programming in general. He was very attentive to every student's individual needs and constantly encouraged questions, concerns, student issues to be raised and addressed each one thoroughly.

Mark M

Special Offers
Limited Offer for most courses.

SAVE 50%

Learn More