UtterAccess.com
Ms Access App Specific Cyber Security Implementation, Access 2010
Adecypher
post Apr 19 2019, 12:18 PM
Post#1



Posts: 109
Joined: 3-October 14



Hello Guys,

With ever-evolving cyber threats these days, I was wondering whether anyone here has come across a process, standard and/or guidelines which detail a cyber security implementation for MS Access applications, such as a list of software controls to check and verify (on a periodic basis) to be in compliance, etc.

Note: If this question is out of place and/or posted in the wrong section of the forum, please accept my apologies in advance.
This post has been edited by Adecypher: Apr 19 2019, 12:25 PM
 
DanielPineault
post Apr 19 2019, 12:55 PM
Post#2


UtterAccess VIP
Posts: 6,832
Joined: 30-June 11



Access isn't truly much of a concern. The real concern is your PC: if it is compromised, then everything it has access to is compromised, including databases. So you need to secure your PC, network, ...
I personally use encryption to lock down my files and only decrypt when actively working on them, so even if breached, access will be limited, and if my PC is ever stolen, the data is unrecoverable.
You can always encrypt the BE, but that's kind of useless if the FE is available unless you encrypt that as well, but then that becomes a serious PITA to use the db thereafter.
Also, if your db data is important, then SQL Server is required from a security perspective.

--------------------
Daniel Pineault (2010-2019 Microsoft MVP)
Professional Help: http://www.cardaconsultants.com
Free MS Access Code, Tips, Tricks and Samples: http://www.devhut.net

* Design should never say "Look at me". It should always say "Look at this". -- David Craib
* A user interface is like a joke, if you have to explain it, it's not that good! -- Martin LeBlanc


All code samples, demonstration databases, links,... are provided 'AS IS' and are to be used at your own risk! Take the necessary steps to check, validate ...(you are responsible for your choices and actions)
 
Adecypher
post Apr 19 2019, 01:05 PM
Post#3



Posts: 109
Joined: 3-October 14



@DanielPineault
Ok, so the guidelines, if available, truly represent and focus on enterprise-wide cyber security implementation, which includes all software applications (not just MS Access). What exactly do you mean by encryption? Is it data obfuscation?

I have my FE and BE "password protected" that's all...
 
jleach
post Apr 19 2019, 01:13 PM
Post#4


UtterAccess Editor
Posts: 10,085
Joined: 7-December 09
From: St Augustine, FL


Encryption is not obfuscation: it's the process of putting data through an algorithm with some sort of key that produces a different set of data (typically unreadable), which in turn requires the same key to decrypt it and turn it back into the data set that was originally encrypted. Obfuscation is the process of making something harder to read, but it is not reversible and does not change the function of the asset (e.g., code is often obfuscated to make it hard to read, but still operates as if it were in fact readable, whereas encrypted data cannot be made use of unless it is first decrypted).

It's a very broad topic: https://www.techworld.com/security/what-is-...yption-3659671/

The key point being that encrypted data is unusable, and only those with the correct credentials can decrypt it.

 
DanielPineault
post Apr 19 2019, 01:33 PM
Post#5


UtterAccess VIP
Posts: 6,832
Joined: 30-June 11



I'm referring to using things like TrueCrypt, VeraCrypt, BitLocker, ...

I've also used encryption/decryption directly on my FE so everything in the BE is secure, but once again, if someone has access to the FE, then they can get the decryption routine and unlock everything. This is why, if security is a true concern, SQL Server or another BE technology becomes required.

 
Adecypher
post Apr 19 2019, 01:38 PM
Post#6



Posts: 109
Joined: 3-October 14



@jleach and @DanielPineault

Great explanation. Can you point me to resources related to cyber security implementation for a small company/business, or which will help me understand the following:

- Understanding the evolving cyber security protective strategies and security controls.
- Developing a process to analyse the impact that advancements in cyber security threats and protective strategy have on the security, safety and operation of systems and networks, etc.
- Developing a cyber security test and evaluation plan.

So far, by googling, I was able to compile the listing below, which is geared towards web app development and to some extent desktop app development as well (but I am looking for resources which will help me create the above listed artifacts):

• Reduce any unnecessary complexity.
• Keep your code efficient and readable while meeting requirements.
• As you code, resist adding new features that were not planned in the design process.
• Pay attention to feedback from the code analysis.
• Compile code using the highest warning level.
• Use static and dynamic analysis tools to detect and eliminate additional security defects.
• Exercise care at all input and output points.
• Review all third-party applications, code, libraries, and APIs.
• Do not allow your code to directly issue operating system commands, such as through command shells.
• Prevent race conditions.
• Use static analysis tools to identify buffer overflows and memory leaks.
• Perform a manual secure code review.
• Follow consistent coding patterns agreed upon by everyone on the development team.
• Validate input provided by all untrusted data sources.
• Sanitize data and web output you pass to other systems.
• Protect data in transit and at rest.
This post has been edited by Adecypher: Apr 19 2019, 01:41 PM
 
jleach
post Apr 19 2019, 02:36 PM
Post#7


UtterAccess Editor
Posts: 10,085
Joined: 7-December 09
From: St Augustine, FL


This is such a broad topic. People devote their entire careers towards tackling these problems. The requirements you're citing are those seen in large organizations, typically by teams responsible for implementing and maintaining these controls. There is nothing highly specific that can be done in Access alone to address what you're looking for.

Application security is an integral part of software development. It's not something you can do after the fact: it's something you work in from the ground up. There are many other areas of information security aside from application development as well. Usually people will specialize in one particular area, and tend to make a (good) career out of that as well.

As an Access developer, I'm not sure there's much more that you can do aside from be aware of security best practices and implement them as they pertain to the software you're developing. Don't allow unauthorized users to see certain information. Prevent SQL Injection attacks. Don't store passwords in plaintext. Etc., etc. The list goes on (and on (and on (and on))).

In 15-20 years (or however long I've been doing this) of application development across multiple platforms and industries, and probably more keen of an ear for security stuff than most non-security specialization people, I know only just barely enough to know that my knowledge just scratches the surface.

MS Access (as opposed to many other platforms I've worked with) is particularly lax in this area. It was never designed to be a highly secure environment. Anyone that knows what they're doing can piggyback off a COM instance of Access and tap into the connection string to steal it, no matter how hard you try to hide it (I've known some amazing people that have worked on this, but have never known anyone to take Access off COM's ROT to prevent 3rd party automation instances). Moving to a SQL Server backend database is a huge step, but still: any MS Access application that can access a SQL Server via connection string with SQL Auth can be sniffed and taken. Even SQL Server's own security infrastructure requires a specialist to fully utilize, let alone things like where to put certain data to conform to HIPAA or PCI compliance, or how to ensure data is encrypted at rest and in transit, so on and so forth (and that's just the database layer, having nothing to do with the application layers, and the environments hosting the applications, and so on and so forth).

I guess what I'm really trying to say is that if you absolutely must have this: prepare for a long learning curve (and perhaps take some basic security courses: not to sound rude, but not knowing the difference between obfuscation and encryption means you have a lot of knowledge gaps to fill), or hire an audit agency to review your information and counsel on what your next steps can be.

And finally: realize that security controls are neverending. You are never "done" - you finish one task to smooth over one attack surface so (you hope) nobody can get a handhold there, and you can move on to the next most risky issue...

hth

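Two of the practices jleach names above, preventing SQL injection and not trusting string-built SQL, can be shown in Access itself. The VBA below is an added example written for this thread, not code from any poster or from Microsoft; it assumes the default DAO reference in Access 2010 and creates its own constructed sample table, tblUsers, so it can be pasted into a standard module and run. The same lookup is written first with string concatenation (the defect) and then with a parameterised temporary QueryDef (the fix); the function and table names are illustrative.

```vba
Option Compare Database
Option Explicit

' Added example, not from the thread. Assumes DAO (the default reference in Access 2010).
' SetupSampleTable builds the constructed sample table tblUsers used by the two lookups.

Public Sub SetupSampleTable()
    On Error Resume Next
    CurrentDb.Execute "DROP TABLE tblUsers"
    On Error GoTo 0
    CurrentDb.Execute "CREATE TABLE tblUsers (UserName TEXT(255) NOT NULL)"
    CurrentDb.Execute "INSERT INTO tblUsers (UserName) VALUES ('alice')"
    CurrentDb.Execute "INSERT INTO tblUsers (UserName) VALUES ('O''Brien')"
End Sub

' Vulnerable form: the caller's value is pasted into the SQL text. A quote character in
' the value ends the string literal early, so a legitimate name such as O'Brien raises a
' run-time syntax error, and crafted input can change what the statement does.
Public Function UserExistsUnsafe(ByVal strUser As String) As Boolean
    Dim rs As DAO.Recordset
    Set rs = CurrentDb.OpenRecordset( _
        "SELECT UserName FROM tblUsers WHERE UserName = '" & strUser & "'", dbOpenSnapshot)
    UserExistsUnsafe = Not rs.EOF
    rs.Close
End Function

' Hardened form: a parameterised temporary QueryDef. The value is bound to pUser as data
' and is never spliced into the SQL text, so whatever characters it contains are compared
' literally against the column.
Public Function UserExistsSafe(ByVal strUser As String) As Boolean
    Dim qdf As DAO.QueryDef
    Dim rs As DAO.Recordset
    Set qdf = CurrentDb.CreateQueryDef("", _
        "PARAMETERS pUser TEXT(255); SELECT UserName FROM tblUsers WHERE UserName = [pUser];")
    qdf.Parameters("pUser").Value = strUser
    Set rs = qdf.OpenRecordset(dbOpenSnapshot)
    UserExistsSafe = Not rs.EOF
    rs.Close
    qdf.Close
End Function

' Runs both lookups against the sample table. The safe lookup handles the apostrophe in
' O'Brien; the unsafe lookup raises an error on the same input, which is caught here so
' the demonstration completes and the error text is printed to the Immediate window.
Public Sub DemoLookups()
    SetupSampleTable
    Debug.Print "safe, alice:    ", UserExistsSafe("alice")
    Debug.Print "safe, O'Brien:  ", UserExistsSafe("O'Brien")
    Debug.Print "safe, nobody:   ", UserExistsSafe("nobody")
    On Error Resume Next
    Debug.Print "unsafe, O'Brien:", UserExistsUnsafe("O'Brien")
    If Err.Number <> 0 Then Debug.Print "unsafe lookup failed: " & Err.Description
    On Error GoTo 0
End Sub
```

Run DemoLookups from the Immediate window (Ctrl+G). The same PARAMETERS pattern works for action queries and for linked SQL Server tables; with ADO the equivalent is an ADODB.Command object and its Parameters collection. Binding values as parameters is what removes the injection risk; escaping quotes by hand only papers over it.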
 
jleach
post Apr 19 2019, 02:53 PM
Post#8


UtterAccess Editor
Posts: 10,085
Joined: 7-December 09
From: St Augustine, FL


OWASP is a good reference. The organization is geared toward web applications, but much of it is applicable to desktop applications as well. Specifically, look up the "OWASP Top 10" for what they consider to be the 10 most critical security risks (this gets updated every couple of years). At least half of those will apply to desktop environments as well.

Also, keep an eye out here as well: you'll come across a lot of helpful information, and sometimes a "big bang": https://security.stackexchange.com/

There's a number of relevant websites and publications that would be of interest as well, feel free to search around.

hth

 
Adecypher
post Apr 22 2019, 09:09 AM
Post#9



Posts: 109
Joined: 3-October 14



@jleach

Thanks for such a detailed explanation. I read some stuff on cyber security this last weekend, and you are correct: I need lots and lots of reading; it is not something I ONLY can implement at my workplace. There have to be discussions on how to handle enterprise-wide cyber security. There are some good e-books I found on cyber security which I can read to get knowledge from.

This is a good resource for knowledge and implementation geared towards small businesses:
https://www.fcc.gov/general/cybersecurity-small-business
This post has been edited by Adecypher: Apr 22 2019, 09:55 AM
 
isladogs
post Apr 22 2019, 09:55 AM
Post#10


UtterAccess VIP
Posts: 1,602
Joined: 4-June 18
From: Somerset, UK


PMFBI, rather late to this thread.
You might be interested in an example app I created as a proof of concept: Encrypted split no strings database

 
Adecypher
post Apr 22 2019, 10:08 AM
Post#11



Posts: 109
Joined: 3-October 14



@isladogs

Thanks, I will definitely read the information provided for the encrypted Access split DB you provided... might have questions afterwards...
 
Adecypher
post Apr 22 2019, 10:27 AM
Post#12



Posts: 109
Joined: 3-October 14



For everyone's benefit:
The link below is a very good starting point for help in documenting your "Security Plan":
https://adeliarisk.com/13-fantastic-resourc...ecurity-policy/