Application Security //

Database Security

4/19/2012
04:43 AM
50%
50%

Three Security Snags That Expose The Database

Insecure Web apps, no linkage to IAM, and poorly configured segmentation all contribute to database vulnerability

Sure, database security may be incomplete without database activity monitoring or encryption technology in place. But most security practitioners worth their salt know that more often than not, the effectiveness of a database security program rests just as much outside of a database environment as within.

The fact is that today's data stores are usually exposed as a result of poor security in the infrastructure layers beyond the database. The biggest three culprits: insecure Web applications tapped into the database, poorly administrated machine accounts with high amounts of database privileges, and misconfigured (or nonexistent) network segments.

1. Insecure Web Applications
In spite of the work of groups like OWASP to disseminate coding best practices during the past few years, the fact is that there are still millions of vulnerable Web applications live on the Internet -- and where do these apps lead their users? Why, to back-end databases, of course.

Progress in narrowing the vulnerability gap is slow, says David Litchfield, chief security architect for Accuvant LABS and a well-known database security researcher.

"It’s quite disheartening, actually, to see that the same toolkit I started using years ago still works quite well doing penetration tests today," Litchfield says.

The worst part about it, according to Litchfield, is that developers are still rolling out new apps featuring the same mistakes of yesteryear -- failing to validate input, for example. He says that higher education institutions are still failing to teach students secure coding principles that have been developed for years now.

"You’d think these developers coming out of university would understand these fundamentals, but they haven't been taught these things," he says.

2. Overprivileged System Accounts
Even within organizations that have implemented high-powered identity and access management tools and processes across IT infrastructure, databases tend to get left behind in no-man's-land.

"All too often, organizations forget to tie identity life-cycle management of database users, especially shared accounts and service accounts, to their IAM core," says Nishant Kaushik, chief architect of Identropy. "Database access must be tied to provisioning, strong authentication, and privileged account management tools."

The sad reality, though, is that for the sake of expediency, IT tends to allow developers and other IT system administrators to tap into the database through system accounts with nearly unlimited permissions enabled. These accounts are often operated outside the bounds of access control or monitoring systems and are ripe for abuse by knowledgeable insiders or outside attackers who find these useful vehicles for unmitigated access to the database.

3. Misconfigured Network Segmentation
Security best practices and regulations have heavily touted network segmentation as a critical way to limit the scope of risk mitigation efforts on high-value database assets. But when misconfigurations, particularly in firewall rule sets, poke holes in the security of those network segments, databases are left vulnerable.

Kevin Beaver, founder of security consultancy Principle Logic, spends much of his time performing network security and Web application security assessments for clients. His examinations frequently show how poorly organizations are doing at properly segmenting networks and keeping databases tucked into protected DMZs.

"I could go look at the firewall rule base [at many organizations] and point out all sorts of flaws, misconfigurations, network segments that shouldn't be talking to one another, ports open, and so on. I often see database servers that are sitting out on the public Internet, wide open for attack," he says. "I've actually been involved in a case not too long ago as an expert witness that involved a situation where somebody had to put a SQL Server database out on the Internet because a business partner required it, and they forgot about it. They poked a hole in the firewall, forgot about it, went back, and realized they had had a data breach. It turned really ugly."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
danielcornell
50%
50%
danielcornell,
User Rank: Apprentice
4/20/2012 | 12:00:18 PM
re: Three Security Snags That Expose The Database
-The combination of highly privileged users and poorly coded web applications leads to pretty disastrous situations. I just got back from SOURCE Boston where I talked about that issue and released a tool called "sqlpermcalc" that calculates least-privilege database user rights based on analyzing legitimate query traffic to the database. Still pretty alpha, but I think the approach offers some promise to help reduce the impact of SQL injection exploitation. This can be especially useful in situations where the application code can't or won't be changed. Slides and more info online here:
http://blog.denimgroup.com/den...
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.