Application Security // Database Security
04:43 AM
Connect Directly
Repost This

Three Security Snags That Expose The Database

Insecure Web apps, no linkage to IAM, and poorly configured segmentation all contribute to database vulnerability

Sure, database security may be incomplete without database activity monitoring or encryption technology in place. But most security practitioners worth their salt know that more often than not, the effectiveness of a database security program rests just as much outside of a database environment as within.

The fact is that today's data stores are usually exposed as a result of poor security in the infrastructure layers beyond the database. The biggest three culprits: insecure Web applications tapped into the database, poorly administrated machine accounts with high amounts of database privileges, and misconfigured (or nonexistent) network segments.

1. Insecure Web Applications
In spite of the work of groups like OWASP to disseminate coding best practices during the past few years, the fact is that there are still millions of vulnerable Web applications live on the Internet -- and where do these apps lead their users? Why, to back-end databases, of course.

Progress in narrowing the vulnerability gap is slow, says David Litchfield, chief security architect for Accuvant LABS and a well-known database security researcher.

"It’s quite disheartening, actually, to see that the same toolkit I started using years ago still works quite well doing penetration tests today," Litchfield says.

The worst part about it, according to Litchfield, is that developers are still rolling out new apps featuring the same mistakes of yesteryear -- failing to validate input, for example. He says that higher education institutions are still failing to teach students secure coding principles that have been developed for years now.

"You’d think these developers coming out of university would understand these fundamentals, but they haven't been taught these things," he says.

2. Overprivileged System Accounts
Even within organizations that have implemented high-powered identity and access management tools and processes across IT infrastructure, databases tend to get left behind in no-man's-land.

"All too often, organizations forget to tie identity life-cycle management of database users, especially shared accounts and service accounts, to their IAM core," says Nishant Kaushik, chief architect of Identropy. "Database access must be tied to provisioning, strong authentication, and privileged account management tools."

The sad reality, though, is that for the sake of expediency, IT tends to allow developers and other IT system administrators to tap into the database through system accounts with nearly unlimited permissions enabled. These accounts are often operated outside the bounds of access control or monitoring systems and are ripe for abuse by knowledgeable insiders or outside attackers who find these useful vehicles for unmitigated access to the database.

3. Misconfigured Network Segmentation
Security best practices and regulations have heavily touted network segmentation as a critical way to limit the scope of risk mitigation efforts on high-value database assets. But when misconfigurations, particularly in firewall rule sets, poke holes in the security of those network segments, databases are left vulnerable.

Kevin Beaver, founder of security consultancy Principle Logic, spends much of his time performing network security and Web application security assessments for clients. His examinations frequently show how poorly organizations are doing at properly segmenting networks and keeping databases tucked into protected DMZs.

"I could go look at the firewall rule base [at many organizations] and point out all sorts of flaws, misconfigurations, network segments that shouldn't be talking to one another, ports open, and so on. I often see database servers that are sitting out on the public Internet, wide open for attack," he says. "I've actually been involved in a case not too long ago as an expert witness that involved a situation where somebody had to put a SQL Server database out on the Internet because a business partner required it, and they forgot about it. They poked a hole in the firewall, forgot about it, went back, and realized they had had a data breach. It turned really ugly."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/20/2012 | 12:00:18 PM
re: Three Security Snags That Expose The Database
-ŠThe combination of highly privileged users and poorly coded web applications leads to pretty disastrous situations. I just got back from SOURCE Boston where I talked about that issue and released a tool called "sqlpermcalc" that calculates least-privilege database user rights based on analyzing legitimate query traffic to the database. Still pretty alpha, but I think the approach offers some promise to help reduce the impact of SQL injection exploitation. This can be especially useful in situations where the application code can't or won't be changed. Slides and more info online here:
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web