Application Security //

Database Security

4/19/2012
04:43 AM
50%
50%

Three Security Snags That Expose The Database

Insecure Web apps, no linkage to IAM, and poorly configured segmentation all contribute to database vulnerability

Sure, database security may be incomplete without database activity monitoring or encryption technology in place. But most security practitioners worth their salt know that more often than not, the effectiveness of a database security program rests just as much outside of a database environment as within.

The fact is that today's data stores are usually exposed as a result of poor security in the infrastructure layers beyond the database. The biggest three culprits: insecure Web applications tapped into the database, poorly administrated machine accounts with high amounts of database privileges, and misconfigured (or nonexistent) network segments.

1. Insecure Web Applications
In spite of the work of groups like OWASP to disseminate coding best practices during the past few years, the fact is that there are still millions of vulnerable Web applications live on the Internet -- and where do these apps lead their users? Why, to back-end databases, of course.

Progress in narrowing the vulnerability gap is slow, says David Litchfield, chief security architect for Accuvant LABS and a well-known database security researcher.

"It’s quite disheartening, actually, to see that the same toolkit I started using years ago still works quite well doing penetration tests today," Litchfield says.

The worst part about it, according to Litchfield, is that developers are still rolling out new apps featuring the same mistakes of yesteryear -- failing to validate input, for example. He says that higher education institutions are still failing to teach students secure coding principles that have been developed for years now.

"You’d think these developers coming out of university would understand these fundamentals, but they haven't been taught these things," he says.

2. Overprivileged System Accounts
Even within organizations that have implemented high-powered identity and access management tools and processes across IT infrastructure, databases tend to get left behind in no-man's-land.

"All too often, organizations forget to tie identity life-cycle management of database users, especially shared accounts and service accounts, to their IAM core," says Nishant Kaushik, chief architect of Identropy. "Database access must be tied to provisioning, strong authentication, and privileged account management tools."

The sad reality, though, is that for the sake of expediency, IT tends to allow developers and other IT system administrators to tap into the database through system accounts with nearly unlimited permissions enabled. These accounts are often operated outside the bounds of access control or monitoring systems and are ripe for abuse by knowledgeable insiders or outside attackers who find these useful vehicles for unmitigated access to the database.

3. Misconfigured Network Segmentation
Security best practices and regulations have heavily touted network segmentation as a critical way to limit the scope of risk mitigation efforts on high-value database assets. But when misconfigurations, particularly in firewall rule sets, poke holes in the security of those network segments, databases are left vulnerable.

Kevin Beaver, founder of security consultancy Principle Logic, spends much of his time performing network security and Web application security assessments for clients. His examinations frequently show how poorly organizations are doing at properly segmenting networks and keeping databases tucked into protected DMZs.

"I could go look at the firewall rule base [at many organizations] and point out all sorts of flaws, misconfigurations, network segments that shouldn't be talking to one another, ports open, and so on. I often see database servers that are sitting out on the public Internet, wide open for attack," he says. "I've actually been involved in a case not too long ago as an expert witness that involved a situation where somebody had to put a SQL Server database out on the Internet because a business partner required it, and they forgot about it. They poked a hole in the firewall, forgot about it, went back, and realized they had had a data breach. It turned really ugly."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
danielcornell
50%
50%
danielcornell,
User Rank: Apprentice
4/20/2012 | 12:00:18 PM
re: Three Security Snags That Expose The Database
-The combination of highly privileged users and poorly coded web applications leads to pretty disastrous situations. I just got back from SOURCE Boston where I talked about that issue and released a tool called "sqlpermcalc" that calculates least-privilege database user rights based on analyzing legitimate query traffic to the database. Still pretty alpha, but I think the approach offers some promise to help reduce the impact of SQL injection exploitation. This can be especially useful in situations where the application code can't or won't be changed. Slides and more info online here:
http://blog.denimgroup.com/den...
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
How Well Is Your Organization Investing Its Cybersecurity Dollars?
Jack Jones, Chairman, FAIR Institute,  12/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20136
PUBLISHED: 2018-12-13
XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the pages/edit/1?lang=english URI.
CVE-2018-20137
PUBLISHED: 2018-12-13
XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the pages/edit/1?lang=english URI.
CVE-2018-20138
PUBLISHED: 2018-12-13
PHP Scripts Mall Entrepreneur B2B Script 3.0.6 allows Stored XSS via Account Settings fields such as FirstName and LastName, a similar issue to CVE-2018-14541.
CVE-2018-1817
PUBLISHED: 2018-12-13
IBM Security Guardium 10 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150021.
CVE-2018-1818
PUBLISHED: 2018-12-13
IBM Security Guardium 10 and 10.5 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 150022.