Application Security // Database Security
6/10/2013
04:22 PM
Adrian Lane
Adrian Lane
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Why Database Assessment?

How FIS bungled the basics

Why do we validate database configurations? This is why: 10,000 systems with default passwords -- this at a financial company that processes credit card transactions. Worse, these default settings were confirmed one year after a data breach. You would expect this level of security in 1995, not in 2012.

When I go into large organizations, I expect to find a few accounts on a handful of database to be set with default passwords. When you have thousands of databases, it happens. Ten thousand systems left with default password, across applications and network devices, is a systemic disregard of security. It's not forgetfulness; it's willful choice. Many systems prompt you to change defaults after the first login, so you have to intentionally type in the default password to keep it in place. I don't really have a lesson here other than to point out that easy security stuff is easy security stuff, and there is no reason to be burned by it. Database vulnerability assessment tools, across the board, included password checking about eight years ago. Each one checks for default passwords for all default accounts across every major type of relational database platform. These tools are fast. They identify exactly which accounts are at risk. They offer centralized management, easy-to-read reports, and tie into trouble-ticketing systems so people get the work rders automatically. And default password resets are really easy to do!

If you're someone in IT who worries that if you set a password, your co-workers won't have the password and will not be able to gain access, that's a reasonable concern. But it's also why we have password managers, both corporate and personal versions. You can share passwords across a group if need be.

I recommend reading the full article because it's interesting, and the attack looks very similar to the one mentioned in my "Why Monitor Databases" post. Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ODA155
50%
50%
ODA155,
User Rank: Apprentice
6/12/2013 | 7:34:11 PM
re: Why Database Assessment?
Mr. Lane,

Do you remember this comment "Yet the security team advocates controls that restrict access, adds complexity and slow database performance."? You said that, and other things in the article you wrote, "What Every Database Administrator Should Know About Security". I commented, that everything you had written in that article was only from the point of view of that DBA, now, when you walk into an organization has 10,000 default passwords on multiple database, I say welcome to my world.

I have come to the realization (at least for me) that it really doesn't matter who is right or wrong about database security, it needs to be fixed and the two individuals that can do it need to work together and respect what the other brings to the effort. My organization uses the standards developed by the Center for Internet Security and/or DISA for database standards and best practice. We also use the Tenable Nessus to conduct database compliance checks which are a mirror of those respective frameworks.

I could tell you about all of the bloody battles that we've had regarding database security, but instead I'll tell you that once management started taking it serious and realized that if you want secure, sometimes (not all) it will cost on the performance side, because as you're now seeing, how do you compensate for a default password when anyone who can spell GOOGLE can find that default password as well as anything else to exploit that poorly configured system or database. Personally, I try to work with the DBA the same as I would any other SysAdmin, they are the experts on how whatever it is that they manage, it's my job to show them how to secure "whatever that is" in accordance with approved business requirements, and sometimes plain old common sense.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web