Application Security // Database Security
6/10/2013
04:22 PM
Adrian Lane
Adrian Lane
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Why Database Assessment?

How FIS bungled the basics

Why do we validate database configurations? This is why: 10,000 systems with default passwords -- this at a financial company that processes credit card transactions. Worse, these default settings were confirmed one year after a data breach. You would expect this level of security in 1995, not in 2012.

When I go into large organizations, I expect to find a few accounts on a handful of database to be set with default passwords. When you have thousands of databases, it happens. Ten thousand systems left with default password, across applications and network devices, is a systemic disregard of security. It's not forgetfulness; it's willful choice. Many systems prompt you to change defaults after the first login, so you have to intentionally type in the default password to keep it in place. I don't really have a lesson here other than to point out that easy security stuff is easy security stuff, and there is no reason to be burned by it. Database vulnerability assessment tools, across the board, included password checking about eight years ago. Each one checks for default passwords for all default accounts across every major type of relational database platform. These tools are fast. They identify exactly which accounts are at risk. They offer centralized management, easy-to-read reports, and tie into trouble-ticketing systems so people get the work rders automatically. And default password resets are really easy to do!

If you're someone in IT who worries that if you set a password, your co-workers won't have the password and will not be able to gain access, that's a reasonable concern. But it's also why we have password managers, both corporate and personal versions. You can share passwords across a group if need be.

I recommend reading the full article because it's interesting, and the attack looks very similar to the one mentioned in my "Why Monitor Databases" post. Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ODA155
50%
50%
ODA155,
User Rank: Apprentice
6/12/2013 | 7:34:11 PM
re: Why Database Assessment?
Mr. Lane,

Do you remember this comment "Yet the security team advocates controls that restrict access, adds complexity and slow database performance."? You said that, and other things in the article you wrote, "What Every Database Administrator Should Know About Security". I commented, that everything you had written in that article was only from the point of view of that DBA, now, when you walk into an organization has 10,000 default passwords on multiple database, I say welcome to my world.

I have come to the realization (at least for me) that it really doesn't matter who is right or wrong about database security, it needs to be fixed and the two individuals that can do it need to work together and respect what the other brings to the effort. My organization uses the standards developed by the Center for Internet Security and/or DISA for database standards and best practice. We also use the Tenable Nessus to conduct database compliance checks which are a mirror of those respective frameworks.

I could tell you about all of the bloody battles that we've had regarding database security, but instead I'll tell you that once management started taking it serious and realized that if you want secure, sometimes (not all) it will cost on the performance side, because as you're now seeing, how do you compensate for a default password when anyone who can spell GOOGLE can find that default password as well as anything else to exploit that poorly configured system or database. Personally, I try to work with the DBA the same as I would any other SysAdmin, they are the experts on how whatever it is that they manage, it's my job to show them how to secure "whatever that is" in accordance with approved business requirements, and sometimes plain old common sense.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web