Application Security //

Database Security

6/10/2013
04:22 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Why Database Assessment?

How FIS bungled the basics

Why do we validate database configurations? This is why: 10,000 systems with default passwords -- this at a financial company that processes credit card transactions. Worse, these default settings were confirmed one year after a data breach. You would expect this level of security in 1995, not in 2012.

When I go into large organizations, I expect to find a few accounts on a handful of database to be set with default passwords. When you have thousands of databases, it happens. Ten thousand systems left with default password, across applications and network devices, is a systemic disregard of security. It's not forgetfulness; it's willful choice. Many systems prompt you to change defaults after the first login, so you have to intentionally type in the default password to keep it in place. I don't really have a lesson here other than to point out that easy security stuff is easy security stuff, and there is no reason to be burned by it. Database vulnerability assessment tools, across the board, included password checking about eight years ago. Each one checks for default passwords for all default accounts across every major type of relational database platform. These tools are fast. They identify exactly which accounts are at risk. They offer centralized management, easy-to-read reports, and tie into trouble-ticketing systems so people get the work rders automatically. And default password resets are really easy to do!

If you're someone in IT who worries that if you set a password, your co-workers won't have the password and will not be able to gain access, that's a reasonable concern. But it's also why we have password managers, both corporate and personal versions. You can share passwords across a group if need be.

I recommend reading the full article because it's interesting, and the attack looks very similar to the one mentioned in my "Why Monitor Databases" post. Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ODA155
50%
50%
ODA155,
User Rank: Ninja
6/12/2013 | 7:34:11 PM
re: Why Database Assessment?
Mr. Lane,

Do you remember this comment "Yet the security team advocates controls that restrict access, adds complexity and slow database performance."? You said that, and other things in the article you wrote, "What Every Database Administrator Should Know About Security". I commented, that everything you had written in that article was only from the point of view of that DBA, now, when you walk into an organization has 10,000 default passwords on multiple database, I say welcome to my world.

I have come to the realization (at least for me) that it really doesn't matter who is right or wrong about database security, it needs to be fixed and the two individuals that can do it need to work together and respect what the other brings to the effort. My organization uses the standards developed by the Center for Internet Security and/or DISA for database standards and best practice. We also use the Tenable Nessus to conduct database compliance checks which are a mirror of those respective frameworks.

I could tell you about all of the bloody battles that we've had regarding database security, but instead I'll tell you that once management started taking it serious and realized that if you want secure, sometimes (not all) it will cost on the performance side, because as you're now seeing, how do you compensate for a default password when anyone who can spell GOOGLE can find that default password as well as anything else to exploit that poorly configured system or database. Personally, I try to work with the DBA the same as I would any other SysAdmin, they are the experts on how whatever it is that they manage, it's my job to show them how to secure "whatever that is" in accordance with approved business requirements, and sometimes plain old common sense.
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.
CVE-2018-16752
PUBLISHED: 2018-09-20
LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.