Perimeter
4/4/2012
12:41 PM
Adrian Lane
Commentary

Database Security On The Cheap

A look at some free tools to help tackle database security

Every month I speak with a Fortune 500 firm about database security challenges. I love these conversations because simultaneously dealing with multiple security, regulatory, and performance requirements across multiple user groups is challenging to impossible.

But that's a very small part of the database security world, and every week I talk with someone about how to meet basic security requirements when there is no time and no money. The big shops have huge challenges, but they have personnel and budget. For small IT shops, resources are always scarce. Most DBAs wear three (or more) hats: administrator, architect, security expert. There's always too much to do, and it's the perfect environment where tools and automation help DBAs get their job done.

The problem is small companies also lack the budget to buy many of the expensive commercial tools to automate operations, assessments, monitoring, and auditing. Worse, there is not a lot of open-source development for database security tools.

So I thought it would be appropriate to mention some of the free resources available to help you get your job done. What's cool about them is that, beyond being free, some provide capabilities that are not otherwise available at all.

A few weeks ago, I mentioned the v3rity tool for Oracle database forensics. It helps you construct an audit trail from the Oracle database. Yes, you can do that with Oracle natively, but this tool is a bit different in that you get multiple data sources for a more complete view, and it's a very forensics-focused perspective. Manually combing through audit logs or -- worse -- transaction logs is a nightmare. This is a handy tool for forensic analysis, answering the question, "What the heck just happened?"

McAfee recently announced a free plug-in for creating an audit trail for the MySQL database. If you use MySQL, you know that it has almost no native auditing capability, a problem exacerbated by its pluggable storage engine model. Rather than gathering audit logs from the database engine, the plug-in monitors user activity. This is database activity monitoring on a platform that is underserved by the database security vendors. Lots of small shops run MySQL as their core production database server, and this is a handy way to monitor database activity regardless of deployment model (in house, virtual server, cloud). You can also set policies to alert on specific events.

GreenSQL provides a free monitoring solution for MySQL, Postgres, and MS SQL Server. The product deploys in-line as a proxy server, so you need to route traffic through the software before it hits the database. It can both monitor user activity as well as block SQL requests deemed malicious.
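To make the monitor-then-alert-or-block pattern behind the two products above concrete, here is an added example that is not code from McAfee, GreenSQL, or the article. It walks a handful of constructed activity lines shaped like MySQL's general query log (timestamp, connection id, command, argument), ties each query back to the session that issued it, and applies three assumed policies: admin logins from outside a trusted subnet, DDL/DCL from an application account, and UNION reads of the catalog. The trusted subnet, admin user list, sensitive table list, and the sample lines are all assumptions made for illustration; an in-line proxy like GreenSQL would act on the "block" verdict before forwarding the statement, whereas a log-based monitor can only alert after the fact.

```python
"""Policy-driven database activity monitoring over constructed log lines.

Added example, not McAfee's or GreenSQL's code. The line format is modelled on
MySQL's general query log; the rules, the trusted subnet and the sample lines
are all constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample activity; not a real capture.
SAMPLE_LOG = """\
2012-04-04T02:13:07Z  12 Connect  app@10.0.1.5 on shop
2012-04-04T02:13:08Z  12 Query    SELECT id, total FROM orders WHERE customer_id = 42
2012-04-04T02:14:01Z  13 Connect  root@203.0.113.9 on shop
2012-04-04T02:14:03Z  13 Query    SELECT * FROM customers
2012-04-04T02:14:09Z  13 Query    GRANT ALL PRIVILEGES ON *.* TO 'backup'@'%'
2012-04-04T09:30:15Z  14 Connect  app@10.0.1.5 on shop
2012-04-04T09:30:16Z  14 Query    SELECT name FROM products WHERE id = 7 UNION SELECT password FROM mysql.user
2012-04-04T09:31:00Z  14 Query    DROP TABLE audit_trail
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")
CONNECT_RE = re.compile(r"^(\w+)@([\d.]+) on (\w+)")

# Assumed policy inputs; adjust per environment.
TRUSTED_NET = ipaddress.ip_network("10.0.1.0/24")   # where the app servers live
ADMIN_USERS = {"root"}                               # may run DDL/DCL, but we want to know
SENSITIVE_TABLES = {"customers"}                     # unfiltered reads are worth a look

PRIVILEGED_RE = re.compile(r"^\s*(DROP|GRANT|REVOKE|TRUNCATE|ALTER\s+USER|CREATE\s+USER)\b", re.I)
UNION_RE = re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)
CATALOG_RE = re.compile(r"\b(mysql\.user|information_schema)\b", re.I)
BULK_RE = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+(\w+)\s*;?\s*$", re.I)


@dataclass
class Alert:
    conn: int
    user: str
    host: str
    action: str      # "alert" (log it) or "block" (an in-line proxy would drop it)
    rule: str
    statement: str


def evaluate(user, statement):
    """Apply the policy to one statement; return (action, rule) or None."""
    if UNION_RE.search(statement) and CATALOG_RE.search(statement):
        return "block", "union-catalog-read"          # classic injection shape
    if PRIVILEGED_RE.match(statement):
        # Application accounts never need DDL/DCL in production; admins get an alert.
        return ("alert" if user in ADMIN_USERS else "block"), "privileged-statement"
    m = BULK_RE.match(statement)
    if m and m.group(1).lower() in SENSITIVE_TABLES:
        return "alert", "unfiltered-sensitive-read"
    return None


def monitor(log_text):
    """Walk the log, tie queries back to the session that issued them, return alerts."""
    sessions = {}      # connection id -> (user, host)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, conn, command, argument = m.groups()
        conn = int(conn)
        if command == "Connect":
            cm = CONNECT_RE.match(argument)
            if not cm:
                continue
            user, host, _db = cm.groups()
            sessions[conn] = (user, host)
            if user in ADMIN_USERS and ipaddress.ip_address(host) not in TRUSTED_NET:
                alerts.append(Alert(conn, user, host, "alert", "admin-login-untrusted-host", argument))
        elif command == "Query":
            user, host = sessions.get(conn, ("?", "?"))
            verdict = evaluate(user, argument)
            if verdict:
                alerts.append(Alert(conn, user, host, verdict[0], verdict[1], argument))
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(f"{a.action.upper():5} conn={a.conn} {a.user}@{a.host} [{a.rule}] {a.statement}")
```

Run against the sample, the root login from 203.0.113.9 and its GRANT and unfiltered customer read produce alerts, while the application account's UNION against mysql.user and its DROP TABLE are marked for blocking. The point of keying rules on the session's user and host rather than on the statement alone is that the same GRANT is routine from an administrator and a compromise indicator from an application account.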

I ran across a free SQL injection tool last week as well.

If you're a DBA, then you know that if the database gets hacked, you will get the blame, despite the fact that the application developers failed to validate input or to use stored procedures and parameterized queries, or that the platform providers ship vulnerabilities all the time. I do recommend using these tools before deploying the database and application to production in order to detect application vulnerabilities. Free tools like these are exactly what many attackers leverage, so you might as well test with them before an unfriendly third party does.
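To show what such a tool is actually finding, here is an added example that is not code from the article or from any tool it mentions: a login query built by string formatting beside its parameterized replacement, and a small probe that feeds each a few constructed payloads and reports which ones log in without a valid password. The schema, the accounts, and the payload list are assumptions made for the demonstration, and SQLite stands in for whatever engine you run.

```python
"""String-built SQL beside its parameterized replacement, plus a tiny injection probe.

Added example; not code from the article or any tool it names. The schema,
accounts and payload list are constructed for illustration.
"""
import hashlib
import sqlite3


def hash_pw(password):
    # Stand-in so the demo stores no plaintext; use a real password hash
    # (bcrypt/scrypt/argon2) in production code.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", hash_pw("correct horse")), ("bob", hash_pw("hunter2"))],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'before': user input pasted into the statement text."""
    sql = ("SELECT id, username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, hash_pw(password)))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """The fix: the driver binds values, so input can never change the query's shape."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()


# Constructed payloads of the kind a free injection tester throws at a login form.
PAYLOADS = ["alice' --", "' OR 1=1 --", "' OR '1'='1"]


def probe_login(conn, login_fn):
    """Return the payloads that log in without a valid password (what a scanner reports)."""
    bypassed = []
    for payload in PAYLOADS:
        try:
            if login_fn(conn, payload, "not-the-password") is not None:
                bypassed.append(payload)
        except sqlite3.Error:
            # A SQL error means input reached the parser, which is itself a
            # finding, but it is not an authentication bypass.
            pass
    return bypassed


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", probe_login(db, login_vulnerable))
    print("parameterized:", probe_login(db, login_safe))
```

Against the string-built query the two comment-truncation payloads succeed, because the `--` throws away the password check entirely; the third payload fails only because AND binds tighter than OR, which is luck, not defense. Against the parameterized query none of them succeed, since the payload is compared as a username value rather than parsed as SQL.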

Nessus offers a free version of its vulnerability scanning tool. It examines configuration settings and patch levels, which is faster than logging into a bunch of machines and checking them manually, but the free version omits the audit file capability. Technically, the free version is only for home, noncommercial use, so you're not supposed to use it at work. It is limited to 16 IPs, but I don't know many people who run 16 systems at home, so you do the math. Some construe this to mean "no free version," but since I usually mirror my production database configurations in my home and test environments, scan results were consistent.

For many years, Imperva has offered Scuba, a free database vulnerability assessment tool. It's cross-platform and examines patch levels, configuration settings, and administrative account settings. It even has reporting capabilities so you can integrate the results with other services.

If you're willing to put a little more time in to do some script development, then I've always found the local user groups a great source for ideas and sample scripts for database security. Some of the best user rights discovery and management scripts I've ever used came from regional Oracle database users groups. I've attended events over the years for Postgres, MS SQL Server, and DB2, and always came away with a new script for security. Finally, with a little patience and a search engine, there are lots of scripts published that help with sensitive data discovery.
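As an added example of the sensitive data discovery half of that paragraph, here is a script in the same spirit, not code from any user group or vendor: it walks every table and column in a database, samples the rows, and flags cells that look like Luhn-valid card numbers, US-SSN-shaped strings, or e-mail addresses. The sample schema and rows are constructed, the three detectors are illustrative rather than exhaustive, and SQLite stands in for your production engine (the catalog query and PRAGMA would change for Oracle, Postgres, or SQL Server).

```python
"""Sensitive data discovery across every column of a database.

Added example in the spirit of the discovery scripts the article mentions;
not code from any user group or vendor. The sample schema and rows are
constructed, and the detectors are illustrative, not exhaustive.
"""
import re
import sqlite3

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits):
    """Mod-10 check that weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(value):
    """Return the set of sensitive-data kinds found in one cell."""
    kinds = set()
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.add("card")
    if SSN_RE.search(value):
        kinds.add("ssn")
    if EMAIL_RE.search(value):
        kinds.add("email")
    return kinds


def discover(conn, sample_rows=1000):
    """Scan every table and column; return {(table, column): kinds} for hits only."""
    findings = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # Identifiers come from the catalog, not user input, and cannot be bound as
        # parameters, so they are double-quoted; the row limit is bound normally.
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            kinds = set()
            for (value,) in conn.execute(f'SELECT "{column}" FROM "{table}" LIMIT ?', (sample_rows,)):
                if value is not None:
                    kinds |= classify(str(value))
            if kinds:
                findings[(table, column)] = kinds
    return findings


def make_sample_db():
    """Constructed data; the card number is the well-known 4111... test number."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, notes TEXT);
        CREATE TABLE payments  (id INTEGER PRIMARY KEY, card_number TEXT, amount REAL);
        CREATE TABLE hr        (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT);
        CREATE TABLE orders    (id INTEGER PRIMARY KEY, total REAL);
    """)
    conn.executemany("INSERT INTO customers (email, notes) VALUES (?, ?)", [
        ("alice@example.com", "prefers phone"),
        ("bob@example.com", "called 2012-04-04; card on file 4111 1111 1111 1111"),
    ])
    conn.executemany("INSERT INTO payments (card_number, amount) VALUES (?, ?)", [
        ("4111111111111111", 10.0),
        ("4111111111111112", 20.0),   # fails Luhn: a random 16-digit run, not a card
    ])
    conn.execute("INSERT INTO hr (name, ssn) VALUES (?, ?)", ("Carol", "123-45-6789"))
    conn.execute("INSERT INTO orders (total) VALUES (?)", (99.5,))
    return conn


if __name__ == "__main__":
    for (table, column), kinds in sorted(discover(make_sample_db()).items()):
        print(f"{table}.{column}: {', '.join(sorted(kinds))}")
```

The interesting hit is customers.notes: the card number that a well-meaning support rep typed into a free-text field is exactly what a column-name-based inventory misses, and exactly what an auditor will ask about. Keep the caveats in mind: sampling can miss rare values, hashed or encrypted columns will not match, and the Luhn check suppresses random digit runs but not every false positive, so treat the output as a worklist rather than a verdict.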

One final note on the tools, since we are referencing commercial vendors that offer free versions or trials: the products usually provide limited functionality or a limited number of supported databases. These products are not "enterprise" quality despite marketing efforts to the contrary, but the enterprise audience is not the focus here.

A further downside is possible phone solicitation from sales teams congratulating you on a successful download and inquiring when you will upgrade to the commercial version of the product. That said, it's a small price to pay for helpful security automation tools. I'm sure I've missed a few others out there, so feel free to list some that you use in the comments section below.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading.

Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ...
