Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

03:40 PM
Connect Directly

Database Misconfigurations: Windows To Vulnerable Data

Experts recommend developing configuration baselines and regularly comparing database configurations to those standards to prevent configuration drift

As enterprises continue to struggle with large-scale data breaches and quiet exfiltration of sensitive information from databases, database security experts warn of the big role misconfigured databases play in these compromises.

"Almost all the data that gets stolen every year comes out of the database one way or another -- particularly if you are going to steal a lot of data at once," says Josh Shaul, CTO of Application Security Inc. "The reason why people are able to steal a lot of data out of databases is because nobody really bothers to secure them; breaking into databases is so ridiculously easy. There are so few organizations that actually take the security of their databases seriously."

Database configurations are among the top elements either ignored or mishandled, he says. They range from insecure default settings left unaltered to changes made by administrators that leave the database open to attack.

In the first category, default accounts still remain a big problem in enterprise database settings.

"We see them all over the place," Shaul says. "The databases all ship with default accounts, and when you install applications on your database, they install default accounts, too. All those default accounts have default passwords, and all those default passwords are easy to find on the Internet. So if you leave them in place, it's kind of like you're leaving a window open into the database."

[Do you see the perimeter half empty or half full? See Is The Perimeter Really Dead?]

Similarly, most databases come out of the box with a smorgasbord of applications installed, many of which will be unnecessary to the organization. But each enterprise has its own needs, so the list of extraneous apps varies by use case.

"We all talk about surface area in security. You want to cut down the surface area and give the hacker less area to go after. Well, if you're in the database business, your goal is to put as much functionality into the database out of the box as possible -- you want to make it easy for people to start up their apps, get them going, give them features they want," Shaul says. "There's so much stuff that just gets installed by default, including lots of functionality to access the operating system through the database."

Even when not turned on by default, many potentially dangerous database features are ticking time bombs for misconfigurations should they be flipped on. For example, Shaul calls a certain TRUST_ALLCLNTS parameter in DB2 a security knife-switch just waiting to stick enterprises where it hurts.

"If you turn TRUST_ALLCLNTS to 'yes,' that turns off all authentication authorization of the database. I see people turn TRUST_ALLCLNTS on," he says. "When you put features in your software -- even if they're stupid -- people use the features in the software."

According to Roxana Bradescu, senior director of security product management for Oracle, many of the database misconfiguration pain felt by organizations today stem from the fact that they're still managing database configurations manually, typically tracking them with spreadsheets.

"That's how most organizations do it. They have to manually compare those spreadsheets, so someone is literally comparing one spreadsheet versus another," she says. "It's very time-consuming, error-prone, and very reactive."

Without automation, simply tracking configurations is hard enough. But then there is the issue of also keeping tabs on configuration dependencies. Understanding these dependencies are important for operational resiliency and forensics analysis.

"A lot of times having these configuration dependencies also allows you very valuable analysis in forensics after a potential breach or potential exfiltration to see exactly what other things may have been compromised," Bradescu says.

But before even automating the tracking of configurations and their dependencies, organizations have to have some kind of baseline to compare current configurations against. Without standards, it is impossible to tell whether a configuration is right or wrong, secure or insecure.

At the moment, the industry has two big standards most commonly used to develop database configuration baselines. One, the Defense Information Systems Agency Database Security Technical Implementation Guide (DISA STIG), is "pretty heavyweight," according to Shaul, and primarily used in the government defense space. The other is a standard from the Center of Internet Security, one that's "pretty good, but not rock-solid," he adds. According to Shaul, probably only 10 percent to 15 percent of organizations have adopted either standard, with perhaps another 10 percent of organizations with their own internal standards.

"But that leaves you with 70 to 80 percent of organizations out there that don't have a target," he says. "And it's so hard to hit a target when you don't have a target. How do you ask people to go and set up a secure database when there is no definition for what that looks like?"

Bradescu is of a similar mind, explaining that the only way to prevent database configurations from drifting into insecurity over time is by creating a gold image for databases to compare configurations against.

"You probably are going to have multiple images for different types of databases," she says. "They may be application-specific, clusters versus single instance, [and so on], but you want to be able to compare that configuration against the baseline, making sure throughout the life cycle that the configuration stays consistent."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ericka Chickowski
Ericka Chickowski,
User Rank: Moderator
9/18/2013 | 7:00:28 PM
re: Database Misconfigurations: Windows To Vulnerable Data
If you're an Oracle user, there's always Oracle Configuration Manager. Though Shaul claims that it leaks data. Of course, he's got a dog in this fight--big database activity monitoring (DAM) vendors offer configuration management as a part of their feature set. So vendors like Application Security, IBM Guardium, Imperva, McAfee, and Fortinet. For smaller implementations there's also GreenSQL.
User Rank: Apprentice
9/18/2013 | 4:47:33 PM
re: Database Misconfigurations: Windows To Vulnerable Data
What are some tools to automate the tracking of database configuration settings? Any recommendations?
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.