Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

4/19/2012
04:43 AM
50%
50%

Three Security Snags That Expose The Database

Insecure Web apps, no linkage to IAM, and poorly configured segmentation all contribute to database vulnerability

Sure, database security may be incomplete without database activity monitoring or encryption technology in place. But most security practitioners worth their salt know that more often than not, the effectiveness of a database security program rests just as much outside of a database environment as within.

The fact is that today's data stores are usually exposed as a result of poor security in the infrastructure layers beyond the database. The biggest three culprits: insecure Web applications tapped into the database, poorly administrated machine accounts with high amounts of database privileges, and misconfigured (or nonexistent) network segments.

1. Insecure Web Applications
In spite of the work of groups like OWASP to disseminate coding best practices during the past few years, the fact is that there are still millions of vulnerable Web applications live on the Internet -- and where do these apps lead their users? Why, to back-end databases, of course.

Progress in narrowing the vulnerability gap is slow, says David Litchfield, chief security architect for Accuvant LABS and a well-known database security researcher.

"It’s quite disheartening, actually, to see that the same toolkit I started using years ago still works quite well doing penetration tests today," Litchfield says.

The worst part about it, according to Litchfield, is that developers are still rolling out new apps featuring the same mistakes of yesteryear -- failing to validate input, for example. He says that higher education institutions are still failing to teach students secure coding principles that have been developed for years now.

"You’d think these developers coming out of university would understand these fundamentals, but they haven't been taught these things," he says.

2. Overprivileged System Accounts
Even within organizations that have implemented high-powered identity and access management tools and processes across IT infrastructure, databases tend to get left behind in no-man's-land.

"All too often, organizations forget to tie identity life-cycle management of database users, especially shared accounts and service accounts, to their IAM core," says Nishant Kaushik, chief architect of Identropy. "Database access must be tied to provisioning, strong authentication, and privileged account management tools."

The sad reality, though, is that for the sake of expediency, IT tends to allow developers and other IT system administrators to tap into the database through system accounts with nearly unlimited permissions enabled. These accounts are often operated outside the bounds of access control or monitoring systems and are ripe for abuse by knowledgeable insiders or outside attackers who find these useful vehicles for unmitigated access to the database.

3. Misconfigured Network Segmentation
Security best practices and regulations have heavily touted network segmentation as a critical way to limit the scope of risk mitigation efforts on high-value database assets. But when misconfigurations, particularly in firewall rule sets, poke holes in the security of those network segments, databases are left vulnerable.

Kevin Beaver, founder of security consultancy Principle Logic, spends much of his time performing network security and Web application security assessments for clients. His examinations frequently show how poorly organizations are doing at properly segmenting networks and keeping databases tucked into protected DMZs.

"I could go look at the firewall rule base [at many organizations] and point out all sorts of flaws, misconfigurations, network segments that shouldn't be talking to one another, ports open, and so on. I often see database servers that are sitting out on the public Internet, wide open for attack," he says. "I've actually been involved in a case not too long ago as an expert witness that involved a situation where somebody had to put a SQL Server database out on the Internet because a business partner required it, and they forgot about it. They poked a hole in the firewall, forgot about it, went back, and realized they had had a data breach. It turned really ugly."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
danielcornell
50%
50%
danielcornell,
User Rank: Apprentice
4/20/2012 | 12:00:18 PM
re: Three Security Snags That Expose The Database
-The combination of highly privileged users and poorly coded web applications leads to pretty disastrous situations. I just got back from SOURCE Boston where I talked about that issue and released a tool called "sqlpermcalc" that calculates least-privilege database user rights based on analyzing legitimate query traffic to the database. Still pretty alpha, but I think the approach offers some promise to help reduce the impact of SQL injection exploitation. This can be especially useful in situations where the application code can't or won't be changed. Slides and more info online here:
http://blog.denimgroup.com/den...
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1619
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
CVE-2019-1620
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
CVE-2019-1621
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
CVE-2019-1622
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.