Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/30/2010
10:22 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

The Essentials Of Database Assessment

The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.

The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.New vulnerabilities require new patches, database configuration change over time, and new users come and go. So while these tasks are essential to database security, they are also annoying and repetitive. Collecting user authorization settings from a number of databases and putting them into a meaningful report can be hard enough: pouring through the information can make make you want to change professions.

The same can be said for looking at configuration settings over and over, or resetting privileged accounts back to a secure baseline. But this is what database assessment is all about: ensuring the basic security measures are in place and effective. And it's the automation of these tasks that makes database assessment tools so useful. This post focuses on the operational tasks -- my next post will cover what you need to look for in assessment tools that support these functions.

It's the database privileges, misconfigurations, and vulnerabilities that are most commonly exploited by attackers. The three main defenses to verify database security are: assessing configuration, assessing user configuration, and patching the database.

* User Permissions and Roles: This includes default passwords, public roles of database features, databases owned by local administrator account, normal users with any administrative add/modify functions. Smaller firms may tolerate a DBA that has all privileges, but mid-sized to large firms do not. And just because you got these setting right last quarter does not mean that they stayed that way. Finally, you want to review both permissions assigned to each user, as well as user participation in each group. * Database Configuration: Every database platform is different, and every one will have specific options that require unique attention. But there are a handful of common settings that you need to pay careful attention to, such as any external code access, network SSL/TLS setup, and keeping functions or modules installed that you don't use. Review the database vendor best practices, because there are usually some handy tips there.

* Database Patching: Security issues are so common that your vendor will likely produces a security patch once a quarter. Sign up to get patch notifications so that you get pre-announcements and release details when the patches are ready. You should get into a routine to determine if the patch is relevant to you, and if so, have a test environment so you can quickly verify that the patch or workaround does not kill some critical application or function. Most zero-day attacks, such as SQL injection and buffer overflows, don't have specific workarounds so you need to patch quickly. Task injection and authentication escalation may have temporary workarounds, so look for those.

This is really the bare minimum you need to look at -- I am not getting into advanced settings, blocking, or automated patching. But you need to get the basics right. In my next post I'll talk about tools.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32243
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).
CVE-2021-32244
PUBLISHED: 2021-06-16
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
CVE-2021-32245
PUBLISHED: 2021-06-16
In PageKit v1.0.18, a user can upload SVG files in the file upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/exp.svg" t...
CVE-2021-34201
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Buffer Overflow. There are multiple out-of-bounds vulnerabilities in some processes of D-Link AC2600(DIR-2640). Local ordinary users can overwrite the global variables in the .bss section, causing the process crashes or changes.
CVE-2021-34203
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Incorrect Access Control. Router ac2600 (dir-2640-us), when setting PPPoE, will start quagga process in the way of whole network monitoring, and this function uses the original default password and port. An attacker can easily use telnet to log in, modify ...