Protecting SQL Databases

SQL Database Vulnerabilities

With more and more information being accessed online through publicly visible web applications and APIs, both mobile and web, protecting a company's data isn't getting any easier.  The top 4 databases are Oracle, MS SQL Server and PostgreSQL, and most companies use some flavor of these to retrieve their information (ServerWatch, 2015).  Each of these servers has its own specific vulnerabilities, but we can look at the broader categories of vulnerabilities they share when exposed to the public internet.  The top 2 vulnerabilities of web-based databases are default or blank passwords and SQL injection (DarkReading, 2012).

Default and blank accounts are very common.  Keeping up with thousands of accounts that have blank or weak passwords seems almost impossible in a large company, and it has exposed many databases.  There are a variety of reasons why this happens.  SANS Technology Institute (n.d.) states, "Simply not knowing that a password needs to be changed or assuming that their perimeter firewall will protect them from unauthorized access are some of the reasons for doing so."  Ultimately, administrators need to know that many of these default accounts are publicly accessible on the internet.  Much malware has the default account credentials programmed into its code so that it can test these accounts automatically.  Voyager Alpha, for instance, scans the internet for port 1433, the port for MS SQL Server, and upon discovering a listener attempts to log in with a blank password to gain access (SANS Technology Institute, n.d.).  Removing default, blank and weak log-in credentials is an important first step for filling chinks in your database armor (DarkReading, 2012).

SQL injection is another top vulnerability; it appears on almost every list, including DarkReading's top 10 and the OWASP Top 10.  DarkReading (2012) defines it best: "When your database platform fails to sanitize inputs, attackers are able to execute SQL injections similar to the way they do in Web-based attacks."  In a recent study, 65 percent of companies experienced a SQL injection that evaded their web-based defenses within a 12-month period (Ponemon Institute, 2014).  The defenses against SQL injection are prepared statements instead of dynamic statements that place user input directly in the query, and stored procedures used in a safe way, meaning the stored procedure does not contain any unsafe dynamic SQL.
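To make the prepared-statement defense concrete, here is an added example (not from the original post) that puts a dynamic, string-built query next to a parameterized one against a constructed in-memory SQLite table; the table, the user names and the lookup functions are all assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for a user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_dynamic(conn, name):
    """Vulnerable form: the caller's input becomes part of the statement text,
    so any quote in the input changes the SQL that the engine parses."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Hardened form: the statement is parsed with a placeholder first and the
    value is bound afterwards, so the input can only ever be a value."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on a normal name and on a constructed input containing
    a quote and a tautology, and return the four result sets for comparison."""
    conn = make_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # constructed input of the class the text describes
    return {
        "dynamic_benign": lookup_dynamic(conn, benign),
        "dynamic_hostile": lookup_dynamic(conn, hostile),   # returns every row
        "prepared_benign": lookup_prepared(conn, benign),
        "prepared_hostile": lookup_prepared(conn, hostile), # returns no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The dynamic lookup hands back all three rows for the hostile input because the engine parsed the quote as SQL, whereas the prepared lookup treats the whole string as a name and finds nothing; the same contrast is what a safe stored procedure must preserve by never concatenating its arguments into dynamic SQL.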


References

DarkReading. (2012, November 1). The 10 most common database vulnerabilities. Retrieved from http://www.darkreading.com/vulnerabilities—threats/the-10-most-common-database-vulnerabilities/d/d-id/1134676

OWASP. (n.d.). SQL Injection Prevention Cheat Sheet – OWASP. Retrieved from https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Ponemon Institute. (2014, April 12). The SQL injection threat study. Retrieved from http://www.ponemon.org/local/upload/file/DB%20Networks%20Research%20Report%20FINAL5.pdf

SANS Technology Institute. (n.d.). The risk of default passwords. Retrieved from http://www.sans.edu/research/security-laboratory/article/default-psswd

ServerWatch. (2015, September 8). Top 10 enterprise database systems in 2015. Retrieved from http://www.serverwatch.com/server-trends/slideshows/top-10-enterprise-database-systems-to-consider-2015.html

Set up your lair

I decided to create this post to show people how to get up and running.  Ideally you would want to have a workstation (host) and multiple VMs, which can be numerous ISOs for you to practice on.  For people to learn how to get started, this video explains a lot of initial setup.  This shows the ISO Metasploitable.  There are a bunch of videos on this topic, but this one seems the most thorough and clear.  I'll continue to update this post with new links to some of my favorite VMs and links.

Hardware

SANS Suggestions from 2014 – Pentest Lab Hardware – https://pen-testing.sans.org/blog/2014/02/27/building-a-pen-test-infrastructure-hacking-at-home-on-the-cheap

Operating System Protection


With the ever-changing landscape of potential operating system risks, the challenge of securing any one computer becomes more and more difficult.  Operating systems have gone through an enormous change in recent years, as the operating system is no longer highly dependent on installed software.  The evolution of the browser has given users the ability to access large resources on other computers more readily in day-to-day usage via multiple API calls.  With these API calls being abused maliciously, the need for more protection at this level is becoming more critical.  With the dominant website vulnerabilities being injection, broken authentication and cross-site scripting, securing an operating system has to be solved with a sophisticated solution.  There have been many different solutions that try to tackle the multiple issues with viruses and malware infecting computers.  Some of the best solutions to this heavily debated problem are the microkernel OS, the Trusted Platform Module, and user-based protection.

When examining the creation of secure operating systems, one has to take into account microkernel-based secure OSs, and we can see how this is an ever-evolving solution, from projects such as IBOS, the Illinois Browser Operating System, to the secure microkernel project seL4.  The theory of microkernels, according to CSIRO (n.d.), is that "a bigger system has inherently more bugs than a small system."  For every thousand lines of code there is an average number of bugs that can be introduced.  The kernel is always a part of the trusted computing base, and minimizing the kernel gives a smaller TCB, which leaves a more secure operating system.  Another noteworthy advantage of microkernel operating systems is their potential to solve the availability component of the CIA triad: if one service fails, other services are able to keep working without crashing as well (Abualrob, 2012).  The downside of the secure OS or microkernel is the performance loss.  Because every request needs to go through the kernel, the system makes exponentially more calls than a monolithic-kernel OS.

Another solution to the security issues that operating systems face is the Trusted Platform Module, or TPM.  The TPM is actually a chip that was created by the TCG, a group made up of industry leaders.  Kleyman (n.d.) states, "The TPM contains several Platform Configuration Registers (PCRs) that allow secure storage and reporting of security-relevant data (unauthorized changes to the BIOS, possible root-based modifications, boot-sector changes, etc)."  The ability for vendors to collect data about OS behavior based on possibly harmful changes can greatly decrease insecure practices.  However, this is also the disadvantage of the TPM chip, as many users are wary of how the vendor may use this information and see it as somewhat of an invasion of privacy.  If TPM is implemented, it is best implemented together with other layers of security; it isn't a standalone solution.

Users have seen many changes in OS protection, and few solutions stand the test of time.  One solution that is still around is antivirus-based protection, which when done correctly offers many benefits.  Antivirus software that scans a computer has been around for quite some time and was the go-to method for operating-system-level security for years.  Its benefit is the ability to prevent known viruses and malware based on a known signature.  If there is a known virus in the wild and a security professional has alerted the necessary vendors, then other users share that knowledge and are protected from the same attacks, granted that users continually update their antivirus definitions.  The disadvantage of using this method alone to secure an operating system is the customization of attacks: attackers have evolved along with the security methods, and if an attack isn't known or in the definitions database, it won't be stopped.

User-based protection is a great method of making sure that a non-privileged user cannot execute code against critical parts of an operating system.  A perfect example of this is Windows' UAC, or user access controls.  The benefit is that a user of the operating system is notified when a significant change to the operating system is about to occur, and the user then needs to allow the action to continue.  While this is a great way to hand-pick which applications are allowed to modify parts of the OS, the concept starts to break down under modern computer usage.  The number of calls made to modify critical parts of the operating system is very high, and the notifications degrade the usability of the operating system.  Educating users to understand which modifications are good and which are bad also becomes quite a challenge.

All approaches to securing an operating system take a unique look at what the user will use the OS for, and the implementation of many of them is very unrealistic in corporate environments.  However, for ease of implementation, the approach should be the hybrid kernel.  Instead of loading the whole kernel into memory, core modules are loaded dynamically into memory on demand.  One disadvantage is that a module may destabilize a running kernel.


  1. Hybrid kernel, with performance being easier to manage than a microkernel or monolithic kernel by itself; if you could deal with it, it would be the most secure.
  2. TPM chip in conjunction with other security measures, if you trust the vendors.
  3. Trusted Computing antivirus software file protection, with its ease of implementation and great track record.


References

Abualrob, M. (2012, November 17). Microkernel vs. monolithic OS architectures. Retrieved from www.8bitavenue.com/2012/11/microkernel-vs-monolithic-os-architectures/

Anderson, R. (2008). Security engineering – A guide to building dependable distributed systems (2nd ed.). New York, NY: John Wiley & Sons Publishing, Inc.

Beuchelt, G. (2013). Computer and information security handbook. Boston, MA: Morgan Kaufmann Publishers.

CSIRO. (n.d.). seL4: secure embedded L4. SSRG | Data61. Retrieved from http://ssrg.nicta.com.au/projects/seL4/

Kleyman, B. (n.d.). Weighing the pros and cons of the trusted computing platform. Retrieved from http://searchitoperations.techtarget.com/tip/Weighing-the-pros-and-cons-of-the-Trusted-Computing-Platform