Tag Archives: databases

Securing Databases

Securing Databases

Database security is very important to consider in any organization or company.  It’s where an entities most valuable data is stored.  Personal identifiable information has been stolen from databases over and over in the last decade.  (Blackhat, n.d.) says, “By one estimate, 53 million people have had data about themselves exposed over the past 13 months.”  This was in 2006 after large data breaches from Bank of America, Time Warner, and Marriott International.  Today you could only imagine that there are many more.  A few suggested things to consider when securing any database or distributed system.  Separate the database from the web servers.  Encrypt any stored files in the database.  Keep patches current.

Keep the database server’s separate from the web servers is a great help.  Usually software when installed on a server will include a database and install it on the same server.  If an attacker can compromise the administrator account of the webserver he then has access to the database files.  (Applicure Technologies, n.d.) suggests, “instead, a database should reside on a separate database server located behind a firewall, not in the DMZ with the web server.”  Agreed this would increase the complexity of the installation but the benefits on the security are well worth it.

Another factor to consider is the way in which the data will be stored.  Encryption is an option for all data but will decrease performance in certain areas.  Knowing the kind of data like car information color, make, and model versus vin number and license plate number would help in determining the information that needs to be encrypted and does not.  Depending upon the business compliance whether HIPAA, SOX, and PCI may make this decision for us.  Encryption of also website files for instance a web configuration file may contain information to the databases the website needs to connect to.  Many times this is in clear text. (Applicure Technologies, n.d.) says, “WhiteHat security estimates that 83 percent of all web sites are vulnerable to at least one form of attack.”  These types of attacks are very frequent in number.

Lastly keep databases patched regularly.  Many databases have many other third party plugins that create other entry points into databases. At the time of their publication there were 8 DB2, 2 Informix and greater than 50 Oracle 0day vulnerabilities, (Blackhat, n.d.).  So the general consensus would be to keep the need for third party vendors and databases to a minimum.

Overall there is no exact method of database security it’s a practice and everyones implementation will be different based off of the needs of each business and the regulatory requirements that the business is subject to.

 

costofdata

Figure 1. Shows the cost of different types of data on the blackmarket.

topcompanies

Figure 2. Shows the top companies with data breaches in 2005.

 

References

Applicure Technologies. (n.d.). Best practices for database security. Retrieved from http://www.applicure.com/blog/database-security-best-practice

Blackhat. (n.d.). Hacking databases for owning your data. Retrieved from https://www.blackhat.com/presentations/bh-europe-07/Cerrudo/Whitepaper/bh-eu-07-cerrudo-WP-up.pdf

Protecting SQL Databases

SQL Database Vulnerabilities

With more and more information being accessed on line through publicly visible web applications as well as API’s, both mobile and web, finding ways to protect a company’s data isn’t getting any easier.  The top 4 databases are Oracle, MS SQL Server and PostgreSQL.  Most companies are using some flavor of this to retrieve their information, (ServerWatch, 2015).  Each of these servers has specific vulnerabilities however we can look at the broader categories of vulnerabilities that they share when exposed to the public internet.  The top 2 vulnerabilities to web based databases are default and or blank passwords, SQL injection (DarkReading, 2012).

Default and blank accounts are very common.  Keeping up with thousands of blank accounts with weak passwords seems almost impossible in a large company and has exposed many databases.  There are a variety of reasons of why this may happen. (SANS Technology Institute, n.d.) states, “Simply not knowing that a password needs to be changed or assuming that their perimeter firewall will protect them from unauthorized access are some of the reasons for doing so.”  But ultimately the administrators need to know that many of these default accounts are publicly accessible on the internet. Many viruses and malware have the default accounts programmed in their code to test these multiple accounts.  The Voyager Alpha for instance scans the internet for port 1433 which is the port for MS SQL server and upon discovery will attempt to login with the blank password to gain access, (SANS Technology Institute, n.d.).  Removing default, blank and weak log-in credentials is an important first step for filling chinks in your database armor, (DarkReading, 2012).

SQL Injection is another top vulnerability which tops on almost every list which includes DarkReadings top 10 and also OWASP top 10.  (DarkReading, 2012) defines it best by stating, “When your database platform fails to sanitize inputs, attackers are able to execute SQL injections similar to the way they do in Web-based attacks.”   In a recent study 65 percent of companies experienced SQL injection in a 12-month period which evaded their web based defenses, (Ponemon Institute, 2014).  The defenses for SQL injection can be prepared statements instead of the dynamic statements which allow user input directly in the query.  Use of stored procedures in a safe way which means the stored procedures does not contain any unsafe dynamic SQL can also benefit the defenses of SQL Injection.

 

References

DarkReading. (2012, November 1). The 10 most common database vulnerabilities. Retrieved from http://www.darkreading.com/vulnerabilities—threats/the-10-most-common-database-vulnerabilities/d/d-id/1134676

OWASP. (n.d.). sql injection prevention cheat sheet – owasp. Retrieved from https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Ponemon Institute. (2014, April 12). The sql injection threat study. Retrieved from http://www.ponemon.org/local/upload/file/DB%20Networks%20Research%20Report%20FINAL5.pdf

SANS Technology Institute. (n.d.). The risk of default passwords. Retrieved from http://www.sans.edu/research/security-laboratory/article/default-psswd

ServerWatch. (2015, September 8). Top 10 enterprise database systems in 2015. Retrieved from http://www.serverwatch.com/server-trends/slideshows/top-10-enterprise-database-systems-to-consider-2015.html