6/10/2013 04:22 PM
Adrian Lane
Commentary
Why Database Assessment?

How FIS bungled the basics

Why do we validate database configurations? This is why: 10,000 systems with default passwords -- this at a financial company that processes credit card transactions. Worse, these default settings were confirmed one year after a data breach. You would expect this level of security in 1995, not in 2012.

When I go into large organizations, I expect to find a few accounts on a handful of databases set with default passwords. When you have thousands of databases, it happens. Ten thousand systems left with default passwords, across applications and network devices, is a systemic disregard of security. It's not forgetfulness; it's a willful choice. Many systems prompt you to change defaults after the first login, so you have to intentionally type in the default password to keep it in place. I don't really have a lesson here other than to point out that easy security stuff is easy security stuff, and there is no reason to be burned by it. Database vulnerability assessment tools, across the board, included password checking about eight years ago. Each one checks for default passwords on all default accounts across every major type of relational database platform. These tools are fast. They identify exactly which accounts are at risk. They offer centralized management, easy-to-read reports, and tie into trouble-ticketing systems so people get the work orders automatically. And default password resets are really easy to do!
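The assessment workflow described above (check every vendor-default account on every database, flag the ones still on the default password, and hand the DBA a work order) can be shown in a few dozen lines. The example below is added here and is not code from the article or from any assessment product; it works offline against a constructed inventory of account records and uses made-up placeholder strings in place of real vendor defaults, so the only thing it demonstrates is the audit and ticketing logic. The hash scheme and all host names, account names and salts are assumptions.

```python
"""Offline default-credential audit over a constructed database inventory.

Added example, not part of the original article. The account records, the
platform/default catalogue and the hashing scheme below are all constructed
stand-ins; a real assessment tool reads the real password-hash tables and
carries the real vendor default lists.
"""
import hashlib
from dataclasses import dataclass

# Constructed catalogue: default account name -> placeholder "vendor default".
# These placeholder strings are NOT real vendor defaults.
DEFAULT_ACCOUNTS = {
    "oracle":   {"DEMO_ADMIN": "vendor-default-1", "DEMO_SAMPLE": "vendor-default-2"},
    "mysql":    {"root": "vendor-default-4"},
    "postgres": {"postgres": "vendor-default-3"},
}


def hash_password(password: str, salt: str) -> str:
    """Assumed salted hash; stands in for whatever the platform stores."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class Account:
    host: str
    platform: str
    user: str
    salt: str
    pw_hash: str
    locked: bool = False


@dataclass
class Finding:
    host: str
    platform: str
    user: str
    severity: str


def audit(accounts):
    """Return one Finding per default account whose stored hash still matches
    the catalogued default. Locked accounts are reported at lower severity."""
    findings = []
    for a in accounts:
        defaults = DEFAULT_ACCOUNTS.get(a.platform, {})
        if a.user not in defaults:
            continue  # not a vendor-default account name: out of scope here
        if hash_password(defaults[a.user], a.salt) == a.pw_hash:
            findings.append(Finding(a.host, a.platform, a.user,
                                    "medium" if a.locked else "high"))
    return findings


def make_tickets(findings):
    """Group findings by host so each DBA gets one work order per system."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    return [
        {
            "host": host,
            "title": f"Reset vendor-default passwords on {host}",
            "accounts": sorted(f.user for f in fs),
            "priority": "P1" if any(f.severity == "high" for f in fs) else "P2",
        }
        for host, fs in sorted(by_host.items())
    ]


def summarize(findings):
    """Count of at-risk accounts per platform for the management report."""
    counts = {}
    for f in findings:
        counts[f.platform] = counts.get(f.platform, 0) + 1
    return counts


def build_sample_inventory():
    """Constructed inventory: two hosts still on defaults, one already rotated."""
    def acct(host, platform, user, password, salt, locked=False):
        return Account(host, platform, user, salt, hash_password(password, salt), locked)
    return [
        acct("db01.example.test", "oracle", "DEMO_ADMIN", "vendor-default-1", "s1"),
        acct("db01.example.test", "oracle", "DEMO_SAMPLE", "vendor-default-2", "s2", locked=True),
        acct("db02.example.test", "oracle", "DEMO_ADMIN", "Rotated!Strong#Pass", "s3"),
        acct("db03.example.test", "mysql", "root", "vendor-default-4", "s4"),
        acct("db03.example.test", "mysql", "appuser", "vendor-default-4", "s5"),
    ]


if __name__ == "__main__":
    found = audit(build_sample_inventory())
    print(summarize(found))
    for ticket in make_tickets(found):
        print(ticket)
```

Two design points worth noting: the check compares hashes rather than attempting logins, which is how a configuration assessment (as opposed to a network scan) works and leaves no failed-login noise on the target; and `appuser` on db03 is skipped even though it shares a weak password, because a default-account check is deliberately narrow and a separate password-policy check covers the rest.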

If you're someone in IT who worries that if you set a password, your co-workers won't have the password and will not be able to gain access, that's a reasonable concern. But it's also why we have password managers, both corporate and personal versions. You can share passwords across a group if need be.

I recommend reading the full article because it's interesting, and the attack looks very similar to the one mentioned in my "Why Monitor Databases" post.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading.

Comments

ODA155
6/12/2013 | 7:34:11 PM
re: Why Database Assessment?
Mr. Lane,

Do you remember this comment: "Yet the security team advocates controls that restrict access, adds complexity and slow database performance."? You said that, and other things, in the article you wrote, "What Every Database Administrator Should Know About Security". I commented that everything you had written in that article was only from the point of view of that DBA. Now, when you walk into an organization that has 10,000 default passwords on multiple databases, I say welcome to my world.

I have come to the realization (at least for me) that it really doesn't matter who is right or wrong about database security; it needs to be fixed, and the two individuals who can do it need to work together and respect what the other brings to the effort. My organization uses the standards developed by the Center for Internet Security and/or DISA for database standards and best practice. We also use Tenable Nessus to conduct database compliance checks, which are a mirror of those respective frameworks.

I could tell you about all of the bloody battles that we've had regarding database security, but instead I'll tell you that once management started taking it seriously, they realized that if you want secure, sometimes (not always) it will cost on the performance side. Because, as you're now seeing, how do you compensate for a default password when anyone who can spell GOOGLE can find that default password, as well as anything else needed to exploit that poorly configured system or database? Personally, I try to work with the DBA the same as I would any other SysAdmin: they are the experts on whatever it is that they manage, and it's my job to show them how to secure "whatever that is" in accordance with approved business requirements, and sometimes plain old common sense.