Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

6/10/2013
04:22 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Why Database Assessment?

How FIS bungled the basics

Why do we validate database configurations? This is why: 10,000 systems with default passwords -- this at a financial company that processes credit card transactions. Worse, these default settings were confirmed one year after a data breach. You would expect this level of security in 1995, not in 2012.

When I go into large organizations, I expect to find a few accounts on a handful of database to be set with default passwords. When you have thousands of databases, it happens. Ten thousand systems left with default password, across applications and network devices, is a systemic disregard of security. It's not forgetfulness; it's willful choice. Many systems prompt you to change defaults after the first login, so you have to intentionally type in the default password to keep it in place. I don't really have a lesson here other than to point out that easy security stuff is easy security stuff, and there is no reason to be burned by it. Database vulnerability assessment tools, across the board, included password checking about eight years ago. Each one checks for default passwords for all default accounts across every major type of relational database platform. These tools are fast. They identify exactly which accounts are at risk. They offer centralized management, easy-to-read reports, and tie into trouble-ticketing systems so people get the work rders automatically. And default password resets are really easy to do!

If you're someone in IT who worries that if you set a password, your co-workers won't have the password and will not be able to gain access, that's a reasonable concern. But it's also why we have password managers, both corporate and personal versions. You can share passwords across a group if need be.

I recommend reading the full article because it's interesting, and the attack looks very similar to the one mentioned in my "Why Monitor Databases" post. Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ODA155
50%
50%
ODA155,
User Rank: Ninja
6/12/2013 | 7:34:11 PM
re: Why Database Assessment?
Mr. Lane,

Do you remember this comment "Yet the security team advocates controls that restrict access, adds complexity and slow database performance."? You said that, and other things in the article you wrote, "What Every Database Administrator Should Know About Security". I commented, that everything you had written in that article was only from the point of view of that DBA, now, when you walk into an organization has 10,000 default passwords on multiple database, I say welcome to my world.

I have come to the realization (at least for me) that it really doesn't matter who is right or wrong about database security, it needs to be fixed and the two individuals that can do it need to work together and respect what the other brings to the effort. My organization uses the standards developed by the Center for Internet Security and/or DISA for database standards and best practice. We also use the Tenable Nessus to conduct database compliance checks which are a mirror of those respective frameworks.

I could tell you about all of the bloody battles that we've had regarding database security, but instead I'll tell you that once management started taking it serious and realized that if you want secure, sometimes (not all) it will cost on the performance side, because as you're now seeing, how do you compensate for a default password when anyone who can spell GOOGLE can find that default password as well as anything else to exploit that poorly configured system or database. Personally, I try to work with the DBA the same as I would any other SysAdmin, they are the experts on how whatever it is that they manage, it's my job to show them how to secure "whatever that is" in accordance with approved business requirements, and sometimes plain old common sense.
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-6017
PUBLISHED: 2020-12-03
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long unreliable segments in function SNP_ReceiveUnreliableSegment() when configured to support plain-text messages, leading to a Heap-Based Buffer Overflow and resulting in a memory corruption and possibly even a remote code ...
CVE-2020-6021
PUBLISHED: 2020-12-03
Check Point Endpoint Security Client for Windows before version E84.20 allows write access to the directory from which the installation repair takes place. Since the MS Installer allows regular users to run the repair, an attacker can initiate the installation repair and place a specially crafted DL...
CVE-2020-6111
PUBLISHED: 2020-12-03
An exploitable denial-of-service vulnerability exists in the IPv4 functionality of Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 16.000, Series B FRN 15.002, Series B FRN 15.000, Series B FRN 14.000, Series B FRN 13.000, Series B FRN 12.000, Series B FRN 11.000 and...
CVE-2020-5680
PUBLISHED: 2020-12-03
Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vector.
CVE-2020-5638
PUBLISHED: 2020-12-03
Cross-site scripting vulnerability in desknet's NEO (desknet's NEO Small License V5.5 R1.5 and earlier, and desknet's NEO Enterprise License V5.5 R1.5 and earlier) allows remote attackers to inject arbitrary script via unspecified vectors.