
Risk | Quick Hits
6/23/2013 09:04 AM
Adrian Lane

10 Most Common Security Vulnerabilities In Enterprise Databases

Databases are among the most vulnerable systems in the enterprise. Here's where they are weak -- and what you can do about it

[The following is excerpted from "10 Most Common Security Vulnerabilities in Enterprise Databases," a new report published this week on Dark Reading's Database Security Tech Center.]

Databases contain the largest -- and most sensitive -- store of enterprise data, making them a prime target for attackers. But it's often the enterprise's internal staff -- database developers, administrators, and even users -- who create the vulnerabilities that attackers exploit to compromise that data.

In this report, we look at how and why database vulnerabilities are created -- whether it's during the creation of a new database, during customization of an off-the-shelf application, or in the process of patching or updating the data. We examine the most common causes of database security vulnerabilities and recommend ways to prevent them.

Here are some of the most common areas of database security weakness, based on the issues we've seen in the customer environments we've evaluated during the last decade.

1. Deployment Fail
The most common cause of database vulnerabilities is the lack of care with which they are deployed. Sure, databases are often functionally tested to make sure they provide core functions for calling applications. In fact, the majority of predeployment tests are designed to verify that a database is doing what it should do; very few are checking to ensure that it isn't doing something it should not do.

Every database should pass a long checklist of tests prior to deployment. That list covers just about every facet of the database, but most items map directly to common exploit vectors leveraged by attackers. Every relational database platform (including Oracle, DB2, SQL Server, Sybase, Postgres, and MySQL) is insecure after a fresh installation, and it will remain that way until you fix it.

2. Broken Databases
The Slammer worm put the issue of vulnerabilities at the forefront of DBAs' consciousness in 2003, when it took down thousands of databases in a matter of minutes. This worm exploited a buffer-overflow vulnerability and allowed an attacker to crash, or gain control over, any database it discovered.

Slammer was the first of many such vulnerabilities, and it was the catalyst that pushed vendors to start offering regular security patches. Vulnerabilities like command injection and buffer overflows don't make headlines like they used to; fewer issues are found, and vendors are fairly responsive with patches when they are.

But this doesn't mean that new exploits have gone away. Quite the contrary. New exploits are found regularly, and we see critical security patches released several times a year. However, unbelievably, many companies don't install security patches, leaving their database systems vulnerable to attack and often subject to complete compromise. The reasons firms don't patch vary, but what we usually hear is that they lack time and resources to test patches prior to deployment, and thereby verify function and stability.

It's true that it takes time to test patches, but most patches are released on a regular schedule -- often every three months. A partial regression test to verify functions simply doesn't take that long. What's more, test tools are designed to automate testing processes like this for you, thus ensuring that you don't destabilize your applications.

Our recommendation here is simple and non-negotiable if you want to keep your database systems secure: Patch your databases.

3. Leaked Data
Some DBAs forget about network security. The common mindset is that the databases are in the "back office," a network secured from the Internet, so data communications to and from databases don't have to be encrypted. What these IT pros are forgetting -- or ignoring -- is the networking interface of their database. But make no mistake: It's trivial for an attacker to capture network traffic and parse interesting data from multiple user connections to the database -- in essence, seeing all data moving in and out.

In all cases, you should enable Transport Layer Security (TLS). TLS (and its predecessor, Secure Sockets Layer) has minimal impact on network performance and makes it very difficult for someone to collect data from the wire. Most relational platforms provide SSL- or TLS-encrypted communications as part of the basic database package, enabled through a simple configuration setting change.

For platforms that don't include encrypted network communications features, you will have to add a third-party option. Many good TLS options are available from the open source community.
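As an added example (not part of the Dark Reading report), here is a small Python audit of PostgreSQL's pg_hba.conf, the file that decides which TCP clients may connect without TLS: it parses constructed rules and flags any that still admit a cleartext client or require no credential. The sample rules are constructed; the `clientcert=verify-ca` option assumes PostgreSQL 12 or later.

```python
"""Audit pg_hba.conf for rules that allow non-TLS access (added example)."""
from collections import namedtuple

# One pg_hba.conf line: TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]
HbaRule = namedtuple("HbaRule", "conn_type database user address method")


def parse_pg_hba(text: str) -> list:
    """Parse pg_hba.conf content, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            # Unix-socket rules carry no ADDRESS column
            rules.append(HbaRule(f[0], f[1], f[2], None, f[3]))
        else:
            rules.append(HbaRule(f[0], f[1], f[2], f[3], f[4]))
    return rules


def find_cleartext_rules(rules: list) -> list:
    """Flag rules that admit a plain-TCP client or require no credential.

    'host' matches TLS and plain connections alike; 'hostnossl' matches only
    plain ones. Either is a finding unless the method is 'reject'.
    """
    findings = []
    for r in rules:
        if r.method == "reject":
            continue
        where = f"{r.conn_type} {r.database} {r.user} {r.address or '(socket)'}"
        if r.conn_type in ("host", "hostnossl"):
            findings.append(f"{where}: accepts unencrypted TCP connections")
        if r.method == "trust":
            findings.append(f"{where}: 'trust' authenticates nobody")
    return findings


# Constructed samples: a permissive file, then the corrected one.
WEAK_HBA = """
local     all   all                 trust
host      all   all   0.0.0.0/0     md5
"""
HARDENED_HBA = """
local     all   all                 peer
hostssl   all   all   10.0.0.0/8    scram-sha-256   clientcert=verify-ca
hostnossl all   all   0.0.0.0/0     reject          # refuse cleartext outright
"""
```

Running `find_cleartext_rules(parse_pg_hba(WEAK_HBA))` reports both the `trust` socket rule and the `host` rule, while the hardened file yields no findings.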

To read about the other seven most common vulnerabilities in enterprise databases -- and what you can do about them -- download the free report.

Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ...

Comments
rossw7 (User Rank: Apprentice), 6/24/2013 | 1:14:47 PM
re: 10 Most Common Security Vulnerabilities In Enterprise Databases
Good Morning. The Download link is not working.

Thanks,