Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/23/2013
09:04 AM
Adrian Lane
Adrian Lane
Quick Hits
50%
50%

10 Most Common Security Vulnerabilities In Enterprise Databases

Databases are among the most vulnerable systems in the enterprise. Here's where they are weak -- and what you can do about it

[The following is excerpted from "10 Most Common Security Vulnerabilities in Enterprise Databases," a new report published this week on Dark Reading's Database Security Tech Center.]

Databases contain the largest -- and most sensitive -- store of enterprise data, making them a prime target for attackers. But it's often the enterprise's internal staff -- database developers, administrators, and even users -- who create the vulnerabilities that attackers exploit to compromise that data.

In this report, we look at how and why database vulnerabilities are created -- whether it's during the creation of a new database, during customization of an off-the-shelf application, or in the process of patching or updating the data. We examine the most common causes of database security vulnerabilities and recommend ways to prevent them.

Here are some of most common areas of database security weaknesses, based on the issues we've seen in customer environments we've evaluated during the last decade.

1. Deployment Fail
The most common cause of database vulnerabilities is the lack of care with which they are deployed. Sure, databases are often functionally tested to make sure they provide core functions for calling applications. In fact, the majority of predeployment tests are designed to verify that a database is doing what it should do; very few are checking to ensure that it isn't doing something it should not do.

Every database should pass a long checklist of tests prior to deployment. That list covers just about every facet of the database, but most map directly to common exploit vectors leveraged by attackers. Every relational database platform (including Oracle, DB2, SQL Server, Sybase, Postgres, and MySQL) is insecure after a fresh installation,and it will remain that way until you fix it.

2. Broken Databases
The Slammer worm put the issue of vulnerabilities at the forefront of DBAs' consciousness in 2003, when it took down thousands of databases in a matter of minutes. This worm exploited a buffer-overflow vulnerability and allowed for an attacker to crash, or gain control over, any database it discovered.

Slammer was the first of many such vulnerabilities, and it was the catalyst that pushed vendors to start offering regular security patches. Vulnerabilities like command injection and buffer overflows don't make headlines like they used to; fewer issues are found, and vendors are fairly responsive with patches when they are.

But this doesn't mean that new exploits have gone away. Quite the contrary. New exploits are found regularly, and we see critical security patches released several times a year. However, unbelievably, many companies don't install security patches, leaving their database systems vulnerable to attack and often subject to complete compromise. The reasons firms don't patch vary, but what we usually hear is that they lack time and resources to test patches prior to deployment, and thereby verify function and stability.

It's true that it takes time to test patches, but most patches are released on a regular schedule -- often every three months. A partial regression test to verify functions simply doesn't take that long. What's more, test tools are designed to automate testing processes like this for you, thus ensuring that you don't destabilize your applications.

Our recommendation here is simple and non-negotiable if you want to keep your database systems secure: Patch your databases.

3. Leaked Data
Some DBAs forget about network security. The common mindset is that the databases are in the "back office," a network secured from the Internet, so data communications to and from databases don't have to be encrypted. What these IT pros are forgetting -- or ignoring -- is the networking interface of their database. But make no mistake: It's trivial for an attacker to capture network traffic and parse interesting data from multiple user connections to the database -- in essence, seeing all data moving in and out.

In all cases, you should enable Transport Layer Security. Secure Sockets Layer has minimal impact on network performance and makes it very difficult for someone to collect data from the wire. Most relational platforms provide SSL- or TLS-encrypted communications as part of the basic database package, enabled through a simple configuration setting change.

For platforms that don't include encrypted network communications features, you will have to add a third-party option. Many good TLS options are available from the open source community.

To read about the other seven most common vulnerabilities in enterprise databases -- and what you can do about them -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
a6kqcv
50%
50%
a6kqcv,
User Rank: Apprentice
2/13/2015 | 11:42:33 AM
Pending Review
This comment is waiting for review by our moderators.
rossw7
50%
50%
rossw7,
User Rank: Apprentice
6/24/2013 | 1:14:47 PM
re: 10 Most Common Security Vulnerabilities In Enterprise Databases
Good Morning. The Download link is not working.

Thanks,
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4662
PUBLISHED: 2020-08-14
IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233.
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...