Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:04 AM
Adrian Lane
Adrian Lane
Quick Hits

10 Most Common Security Vulnerabilities In Enterprise Databases

Databases are among the most vulnerable systems in the enterprise. Here's where they are weak -- and what you can do about it

[The following is excerpted from "10 Most Common Security Vulnerabilities in Enterprise Databases," a new report published this week on Dark Reading's Database Security Tech Center.]

Databases contain the largest -- and most sensitive -- store of enterprise data, making them a prime target for attackers. But it's often the enterprise's internal staff -- database developers, administrators, and even users -- who create the vulnerabilities that attackers exploit to compromise that data.

In this report, we look at how and why database vulnerabilities are created -- whether it's during the creation of a new database, during customization of an off-the-shelf application, or in the process of patching or updating the data. We examine the most common causes of database security vulnerabilities and recommend ways to prevent them.

Here are some of most common areas of database security weaknesses, based on the issues we've seen in customer environments we've evaluated during the last decade.

1. Deployment Fail
The most common cause of database vulnerabilities is the lack of care with which they are deployed. Sure, databases are often functionally tested to make sure they provide core functions for calling applications. In fact, the majority of predeployment tests are designed to verify that a database is doing what it should do; very few are checking to ensure that it isn't doing something it should not do.

Every database should pass a long checklist of tests prior to deployment. That list covers just about every facet of the database, but most map directly to common exploit vectors leveraged by attackers. Every relational database platform (including Oracle, DB2, SQL Server, Sybase, Postgres, and MySQL) is insecure after a fresh installation,and it will remain that way until you fix it.

2. Broken Databases
The Slammer worm put the issue of vulnerabilities at the forefront of DBAs' consciousness in 2003, when it took down thousands of databases in a matter of minutes. This worm exploited a buffer-overflow vulnerability and allowed for an attacker to crash, or gain control over, any database it discovered.

Slammer was the first of many such vulnerabilities, and it was the catalyst that pushed vendors to start offering regular security patches. Vulnerabilities like command injection and buffer overflows don't make headlines like they used to; fewer issues are found, and vendors are fairly responsive with patches when they are.

But this doesn't mean that new exploits have gone away. Quite the contrary. New exploits are found regularly, and we see critical security patches released several times a year. However, unbelievably, many companies don't install security patches, leaving their database systems vulnerable to attack and often subject to complete compromise. The reasons firms don't patch vary, but what we usually hear is that they lack time and resources to test patches prior to deployment, and thereby verify function and stability.

It's true that it takes time to test patches, but most patches are released on a regular schedule -- often every three months. A partial regression test to verify functions simply doesn't take that long. What's more, test tools are designed to automate testing processes like this for you, thus ensuring that you don't destabilize your applications.

Our recommendation here is simple and non-negotiable if you want to keep your database systems secure: Patch your databases.

3. Leaked Data
Some DBAs forget about network security. The common mindset is that the databases are in the "back office," a network secured from the Internet, so data communications to and from databases don't have to be encrypted. What these IT pros are forgetting -- or ignoring -- is the networking interface of their database. But make no mistake: It's trivial for an attacker to capture network traffic and parse interesting data from multiple user connections to the database -- in essence, seeing all data moving in and out.

In all cases, you should enable Transport Layer Security. Secure Sockets Layer has minimal impact on network performance and makes it very difficult for someone to collect data from the wire. Most relational platforms provide SSL- or TLS-encrypted communications as part of the basic database package, enabled through a simple configuration setting change.

For platforms that don't include encrypted network communications features, you will have to add a third-party option. Many good TLS options are available from the open source community.

To read about the other seven most common vulnerabilities in enterprise databases -- and what you can do about them -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/13/2015 | 11:42:33 AM
Pending Review
This comment is waiting for review by our moderators.
User Rank: Apprentice
6/24/2013 | 1:14:47 PM
re: 10 Most Common Security Vulnerabilities In Enterprise Databases
Good Morning. The Download link is not working.

Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-12-03
A flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker.
PUBLISHED: 2020-12-03
Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.
PUBLISHED: 2020-12-03
A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project.
PUBLISHED: 2020-12-03
Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks.
PUBLISHED: 2020-12-03
Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.