
Perimeter

4/4/2012
12:41 PM
Adrian Lane
Commentary

Database Security On The Cheap

A look at some free tools to help tackle database security

Every month I speak with a Fortune 500 firm about database security challenges. I love these conversations because simultaneously dealing with multiple security, regulatory, and performance requirements across multiple user groups is challenging to impossible.

But that's a very small part of the database security world, and every week I talk with someone about how to meet basic security requirements when there is no time and no money. The big shops have huge challenges, but they have personnel and budget. For small IT shops, resources are always scarce. Most DBAs wear three (or more) hats: administrator, architect, security expert. There's always too much to do, and it's the perfect environment where tools and automation help DBAs get their job done.

The problem is small companies also lack the budget to buy many of the expensive commercial tools to automate operations, assessments, monitoring, and auditing. Worse, there is not a lot of open-source development for database security tools.

So I thought it would be appropriate to mention some of the free resources that are available to help you get your job done. And what's cool is that, besides being free, some of these tools provide capabilities that are not otherwise available.

A few weeks ago, I mentioned the v3rity tool for Oracle database forensics. It helps you construct an audit trail from the Oracle database. Yes, you can do that with Oracle natively, but this tool is a bit different in that you get multiple data sources for a more complete view, and it's a very forensics-focused perspective. Manually combing through audit logs or -- worse -- transaction logs is a nightmare. This is a handy tool for forensic analysis, answering the question, "What the heck just happened?"

McAfee recently announced a free plug-in for creating an audit trail for the MySQL database. If you use MySQL, you know that it has close to zero native auditing capability, a problem exacerbated by the plug-and-play storage engine model. Rather than gathering audit logs from the database engine, the plug-in monitors user activity. This is database activity monitoring on a platform that is underserved by the database security vendors. There are lots of small shops using MySQL as their core production database servers, and this is a handy way to monitor database activity regardless of deployment model (in house, virtual server, cloud). And you can set policies to alert on specific events.

GreenSQL provides a free monitoring solution for MySQL, Postgres, and MS SQL Server. The product deploys in-line as a proxy server, so you need to route traffic through the software before it hits the database. It can both monitor user activity as well as block SQL requests deemed malicious.

I ran across a free SQL Injection Tool last week as well.

If you're a DBA, then you know that if the database gets hacked, you will get the blame -- despite the fact that the application developers failed to scrub input variables or to use stored procedures, or that the platform providers miss vulnerabilities all the time. I do recommend using these tools prior to production database and application deployment to detect application vulnerabilities. Free tools like these are what many of the hackers leverage, so you might as well test with them before an unreliable third party does.

Nessus offers a free version of its vulnerability scanning tool. It examines configuration settings and patch levels (though it omits the audit file capability), which is faster than logging into a bunch of machines and manually checking configuration and patch settings. Technically, the free version is only for home, noncommercial use, so you're not supposed to use it at work. It is limited to 16 IPs, but I don't know many people who run 16 systems at home, so you do the math. Some construe this to mean "no free version," but as I usually mimic my home and test configurations from my production databases, scan results were consistent.

For many years, Imperva has offered Scuba, a free database vulnerability assessment tool. It's cross-platform and examines patch levels, configuration settings, and administrative account settings. It even has reporting capabilities so you can integrate the results with other services.

If you're willing to put a little more time into script development, then I've always found the local user groups a great source of ideas and sample scripts for database security. Some of the best user rights discovery and management scripts I've ever used came from regional Oracle database user groups. I've attended events over the years for Postgres, MS SQL Server, and DB2, and always came away with a new script for security. Finally, with a little patience and a search engine, there are lots of published scripts that help with sensitive data discovery.
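As an added example of the kind of user rights discovery and sensitive data discovery script just described (written for this page, not the article's or any user group's code), here is a MySQL review script; it assumes administrator access to the mysql system schema, and 'appuser' is a placeholder account name.

```sql
-- Added example, not from the article: MySQL user-rights and sensitive-data
-- discovery checks. Run with an administrative account. Column names in
-- mysql.user differ across versions (see note on authentication_string).

-- 1. Accounts reachable from any host: a '%' wildcard in Host widens exposure.
SELECT User, Host
FROM mysql.user
WHERE Host LIKE '%\%%';

-- 2. Anonymous accounts (empty user name) left by older default installs.
SELECT User, Host
FROM mysql.user
WHERE User = '';

-- 3. Accounts holding global privileges that amount to server control
--    (SUPER, FILE, PROCESS, GRANT OPTION), excluding the built-in root.
SELECT User, Host, Super_priv, File_priv, Process_priv, Grant_priv
FROM mysql.user
WHERE (Super_priv = 'Y' OR File_priv = 'Y'
       OR Process_priv = 'Y' OR Grant_priv = 'Y')
  AND User <> 'root';

-- 4. Accounts with no credential set. authentication_string is the 5.7/8.0
--    column; on 5.6 and earlier use the Password column instead.
SELECT User, Host
FROM mysql.user
WHERE authentication_string = '' OR authentication_string IS NULL;

-- 5. Full grant listing for one account to review by hand
--    ('appuser'@'%' is a placeholder; substitute each account from step 3).
SHOW GRANTS FOR 'appuser'@'%';

-- 6. Sensitive data discovery: user-schema columns whose names suggest
--    regulated data. REGEXP is case-insensitive for non-binary strings.
SELECT table_schema, table_name, column_name, data_type
FROM information_schema.columns
WHERE table_schema NOT IN ('mysql', 'information_schema',
                           'performance_schema', 'sys')
  AND column_name REGEXP 'ssn|social|card|cvv|passw|secret|salary|birth|dob'
ORDER BY table_schema, table_name;
```

Each query is read-only; the results are a starting list for tightening grants with REVOKE or DROP USER, not a substitute for reviewing application needs first.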

One final note on the tools, since we are referencing commercial vendors that offer free versions or trials: the products usually provide limited functionality or a limited number of supported databases. These products are not "enterprise" quality despite marketing efforts to the contrary, but the enterprise audience is not the focus here.

And a further downside is possible phone solicitation from sales teams congratulating you on a successful download and inquiring as to when you will upgrade to the commercial version of the product. That said, it's a small price to pay for helpful security automation tools. I'm sure I've missed a few others out there, so feel free to list some that you use in the comments section below.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading.

Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ...
