Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/30/2010
10:22 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

The Essentials Of Database Assessment

The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.

The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.New vulnerabilities require new patches, database configuration change over time, and new users come and go. So while these tasks are essential to database security, they are also annoying and repetitive. Collecting user authorization settings from a number of databases and putting them into a meaningful report can be hard enough: pouring through the information can make make you want to change professions.

The same can be said for looking at configuration settings over and over, or resetting privileged accounts back to a secure baseline. But this is what database assessment is all about: ensuring the basic security measures are in place and effective. And it's the automation of these tasks that makes database assessment tools so useful. This post focuses on the operational tasks -- my next post will cover what you need to look for in assessment tools that support these functions.

It's the database privileges, misconfigurations, and vulnerabilities that are most commonly exploited by attackers. The three main defenses to verify database security are: assessing configuration, assessing user configuration, and patching the database.

* User Permissions and Roles: This includes default passwords, public roles of database features, databases owned by local administrator account, normal users with any administrative add/modify functions. Smaller firms may tolerate a DBA that has all privileges, but mid-sized to large firms do not. And just because you got these setting right last quarter does not mean that they stayed that way. Finally, you want to review both permissions assigned to each user, as well as user participation in each group. * Database Configuration: Every database platform is different, and every one will have specific options that require unique attention. But there are a handful of common settings that you need to pay careful attention to, such as any external code access, network SSL/TLS setup, and keeping functions or modules installed that you don't use. Review the database vendor best practices, because there are usually some handy tips there.

* Database Patching: Security issues are so common that your vendor will likely produces a security patch once a quarter. Sign up to get patch notifications so that you get pre-announcements and release details when the patches are ready. You should get into a routine to determine if the patch is relevant to you, and if so, have a test environment so you can quickly verify that the patch or workaround does not kill some critical application or function. Most zero-day attacks, such as SQL injection and buffer overflows, don't have specific workarounds so you need to patch quickly. Task injection and authentication escalation may have temporary workarounds, so look for those.

This is really the bare minimum you need to look at -- I am not getting into advanced settings, blocking, or automated patching. But you need to get the basics right. In my next post I'll talk about tools.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...
CVE-2019-18889
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.