
8/30/2010
10:22 PM
Adrian Lane
Commentary

The Essentials Of Database Assessment

The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.

New vulnerabilities require new patches, database configurations change over time, and new users come and go. So while these tasks are essential to database security, they are also annoying and repetitive. Collecting user authorization settings from a number of databases and putting them into a meaningful report can be hard enough; poring through the information can make you want to change professions.

The same can be said for looking at configuration settings over and over, or resetting privileged accounts back to a secure baseline. But this is what database assessment is all about: ensuring the basic security measures are in place and effective. And it's the automation of these tasks that makes database assessment tools so useful. This post focuses on the operational tasks -- my next post will cover what you need to look for in assessment tools that support these functions.

It's the database privileges, misconfigurations, and vulnerabilities that are most commonly exploited by attackers. The three main defenses to verify database security are: assessing configuration, assessing user configuration, and patching the database.

* User Permissions and Roles: This includes default passwords, public roles of database features, databases owned by a local administrator account, and normal users with any administrative add/modify functions. Smaller firms may tolerate a DBA who has all privileges, but mid-sized to large firms do not. And just because you got these settings right last quarter does not mean that they stayed that way. Finally, you want to review both the permissions assigned to each user and user participation in each group.

* Database Configuration: Every database platform is different, and every one will have specific options that require unique attention. But there are a handful of common settings that you need to pay careful attention to, such as any external code access, network SSL/TLS setup, and keeping functions or modules installed that you don't use. Review the database vendor best practices, because there are usually some handy tips there.

* Database Patching: Security issues are so common that your vendor will likely produce a security patch once a quarter. Sign up to get patch notifications so that you get pre-announcements and release details when the patches are ready. You should get into a routine to determine if the patch is relevant to you, and if so, have a test environment so you can quickly verify that the patch or workaround does not kill some critical application or function. Most zero-day attacks, such as SQL injection and buffer overflows, don't have specific workarounds, so you need to patch quickly. Task injection and authentication escalation may have temporary workarounds, so look for those.
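The recurring permissions review from the first bullet, as an added example that is not part of the original article: it compares today's grants and role memberships with last quarter's approved baseline, lists what PUBLIC can do, and resolves nested roles to find non-DBA users who hold administrative privileges. The snapshot format, the privilege labels and every account, role and package name are constructed assumptions; collecting the snapshot from a given platform's catalog is left out.

```python
# Added example with constructed data; privilege and role names are illustrative.
ADMIN_PRIVS = {"CREATE USER", "ALTER USER", "ALTER SYSTEM", "GRANT ANY PRIVILEGE"}

def effective_privileges(account, grants, members):
    """Direct grants plus everything inherited through (possibly nested) roles."""
    seen, privs = set(), set()
    stack = [account, "PUBLIC"]  # every account also holds what PUBLIC holds
    while stack:
        name = stack.pop()
        if name in seen:
            continue  # tolerate circular role membership
        seen.add(name)
        privs |= {p for g, p in grants if g == name}
        stack.extend(r for m, r in members if m == name)
    return privs

def review(baseline, current, users, dbas):
    """Return (kind, principal, detail) findings for one database snapshot."""
    findings = []
    for grantee, priv in sorted(current["grants"] - baseline["grants"]):
        findings.append(("drift", grantee, f"new grant: {priv}"))
    for member, role in sorted(current["members"] - baseline["members"]):
        findings.append(("drift", member, f"new membership: {role}"))
    for grantee, priv in sorted(current["grants"]):
        if grantee == "PUBLIC":
            findings.append(("public", grantee, f"PUBLIC can: {priv}"))
    for user in sorted(users - dbas):
        held = effective_privileges(user, current["grants"], current["members"])
        for priv in sorted(held & ADMIN_PRIVS):
            findings.append(("admin", user, f"non-DBA holds: {priv}"))
    return findings

# Constructed snapshots: last quarter's approved state and today's state.
BASELINE = {
    "grants": {("dba_role", "ALTER SYSTEM"), ("dba_role", "CREATE USER"),
               ("app_role", "SELECT orders"), ("report_role", "SELECT orders")},
    "members": {("alice", "dba_role"), ("svc_app", "app_role"), ("bob", "report_role")},
}
CURRENT = {
    "grants": BASELINE["grants"] | {("PUBLIC", "EXECUTE file_io_pkg")},
    "members": BASELINE["members"] | {("report_role", "dba_role")},
}
USERS, DBAS = {"alice", "bob", "svc_app"}, {"alice"}

if __name__ == "__main__":
    for finding in review(BASELINE, CURRENT, USERS, DBAS):
        print(*finding, sep=" | ")
```

In the constructed data, nobody granted bob anything directly: nesting report_role inside dba_role is what hands him ALTER SYSTEM and CREATE USER, which is why the review has to cover group participation as well as per-user grants.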

This is really the bare minimum you need to look at -- I am not getting into advanced settings, blocking, or automated patching. But you need to get the basics right. In my next post I'll talk about tools.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ...
