Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/30/2010
10:22 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

The Essentials Of Database Assessment

The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.

The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.New vulnerabilities require new patches, database configuration change over time, and new users come and go. So while these tasks are essential to database security, they are also annoying and repetitive. Collecting user authorization settings from a number of databases and putting them into a meaningful report can be hard enough: pouring through the information can make make you want to change professions.

The same can be said for looking at configuration settings over and over, or resetting privileged accounts back to a secure baseline. But this is what database assessment is all about: ensuring the basic security measures are in place and effective. And it's the automation of these tasks that makes database assessment tools so useful. This post focuses on the operational tasks -- my next post will cover what you need to look for in assessment tools that support these functions.

It's the database privileges, misconfigurations, and vulnerabilities that are most commonly exploited by attackers. The three main defenses to verify database security are: assessing configuration, assessing user configuration, and patching the database.

* User Permissions and Roles: This includes default passwords, public roles of database features, databases owned by local administrator account, normal users with any administrative add/modify functions. Smaller firms may tolerate a DBA that has all privileges, but mid-sized to large firms do not. And just because you got these setting right last quarter does not mean that they stayed that way. Finally, you want to review both permissions assigned to each user, as well as user participation in each group. * Database Configuration: Every database platform is different, and every one will have specific options that require unique attention. But there are a handful of common settings that you need to pay careful attention to, such as any external code access, network SSL/TLS setup, and keeping functions or modules installed that you don't use. Review the database vendor best practices, because there are usually some handy tips there.

* Database Patching: Security issues are so common that your vendor will likely produces a security patch once a quarter. Sign up to get patch notifications so that you get pre-announcements and release details when the patches are ready. You should get into a routine to determine if the patch is relevant to you, and if so, have a test environment so you can quickly verify that the patch or workaround does not kill some critical application or function. Most zero-day attacks, such as SQL injection and buffer overflows, don't have specific workarounds so you need to patch quickly. Task injection and authentication escalation may have temporary workarounds, so look for those.

This is really the bare minimum you need to look at -- I am not getting into advanced settings, blocking, or automated patching. But you need to get the basics right. In my next post I'll talk about tools.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...