I recently attended the MIS Training Institute’s Infosec Conference held in Orlando, Florida and sat in on a presentation by Josh Shaul, Chief Technology Officer with Application Security Inc. The topic of the presentation was the top 10 most common database vulnerabilities and misconfigurations. I felt that the information was not only relevant to providing assurance of database systems security when auditing, but also provided a glimpse of some of the most common and sophisticated attack methods used to invade enterprise databases, and I wanted to pass along a few of the more important points.
The first topic brought up for discussion was the use of default and weak passwords. What seemed like a no-brainer to me (who in the world would secure their systems admin or super user account password from the default?) included some additional insight for systems administrators. Database administrator account passwords should always be modified from the default “out of the box” account (i.e., User: SA, Password: null). Keeping the default is never appropriate and poses a huge risk. Keep in mind that not only do database management systems have their own default accounts, applications install them as well. The use of weak passwords was also discussed. Names, places, dictionary words make for weak passwords. Rainbow tables make any password under 7 or 8 characters long vulnerable. Database login activity is seldom monitored, so in many cases, attackers can potentially guess at passwords for long periods of time without any notice. Simply Google search “MS SQL password cracker” for an idea of the password cracker applications available out there (quite an eye opener)!
IT security professionals must also be aware of the threat posed by SQL injection in the database management system (DBMS). SQL Injections exploit database vulnerabilities by passing SQL commands as a parameter of a function or stored procedure, executing malicious SQL commands in the context of the component that provides the called function, and allowing specific functions in the DBMS to become vulnerable to SQL injection. Commonly, the SQL injection results in privilege escalation within the database, providing the attacker with unfettered access to all data within the database. Since the vulnerabilities for this type of attack are in the DBMS itself, vendor supplied patches need to be applied to remediate. In many cases, it takes 6 months or more to patch the database, providing attackers with plenty of time to exploit this type of vulnerability.
Excessive user and group privileges can also wreak havoc on the DBMS. Users can gain unauthorized access by way of a role that is granted by a different role that is granted by another role, and so on and so forth. This excessive cycle of user access makes the theory of least privilege difficult in practice. It’s also important to restrict the use of unnecessarily enabled features within the DBMS. The main theory of defense here is to always minimize the attack surface of the database. When the surface is not minimized it only allows attackers to have more to use against you.
While I have only touched on a few of the more popular database attacks, Mr. Shaul provided an outlook from the perspective of the would be attacker that made me realize one very important truth. No organization is immune to complex malicious attacks. And ultimately, 99% of the time the purpose of those attacks is to gain unauthorized access to the raw data housed within the database system. While most organizations view their information security framework from the outside in, focusing on securing their systems at the edge (robust firewall rulesets, etc.), it is imperative to also focus security efforts around the database as well.