Are Your Databases Secure? Think Again.
Targeting enterprise databases is a common attack tactic, yet many companies neglect database security.
The rapid growth of unstructured data gets a lot of attention. Yet structured data is experiencing its own huge expansion. This increase in structured data is opening security doors that aren’t receiving enough attention in many organisations.
Database security often gets overlooked yet databases are increasingly being targeted by attackers.
Organisations pump millions into security systems yet leave their databases largely uninspected. A recent survey found that organisations allocate the bulk of their budget (40 percent) to network security and only 19 percent to database security.
The dominant philosophy has been to create an impenetrable perimeter security defence using such things as firewalls and intrusion detection systems (IDS). If you believe that nothing can get through your perimeter it probably seems like a waste of money, time, and effort to invest in database security.
That mindset is changing, though, as more people realise that a perimeter-only security strategy has failed. Attackers can circumvent perimeter security devices relatively easily and prey on gullible personnel to let them inside.
The top database vulnerability by far is SQL injection. For eight years running it has appeared at the top of a list of leading security threats.
Such attacks occur when untrusted data is sent as part of a command or query, tricking the system into executing unintended commands or accessing data without proper authorisation. For instance, a web form field that expects a plain-text answer (a name or an address) can instead be fed specially crafted input; if the application splices that input into a database query, the database executes the attacker's fragment rather than simply storing the information.
10 Tips to Defend Against SQL Injection
Mounting a viable defence against SQL injection requires a comprehensive defence-in-depth strategy.
This encompasses many facets:
1. Deploy continuous monitoring. Continuously monitor and analyse all SQL statements generated by database-connected applications to identify vulnerabilities and rogue SQL statements.
2. Baseline database infrastructure. Create a map of all application-to-database connectivity. Unpatched and insecure applications may have been inadvertently connected to production databases, offering attackers an easy opportunity.
3. Enforce coding best practices. Don’t build dynamic SQL by concatenating external input; use parameterised SQL wherever external input must be handled.
4. Disable unnecessary database capabilities. A capability that is switched off cannot be abused by an attacker; pay particular attention to capabilities that escalate privileges and those that spawn command shells.
5. Enforce least privilege. Restrict application privileges to the minimum the application needs.
6. Apply patches. SQL injection vulnerabilities are regularly identified in commercial software, so patch as soon as possible.
7. Conduct penetration testing. Consider regular penetration testing of database-connected applications to identify vulnerabilities that may have crept in.
8. Deploy perimeter security. Firewalls and IDS are a first line of SQL injection defence. Keep signature files up to date.
9. Suppress error messages. Attackers can discover a great deal about your architecture and operational environment through error messages. Verbose error messages should be kept local. If external messages are necessary, keep them generic.
10. Enforce password policies. Enforce the use of strong passwords and regularly rotate the passwords of the application accounts that connect to the database.
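To make the injection mechanism described earlier and the monitoring, baselining and parameterised-SQL tips above concrete, here is an added Python example; it is not code from the original article. It assumes only the Python standard library (sqlite3 and re): the customers table, its two rows, the crafted input, the two lookup functions, the fingerprint() normaliser and the baseline set are all constructed for illustration.

```python
# Added example, not code from the original article: a vulnerable lookup beside
# its parameterised form, plus a simple statement monitor that compares each
# executed SQL statement against a baseline of known statement shapes.
# Everything here (table, data, crafted input, fingerprint rules) is constructed
# for illustration and uses only the Python standard library.
import re
import sqlite3


def make_db():
    """In-memory SQLite database with two constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn, log, name):
    """BAD: untrusted input is concatenated into the statement text, so the
    input can change the shape of the query, not just the value compared."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    log.append(sql)  # the monitor sees the statement exactly as executed
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, log, name):
    """GOOD: the statement shape is fixed; the driver binds the value
    separately, so the input is only ever compared as data."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    log.append(sql)
    return conn.execute(sql, (name,)).fetchall()


# Matches single-quoted string literals (with '' escapes) and numeric literals.
LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def fingerprint(sql):
    """Normalise a statement to its shape: literals become '?', whitespace is
    collapsed and case is folded, so legitimate statements that differ only in
    their bound values share one fingerprint."""
    return " ".join(LITERAL.sub("?", sql).split()).lower()


def audit(log, baseline):
    """Return every logged statement whose shape is not in the baseline.
    A concatenation-based injection changes the shape and therefore shows up
    here even though no signature for the specific payload exists."""
    return [sql for sql in log if fingerprint(sql) not in baseline]


def demo():
    conn = make_db()
    # Baseline: the shapes the application is known to issue (map every
    # application-to-database path and record what it is expected to run).
    baseline = {fingerprint("SELECT name, email FROM customers WHERE name = ?")}
    log = []

    # Constructed input of the kind the article describes: it closes the
    # string literal and appends a condition that is always true.
    crafted = "x' OR 'a'='a"

    vulnerable_rows = lookup_vulnerable(conn, log, crafted)  # returns every customer
    parameterised_rows = lookup_parameterised(conn, log, crafted)  # matches nobody
    normal_rows = lookup_vulnerable(conn, log, "alice")  # benign input, benign shape

    return {
        "vulnerable_rows": vulnerable_rows,
        "parameterised_rows": parameterised_rows,
        "normal_rows": normal_rows,
        "flagged": audit(log, baseline),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script and compare the three result sets: the concatenated query returns both customers for the crafted input, the parameterised query returns none, and the monitor flags exactly one statement, the one whose shape no longer matches the baseline. The benign lookup through the vulnerable function is not flagged, which is the point of fingerprinting by shape rather than by value: the baseline stays small and stable while any input that alters the statement's structure stands out.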
Given the continued importance of the database, the issue will remain a critical one.
The amount of data collected and stored in databases continues to grow at exponential rates, and with it the need for better database security to protect from the inadvertent or unauthorised exposure of confidential or sensitive information.
Please contact me to discuss further:-
• Penetration Testing – identify and address vulnerabilities:-
1. Initial Scoping
2. Passive Information Gathering
3. Active Information Gathering
4. Assessment
5. White Box Testing/Black Box Testing
6. Reporting
7. Presentation
• External Vulnerability Scanning
• Internal Vulnerability Scanning
• Network Intrusion Detection – monitor network traffic, identify and analyse threats
• Log Management/File Integrity – simplify and accelerate network threat discovery
• Wireless Intrusion Detection – instant analysis of wireless LAN environments
• Web Application Scanning
• PCI DSS Services – payment card industry data security standard
• Web Application Assessments – safely test the security of web apps
• Network Security Review
• Firewall Rule Review – secure firewall configs to avoid security breaches
• Managed Intrusion Detection
cfox@invictait.com - 0787 969 5766/0207 193 9029