Category: Sybase

What Every Database Administrator Should Know About Security

[The following is excerpted from "What Every Database Administrator Should Know About Security," a new report posted this week on Dark Reading's Database Security Tech Center.] To say that there is friction between security professionals and database administrators (DBAs) is putting it mildly. Database administrators are both the caretakers of database platforms and the managers of data. Very seldom are they also security experts. In many enterprises, the DBA and the security team find themselves at odds because the DBA is…


Sybase – Disclosed But Unpatched Vulnerabilities (Team Shatter Exclusive)

Posted October 25, 2012 by Josh Shaul in Data Breach, Database Security, Sybase, Team Shatter Exclusive with 0 comments

Recently, Sybase released an urgent notice announcing patches for 12 vulnerabilities reported by TeamSHATTER. Here’s a link to the notice from Sybase: This notice from Sybase was the first public disclosure of these critical issues. Following our disclosure policy, to date TeamSHATTER has not shared exploit details with anyone except the vendor (SAP Sybase). TeamSHATTER downloaded, installed, and tested the patches released by Sybase. We found that of the 12 issues Sybase disclosed, only 2 were fixed properly; the…


How The Finance Vertical Helped Shape Database Security

Posted February 16, 2012 by Tim Whitman in Best Practices, Database Security, Finance and Banking, MySQL, Oracle, PCI, Sybase with 0 comments

Intrusion Detection Systems (IDS), Vulnerability Assessment and Logging platforms have been around for a long time, being some of the very first security tools available. However, it was the inability of these technologies to adequately address specific threats that spawned new twists on them. For example, IDS was ineffective at understanding SQL queries and common application processes, so database activity monitoring was created to fill the gap. Vulnerability assessments were fine at assessing operating system and device settings, but lack…


Native Auditing Support In Modern Relational Database Management Systems (Team Shatter Exclusive)

Traditionally, Relational Database Management Systems (RDBMS) ship with an auditing tool that allows database administrators to monitor the database from a security perspective. Information provided includes what events occur (logon/logoff), what database objects are being accessed, what data is queried, etc. The most common reason for using auditing is to determine when a database user executes some sort of SQL. The SQL statement is logged by the auditing subsystem in the form of a clear text log file, xml file,…


SQL Injections In Stored Procedures (Team Shatter Exclusive)

In this post I’ll discuss how SQL injection in stored procedures could be exploited in Microsoft SQL Server, Oracle, and Sybase ASE databases. SQL injection is an attack that allows an unprivileged user to execute SQL code with elevated privileges due to a bug in the input sanitization used in dynamic SQL execution. There are two types of SQL injection: A user having no access to the database may inject and execute SQL via some application. A user having access to…


Network Encryption in Modern Relational Database Management Systems (Team Shatter Exclusive)

In this post I’ll continue on the topic of data encryption (see my previous post on Encrypting Data At Rest). Network communications between the client and the database server should always be secured. Historically, relational database management system (RDBMS) network communication protocols are in clear text by default. This allows attackers sniffing on the wire to intercept sensitive data like logins/passwords, object names and even actual table data coming back from the database server to the client. That’s why it is important to secure network communications in addition to encrypting data at rest. Most modern RDBMS rely on PKI (public key infrastructure) to implement network encryption. SSL is the de facto standard protocol in Oracle, Microsoft SQL Server, and Sybase ASE for encrypting network communications. While SSL provides more capabilities than encryption (e.g. authentication), I will highlight only the encryption aspect. There are additional options for data encryption in transit: secure tunnels and IPSec, but I will focus on the encryption features provided in the database.


Encrypting Data at Rest (Team Shatter Exclusive)

Data should be encrypted at rest and in motion. As discussed in previous posts, encrypting data at rest and in motion is one of TeamSHATTER’s Top 10 Database Vulnerabilities and Misconfigurations. In this post, I’ll discuss encrypting data files rather than securing database communications. There are several different approaches to encrypting data: First, there is encryption in the application that feeds the database, where extra code is written to automatically encrypt data as it is selected, inserted or updated. Secondly, there are file…
