Top 10 Database Vulnerabilities and MisconfigurationsTeam Shatter Exclusive

TeamSHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) has researched the Top 10 Database Vulnerabilities in order to provide you with the most up-to-date vulnerabilities, risk and remediation information.

Each category has a post explaining the topic and providing you with best practices for remediating the following issues. Please leave us a comment if you have any questions about these vulnerabilities or run a search with the Threat Finder to learn more about your vulnerabilities.

  1. Default, Blank & Weak Username/Password
  2. SQL Injections in the DBMS
  3. Excessive User & Group Privilege
  4. Unnecessary Enabled Database Features
  5. Broken Configuration Management
  6. Buffer Overflows
  7. Privilege Escalation
  8. Denial of Service Attack DoS
  9. Unpatched Databases
  10. Unencrypted sensitive data – at rest and in motion



Comments

  1. posted on 06 July 2011

    Application owners are not willing to apply database patches unless it has been tested with their applications. This could take 6 months or even a year.

    What do we do in the mean time.

    Thank you.

    Adebayo

  2. Andrew C. Herlands, CISSP, Director of Security Strategy, Application Security, Inc.
    posted on 11 July 2011

    Adebayo,

    I agree with your assessment.

    For most organizations, applying a database patch can be a long and drawn-out process (if it ever happens at all). The reasons are as diverse as the companies affected:
    • Patches tend to break things, requiring a long and sometimes costly acceptance testing process.
    • Patching databases requires skilled DBAs, resources that are often scarce and already overburdened.
    • DBAs often don’t have a good understanding of the security implications that a patch will remediate.
    • Due to the high cost of re-writing and testing software to ensure it is compatible with the latest patches, application vendors will just not support more recent patch releases.

    As the RDBMS vendors list the exact vulnerabilities that each patch fixes, every unpatched database (and the data inside them) are now vulnerable to these published exploits, many of which are listed as high risk.

    In light of this reality, various compensating controls are available to address these issues, of which I’ll mention a few below:

    Vulnerability Assessment: Scan your databases with an automated assessment tool that has an updated knowledgebase of the latest patch and vulnerability information. This will give you a good idea of which databases contain known vulnerabilities, which ones are missing patches, and how to fix them if you can’t apply a patch.

    User Rights Review: Many of your database users have accumulated excessive privileges over time. Excessive privileges, in conjunction with known vulnerabilities, is one recipe for the Insider Threat.

    Database Activity Monitoring: One of the most effective compensating controls for unpatched vulnerabilities is real-time database activity monitoring (DAM). Real-time DAM, in conjunction with an up-to-date knowledgebase, provides many benefits, including real-time threat assessment and alerting, privileged user monitoring, and is a great way to prove your organization has effective controls around it’s sensitive data.

    Virtual Patching/Blocking: Some DAM solutions also offer the option to selectively block specific types of database user activity, at the database. This feature provides organizations with two attractive compensating controls; Block privileged users from performing unauthorized actions in the database (I.e. Accessing sensitive data); and blocking users that attempt to leverage a known (patched or unpatched) vulnerability.

    At the end of the day, keeping up with the latest patches will only address a small part of your overall database compliance and security issues. Databases contain an organizations most valuable information, and are constantly being probed for weaknesses by people who want your data. No single layer of security is impregnable and no amount of patching will ever completely fix all your vulnerabilities, which is why security experts encourage organizations to take a “defense-in-depth” security approach. Find and fix your vulnerabilities, eliminate excessive database privileges, alert/block unauthorized, malicious, or suspicious activity, monitor your authorized users, and regularly review analytic reports. You’ll soon be on your way to a process of continuous compliance, and will have added a solid set of security layers around your databases.

    Andrew C. Herlands, CISSP, Director of Security Strategy, Application Security, Inc.

  3. Mobile App Developer India
    posted on 21 November 2012

    When I reported on database management issues, DBAs told me they were well aware of the common security issues that can lead to a data breach. But, they often said the DBMSs containing sensitive data typically are surrounded by a number of different security systems, reducing the threat of an attack.

Leave a Reply

Name (required)

Mail (will not be published) (required)

Website

Please note: JavaScript is required to post comments.

Powered by