Database Journal
MS SQL Oracle DB2 Access MySQL PostgreSQL Sybase PHP SQL Etc SQL Scripts & Samples Links Database Forum

» Database Journal Home
» Database Articles
» Database Tutorials
MS SQL
Oracle
DB2
MS Access
MySQL
» RESOURCES
Database Tools
SQL Scripts & Samples
Links
» Database Forum
» Sitemap
Free Newsletters:
DatabaseDaily  
News Via RSS Feed


follow us on Twitter
Database Journal |DBA Support |SQLCourse |SQLCourse2
 

Featured Database Articles

Database News

Posted March 3, 2014

Trustwave Taking Aim at Database Security

By Sean Michael Kerner

Databases are among the most often attacked pieces of enterprise computing technology as they are the places where the information that attackers want tends to be kept. It's a situation that Josh Shaul, director of product management at Trustwave, is well aware of, which is why he spoke at length in a session at last week's RSA security conference on how to defend databases.

In an interview with eWEEK, Shaul noted that the classes of attacks used against databases are not new, though there are some new attack vectors that have emerged.

"We're still seeing SQL injection and cross-site scripting, as well as all sorts of URL manipulation types of attacks," Shaul said.

SQL injection has long been identified as a leading form of attack against databases. In a SQL injection attack, an invalid SQL statement is made, which enables an attacker to obtain data.

"The attack methods aren't changing, and that's not much of a surprise," Shaul said. "Why invent a new way of breaking into databases when the old ways still work really well?"

Shaul noted that while the old vulnerability classes still work, they don't work everywhere, and some of the major e-commerce platforms have taken steps to effectively mitigate the risk.

In terms of the specific attack vectors that modern database hackers employ, there has been a small shift in recent years. A SQL injection attack involves attackers abusing certain database function calls and procedures, according to Shaul. When software developers fix flaws in database procedures that are known to be at risk, attackers find new flaws in other procedures.

"It's still SQL injection, but the actual parameters that the attackers are injecting SQL into has changed over the years," he said. "The attack surface area is so large that we are still able to find new legacy classes of vulnerabilities in code."

Input validation is often cited by security professionals as being the key to limiting the risk of SQL injection attacks. That said, software code isn't always under an organization's control, according to Shaul.

"It [SQL injection] is embedded in some of the vendor products," he said. "Vendors are releasing software that is not properly secured."

Recommendations

To limit the risk of database insecurity, Shaul recommends that organizations conduct a risk assessment. That assessment should include an enumeration of what databases are running inside the organization and which databases include sensitive data.

"Organizations that I have worked with have always been surprised to find databases on their networks that they weren't tracking for whatever reason," he said. "You can't protect what you don't know about."

In terms of the actual databases, Shaul recommends making sure all the databases in use have been updated with the latest vendor patches and that there are strong passwords in place for users and administrators. He also recommends that organizations make sure that database security features are actually turned on.

"Security features have this funny way of working—if you turn them off, they don't do anything," Shaul said. "Most database security features are turned off by default, so folks have to turn them on to actually get value out of them."

Organizations should also look at access controls for the database and make sure that a policy of least privilege is in place. With a least privilege policy, only the minimum amount of access control is granted to users to perform required tasks.

There is also a need to secure the Web application layer, which is typically the infrastructure tier behind which a database is located. Shaul recommends the use of secure coding practices for Web applications as well as the use of a Web Application Firewall (WAF).

"Organizations should protect the front-end access to the database," Shaul said.

There is also a need for continuous database monitoring to constantly check access and to make sure no known exploits are occurring and that there is no obvious abuse of the database.

The last step that Shaul recommends is that all organizations have an incident response plan. "So if the monitoring of the database shows an attack in progress, the organization will know what to do to stop the attack," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.


Originally published on eWeek.

Database News Archives

Comment and Contribute

 


(Maximum characters: 1200). You have characters left.

 

 




Latest Forum Threads
Database News Forum
Topic By Replies Updated
Efficient SQL Server Indexing by Design lcole 0 April 30th, 12:38 PM
Mine Oracle Database, SQL Server and Other Databases with Monarch Data Pump Pro V10.5 lcole 0 April 30th, 12:37 PM
Oracle Database and Oracle Fusion Middleware for Private Social Network Application lcole 0 April 30th, 12:31 PM
Oracle Database Maintains a Stronghold in the DBMS Market lcole 0 April 30th, 12:30 PM


















Thanks for your registration, follow us on our social networks to keep up-to-date