All organizations use databases to some extent, whether to handle simple, low-volume data sets, such as a secretary’s address book, or large Big Data repositories for strategic information analysis.
The common denominator of all these databases is that they need to be protected from the many risks they face, the main ones being loss, alteration, and theft of information. Other risks, not as critical but also dangerous, include performance degradation and breach of confidentiality or privacy agreements.
The security mechanisms used to protect an organization’s networks can repel some attempted attacks on databases. Still, some risks are unique to database management systems (DBMSs) and require specific security measures, techniques, and tools.
Threats Affecting Databases
The following is a list of the most common threats affecting databases today that must be mitigated by hardening database servers and adding a few procedures to common security and auditing techniques.
Inadequate Permissions Management
More often than we would like to admit, database servers are installed in organizations with their default security settings, and these settings are never changed. This causes databases to be exposed to attackers who know the default permissions and know how to exploit them.
There is also the case of abuse of legitimate permissions: users who use their database privileges to make unauthorized use of it—for example, divulging confidential information.
The existence of inactive accounts also poses a security risk that is often overlooked since malicious individuals may know of the existence of these accounts and take advantage of them to access databases without authorization.
Database Injection Attacks
The main form of database injection attack is SQL injection, which targets relational database servers (RDBMSs) that use the SQL language. NoSQL databases, such as MongoDB, RavenDB, or Couchbase, are immune to SQL injection attacks but are susceptible to NoSQL injection attacks. NoSQL injection attacks are less common but equally dangerous.
Both SQL injection and NoSQL injection attacks operate by bypassing the data entry controls of web applications to get commands through to the database engine to expose its data and structures. In extreme cases, a successful injection attack can give the attacker unrestricted access to the heart of a database.
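The mechanism described above, as an added example that is not code from the original article: a login query built by string concatenation beside its parameterized form (against a constructed in-memory SQLite table), and a MongoDB-style JSON filter where an operator object is accepted in place of a string beside a version that type-checks the input. The `matches` function is a minimal stand-in for a document store's query evaluation, not a real driver.

```python
import sqlite3
import json

# Constructed sample data: an in-memory database standing in for an
# application's user table (not from any real system).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    # The user-supplied strings are concatenated straight into SQL, so
    # quote characters in the input change the meaning of the query.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, username, password):
    # Placeholders keep the input as data: the driver never lets it
    # become part of the SQL text, so a tautology in the input matches nothing.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

# NoSQL side: a MongoDB-style filter built directly from a JSON request body.
USERS = [{"username": "alice", "password": "s3cret"},
         {"username": "bob", "password": "hunter2"}]

def matches(doc, field, cond):
    # Stand-in evaluator: plain equality plus the $gt comparison operator.
    if isinstance(cond, dict) and "$gt" in cond:
        return doc[field] > cond["$gt"]
    return doc[field] == cond

def nosql_login_vulnerable(body):
    # The JSON object is passed through as the filter, so a client can send
    # an operator object ({"$gt": ""}) where a plain string was expected.
    req = json.loads(body)
    return [d["username"] for d in USERS
            if matches(d, "username", req["username"])
            and matches(d, "password", req["password"])]

def nosql_login_hardened(body):
    # Reject anything that is not a plain string before it reaches the query.
    req = json.loads(body)
    if not all(isinstance(req.get(k), str) for k in ("username", "password")):
        raise ValueError("credentials must be strings")
    return nosql_login_vulnerable(body)
```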
Exploitable Database Vulnerabilities
It is common for corporate IT departments not to patch their DBMS core software regularly. So, even if a vulnerability is discovered and the vendor releases a patch to eliminate it, it can take months before companies patch their systems. The result is that vulnerabilities are exposed for long periods, which can be exploited by cybercriminals.
The main reasons why DBMSs are not patched include difficulties in finding a window of time to bring the server down and perform maintenance; complex and time-consuming requirements for testing patches; vagueness as to who is responsible for maintaining the DBMS; excessive workload of system administrators, among others.
Existence of Hidden Database Servers
Non-compliance with an organization’s software installation policies (or the lack of such policies) leads users to install database servers at their own discretion to solve particular needs. The result is that servers appear on the organization’s network without the security administrators being aware of them. These servers expose the organization’s confidential data or carry vulnerabilities that attackers can exploit.
Although database servers are protected behind a layer of security, backups of these databases may be accessible to unprivileged users. In such a situation, there is a risk that unauthorized users may make copies of the backups and mount them on their own servers to extract the sensitive information they contain.
Techniques and Strategies to Protect Databases
To provide adequate protection for an organization’s databases, a defensive matrix of best practices is needed, combined with regular internal controls. The best practices matrix includes the following items:
- Manage user access rights and eliminate excessive privileges and inactive users.
- Train employees on risk mitigation techniques, including recognizing common cyber threats such as spear-phishing attacks, best practices around the Internet and email usage, and password management.
- Assess any database vulnerabilities, identify compromised endpoints and classify sensitive data.
- Monitor all database access activity and usage patterns in real time to detect data leaks, unauthorized SQL and Big Data transactions, and protocol/system attacks.
- Automate auditing with a database protection and auditing platform.
- Block malicious web requests.
- Archive external data, encrypt databases, and mask database fields to hide sensitive information.
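Added example (not code from the original article) of the monitoring and access-rights items above: a detector run over constructed audit lines in a hypothetical "timestamp user statement rows=N" format, flagging logins by accounts missing from the active inventory, statement types outside an account's granted privileges, bulk reads, and off-hours activity. The account policy, threshold and log format are assumptions, not any particular DBMS's audit output.

```python
import re
from datetime import datetime

# Constructed sample audit lines (hypothetical format, not a real DBMS log).
SAMPLE_LOG = """\
2024-03-04T09:12:01 app_svc SELECT name FROM customers WHERE id = 42 rows=1
2024-03-04T09:13:45 app_svc SELECT * FROM customers rows=250000
2024-03-04T02:30:10 old_intern SELECT card_no FROM payments rows=1200
2024-03-04T10:01:00 dba_admin ALTER TABLE payments ADD COLUMN note TEXT rows=0
2024-03-04T10:05:30 app_svc DROP TABLE audit_trail rows=0
"""

# Least-privilege policy (constructed): statement types each active account may run.
ACTIVE_ACCOUNTS = {
    "app_svc": {"SELECT", "INSERT", "UPDATE"},
    "dba_admin": {"SELECT", "INSERT", "UPDATE", "DELETE", "ALTER", "DROP", "CREATE"},
}
BULK_ROW_THRESHOLD = 10000  # assumed: rows per SELECT before it looks like a dump
BUSINESS_HOURS = range(7, 20)  # assumed: 07:00-19:59 is normal activity

LINE_RE = re.compile(r"^(\S+) (\S+) (.+?) rows=(\d+)$")

def analyze(log_text):
    """Return a list of (user, reason) findings for suspicious audit lines."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, user, stmt, rows = m.groups()
        verb = stmt.split()[0].upper()
        rows = int(rows)
        hour = datetime.fromisoformat(ts).hour
        allowed = ACTIVE_ACCOUNTS.get(user)
        if allowed is None:
            # Account is not in the active inventory: inactive or unknown login.
            findings.append((user, "inactive-account"))
        elif verb not in allowed:
            # Statement type outside the privileges granted to this account.
            findings.append((user, "privilege-violation:" + verb))
        if verb == "SELECT" and rows >= BULK_ROW_THRESHOLD:
            findings.append((user, "bulk-read"))
        if hour not in BUSINESS_HOURS:
            findings.append((user, "off-hours"))
    return findings
```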
Database Security Tools
The above techniques require a great deal of effort on the part of the organization’s IT department, and many times the IT staff cannot keep up with all of their tasks, so the tasks that need to be done to keep databases secure are left undone. Fortunately, a few tools make these tasks easier so that the dangers that threaten databases do not affect them.
Scuba Database Vulnerability Scanner
Scuba is a free, easy-to-use tool that provides visibility into hidden security risks in an organization’s databases. It offers more than 2,300 assessment tests for Oracle, Microsoft SQL, Sybase, IBM DB2, and MySQL databases, which detect all kinds of vulnerabilities and configuration errors.
With its clear and concise reports, Scuba reveals which databases are at risk and what risks are lurking in each of them. It also provides recommendations on how to mitigate the identified risks.
Scuba scans can be performed from any Windows, Mac, or Linux client. A typical scan with this tool takes between 2 and 3 minutes, depending on the size of the databases, the number of users and groups, and the speed of the network connection. There are no installation prerequisites other than having the operating system up to date.
Although Scuba is a free standalone tool, Imperva includes it in its range of specific products for data security, offering data protection and security in the cloud, data privacy, and user behavior analysis.
dbWatch Control Center
dbWatch is a complete database monitoring and management solution supporting Microsoft SQL Server, Oracle, PostgreSQL, Sybase, MySQL, and Azure SQL. It is designed to perform proactive monitoring and automate as much routine maintenance as possible in large-scale on-premises, hybrid, or cloud database environments.
dbWatch is highly customizable and covers the DBA workflow from monitoring to administration, analysis, and reporting. Users of the tool highlight its ability to easily discover servers, including virtual ones. This is an excellent advantage for IT asset management and tracking, facilitating cost determination and risk assessment.
While offering great functionality, dbWatch’s learning curve is steep, so expect that, after purchasing the tool, installation procedures and training will take some time before the tool is up and running at 100%. A free, limited-time evaluation version is available for download.
AppDetectivePRO
AppDetectivePRO is a database and Big Data scanner that can immediately discover configuration errors, identification/access control issues, missing patches, or any toxic combination of configurations that could cause data leakage, unauthorized modification of information, or denial of service (DoS) attacks.
Through its simple configuration and user-friendly interface, AppDetectivePRO can immediately discover, assess and report on the security, risks, and security posture of any database or Big Data repository within an organization’s infrastructure – whether on-premises or in the cloud – in a matter of minutes.
AppDetectivePRO can be used as an add-on to scanners for host or network operating systems and static or dynamic applications. Its range of options offers more than 50 out-of-the-box compliance and configuration policies without requiring the maintenance of SQL scripts for data collection.
DbDefence
DbDefence is a security tool for databases residing on Microsoft SQL Server. It is characterized by being easy to use, accessible and effective for encrypting complete databases and protecting their schemas, completely preventing access to databases, even for users with the highest privileges.
Encryption works server-side, allowing an authorized admin to encrypt and decrypt databases securely, without the need to change the applications that access them. The tool works with any SQL Server version after 2005.
DbDefence works at the SQL file and object level, which differentiates it from other SQL Server encryption software. It can tell which objects an access attempt targeted and whether that access was allowed or denied.
To include DbDefence as part of a solution, it is not necessary to purchase licenses for each client application. A single redistribution license is sufficient to install it on any number of clients.
OScanner
OScanner is an Oracle database analysis and evaluation tool developed in Java. It has a plugin-based architecture, which currently has plugins for the following functions:
- SID enumeration
- Password testing (common and dictionary)
- Oracle version enumeration
- Enumeration of user account roles, privileges, and hashes
- Enumeration of audit information
- Enumeration of password policies
- Enumeration of database links
The results are presented in a graphical Java tree. It also provides a succinct XML report format and a built-in XML viewer for viewing the report. Installing the tool only requires a Java Runtime Environment and the OScanner installation (zip) file.
OScanner operates similarly to Oracle Auditing Tool’s password guessing function (OAT opwg), using the accounts.default file to obtain the default username/password pairs. It differs from the Oracle tool in that it also attempts to guess accounts with the same username and password.
dbForge Security Manager
Security Manager is part of the dbForge Studio for MySQL suite, adding to it a powerful tool for managing security in MySQL databases. With extended functionality and a practical and friendly user interface, it aims to facilitate routine security administration tasks, such as managing MySQL user accounts and privileges.
The use of a Security Manager improves the productivity of IT personnel. It also provides other benefits, such as replacing complex command-line operations with simpler visual management of MySQL user accounts and their privileges. The tool also helps increase database security, thanks to simplified management procedures that minimize errors and reduce the time required from administration staff.
With the five tabs of the Security Manager window, you can create user accounts in just a few clicks, granting each one both global and object privileges. Once the accounts are created, you can review their settings at a glance to make sure you made no mistakes.
You can download a completely free version of dbForge Studio for MySQL, which offers basic functionality. Then there are the Standard, Professional, and Enterprise versions, with prices ranging up to about $400.
Final Words: Truly Secure Databases
It is common for organizations to believe that their data is secure only because they have backups and firewalls. But there are many other aspects of database security that fall beyond those security measures. While selecting a database server, the organization must consider the aspects listed above, all of which imply giving database servers the importance they have in the strategic management of an organization’s critical data.