Anatomy of a Database Security Assessment
Oct 22, 2014 / Posted By: Robert Buda
Data security is not a “set it and forget it” condition—it’s highly dynamic, changing as your environment evolves, new threats appear and new vulnerabilities are introduced. And as the recent rash of high-profile breaches of retail databases illustrates, securing your databases is at least as important as securing the rest of your infrastructure.
The end of the year is often a time when we get things organized and throw out what we don’t need. It’s also a great time to schedule a database security assessment and rid your organization of some data security vulnerabilities you definitely don’t need, like obsolete user and test accounts and inappropriate access privileges.
A database security assessment with Buda Consulting will identify and report on the full spectrum of vulnerabilities in your environment, including misconfiguration, non-applied security patches and “open door” passwords. It will also tell you exactly which vulnerabilities are most critical to mitigate.
We start with a discovery scan, which searches your entire network using automated tools and inventories all the database signatures it finds. This is the best way to locate “rogue” databases that users spin up on their own, which may contain confidential data and often don’t follow security policy.
Next we perform a password scan, which is a form of penetration test. We try to connect to all your databases by throwing easily guessed passwords (e.g., “user”, “123456”, the account name itself and the vendor’s documented defaults) at each account. Do you have standard system accounts on older databases that aren’t locked and still carry default passwords? This scan will find them. Note that repeated failed logins can lock out accounts on databases with lockout policies, so check those policies before a scan of this kind runs against production.
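The password scan described above guesses against the live server. The following is an added example, not code from the original post or from Buda Consulting, showing the offline counterpart: it checks a privileged export of MySQL’s mysql.user table (columns user, host, plugin, authentication_string, account_locked; the rows below are constructed for illustration) against a short guess list. The guess list and the severity labels are this example’s own assumptions. It relies on the fact that mysql_native_password stores `'*' + UPPER(HEX(SHA1(SHA1(password))))`, so guesses can be verified without a single login attempt, and therefore without tripping account lockout.

```python
"""Offline default-password check for MySQL accounts (added example)."""
import hashlib

# What a scanner throws first: vendor defaults and the usual suspects.
# The account's own username is added per account inside audit_accounts().
DEFAULT_GUESSES = ["root", "mysql", "admin", "user", "password",
                   "123456", "toor", "test"]


def mysql_native_hash(password: str) -> str:
    """Reproduce MySQL's PASSWORD() / mysql_native_password hash:
    '*' followed by upper-case hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed sample export of mysql.user; hashes are computed here, not copied
# from any real server. The caching_sha2 value is a placeholder, not a real hash.
SAMPLE_ACCOUNTS = [
    {"user": "root", "host": "localhost", "plugin": "mysql_native_password",
     "authentication_string": mysql_native_hash("123456"), "account_locked": "N"},
    {"user": "root", "host": "%", "plugin": "mysql_native_password",
     "authentication_string": mysql_native_hash("x7!Qp9#vL2mN"), "account_locked": "N"},
    {"user": "", "host": "localhost", "plugin": "mysql_native_password",
     "authentication_string": "", "account_locked": "N"},
    {"user": "legacy", "host": "localhost", "plugin": "mysql_native_password",
     "authentication_string": mysql_native_hash("legacy"), "account_locked": "N"},
    {"user": "test", "host": "localhost", "plugin": "mysql_native_password",
     "authentication_string": mysql_native_hash("test"), "account_locked": "Y"},
    {"user": "app", "host": "10.0.0.%", "plugin": "caching_sha2_password",
     "authentication_string": "$A$005$placeholder-not-a-real-hash", "account_locked": "N"},
]


def audit_accounts(rows, guesses=DEFAULT_GUESSES):
    """Return findings as (user@host, severity, detail) tuples."""
    findings = []
    for r in rows:
        who = f"{r['user']}@{r['host']}"
        # Locked accounts are still reported: unlocking them later re-exposes the weak secret.
        sev = "medium" if r["account_locked"] == "Y" else "critical"
        if r["user"] == "":
            findings.append((who, sev, "anonymous account"))
        if r["plugin"] == "mysql_native_password":
            # Per-account lookup so "password equals username" is covered too.
            lookup = {mysql_native_hash(g): g for g in list(guesses) + [r["user"]] if g}
            stored = r["authentication_string"]
            if stored == "":
                findings.append((who, sev, "empty password"))
            elif stored in lookup:
                findings.append((who, sev, f"default/guessable password '{lookup[stored]}'"))
        else:
            # Salted, iterated schemes need the live auth plugin; report, don't guess.
            findings.append((who, "info", f"{r['plugin']} hash not checked offline"))
        if r["host"] == "%" and r["user"] in ("root", "admin"):
            findings.append((who, "high", "privileged account reachable from any host"))
    return findings


if __name__ == "__main__":
    for who, sev, detail in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{sev:8} {who:20} {detail}")
```

Feeding it a real export needs SELECT on mysql.user, which is itself a privileged operation; the point of the offline variant is that it costs no failed logins and so cannot lock anyone out.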
It’s amazing how much sensitive enterprise data is just waiting to be exposed in this way. For example, we discovered awhile back that one of our clients was using the default username and password for a very privileged account. I warned them that this was a critical vulnerability, but they failed to fix it and shortly thereafter were hacked big-time. It took them several weeks and an embarrassing amount of money to restore their systems and data.
The third part of the assessment is a comprehensive vulnerability scan. Our automated toolset will quickly uncover missing patches, configuration problems, and problematic settings or practices that can leave you vulnerable to escalation of privilege attacks, Denial of Service (DoS) and other forms of cybercrime.
Perhaps the most important part of the assessment is what we do with the thousands of vulnerabilities that our tools will almost certainly generate. We sit down with your DBAs and boil that list down to the critical vulnerabilities in your environment, which you should address immediately. We also check off the problems for which you have mitigating controls already in place.
Along with the vulnerability scanning comes a “user rights review.” This is a check of user access that is authenticated at the database level (as opposed to the application level). It is a great way to root out “developer” or “test” accounts that are no longer needed but were never disabled, leaving a hole for attackers to burrow into your data stores. It also exposes violations of least privilege that otherwise get lost in the details. The review identifies which database accounts have access to sensitive data and how they received that access: was the privilege granted directly to that username, and by whom, or is it conferred through a role (possibly nested inside other roles) assigned to that user?
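The direct-versus-role question in the review above is a graph walk over the grant tables. The following is an added example, not code from the original post or from Buda Consulting. It assumes rows shaped like Oracle’s DBA_ROLE_PRIVS (grantee, granted_role) and DBA_TAB_PRIVS (grantee, owner, table_name, privilege, grantor); the post does not name a DBMS, so that choice and the sample rows, users and sensitive-table list are constructed for illustration. It goes a little beyond the post: nested roles, role cycles and grants to PUBLIC (which reach every account) are resolved, and each finding carries the full chain and the grantor.

```python
"""Resolve which accounts reach sensitive tables, and through which grants (added example)."""
from collections import defaultdict

# Constructed sample covering: a direct grant, a nested-role grant, a role cycle,
# a grant to PUBLIC, and a stale developer account that still reaches production data.
USERS = ["ALICE", "BOB", "DEV_TEST", "SVC_PAYROLL"]
ROLE_PRIVS = [  # (grantee, granted_role), as in DBA_ROLE_PRIVS
    ("ALICE", "HR_ANALYST"),
    ("HR_ANALYST", "HR_READ"),
    ("HR_READ", "HR_ANALYST"),      # cycle: must not loop forever
    ("DEV_TEST", "DEV_ALL"),
    ("SVC_PAYROLL", "HR_READ"),
]
TAB_PRIVS = [  # (grantee, owner, table_name, privilege, grantor), as in DBA_TAB_PRIVS
    ("HR_READ", "HR", "SALARIES", "SELECT", "HR"),
    ("BOB", "HR", "SALARIES", "SELECT", "SYS"),
    ("DEV_ALL", "BILLING", "CARDS", "SELECT", "BILLING"),
    ("DEV_ALL", "BILLING", "CARDS", "UPDATE", "BILLING"),
    ("PUBLIC", "HR", "SALARIES", "SELECT", "HR"),   # everyone inherits this one
    ("ALICE", "HR", "EMPLOYEES", "SELECT", "HR"),   # not on the sensitive list
]
SENSITIVE = {("HR", "SALARIES"), ("BILLING", "CARDS")}


def reachable_roles(user, role_privs):
    """Map each role the user can reach to the chain of grantees leading to it.
    PUBLIC is added for every user because grants to PUBLIC apply to all accounts.
    The 'seen' check on the paths dict makes role cycles terminate."""
    children = defaultdict(list)
    for grantee, role in role_privs:
        children[grantee].append(role)
    paths = {"PUBLIC": [user, "PUBLIC"]}
    stack = [(user, [user])]
    while stack:
        node, path = stack.pop()
        for role in children[node]:
            if role in paths:
                continue
            paths[role] = path + [role]
            stack.append((role, path + [role]))
    return paths


def sensitive_access(users, role_privs, tab_privs, sensitive):
    """Return sorted rows (user, owner.table, privilege, how, grantor) where
    `how` is 'direct' or the role chain 'USER->ROLE->...'."""
    findings = []
    for user in users:
        via = reachable_roles(user, role_privs)
        for grantee, owner, table, priv, grantor in tab_privs:
            if (owner, table) not in sensitive:
                continue
            if grantee == user:
                findings.append((user, f"{owner}.{table}", priv, "direct", grantor))
            elif grantee in via:
                findings.append((user, f"{owner}.{table}", priv,
                                 "->".join(via[grantee]), grantor))
    return sorted(findings)


if __name__ == "__main__":
    for user, obj, priv, how, grantor in sensitive_access(USERS, ROLE_PRIVS, TAB_PRIVS, SENSITIVE):
        print(f"{user:12} {priv:7} on {obj:16} via {how:35} granted by {grantor}")
```

On a real Oracle instance the same row shapes come from `SELECT grantee, granted_role FROM dba_role_privs` and `SELECT grantee, owner, table_name, privilege, grantor FROM dba_tab_privs`; other engines expose equivalent catalog views. The PUBLIC row in the sample is the case that most often surprises a review: a table everyone can read never shows up under any individual user’s direct grants.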
Since applications commonly authenticate users at the application level instead of the database level, it is important to perform similar user access rights reviews within the applications as well. This kind of review varies greatly depending on the way authentication is handled and how the access privilege information is stored in the database. We can work with you and your application vendor to develop a user rights review for your application.
In-house DBAs often don’t have the objectivity (or the time) necessary to perform a database security assessment. Plus it takes skill and experience to run the tools and whittle down the vulnerabilities to specify what must be fixed, what it would be nice to fix, and what can be addressed indirectly through mitigating controls. Otherwise you just have a bewildering list of vulnerabilities that, in and of itself, is of little value in improving your security posture.
Download Buda Consulting Database Security Assessment for a full description of our Security Assessment using Trustwave AppDetective Pro.