Industry View

Database Crime Scene Prevention

Imperva's Amichai Shulman looks at database attack and defense.

By Amichai Shulman, CTO, Imperva

Page 2

Moreover, almost all the capabilities required for database attacks are already present in typical office software such as Microsoft Excel. Other types of attacks (such as attacks on the database network protocol) can be carried out with nothing more than a simple text editor such as Notepad or WordPad, or a Telnet client. Finally, in many organizations users have remote access to the internal network from home computers on which no software installation restrictions exist.

2. Initial Access
Two elements are required for making initial contact with the database server. The attacker needs network access to the database server machine and a set of valid access credentials (i.e. a username and password). Network access to the database server is usually easy to obtain, considering the lax internal network security found in most enterprises. Even when some internal access restrictions exist within the network, many workstations are allowed to communicate with the database server because of the thick-client applications provided to users. These applications contain all the application logic on the client side and communicate directly with the database server rather than through an intermediary application server.

Some types of infrastructure attacks prey on database vendor-specific vulnerabilities that require no more than this network access in order to take down a server or execute arbitrary code. For most attacks, however, the attacker must supply a valid set of access credentials. These credentials can be obtained through various methods, assuming that the perpetrator was not given them legitimately. The following are some of the methods perpetrators use to obtain access credentials.

Brute Force and Exhaustive Search
This method involves guessing a large number of possible user/password combinations until one combination succeeds. While a naive exhaustive search is infeasible because of the size of the search space, in practice there are techniques that greatly reduce the number of guesses required to find a valid combination.

There are many techniques (usually related to minor vulnerabilities in the database server, for example login errors or response timing that differ between an unknown account and a wrong password) that allow an attacker to confirm valid account names and then search only for the corresponding passwords. Finding user accounts is easy when they are assigned in a systematic way within the organization, e.g. john.smith or JohnDoe.

There are numerous optimizations that can be applied to the "guessing" of passwords. These optimizations rely on what are known as "password rules," a compilation of social observations about the way people choose passwords. For instance, the account "John" is likely to have passwords such as JohnJohn, nhoJ (the name reversed), John1234 and so on. Across a large user base, password rules reduce the number of guesses necessary for an account/password match by many orders of magnitude.
