Industry View
Database Crime Scene Prevention
Imperva's Amichai Shulman looks at database attack and defense.
By Amichai Shulman, CTO, Imperva
Default Accounts and Passwords
Many database servers and applications deployed over them come bundled with default accounts configured with default passwords. Unless all of the defaults are changed by the administrator upon installation, these accounts provide an easy access point for uninvited guests. Also, poor installation and configuration may allow anonymous database access to users. Even if access privileges granted to anonymous users are minimal, this is a crack an attacker may use to gain access.
Thick-Client Applications
A thick-client application that is installed on a workstation communicates directly with the database server. In order for the application to communicate with the database server it must have a set of valid credentials. The credentials are either supplied by the end-user when running the software or more commonly embedded within the application code or in a local configuration file. In either case, an attacker with a text editor can easily get hold of this set of credentials.
Social Engineering
This term is used to describe a set of techniques, including e-mail messages and phone calls, where a would-be attacker tricks an individual into disclosing a personal set of credentials. Perpetrators employing social engineering techniques have been known to trick administrators into providing them with a freshly assigned set of credentials. (Editor's note - see Social Engineering: Eight Common Tactics.)
3. Privilege Abuse
A large number of database attacks are carried out using this step. When an attacker makes an initial connection to the database server, they are granted a set of access privileges. Depending on the nature of the credentials used, those privileges may already allow access to sensitive information or functionality. If the set of credentials was taken from a thick-client application, the perpetrator can bypass the access restrictions imposed by the application code, since the database's own access control mechanisms do not enforce them.
In practice, many of these controls exist only in the application and have no counterpart on the database server. One example is the lack of any restriction on the number of records that can be retrieved by a single database query. Another is the lack of limits on the criteria that can be used to select records.
Typical attack scenarios involve the use of tools within common office software, e.g. Microsoft Excel. These tools can retrieve large amounts of information from the database, store it locally on the workstation, and then export it to removable media.
Other crime scenes involve the use of native database client software to make unauthorized (or uncontrolled) changes to the information stored on the database.
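As an added illustration (not from the article or from Imperva), the privilege-abuse patterns above can be turned into simple checks over database audit records: logins with default accounts, application credentials used from a client other than the application itself (Excel or a native client), bulk retrieval beyond a row threshold, and data modification with no selection criteria. The event field names, thresholds, account lists and audit records below are assumptions constructed for the example.

```python
import re

# Constructed audit records, one per database statement (fields are assumptions;
# real audit formats differ between database products).
AUDIT_EVENTS = [
    {"user": "app_svc", "client": "OrderEntry.exe", "rows": 12,
     "sql": "SELECT * FROM orders WHERE id = 4411"},
    {"user": "app_svc", "client": "EXCEL.EXE", "rows": 250000,
     "sql": "SELECT * FROM customers"},
    {"user": "scott", "client": "sqlplus", "rows": 1,
     "sql": "SELECT count(*) FROM dual"},
    {"user": "app_svc", "client": "sqlplus", "rows": 0,
     "sql": "UPDATE salaries SET amount = amount * 2"},
]

# Policy assumptions: the application account should only ever be used by the
# application binary; bulk reads and unfiltered DML are worth a second look.
EXPECTED_CLIENTS = {"app_svc": {"OrderEntry.exe"}}
DEFAULT_ACCOUNTS = {"scott", "sa", "anonymous"}   # illustrative, not exhaustive
MAX_ROWS = 10000


def review_event(ev):
    """Return the list of findings raised by one audit event (empty if clean)."""
    findings = []
    if ev["user"].lower() in DEFAULT_ACCOUNTS:
        findings.append("default-account-login")
    allowed = EXPECTED_CLIENTS.get(ev["user"])
    if allowed is not None and ev["client"] not in allowed:
        # Application credentials reused outside the application (thick-client abuse).
        findings.append("app-credentials-outside-app")
    if ev["rows"] > MAX_ROWS:
        # Nothing on the server caps result size, so flag it after the fact.
        findings.append("bulk-retrieval")
    sql = ev["sql"].strip().upper()
    if re.match(r"(UPDATE|DELETE)\b", sql) and not re.search(r"\bWHERE\b", sql):
        findings.append("unfiltered-dml")
    return findings


def review_log(events):
    """Map the index of every flagged event to its findings."""
    flagged = {}
    for i, ev in enumerate(events):
        findings = review_event(ev)
        if findings:
            flagged[i] = findings
    return flagged


if __name__ == "__main__":
    for idx, findings in review_log(AUDIT_EVENTS).items():
        print(idx, AUDIT_EVENTS[idx]["user"], AUDIT_EVENTS[idx]["client"], findings)
```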