Industry View
Database Crime Scene Prevention
Imperva's Amichai Shulman looks at database attack and defense.
By Amichai Shulman, CTO, Imperva
5. Covering the Tracks
The smart thief knows how to strike and leave undetected. This also applies to database criminals, who have several ways to cover their tracks. In many instances, the perpetrator doesn't even have to worry, since internal audit mechanisms are rarely activated due to performance and disk space concerns. In many of the attack methods discussed, the thief's actions would not trigger an alert. Servers with audit trail functionality activated are typically set to track unusual conditions that are the result of unsuccessful executions. However, most of the techniques previously discussed do not invoke these conditions but rather yield successful execution of the SQL statements.
Let's assume though that we do have a properly configured audit mechanism on our database server. The first step a perpetrator would take upon completion of a successful privilege elevation attack would be to turn off logging. In most deployments, a criminal with administrative privileges can also tamper with the existing audit trail, erasing any trace of the attack steps that preceded the privilege elevation.
Some types of attacks leave no trace in the internal database audit trail. For example, most of the database communication protocol attacks display this behavior. Other types of attacks can be launched after abusing vulnerabilities in the internal auditing mechanism. In this example (http://www.imperva.com/resources/adc/adc_advisories_ms_sql.html) an attacker was able to connect to a MS SQL Server database without his account name being registered by the audit mechanism.
In summary, as long as the audit trail is based on internal database mechanisms it is rather straightforward for an attacker to remove any trace of his covert activities and identity.
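The weakness described above is that an audit trail stored inside the database can be edited by anyone who has gained administrative rights. The following added example (not code from the article or from Imperva) shows one way an external collector can make that tampering evident: each audit record is hash-chained to the previous one, and the collector keeps the latest digest, so erasing or editing a record, or truncating the tail of the trail, is detected on verification. The event field names and values are constructed for this example.

```python
import hashlib
import json

# Constructed sample audit events, as a collector outside the database might
# receive them. Field names and values are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2008-03-01T10:00:01Z", "login": "app_user", "stmt": "SELECT * FROM orders"},
    {"ts": "2008-03-01T10:00:07Z", "login": "app_user", "stmt": "EXEC dbo.escalate_proc"},
    {"ts": "2008-03-01T10:00:09Z", "login": "sa", "stmt": "<statement turning auditing off>"},
]

def _digest(prev, event):
    """Hash of the previous link plus a canonical encoding of the event."""
    payload = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + payload).hexdigest()

def chain_events(events, seed="genesis"):
    """Append events to a hash chain; each link commits to everything before it."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    entries = []
    for event in events:
        digest = _digest(prev, event)
        entries.append({"event": event, "prev": prev, "digest": digest})
        prev = digest
    return entries

def verify_chain(entries, expected_head=None, seed="genesis"):
    """Recompute the chain. Returns (True, None) if intact, else (False, index of
    the first broken link). A deleted or edited record breaks the link that
    follows it; truncating the tail is only caught when the collector compares
    against the last digest it recorded (expected_head)."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, entry in enumerate(entries):
        if entry["prev"] != prev or _digest(prev, entry["event"]) != entry["digest"]:
            return False, i
        prev = entry["digest"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None

if __name__ == "__main__":
    chained = chain_events(SAMPLE_EVENTS)
    head = chained[-1]["digest"]             # collector stores this separately
    print(verify_chain(chained, head))       # (True, None)
    erased = chained[:1] + chained[2:]       # the escalation step has been removed
    print(verify_chain(erased, head))        # (False, 1)
    print(verify_chain(chained[:2], head))   # (False, 2): tail truncated
```

The chain only helps if the records and the head digest leave the database server before an administrator can reach them, which is the "not based on internal database mechanisms" point made above.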
How to Stop an Attack One Step at a Time
Now that we understand the steps a perpetrator would take to make your database the scene of a crime, let's take a look at the steps that can be taken toward crime prevention. For each of the five steps, there are mitigation techniques that would interfere with a would-be perpetrator's attacks. While no single mitigation technique is in itself foolproof, it is important to employ a range of mitigation techniques in what is known as a "layered security" approach. By following these recommendations, your database environment will become much more secure.
Because it is neither practical nor cost-effective to limit the accessibility of tools, we will skip Step 1 -- Tools of the Trade.
2. Stop Initial Access
The following steps can be taken to protect your database and prevent a perpetrator's initial contact.