Databa Security
“Why do I need to secure my database server? No one can access it — it’s in a DMZ protected by the firewall!” This is often the response when it is recommended that such devices are included within a security health check. In fact, database security is paramount in defending an organization's information, as it may be indirectly exposed to a wider audience than realized.
This is the first of two articles that will examine database security. In this article we will discuss general database security concepts and common problems. In the next article we will focus on specific Microsoft SQL and Oracle security concerns.
Database security has become a hot topic in recent times. With more and more people becoming increasingly concerned with computer security, we are finding that firewalls and Web servers are being secured more than ever (though this does not mean that there are not still a large number of insecure networks out there). As such, the focus is expanding to consider technologies such as databases with a more critical eye.
◆ Common sense security
Before we discuss the issues relating to database security it is prudent to highlight the necessity to secure the underlying operating system and supporting technologies. It is not worth spending a lot of effort securing a database if a vanilla operating system is failing to provide a secure basis for the hardening of the database. There are a large number of excellent documents in the public domain detailing measures that should be employed when installing various operating systems.
One common problem that is often encountered is the existence of a database on the same server as a web server hosting an Internet (or Intranet) facing application. Whilst this may save the cost of purchasing a separate server, it does seriously affect the security of the solution. Where this is identified, it is often the case that the database is openly connected to the Internet. One recent example I can recall is an Apache Web server serving an organization's Internet offering, with an Oracle database available on the Internet on port 1521. When investigating this issue further it was discovered that access to the Oracle server was not protected (including lack of passwords), which allowed the server to be stopped. The database was not required from an Internet-facing perspective, but the use of default settings and careless security measures rendered the server vulnerable.
The points mentioned above are not strictly database issues, and could be classified as architectural and firewall protection issues also, but ultimately it is the database that is compromised. Security considerations have to be made from all parts of a public facing network. You cannot rely on someone or something else within your organization protecting your database from exposure.
I came across one interesting aspect of database security recently while carrying out a security review for a client. We were performing a test against an intranet application, which used a database back end (SQL) to store client details. The security review was proceeding well, with access controls being based on Windows authentication. Only authenticated Windows users were able to see data belonging to them. The application itself seemed to be handling input requests, rejecting all attempts to access the database directly. We then happened to come across a backup of the application in the office in which we were working. This media contained a backup of the SQL database, which we restored onto our laptop. All security controls which were in place originally were not restored with the database and we were able to browse the complete database, with no restrictions in place to protect the sensitive data. This may seem like a contrived way of compromising the security of the system, but it does highlight an important point. It is often not the direct approach that is taken to attack a target, and ultimately the endpoint is the same: system compromise. A backup copy of the database may be stored on the server, and thus facilitates access to the data indirectly.
There is a simple solution to the problem identified above. SQL 2000 can be configured to use password protection for backups. If the backup is created with password protection, this password must be supplied when restoring the backup. This is an effective and uncomplicated method of stopping simple capture of backup data. It does however mean that the password must be remembered!
◆ Current trends
There are a number of current trends in IT security, a number of these being linked to database security.
The focus on database security is now attracting the attention of the attackers. Attack tools are now available for exploiting weaknesses in SQL and Oracle. The emergence of these tools has raised the stakes and we have seen focused attacks against specific database ports on servers exposed to the Internet.
One common theme running through the security industry is the focus on application security, and in particular bespoke Web applications. With the functionality of Web applications becoming more and more complex, it brings the potential for more security weaknesses in bespoke application code. In order to fulfill the functionality of applications, the backend data stores are commonly being used to format the content of Web pages. This requires more complex coding at the application end. With developers using different styles in code development, some of which are not as security conscious as others, this can be the source of exploitable errors.
SQL injection is one such hot topic within the IT security industry at the moment. Discussions are now commonplace among technical security forums, with more and more ways and means of exploiting databases coming to light all the time. SQL injection is a somewhat misleading term, as the concept is not specific to Microsoft SQL Server but applies to other databases, including Oracle, DB2 and Sybase.
◆ What is SQL Injection?
SQL Injection is simply the method of communicating with a database using code or commands sent via a method or application not intended by the developer. The most common form of this is found in Web applications. Any user input that is handled by the application is a common source of attack. One simple example of mishandling of user input is highlighted in Figure 1.
Many of you will have seen this common error message when accessing web sites; it often indicates that the user input has not been correctly handled. On getting this type of error, an attacker will focus in with more specific input strings.
The damage done by this type of vulnerability can be far reaching, though this depends on the level of privileges the application has in relation to the database. If the application is accessing data with full administrator-type privileges, then maliciously run commands will also pick up this level of access, and system compromise is inevitable. Again this issue is analogous to operating system security principles, where programs should only be run with the minimum of permissions that is required. If normal user access is acceptable, then apply this restriction.
Again the problem of SQL security is not totally a database issue. Specific database commands or requests should not be allowed to pass through the application layer. This can be prevented by employing a “secure coding” approach.
Again this is veering off-topic, but it is worth detailing a few basic steps that should be employed.
The first step in securing any application should be the validation and control of user input. Strict typing should be used where possible to control specific data (e.g. if numeric data is expected), and where string-based data is required, specific non-alphanumeric characters should be prohibited where possible. Where this cannot be performed, consideration should be given to substituting characters (for example the single quote, which is commonly used in SQL commands).
Specific security-related coding techniques should be added to the coding standards in use within your organization. If all developers are using the same baseline standards, with specific security measures, this will reduce the risk of SQL injection compromises.
Another simple method that can be employed is to remove all procedures within the database that are not required. This restricts the extent to which unwanted or superfluous aspects of the database could be maliciously used. This is analogous to removing unwanted services on an operating system, which is common security practice.
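As an added example (not code from the article), the input-handling steps above worked through in Python against an in-memory SQLite table standing in for the SQL back end: a lookup built by string concatenation beside its parameterised form, plus a strict-typing check for a numeric client id. The table, its rows, the function names and the sample inputs are all constructed for the illustration.

```python
import sqlite3


def setup_db():
    """Constructed sample data: a small client-details table like the one in the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, owner TEXT, detail TEXT)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?, ?)",
        [(1, "alice", "alice-record"), (2, "bob", "bob-record"), (3, "carol", "carol-record")],
    )
    return conn


def lookup_vulnerable(conn, owner):
    """User input spliced into the SQL text. A single quote in the input closes the
    string literal, so the input can change the structure of the query."""
    sql = "SELECT detail FROM clients WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, owner):
    """Same query with a bound parameter: the value never becomes part of the SQL
    text, so quotes inside it are plain data and match (or fail to match) literally."""
    rows = conn.execute("SELECT detail FROM clients WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def parse_client_id(raw):
    """Strict typing for numeric input: only a plain decimal integer is accepted,
    so anything carrying SQL syntax is rejected before it reaches the database."""
    if not raw.isdigit():
        raise ValueError("client id must be a positive integer")
    return int(raw)


def lookup_by_id(conn, raw_id):
    """Typed input plus a bound parameter: the two controls together."""
    cid = parse_client_id(raw_id)
    rows = conn.execute("SELECT detail FROM clients WHERE id = ?", (cid,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    hostile = "x' OR 'a'='a"  # constructed input: closes the literal and appends an always-true condition
    print(lookup_vulnerable(db, hostile))     # every client's record comes back
    print(lookup_parameterised(db, hostile))  # no owner has that exact name: nothing returned
```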
◆ Overall
In conclusion, most of the points I have made above are common sense security concepts, and are not specific to databases. However all of the points DO apply to databases and if the basic security measures are employed, the security of your database will be greatly improved.
The next article on database security will focus on specific SQL and Oracle security problems, with detailed examples and advice for DBAs and developers.
There are a lot of similarities between database security and general IT security, with generic simple security steps and measures that can be (and should be) easily implemented to dramatically improve security. While these may seem like common sense, it is surprising how many times we have seen that common security measures are not implemented and so cause a security exposure.
◆ User account and password security
One of the basic first principles in IT security is “make sure you have a good password”. Within this statement I have assumed that a password is set in the first place, though this is often not the case.
I touched on common sense security in my last article, but I think it is important to highlight this again. As with operating systems, the focus of attention within database account security is aimed at administration accounts. Within SQL this will be the SA account and within Oracle it may be the SYSDBA or ORACLE account.
It is very common for SQL SA accounts to have a password of ‘SA’ or, even worse, a blank password, which is just as common. This password laziness breaks the most basic security principles, and should be stamped down on. Users would not be allowed to have a blank password on their own domain account, so why should valuable system resources such as databases be allowed to be left unprotected? For instance, a blank ‘SA’ password will enable any user with client software (i.e. Microsoft Query Analyzer or Enterprise Manager) to ‘manage’ the SQL server and its databases.
With databases being used as the back end to Web applications, the lack of password control can result in a total compromise of sensitive information. With system level access to the database it is possible not only to execute queries against the database and create/modify/delete tables etc., but also to execute what are known as Stored Procedures.