The security focus in your organization is probably misplaced, according to two database security experts at the recent RSA Conference in San Francisco. Aaron Newman, Chief Technology Officer at Application Security, Inc., said, "We believe people are spending a lot of money to protect the entire enterprise (a big company can spend $5 million) and spending very little to protect the database, and that's where the most critical assets are." In his business, he's found that organizations often allot more resources to protecting their workstations than their databases, which he sees as a glaring misappropriation. "If your workstation gets hacked, that's bad. But if your database gets hacked, you're out of business. People spending 1 percent of their budget on database security should be spending 30 percent."
Michael Figueroa, a lead security engineer in the American Management Systems (AMS) Enterprise Security Group, agrees. "We've forgotten that data is the core asset of enterprise applications," he said. "We need to look at protecting data first."
Even when IT professionals secure their databases, according to Figueroa they pay little attention to the data inside. In his view, protecting the database while ignoring the data is like fortifying an airplane but letting its passengers freeze, and the main threat to the data comes from the applications that data supports. A compromised application can bypass firewalls and other perimeter security and reach the database through the application server's own connection. "If [an application] gets compromised, then the attacker has an open path to the database if he knows how to exploit that path, because the database is free to whatever that application wants to do," said Figueroa.
To focus enterprise security where both men believe it should be, each gave a database security presentation at the conference. Newman's "Protecting Your Database" presentation was a strong case for hardening your database. It demonstrated common, easily launched hacker exploits of database systems, including Microsoft SQL Server and Oracle 9i. Figueroa's "Application Database Security" presented the concept of a database firewall, a logical layer of abstraction between the application server and the database.
Database Attacks: What You Don't Know Can Hurt You
Newman demonstrated just how easily hackers can infiltrate databases. Using VMware virtual machines, he showed how code that is readily available on the Internet can be used to gain access to Microsoft SQL Server, Oracle 9i, and Sybase Adaptive Server Enterprise; within minutes he injected code into all three products (see Table 1). He retrieved sensitive data and gained a reverse shell with just a few keystrokes.
Newman acknowledged that Microsoft and Oracle are good at fixing what's wrong (patching vulnerabilities as soon as they become aware of them), but they are not particularly good at monitoring and detecting these security holes before breaches occur. For example, Microsoft found 25 buffer overflow vulnerabilities in SQL Server 2000 and fixed most of them in Service Pack 3 (SP3), but while those holes were unpatched, and on SQL Server 2000 installations that have yet to apply the updated service pack, the buffer overflows offer hackers easy access to the database.
The buffer overflows contained in the Oracle listener service, the proxy between the client and the database, leave it vulnerable to a known exploit that allows attackers to write arbitrary files to the network.
Vendors don't bear all the responsibility, however. Newman believes it's incumbent upon database administrators (DBAs) to remain diligent in installing the latest patches. But even when patches are installed, that doesn't protect the data from those inside the firewall. Developers need to lock down the privileges of local users who have access to the databases as well.
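Figueroa's point that "the database is free to whatever that application wants to do" and Newman's call to lock down privileges come down to the same control: the application's database account should be able to do only what the application needs. The following T-SQL (SQL Server 2012 or later syntax) is an added example, not code from either presentation; the login, database and procedure names are hypothetical.

```sql
-- Added example: weak versus hardened privileges for an application's
-- SQL Server login. Names (orders_app, OrdersDB, dbo.PlaceOrder,
-- dbo.GetOrderStatus) are hypothetical placeholders.

-- WEAK: the application connects as a member of sysadmin and the server
-- allows OS command execution. A compromised application inherits all of
-- this, which is the "open path" to the data and, via xp_cmdshell, to a shell.
CREATE LOGIN orders_app WITH PASSWORD = 'ChangeMe-Placeholder!';
ALTER SERVER ROLE sysadmin ADD MEMBER orders_app;          -- do not do this
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;           -- do not do this

-- HARDENED: same login, stripped of server-wide rights, confined to one
-- database, and granted EXECUTE only on the procedures the application calls.
ALTER SERVER ROLE sysadmin DROP MEMBER orders_app;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;

USE OrdersDB;
CREATE USER orders_app FOR LOGIN orders_app;
CREATE ROLE orders_app_role;
ALTER ROLE orders_app_role ADD MEMBER orders_app;

-- Grant procedures, not tables. The application can place and query orders,
-- but a compromised application cannot SELECT from arbitrary tables, alter
-- the schema, or touch other databases. No table-level rights are granted at
-- all; the procedures reach their tables through ownership chaining.
GRANT EXECUTE ON OBJECT::dbo.PlaceOrder     TO orders_app_role;
GRANT EXECUTE ON OBJECT::dbo.GetOrderStatus TO orders_app_role;

-- Check: impersonate the application account and list its effective
-- permissions. Anything beyond CONNECT and the two EXECUTE grants is a finding.
EXECUTE AS USER = 'orders_app';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
SELECT permission_name FROM fn_my_permissions('dbo.PlaceOrder', 'OBJECT');
REVERT;
```

Run the final check as part of a regular review, not only at deployment; the goal is that a compromised application server is limited to the procedures above rather than the whole instance.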
Newman believes education is as important to database security as any technological solution. "I think most developers don't even realize there are problems with coding a certain way. So a lot of it is education," he said. His presentation was an effort to get the word out and inform developers and DBAs of the holes they may inadvertently leave open to attack, many of which have readily available remedies. "I don't think most DBAs are even aware that there was a patch for Oracle [released during the week of April 7] or that there was a patch for Microsoft SQL Server. [It was] six months between when the [SQL Slammer] patch was released and when the SQL Slammer worm hit."