Database Security Jordan Coderre CMPT320_01

Database Security

Feb 26, 2016

Page 1: Database Security

Database Security

Jordan Coderre

CMPT320_01

Page 2: Database Security

Why Database Security?

Databases are an essential part of almost every modern website. Their importance in modern web design, combined with the potential for holding sensitive information, makes them common target systems.

“What issues are facing databases today and what are some general guidelines one should follow to prevent the exploitation of vulnerabilities and maintain a healthy system?”

Page 3: Database Security

Database System Architectures

To understand what must be secured we need to look at how networks with databases are commonly built. There are three common architectures:

Single machine database system
Client/Server (two-tier)
Three-tier architecture

Page 4: Database Security

Two-Tier Architecture

Two-tier architectures are usually based upon clients communicating with the DBMS directly through a network connection. The DBMS processes queries, interacts with the database and returns information to the client. Two-tier architectures include interaction via a web server.

Page 5: Database Security

Three-Tier ArchitectureThree-tier architectures contain an application server (middleware).The middleware houses the business logic and is responsible for doing the calculations that return the client’s view of the data.Three-tier architectures are more scalable and found in networks with a larger demand on the DBMS.

Page 6: Database Security

Mission & Breakdown

I looked to follow the core principles of information security in the CIA triad. We will cover:

Physical security of database components
Client workstation security
Database software configuration & updates
Account privileges
Database firewalls

Page 7: Database Security

Physical Security of Database System Components

Disallowing physical access to essential systems
Alarm system
Security of server room

Protection from environmental hazards
Implementing a backup system

Encrypt!
Battery backup to ensure proper shutdown

Uninterruptible power supply (UPS)
Foundation of room housing the servers
Proper climate & environment

Page 8: Database Security

Client Workstation Security

Anti-virus application
Frequently updated definitions

Automatic OS & application updates
Implement central deployment system such as Secunia & SUS

Automatic logout after set interval of inactivity
User education on proper computer usage
Communication encryption (SSL/TLS)

Protection from eavesdropping & packet manipulation
Digital signatures for authenticity

Page 9: Database Security

Database Software Updates & Configuration

Exploits are constantly being found and released to the public. Maintaining up to date software on the DBMS (and possibly web server) is crucial. Sony Online Entertainment’s customer record database was compromised in 2011 due to an unpatched version of Apache.

Page 10: Database Security

Database Software Updates & Configuration

Default settings must be changed to suit the needs of the DBMS. (RTFM!) For example, Oracle databases have preconfigured security settings that can be enabled through the included ‘Database Configuration Assistant’.

Protects ‘SYS’ tables

Enables monitoring of specified DB components

Login protection measures

Allows OS to set roles

Page 11: Database Security

Setting Privileges

Privileges are the right to execute a specified type of SQL statement or access another user’s objects. A MySQL database allows you to designate a specific user’s access to commands like insert, drop, delete & more.

Page 12: Database Security
Page 13: Database Security

Setting Privileges

Example of a SQL command granting privileges to all columns in a given table:

GRANT SELECT, INSERT ON mydb.mytbl TO 'someuser'@'somehost';

Privileges are more often assigned to roles than specific users. The SIFMA report on database vulnerabilities lists excessive user & group privileges as the 3rd biggest threat against databases.

Page 14: Database Security

Database Firewalls

Database firewalls can be used to monitor queries, prevent SQL injections and prevent inferences.
Can be configured to ‘cleanse’ queries (substituting queries matching a criterion with a pre-set statement).
Can be used to track user behavior and use this to prevent insider attacks.

In a U.S. Secret Service/CERT/Microsoft E-Crime report, insider attacks constitute 34% of all surveyed attacks, with outsiders contributing 37% and the last 27% originating from unknown sources.

Page 15: Database Security

Database Firewalls

Database firewalls can utilize a blacklist or whitelist approach. This offers an extra layer of protection on top of measures implemented in the coding of the application.
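The following is an added example, not part of the presentation and not the code of any firewall product, showing what the whitelist approach and the ‘cleanse’ action on the previous slide look like in practice: each incoming statement is reduced to its structural shape (literals replaced by ‘?’), passed through only if that shape is on a constructed allow-list, and otherwise replaced by a preset harmless statement and logged. The allow-list entries, table names and the substitute statement are assumptions made for this example.

```python
"""Added example: a minimal whitelist-style query filter in the spirit of a
database firewall. Not from the slides or any product."""
import re

# Constructed allow-list: the statement shapes this hypothetical application
# is known to issue, with every literal already replaced by '?'.
ALLOWED_SHAPES = {
    "SELECT name FROM products WHERE price < ?",
    "SELECT username FROM users WHERE username = ? AND password = ?",
}

# Preset statement substituted for anything outside the allow-list
# (the 'cleanse' action described on the slide).
BLOCKED_STATEMENT = "SELECT 1 WHERE 0"

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")    # 'abc', 'it''s'
_NUMERIC_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")
_WHITESPACE = re.compile(r"\s+")


def fingerprint(sql):
    """Reduce a statement to its structural shape: every string or numeric
    literal becomes '?', whitespace is collapsed and a trailing ';' dropped."""
    shape = _STRING_LITERAL.sub("?", sql)
    shape = _NUMERIC_LITERAL.sub("?", shape)
    shape = _WHITESPACE.sub(" ", shape).strip().rstrip(";").strip()
    return shape


def filter_query(sql, log):
    """Whitelist mode: let a statement through only if its shape is known;
    otherwise record the event in `log` and return the preset substitute."""
    shape = fingerprint(sql)
    if shape in ALLOWED_SHAPES:
        return sql
    log.append("blocked shape: " + shape)
    return BLOCKED_STATEMENT


if __name__ == "__main__":
    events = []
    # The benign query keeps its shape and passes; the injected one, which
    # is the payload shown later in the presentation, gains an "OR ?=?" clause
    # that no allowed shape has, so it is replaced and logged.
    print(filter_query("SELECT name FROM products WHERE price < '100'", events))
    print(filter_query("SELECT name FROM products WHERE price < '100' OR '1'='1'", events))
    print(events)
```

The fingerprint is a deliberately simple heuristic (it does not normalise keyword case, comments or parenthesised sub-queries); real database firewalls parse the SQL grammar to derive the shape, but the allow-then-substitute logic is the same.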

Page 16: Database Security

Vulnerabilities

Considering these protective measures I’ve discussed, what are some common vulnerabilities that are affecting databases? OWASP and SIFMA provide a good list of common exploits, but I will only cover two:

Default user accounts & weak passwords
SQL injection

Page 17: Database Security

Default User Accounts & Weak Passwords

SIFMA cites weak passwords & failure to change or remove default accounts as the biggest threat to databases. Minimum password length & complexity policies should be set in place.

Policies need to guard against brute forcing & rainbow table attacks

Files or tables containing any login information for the network should be encrypted.

Page 18: Database Security

Default User Accounts & Weak Passwords

Some DBMS may have factory accounts disabled by default but some do not. Earlier versions of Oracle database had accounts like ‘HR’, ‘OE’ and ‘SCOTT’ with considerable privileges used for testing purposes. Check for default accounts regardless of whether or not you believe they are already disabled.

Oracle databases allow you to log into SQL*Plus using the SYSDBA privilege. You can then query ‘DBA_USERS_WITH_DEFPWD’ to see which accounts have the default password.
MariaDB allows you to invoke ‘mysql_secure_connection’ from a shell prompt and will prompt you through several actions to secure your default accounts.

Page 19: Database Security

SQL Injections

Injections are considered the biggest security threat according to OWASP’s Top 10 from 2013 and the 2nd biggest from SIFMA’s report. The first discussions of SQL injections arose in 1998 and yet they still remain a major vulnerability. In 2005 a SQL injection attack on MasterCard leaked 40 million credit card details.

Page 20: Database Security

SQL Injections

The vulnerability lies in how the application interacting with the DBMS is coded. In the situation where a store uses the following URL to view products less than $100:

http://www.victim.com/products.php?val=100

You could modify the end of the URL to view all products:

http://www.victim.com/products.php?val=100' OR '1'='1

Page 21: Database Security

SQL Injection Prevention

There are several ways you can prevent this aside from the utilization of a database firewall.

Parameterized Statements
Input Validation
Canonicalization

Parameterized statements work by sending the query template to the database as a prepared statement first, then binding the user-supplied values to its placeholders, so the input is treated as data and never as part of the SQL text.

$con = new mysqli("localhost", "username", "password", "db");
$sql = "SELECT * FROM users WHERE username=? AND password=?";
$cmd = $con->prepare($sql);
$cmd->bind_param("ss", $username, $password);
// Adds parameters to SQL query and binds parameters as strings
$cmd->execute();
// Takes the newly prepared statement and executes it on the database.
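To make the difference between the products.php URL on the previous slide and the prepared statement above concrete, here is an added example (not from the presentation; written in Python against an in-memory SQLite database rather than the slide’s PHP/MySQL so it runs offline). It builds each of the two queries the slides show once by string concatenation and once with bound parameters, using sqlite3’s execute(sql, params) in place of mysqli’s prepare/bind_param/execute. The table contents, column names and the digits-only check on val are constructed for this example; the plaintext password comparison is kept only because it mirrors the slide’s query.

```python
"""Added example: string-built SQL beside its parameterized form, run on
sample data in SQLite. Not the presentation's own code."""
import sqlite3


def make_db():
    """Constructed sample data, not taken from the presentation."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [("pen", 3), ("lamp", 45), ("desk", 250), ("laptop", 900)])
    # Real applications store and compare password hashes; the plaintext
    # column here only mirrors the query shown on the slide.
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def products_under_vulnerable(con, val):
    """The products.php?val=... query built by concatenation: the request
    parameter is spliced into the SQL text and can change its meaning."""
    sql = "SELECT name FROM products WHERE price < '" + val + "'"
    return sorted(row[0] for row in con.execute(sql))


def is_valid_price(val):
    """Input validation for the val parameter (assumed policy): digits only."""
    return val.isdigit()


def products_under_safe(con, val):
    """Validate the shape first, then pass the value as a bound parameter so
    the driver treats it as data, never as SQL."""
    if not is_valid_price(val):
        raise ValueError("val must be a non-negative integer")
    sql = "SELECT name FROM products WHERE price < ?"
    return sorted(row[0] for row in con.execute(sql, (int(val),)))


def login_vulnerable(con, username, password):
    """Concatenated form of the slide's users query."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return sorted(row[0] for row in con.execute(sql))


def login_safe(con, username, password):
    """Parameterized form: the '?' placeholders are filled by the driver with
    the bound values, which cannot alter the statement's structure."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return sorted(row[0] for row in con.execute(sql, (username, password)))


if __name__ == "__main__":
    con = make_db()
    payload = "100' OR '1'='1"          # the value from the slide's URL
    print(products_under_vulnerable(con, "100"))   # only the two cheap items
    print(products_under_vulnerable(con, payload)) # every product
    print(is_valid_price(payload))                 # False: rejected before the query
    print(login_safe(con, "alice", "' OR '1'='1"))  # [] : treated as a literal
```

The validation step in products_under_safe matters even with binding: if the same string were bound unvalidated against an INTEGER column, no SQL would be injected, but the comparison would be between a number and an unparseable text value, which is not the query the application meant to run. Validate the type, then bind.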

Page 22: Database Security

SQL Injection Prevention

Input Validation

Testing of the input received by an application for compliance against a standard defined within the application. Can be approached by cleansing input with regular expressions. Common method of validating a U.S. zip code:

^\d{5}(-\d{4})?$

Canonicalization

Ensuring certain characters are not allowed to be inputted and that the user cannot use different encodings to sneak in the disallowed characters. %27 is the URL-encoded representation of a single-quote character.
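An added example (not from the presentation) that puts the last two slides together: the zip-code pattern above used as a whitelist validator, and a canonicalization step that percent-decodes input until it stops changing before the disallowed-character check is applied, so that %27, and a doubly encoded %2527, are both seen as the single quote they encode. The set of disallowed characters and the limit on decoding rounds are assumptions made for this example.

```python
"""Added example: whitelist validation with the slide's zip-code regex, and
canonicalization before a deny-list check. Not the presentation's code."""
import re
from urllib.parse import unquote

# The slide's pattern (ZIP or ZIP+4). re.fullmatch is used so that a trailing
# newline, which '$' alone would tolerate, cannot satisfy the end anchor.
ZIP_PATTERN = re.compile(r"^\d{5}(-\d{4})?$")

# Constructed deny-set for this example: characters the field must not contain.
DISALLOWED = frozenset("'\";\\")


def is_valid_zip(value):
    """Whitelist validation: accept only values matching the full pattern."""
    return ZIP_PATTERN.fullmatch(value) is not None


def canonicalize(value, max_rounds=3):
    """Percent-decode until the value stops changing, so doubly encoded input
    (%2527 -> %27 -> ') is reduced to its canonical form before any check.
    Input that is still changing after max_rounds is rejected outright."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input did not reach a canonical form")


def contains_disallowed(value):
    """Deny-list check applied to the canonical form, not to the raw bytes."""
    return any(ch in DISALLOWED for ch in canonicalize(value))


if __name__ == "__main__":
    for sample in ("12345", "12345-6789", "1234", "%27", "%2527"):
        print(repr(sample), is_valid_zip(sample), contains_disallowed(sample))
```

Of the two checks, the whitelist is the stronger one: a zip code that matches the pattern cannot contain a quote in any encoding, because percent signs are not in the pattern. The canonicalize-then-deny step is for fields that must accept free text, where only specific characters can be excluded.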