1. Excessive privileges.
When users (or applications) are granted database privileges that exceed the
requirements of their job function, these privileges may be used to gain access
to confidential information. For example, a university administrator whose job
requires read-only access to student records may take advantage of excessive
update privileges to change grades.
The solution to this problem (besides good hiring policies) is
query-level access control. Query-level access control restricts privileges to
minimum-required operations and data. Most native database security platforms
offer some of these capabilities (triggers, RLS, and so on), but the manual design
of these tools make them impractical in all but the most limited deployments.
2. Privilege abuse
Users may abuse legitimate data access privileges for unauthorized purposes.
For example, a user with privileges to view individual patient records via a
custom healthcare application client may abuse that privilege to retrieve all
patient records via a MS-Excel client.
The solution is access control policies that apply not only to
what data is accessible, but how data is accessed. By enforcing policies for
time of day, location, and application client and volume of data retrieved, it
is possible to identify users who are abusing access privileges.
3. Unauthorized privilege
elevation
Attackers
may take advantage of vulnerabilities in database management software to
convert low-level access privileges to high-level access privileges. For
example, an attacker might take advantage of a database buffer overflow
vulnerability to gain administrative privileges.
Privilege elevation exploits can be defeated with a combination
of query-level access control and traditional intrusion prevention systems
(IPS). Query-level access control can detect a user who suddenly uses an
unusual SQL operation, while an IPS can identify a specific documented threat
within the operation.
4. Platform vulnerabilities
Vulnerabilities
in underlying operating systems may lead to unauthorized data access and
corruption. For example, the Blaster worm took advantage of a Windows 2000
vulnerability to take down target servers.
IPS tools are a good way to identify and/or block attacks
designed to exploit known database platform vulnerabilities.
5. SQL injection
SQL
injection attacks involve a user who takes advantage of vulnerabilities in
front-end web applications and stored procedures to send unauthorized database
queries, often with elevated privileges. Using SQL injection, attackers could
even gain unrestricted access to an entire database.
Query-level access control detects unauthorized queries injected
via web applications and/or stored procedures.
6. Weak audit
Weak audit policy and technology represent risks in terms of compliance,
deterrence, detection, forensics and recovery.
Unfortunately, native database management system (DBMS) audit
capabilities result in unacceptable performance degradation and are vulnerable
to privilege-related attacks -- i.e. developers or database administrators
(DBAs) can turn off auditing.
Most DBMS audit solutions also lack necessary granularity. For
example, DBMS products rarely log what application was used to access the
database, the source IP addresses and failed queries.
Network-based audit appliances are a good solution. Such
appliances should have no impact on database performance, operate independently
of all users and offer granular data collection.
7. Denial of service
Denial of service (DoS) may be invoked through many techniques. Common DoS
techniques include buffer overflows, data corruption, network flooding and
resource consumption. The latter is unique to the database environment and
frequently overlooked.
DoS prevention should occur at multiple layers including the
network, applications and databases.
Database-related recommendations include deploying an IPS and
connection rate controls. By rapidly opening a large number of connections,
connection rate controls can prevent individual users from consuming database
server resources.
8. Database protocol
vulnerabilities
Vulnerabilities
in database protocols may allow unauthorized data access, corruption or
availability. For example, the SQL Slammer worm took advantage of a Microsoft
SQL Server protocol vulnerability to execute attack code on target database
servers.
Protocol attacks can be defeated by parsing and validating SQL
communications to make sure they are not malformed.
9. Weak authentication
Weak
authentication schemes allow attackers to assume the identity of legitimate
database users. Specific attack strategies include brute force attacks, social
engineering, and so on.
Implementation of passwords or two-factor authentication is a
must. For scalability and ease-of-use, authentication mechanisms should be
integrated with enterprise directory/user management infrastructures.
10. Exposure of backup data
Some
recent high profile attacks have involved theft of database backup tapes and
hard disks.
All backups should be encrypted. In fact, some vendors have
suggested that future DBMS products may not support the creation of unencrypted
backups. Encryption of online production database information is a poor
substitute for granular privilege controls.
Conclusion
Although databases and their contents are vulnerable to a host of internal and
external threats, it is possible to reduce the attack vectors to near zero. By
addressing these threats you will meet the requirements of the most regulated
industries in the world.
