Database Attacks, How to protect the corporate assets by howardtheduck


Database Attacks,
How to protect the corporate assets

Presented by: James Bleecker

      Introduction
          Landscape
          Database Vulnerabilities Are The New Front-Lines
      Attacking Where the Data Resides
          Planning an Attack
          Attacking Database Vulnerabilities
      How Do You Protect Your Database?
      What is Application Security direction/Vision?

Old Data Processing Environment

   Diagram (labels only): CICS Controller, Winchester IMS Array, BIG IRON, Glass House

New Data Processing Requirement

   Demand for Pervasive Access
      By anyone
      To any application
      Increasingly direct
   Increasingly Focused Attacks
      Directly on applications (75%!)
      Including insiders (80+%!)
      As perimeter crumbles
   Compliance Requirements
      Info ultimately in DB apps: Privacy / confidentiality; Integrity
      Compliance must be: Repeatable; Demonstrable

Typical Network Landscape

Database Vulnerabilities

        A decade ago, databases were
             Physically secure
             Housed in central data centers – not distributed
             External access mediated
             Security issues rarely reported
        Now, databases are externally accessible
           Suppliers directly connected
           Customers directly connected
           Customers and partners directly sharing data

Database Vulnerability Exploitation

   A decade ago, attacks were
       Broad based
       Launched by disaffected “Hackers”
       Intended to disrupt, gain respect / notoriety in the community
   Now, attacks are
       Targeted against specific resources
       Launched by sophisticated professionals
       Intended to bring monetary gain to the attacker
   Data is a valuable resource in your company
       Value increases with greater integration and aggregation
       But so does the threat of data theft, modification, or destruction

Databases Are Under Attack

  106 Incidents in 2005
  Flurry of new data breaches disclosed: more than 190 such incidents have
   been reported since February 2005 (Jaikumar Vijayan and Todd Weiss,
   Computerworld, June 19, 2006)

 We’re not Winning!
Recent Incidents

  Company/Organization                            # of Affected   Date of Initial
                                                  Customers       Disclosure

  Department of Energy’s nuclear weapons                  1,500   22-May-06
  Georgetown University                                  41,000   5-Mar-06
  Misc retail debit card compromise (OfficeMax?)        200,000   9-Feb-06
  Dept of Agriculture                                   350,000   15-Feb-06
  Card Systems                                       40,000,000   17-Jun-05
  Citigroup                                           3,900,000   6-Jun-05
  DSW Shoe Warehouse                                  1,400,000   8-Mar-05
  Bank of America                                     1,200,000   25-Feb-05
  LexisNexis                                            310,000   9-Mar-05
  Ameritrade                                            200,000   19-Apr-05
  ChoicePoint                                           145,000   15-Feb-05

  Etc, etc, etc.

  # of customers affected                          ~50,000,000+
  Source: Privacy Rights Clearinghouse

Top 5 Issues in Enterprise Security

        Attackers have gone pro
            Want personal data they can sell – Personal data like credit card and
             social security numbers are relatively easy to monetize
        Attacks are moving to the source
            Why pull a single credit card via compromising the network? It's
             relatively hard with a meager pay off. Instead, take over the corporate
             database and get them ALL
        The perimeter provides little defense
            Insiders don't go through the firewall thus perimeters provide no
             protection from this growing source of risk
        Inside the perimeter, enterprises have little-to-no protection
            Beyond anti-virus, enterprises are only now starting to build a
             layered defense. For example, how does a largely signature-based
             security solution protect you from an insider who doesn't need to run a
             vulnerability against a system to get access? They've got plenty of
             privileges already ;-)
        Everyone is watching
            Everyone is very-much clued in to the increased threats against
             personal data. Any mistakes are likely to be very public

How Do You Secure Apps?

        Key Components of Enterprise Applications

    Vulnerabilities exist within each of these components

Database Vulnerabilities:

 Default & Weak Passwords

 Denial of Service (DoS) & Buffer Overflows

 Misconfigurations & Resource Privilege
  Management Issues

Database Vulnerabilities:
Default & Weak Passwords

        Databases have their own user accounts and passwords
        [Vendor matrix, check marks lost in extraction: Oracle | Microsoft | Sybase | IBM DB2 | MySQL
         Row: Default & Weak Passwords]

Database Vulnerabilities
Default Passwords

 Oracle Defaults (Over 200 of them)
     -   User Account: internal / Password: oracle
     -   User Account: system / Password: manager
     -   User Account: sys / Password: change_on_install
     -   User Account: dbsnmp / Password: dbsnmp
 IBM DB2 Defaults
     - User Account: db2admin / Password: db2admin
     - User Account: db2as / Password: ibmdb2
     - User Account: dlfm / Password: ibmdb2

Database Vulnerabilities
Default Passwords

 MySQL Defaults
     - User Account: root / Password: null
     - User Account: admin / Password: admin
     - User Account: myusername / Password: mypassword
 Sybase Defaults
     - User Account: SA / Password: null
 Microsoft SQL Server Defaults
     - User Account: SA / Password: null

Database Vulnerabilities
Weak Passwords

 It is important that you have all of the proper
  safeguards against password crackers because:

     - Most databases do not have Account Lockout
     - Database Login activity is seldom monitored
     - Scripts and Tools for exploiting weak
       identification control mechanisms and default
       passwords are widely available
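Since most databases have no account lockout and login activity is seldom monitored, the lockout-style check has to be done by whoever reads the login records. The following is an added example, written for this page and not taken from the deck or from AppSecInc's products, showing the detection logic in Python over a few constructed log lines in a hypothetical "LOGIN FAILED user=... src=..." format. It keeps a sliding window of failures per account (one account being hammered with many passwords) and per source (one host walking through a list of default accounts) and raises an alert the first time either count reaches the threshold. The log format, field names, threshold and window length are assumptions; a real listener log or audit trail needs its own regex.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical LOGIN FAILED/OK format.
# 10.1.1.7 hammers SYSTEM; 10.2.2.9 tries one password against each of
# several default accounts; 10.1.1.20 is ordinary traffic.
SAMPLE_LOG = """\
2006-06-19 09:00:01 LOGIN FAILED user=SYSTEM src=10.1.1.7
2006-06-19 09:00:02 LOGIN FAILED user=SYSTEM src=10.1.1.7
2006-06-19 09:00:03 LOGIN FAILED user=SYSTEM src=10.1.1.7
2006-06-19 09:00:04 LOGIN FAILED user=SYSTEM src=10.1.1.7
2006-06-19 09:00:05 LOGIN FAILED user=SYSTEM src=10.1.1.7
2006-06-19 09:00:06 LOGIN OK user=SCOTT src=10.1.1.20
2006-06-19 09:00:07 LOGIN FAILED user=SYSTEM src=10.1.1.7
2006-06-19 09:05:10 LOGIN FAILED user=DBSNMP src=10.2.2.9
2006-06-19 09:05:11 LOGIN FAILED user=SYS src=10.2.2.9
2006-06-19 09:05:12 LOGIN FAILED user=SCOTT src=10.2.2.9
2006-06-19 09:05:13 LOGIN FAILED user=OUTLN src=10.2.2.9
2006-06-19 09:05:14 LOGIN FAILED user=INTERNAL src=10.2.2.9
2006-06-19 09:30:00 LOGIN FAILED user=SCOTT src=10.1.1.20
"""

# Assumed line layout: "<date> <time> LOGIN <FAILED|OK> user=<name> src=<host>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (FAILED|OK) user=(\S+) src=(\S+)$"
)


def parse_log(text):
    """Yield (timestamp, status, user, src) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format instead of crashing
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3).upper(), m.group(4)


def detect_login_abuse(text, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per account or source whose failed logins inside
    `window` reach `threshold`. Successful logins are ignored; each key
    alerts once so a long brute-force run does not flood the console."""
    recent = defaultdict(deque)  # key -> timestamps of recent failures
    fired = set()
    alerts = []
    for ts, status, user, src in parse_log(text):
        if status != "FAILED":
            continue
        for key in (("user", user), ("src", src)):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in fired:
                fired.add(key)
                alerts.append({
                    "kind": key[0],
                    "value": key[1],
                    "failures": len(q),
                    "at": ts.isoformat(sep=" "),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields three alerts: the SYSTEM account and the source 10.1.1.7 at 09:00:05, and the source 10.2.2.9 at 09:05:14, which never hit any single account five times and so would be invisible to a per-account counter alone. The lone SCOTT failure at 09:30 falls outside the window and raises nothing.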

Database Vulnerabilities:
Denial of Service (DoS) & Buffer Overflows

          Databases have their own DoS’s & Buffer Overflows
          [Vendor matrix, check marks lost in extraction: Oracle | Microsoft | Sybase | IBM DB2 | MySQL
           Rows: Default & Weak Passwords; Denial of Service & Buffer Overflows]

Databases Have Their Own Class of DoS Attacks

Category of attacks that could result in the database
  crashing or failing to respond to connect requests
  or SQL Queries.

Significant Database Denial of Services:
   Oracle8i: NSPTCN data offset DoS
   Oracle9i: SNMP DoS
   Microsoft SQL Server: Resolution Service DoS
   IBM DB2: Date/Varchar DoS

Buffer Overflows
Databases Have Their Own Buffer Overflows

 Category of vulnerabilities that could result in an
   unauthorized user causing the application to
   perform an action the application was not intended
   to perform.
 Most dangerous are those that allow arbitrary
   commands to be executed by authenticated users.
       - No matter how strongly you’ve set passwords and other
         authentication features.
    Significant Database Buffer Overflows:
       - Oracle9i: TZ_OFFSET buffer overflow
       - Microsoft: pwdencrypt buffer overflow / Resolution Stack
       - Sybase: xp_freedll buffer overflow

Database Vulnerabilities
Misconfigurations & Resource Privilege
Management Issues

           Misconfigurations can make a database vulnerable
           [Vendor matrix, check marks lost in extraction: Oracle | Microsoft | Sybase | IBM DB2 | MySQL
            Rows: Default & Weak Passwords; Denial of Service & Buffer Overflows;
            Misconfigurations & Resource Privilege]

Misconfigurations & Resource Privileges
Misconfigurations Can Make a Database Vulnerable

 Oracle
    • External Procedure Service
    • Default HTTP Applications
    • Privilege to Execute UTL_FILE
 Microsoft SQL Server
    • Standard SQL Server Authentication Allowed
    • Permissions granted on xp_cmdshell and xp_regread
 Sybase
    • Permission granted on xp_cmdshell
 IBM DB2
    • CREATE_NOT_FENCED privilege granted
          • This privilege allows logins to create stored procedures
 MySQL
    • Permissions on User Table (mysql.user)

Database Vulnerabilities Wrap-up

   [Vendor matrix, check marks lost in extraction: Oracle | Microsoft | Sybase | IBM DB2 | MySQL
    Rows: Default & Weak Passwords; Denial of Service & Buffer Overflows;
    Misconfigurations & Resource Privilege]
Planning an Attack

       Create a Map
          What does the network look like?
       Reconnoiter
          Collect information about the layout of the target
          What looks intere$ting?
       Probe, Progress, Plot
          What can we do?
          Build the springboard for further activity
          Plan the strike
       Retreat and Re-attack

How are search engines used for attacks?

 First thing an attacker needs is information
    Where to attack
    What a site is vulnerable to
 Search engine is a large repository of information
    Every web page in your application
    Every domain on the Internet
 Search engines provide an attacker:
    Ability to search for attack points on the Internet
    Ability to search for an attack point in a specific website
    Ability to look for specific URLs or files

Example – looking for iSQL*Plus

 Oracle HTTP Servers
   Provide a way to run queries on the database over HTTP
   Accessed using the URL /isqlplus
   By default run on any Oracle HTTP server installed with:
      Oracle Applications Server
      Oracle Database Server
 Search can be performed on Google or Yahoo
   looking for Oracle HTTP servers
   Using the “allinurl” advanced search feature

Using Google Advanced Search

Results of Google Advanced Search

Yahoo! Advanced Search Works Too…..

Connect with default username/password

Attacker can execute any query

Example – SQL Injection in demo applications

   Oracle HTTP Servers
       Provided default web applications
       /demo/sql/jdbc/JDBCQuery.jsp
       /demo/sql/tag/sample2.jsp
   Contains SQL Injection
       Google search value of “allinurl:JDBCQuery.jsp”

Vulnerable Oracle HTTP Servers

Oracle Example

X' UNION SELECT password FROM dba_users WHERE username='SYSTEM

Password Hash Returned

      Customer address: EED9B65CCECDB2E9
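To make the mechanism behind that screenshot concrete, here is an added example, written for this page rather than taken from the deck or from Oracle's demo JSPs, in Python against an in-memory SQLite database. A constructed customers table stands in for the demo application's lookup and a constructed dba_users table holds the hash value shown on the slide (not a real hash from any system). lookup_address_vulnerable splices the input into the SQL text the way the demo page does, so the slide's input turns an address lookup into a UNION over dba_users; lookup_address_safe binds the same input as a parameter and it simply matches no customer. Table and column names and the sample row are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the demo app's schema and the dba_users view."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (name TEXT, address TEXT)")
    con.execute("INSERT INTO customers VALUES ('Alice', '1 Main St')")
    con.execute("CREATE TABLE dba_users (username TEXT, password TEXT)")
    # Hash value copied from the slide; it is sample data here, nothing more.
    con.execute("INSERT INTO dba_users VALUES ('SYSTEM', 'EED9B65CCECDB2E9')")
    return con


def lookup_address_vulnerable(con, name):
    """The demo-application pattern: user input becomes part of the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT address FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_address_safe(con, name):
    """Same lookup with a bound parameter: the driver sends the input as a
    value, so it can never change the shape of the statement."""
    sql = "SELECT address FROM customers WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


# The input string from the slide, with ASCII quotes.
SLIDE_INPUT = "X' UNION SELECT password FROM dba_users WHERE username='SYSTEM"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_address_vulnerable(db, SLIDE_INPUT))
    print("safe:      ", lookup_address_safe(db, SLIDE_INPUT))
```

With the vulnerable function the result list contains the SYSTEM hash instead of an address; with the parameterized one it is empty, while a normal name such as Alice returns her address through either path. The fix costs nothing in functionality, which is the point to make when asking a development team to remove string concatenation from every query the application builds.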
Hackers Can Find Credit Cards

       Recent posting to security newsgroups
          Subject: New google's top query?
          Instructions on finding credit cards on the Internet
             Involves using Numrange searches in Google
             Can focus in on a single domain
             Can focus in on a single person
             “Numrange can be used to specify that results contain
              numbers in a range you set. You can conduct a numrange
              search by specifying two numbers, separated by two
              periods, with no spaces. Be sure to specify a unit of measure
              or some other indicator of what the number range
Google Advanced Search Page

How Do You Address These Vulnerabilities?

       Stay Patched
          Stay on top of all the security alerts and bulletins
       Defense in Depth
       Multiple Levels of Security
          Regularly perform audits and penetration tests on your
          Encryption of data-in-motion / data-at-rest / data-in-use
          Monitor database activity log files
          Implement application layer intrusion detection
             Especially if you can’t stay patched!

How Do You Address These Vulnerabilities?

       “I’m running auditing, vulnerability
        assessment, and IDS tools for the network/OS.
        Am I secure?”
          NO!!!!
       Databases are extremely complex beasts
       Databases store your most valuable assets
       Significantly more effort securing databases is
           “If your workstation gets hacked, that’s bad. But if your
           database gets hacked, you’re out of business.”

Best Practices Provided by Database Vendors
& Notable Third Parties

       Oracle
          Oracle9i Security Checklist
       SANS Institute (SysAdmin, Audit, Network, Security)
          Oracle Database Checklist
       Microsoft
          10 Steps to Secure SQL Server
          SQLSecurity Checklist

Oracle9i Security Checklist
A Security Checklist for Oracle9i
    Install Only What is Required
    Lock and Expire Default User Accounts
    Change Default User Passwords
    Enable Data Dictionary Protection
    Practice Principle of Least Privilege
    Enforce Access Controls
    Restrict Network Access
    Apply Security Patches and Workarounds
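The default-account slides earlier and the first two checklist items above describe the same audit: list the accounts the database shipped with and confirm each one is either locked and expired or, for the administrative accounts that must remain, no longer carrying its default password. The following is an added example for this page (not the deck's own material and not AppDetective) in Python that applies that rule to a constructed CSV export of the kind you would pull from Oracle's DBA_USERS view (USERNAME, ACCOUNT_STATUS). The default account names come from the slides; the "must remain" set, the CSV layout and the sample rows are assumptions, and the script only names accounts, it never tries a password.

```python
import csv
import io

# Default account names from the slides, keyed by vendor. Names only:
# the audit flags an account, it does not attempt to log in.
DEFAULT_ACCOUNTS = {
    "oracle": {"internal", "system", "sys", "dbsnmp"},
    "db2": {"db2admin", "db2as", "dlfm"},
    "mysql": {"root", "admin", "myusername"},
    "sybase": {"sa"},
    "mssql": {"sa"},
}

# Assumed: administrative accounts that cannot simply be locked. For these
# the applicable checklist item is "change the default password".
MUST_REMAIN = {"sys", "system", "sa", "root"}

# Constructed sample export (USERNAME, ACCOUNT_STATUS) in DBA_USERS style.
SAMPLE_ORACLE_LISTING = """\
USERNAME,ACCOUNT_STATUS
SYS,OPEN
SYSTEM,OPEN
DBSNMP,OPEN
INTERNAL,EXPIRED & LOCKED
OUTLN,EXPIRED & LOCKED
APP_OWNER,OPEN
"""


def parse_listing(text):
    """Parse a USERNAME,ACCOUNT_STATUS CSV export into (user, status) pairs."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["USERNAME"].strip(), row["ACCOUNT_STATUS"].strip().upper())
            for row in reader]


def audit_default_accounts(vendor, listing):
    """Return (username, required action) for each vendor default account
    that is still usable. Locked or expired defaults pass; accounts the
    slides do not list as defaults are left to a separate review."""
    defaults = DEFAULT_ACCOUNTS[vendor.lower()]
    findings = []
    for user, status in listing:
        if user.lower() not in defaults:
            continue
        if "LOCKED" in status.upper() or "EXPIRED" in status.upper():
            continue  # already handled per "Lock and Expire Default User Accounts"
        if user.lower() in MUST_REMAIN:
            findings.append((user, "verify default password has been changed"))
        else:
            findings.append((user, "lock and expire"))
    return findings


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_ORACLE_LISTING)
    for user, action in audit_default_accounts("oracle", rows):
        print(f"{user}: {action}")
```

On the sample export the script reports SYS and SYSTEM for a password check and DBSNMP for locking, and is silent on the two accounts that are already expired and locked. Feeding it a listing from a different vendor only requires changing the vendor key, since the comparison is by account name and is case-insensitive.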
10 Steps to Secure SQL Server 2000
AppDetective Compliance Capabilities

       1) Install the most recent service pack
       2) Assess your server’s security with Microsoft Baseline Security Analyzer
          ((We’d suggest AppDetective!!))
       3) Use Windows Authentication Mode
       4) Isolate your server and back it up regularly
       5) Assign a strong password
       6) Limit privilege level of SQL Server Services
       7) Disable SQL Server ports on your firewall
       8) Use the most secure file system
       9) Delete or secure old setup files
       10) Audit connections to SQL Server

Database Security Resources

  SQL Server Security

  Oracle Security
  Database Security alerts
  Database Security Discussion Board

How Do You Secure Apps?

Apply the vulnerability management lifecycle...

  Baseline / Monitor
     Establish “as is” position
     Identify vulnerabilities
     Develop ideal baseline
  Prioritize
     Determine risk and prioritize based on vulnerability data, threat
     data, asset classification
  Shield and Mitigate
     High-priority vulnerabilities
     Establish controls and eliminate root causes
  Maintain
     Baseline compliance
     Vulnerabilities
     Threat environment

Proactive Hardening
Complete Database Vulnerability Assessment

    Database Discovery
    Penetration Testing
    Security Audit
    Reporting
    Remediation: Fix Scripts
    Keep current: ASAP updates protect against latest threats

Real-Time Monitor
Security Alerts + Focused, Granular Monitoring

Who, What and When

 Activity Monitoring & Alerting
     All User Activity and System Changes
     Complex Attacks and Threats
     Misuse and Malicious Behavior
 Configurable Detection
     User Defined Alert Rules
     User Defined Threat Signatures
 Regularly Updated
     ASAP Updates™
 Databases shown: Microsoft SQL Server, Oracle, Sybase, IBM DB2

Security Industry Direction

     More focused and complex attacks
     Blended attacks
     Increased audit and tracking requirements
     Mixed database vendors with fewer resources
        Oracle
        Microsoft SQL Server

AppSecInc Direction
     Products working closer together
     Vulnerability scan feeding IDS monitoring
     Reporting across functions for compliance issues
     Security Change Audit tracking

Contact Info

        Ben Brieger – Northwest Regional Manager
          650-796-4919
        James Bleecker – Senior Systems Engineer
          949-310-4639
