Database Attacks,
How to protect the corporate assets



Presented by: James Bleecker
Agenda

- Introduction
  - Landscape
  - Database Vulnerabilities Are The New Front-Lines
- Attacking Where the Data Resides
  - Planning an Attack
  - Attacking Database Vulnerabilities
- How Do You Protect Your Database?
- What is Application Security Inc.'s direction/vision?

                                                              www.appsecinc.com
Old Data Processing Environment

[Diagram: CICS Controller, Winchester IMS Array, Big Iron, Hyperchannel, Halon, Glass House]

New Data Processing Requirement

Demand for Pervasive Access
- By anyone
- To any application
- Increasingly direct

Increasingly Focused Attacks
- Directly on applications (75%!)
- Including insiders (80+%!)
- As perimeter crumbles

Compliance Requirements
- Info ultimately in DB apps: privacy / confidentiality, integrity
- Compliance must be: repeatable, demonstrable

[Diagram: all three pressures converge on Stored Data]

Typical Network Landscape

[Network diagram]

Database Vulnerabilities

- A decade ago, databases were
  - Physically secure
  - Housed in central data centers, not distributed
  - External access mediated
  - Security issues rarely reported
- Now, databases are externally accessible
  - Suppliers directly connected
  - Customers directly connected
  - Customers and partners directly sharing data

Database Vulnerability Exploitation

- A decade ago, attacks were
  - Broad based
  - Launched by disaffected “Hackers”
  - Intended to disrupt, gain respect / notoriety in the community
- Now, attacks are
  - Targeted against specific resources
  - Launched by sophisticated professionals
  - Intended to bring monetary gain to the attacker
- Data is a valuable resource in your company
  - Value increases with greater integration and aggregation
  - But so does the threat of data theft, modification, or destruction

Databases Are Under Attack

- 106 incidents in 2005
- “Flurry of new data breaches disclosed: More than 190 such incidents have been reported since February 2005”, Jaikumar Vijayan and Todd Weiss, Computerworld, June 19, 2006

We’re not winning!

Recent Incidents

Company/Organization                               # of Affected Customers   Date of Initial Disclosure
Department of Energy’s nuclear weapons                             1,500     22-May-06
Georgetown University                                             41,000     5-Mar-06
Misc retail debit card compromise (OfficeMax?)                   200,000     9-Feb-06
Dept of Agriculture                                              350,000     15-Feb-06
Card Systems                                                  40,000,000     17-Jun-05
Citigroup                                                      3,900,000     6-Jun-05
DSW Shoe Warehouse                                             1,400,000     8-Mar-05
Bank of America                                                1,200,000     25-Feb-05
LexisNexis                                                       310,000     9-Mar-05
Ameritrade                                                       200,000     19-Apr-05
ChoicePoint                                                      145,000     15-Feb-05
Etc, etc, etc.

# of customers affected: ~50,000,000+

Source: Privacy Rights Clearinghouse, http://www.privacyrights.org/ar/ChronDataBreaches.htm

Top 5 Issues in Enterprise Security

- Attackers have gone pro
  - They want personal data they can sell. Personal data such as credit card and social security numbers is relatively easy to monetize.
- Attacks are moving to the source
  - Why pull a single credit card by compromising the network? It's relatively hard with a meager payoff. Instead, take over the corporate database and get them ALL.
- The perimeter provides little defense
  - Insiders don't go through the firewall, so perimeters provide no protection from this growing source of risk.
- Inside the perimeter, enterprises have little-to-no protection
  - Beyond anti-virus, enterprises are only now starting to build a layered defense. For example, how does a largely signature-based security solution protect you from an insider who doesn't need to run an exploit against a system to get access? They've got plenty of privileges already ;-)
- Everyone is watching
  - Everyone is very much clued in to the increased threats against personal data. Any mistakes are likely to be very public.

How Do You Secure Apps?

Key Components of Enterprise Applications

[Diagram]

Vulnerabilities exist within each of these components

Database Vulnerabilities:

- Default & Weak Passwords
- Denial of Service (DoS) & Buffer Overflows
- Misconfigurations & Resource Privilege Management Issues

Database Vulnerabilities:
Default & Weak Passwords

Databases have their own user accounts and passwords

                                  Oracle   MS SQL Server   Sybase   IBM DB2   MySQL
Default & Weak Passwords            x           x            x         x        x

Database Vulnerabilities
Default Passwords

- Oracle Defaults (over 200 of them)
  - User Account: internal / Password: oracle
  - User Account: system / Password: manager
  - User Account: sys / Password: change_on_install
  - User Account: dbsnmp / Password: dbsnmp
- IBM DB2 Defaults
  - User Account: db2admin / Password: db2admin
  - User Account: db2as / Password: ibmdb2
  - User Account: dlfm / Password: ibmdb2

Database Vulnerabilities
Default Passwords

- MySQL Defaults
  - User Account: root / Password: null (blank)
  - User Account: admin / Password: admin
  - User Account: myusername / Password: mypassword
- Sybase Defaults
  - User Account: SA / Password: null (blank)
- Microsoft SQL Server Defaults
  - User Account: SA / Password: null (blank)

Database Vulnerabilities
Weak Passwords

It is important that you have all of the proper safeguards against password crackers because:

- Most databases do not have account lockout, or do not enable it by default
- Database login activity is seldom monitored
- Scripts and tools for exploiting weak identification control mechanisms and default passwords are widely available

Database Vulnerabilities:
Denial of Service (DoS) & Buffer Overflows

Databases have their own DoS’s & buffer overflows

                                  Oracle   MS SQL Server   Sybase   IBM DB2   MySQL
Default & Weak Passwords            x           x            x         x        x
Denial of Service & Buffer          x           x            x         x        x
Overflows

Denial of Service
Databases Have Their Own Class of DoS Attacks

Category of attacks that could result in the database crashing or failing to respond to connect requests or SQL queries.

Significant Database Denial of Service vulnerabilities:
- Oracle8i: NSPTCN data offset DoS
  https://www.appsecinc.com/Policy/PolicyCheck31.html
- Oracle9i: SNMP DoS
  https://www.appsecinc.com/Policy/PolicyCheck45.html
- Microsoft SQL Server: Resolution Service DoS
  https://www.appsecinc.com/Policy/PolicyCheck2066.html
- IBM DB2: Date/Varchar DoS
  https://www.appsecinc.com/Policy/PolicyCheck3014.html

Buffer Overflows
Databases Have Their Own Buffer Overflows

Category of vulnerabilities that could result in an unauthorized user causing the application to perform an action it was never intended to perform.

Most dangerous are those that let an authenticated user execute arbitrary commands: once a low-privileged login can do that, it no longer matters how strongly you’ve set passwords and other authentication features.

Significant Database Buffer Overflows:
- Oracle9i: TZ_OFFSET buffer overflow
- Microsoft SQL Server: pwdencrypt buffer overflow / Resolution Service stack overflow
- Sybase: xp_freedll buffer overflow

Database Vulnerabilities
Misconfigurations & Resource Privilege Management Issues

Misconfigurations can make a database vulnerable

                                  Oracle   MS SQL Server   Sybase   IBM DB2   MySQL
Default & Weak Passwords            x           x            x         x        x
Denial of Service & Buffer          x           x            x         x        x
Overflows
Misconfigurations & Resource        x           x            x         x        x
Privilege Management

Misconfigurations & Resource Privileges
Misconfigurations Can Make a Database Vulnerable

- Oracle
  - External Procedure Service (extproc) enabled
  - Default HTTP applications installed
  - Privilege to execute UTL_FILE granted
- Microsoft SQL Server
  - Standard (mixed-mode) SQL Server authentication allowed
  - Permissions granted on xp_cmdshell and xp_regread
- Sybase
  - Permission granted on xp_cmdshell
- IBM DB2
  - CREATE_NOT_FENCED privilege granted
    - This privilege allows logins to create unfenced stored procedures and functions, which run inside the database engine’s own process
- MySQL
  - Permissions on the user table (mysql.user)

Database Vulnerabilities Wrap-up

                                  Oracle   MS SQL Server   Sybase   IBM DB2   MySQL
Default & Weak Passwords            x           x            x         x        x
Denial of Service & Buffer          x           x            x         x        x
Overflows
Misconfigurations & Resource        x           x            x         x        x
Privilege Management

Planning an Attack

- Create a Map
  - What does the network look like?
- Reconnoiter
  - Collect information about the layout of the target
  - What looks intere$ting?
- Probe, Progress, Plot
  - What can we do?
  - Build the springboard for further activity
  - Plan the strike
- Retreat and Re-attack

How are search engines used for attacks?

- First thing an attacker needs is information
  - Where to attack
  - What a site is vulnerable to
- A search engine is a large repository of information
  - Every web page in your application
  - Every domain on the Internet
- Search engines provide an attacker:
  - Ability to search for attack points on the Internet
  - Ability to search for an attack point in a specific website
  - Ability to look for specific URLs or files
- http://johnny.ihackstuff.com/index.php?module=prodreviews

Example – looking for iSQL*Plus

- Oracle HTTP Servers
  - iSQL*Plus provides a way to run queries on the database using an HTTP form
  - Accessed using the URL /isqlplus
  - By default runs on any Oracle HTTP Server installed with:
    - Oracle Application Server
    - Oracle Database Server
- A search can be performed on Google or Yahoo
  - Looking for Oracle HTTP Servers
  - Using the “allinurl” advanced search feature

Using Google Advanced Search
[Screenshot]

Results of Google Advanced Search
[Screenshot]

Yahoo! Advanced Search Works Too…
[Screenshot]

Connect with default username/password
[Screenshot]

Attacker can execute any query
[Screenshot]

Example – SQL Injection in demo applications

- Oracle HTTP Servers
  - Provided default web applications
  - /demo/sql/jdbc/JDBCQuery.jsp
  - /demo/sql/tag/sample2.jsp
- These contain SQL injection
  - Google search value of “allinurl:JDBCQuery.jsp”

Vulnerable Oracle HTTP Servers
[Screenshot of search results]

Oracle Example

Injected into the form field, with the application supplying the closing quote:

    X' UNION SELECT password FROM dba_users WHERE username='SYSTEM

Password Hash Returned

The injected query’s result comes back in the form’s output field:

    Customer address: EED9B65CCECDB2E9

A hash recovered this way can be compared against the known default-password hashes, e.g. with http://www.pentest.co.uk/sql/check_users.sql

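The attack above in runnable form, as an added example that is not the deck's code: the JDBCQuery.jsp form is stood in for by an in-memory SQLite database, so the same UNION payload can be tried against the string-concatenated query and against the parameterized fix side by side. The table names `customers` and `accounts` are invented stand-ins for the application's table and Oracle's `dba_users`; the SYSTEM hash is the value from the slide, the SCOTT row is made up.

```python
"""UNION-based SQL injection in a lookup form, next to the parameterized fix.

Added example, not code from the deck: the JDBCQuery.jsp demo is stood in for
by an in-memory SQLite database. Table names (customers, accounts) are
invented stand-ins for the application table and Oracle's dba_users; the
payload is the deck's, with those names swapped in.
"""
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed sample data: the table the form is meant to query, plus a
    privileged table the form was never meant to reach. The SYSTEM hash is
    the value shown on the slide; the SCOTT value is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (name TEXT, address TEXT);
        INSERT INTO customers VALUES ('ACME', '1 Main St');
        CREATE TABLE accounts (username TEXT, password TEXT);
        INSERT INTO accounts VALUES ('SYSTEM', 'EED9B65CCECDB2E9');
        INSERT INTO accounts VALUES ('SCOTT', '0123456789ABCDEF');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """String concatenation: a quote in the input closes the literal and the
    rest of the input is parsed as SQL (the demo JSP's mistake)."""
    sql = "SELECT address FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Bind parameter: the input travels as a value, never as syntax, so the
    same payload is just a customer name that matches nothing."""
    sql = "SELECT address FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# The deck's payload shape. The application supplies the closing quote, so the
# injected WHERE clause deliberately ends without one. UNION needs the same
# number of columns as the original SELECT (one here), which is why the probe
# asks for a single column.
PAYLOAD = "X' UNION SELECT password FROM accounts WHERE username='SYSTEM"

if __name__ == "__main__":
    db = build_db()
    print("legit   :", lookup_vulnerable(db, "ACME"))
    print("injected:", lookup_vulnerable(db, PAYLOAD))  # leaks the hash
    print("fixed   :", lookup_safe(db, PAYLOAD))        # []
```

The fix is the bind parameter alone; the demo's input is never "escaped" into the string. Note that even an honest customer name containing an apostrophe breaks the concatenated version, which is a cheap way to spot this class of bug during testing.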
SQL Injection walkthrough (screenshots)

- SQLINJECTION1: the target form at …7778/demo/sql/jdbc/JDBCQuery.jsp
- SQLINJECTION2: sys.database_name
- SQLINJECTION3
- SQLINJECTION4: sys.login_user
- SQLINJECTION5
- SQLINJECTION6: NUMTOYMINTERVAL
- SQLINJECTION7

Hackers Can Find Credit Cards

- Recent posting to security newsgroups
  - To: bugtraq@securityfocus.com  Subject: New google's top query?
  - Instructions on finding credit cards on the Internet
    - Involves using numrange searches in Google
      http://www.google.com/search?q=visa+4356000000000000..435699999999999
    - Can focus in on a single domain
    - Can focus in on a single person
    - “Numrange can be used to specify that results contain numbers in a range you set. You can conduct a numrange search by specifying two numbers, separated by two periods, with no spaces. Be sure to specify a unit of measure or some other indicator of what the number range represents.”

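The defender-side counterpart to the numrange trick, as an added example that is not from the deck: before an attacker's search engine finds card numbers on your pages or in exported data, scan that content yourself. A numrange hit is only a 16-digit number in the right range; the check that separates real card numbers from order IDs and timestamps is the Luhn checksum that every PAN carries. The sample text is constructed and the numbers in it are test values, not real cards.

```python
"""Find card-number-like strings in text and keep only those that pass Luhn.

Added example, not part of the deck. SAMPLE is constructed; the numbers are
published test values (4111..., 5500...) or deliberately invalid.
"""
import re
from typing import List

# 13 to 19 digits, optionally split by single spaces or dashes, not embedded
# in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right,
    fold doubles above 9 back into one digit, sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings in `text` that look like a PAN and pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep BIN (first 6) and last 4, as a report should show it."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample: one order id that merely looks like a card, two test
# PANs, the lower bound of the deck's numrange query (fails Luhn), a phone.
SAMPLE = """
order id 1234567890123456 shipped
visa 4111 1111 1111 1111 exp 12/09
mc 5500000000000004
numrange hit 4356000000000000 (not a valid PAN)
phone 555-0100
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE):
        print(mask(pan))
```

Run it over the HTML your web servers actually serve and over any dump you are about to hand to a partner; the Luhn filter is what keeps the false-positive rate low enough that the report gets read.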
Google Advanced Search Page
[Screenshot]

How Do You Address These Vulnerabilities?

- Stay Patched
  - Stay on top of all the security alerts and bulletins
- Defense in Depth
- Multiple Levels of Security
  - Regularly perform audits and penetration tests on your database
  - Encryption of data-in-motion / data-at-rest / data-in-use
  - Monitor database activity log files
  - Implement application layer intrusion detection
    - Especially if you can’t stay patched!

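Two points from the deck meet here: the Weak Passwords slide (most databases have no account lockout and login activity is seldom monitored) and the advice above to monitor database activity logs. The following added example, not code from the deck, is the minimum a practitioner would run over the database's own failed-login records: it flags a client that fails many times in a short window (password guessing against one account) and, separately, a client that walks through several different account names even slowly (trying the default-password list). The log lines are constructed, modelled on the SQL Server errorlog "Login failed for user" message with its `[CLIENT: ip]` suffix; the regex would be adjusted for Oracle's listener or audit trail.

```python
"""Detect password guessing against a database from its failed-login log.

Added example, not part of the deck. LOG is constructed, modelled on SQL
Server errorlog 'Login failed for user' lines; swap LINE for another engine.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*?\[CLIENT: (?P<client>[\d.]+)\]"
)


def parse(line: str) -> Optional[Tuple[datetime, str, str]]:
    """(timestamp, account, client ip) for a failed-login line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]


def detect(lines, burst_threshold: int = 5,
           burst_window: timedelta = timedelta(seconds=60),
           spray_threshold: int = 3) -> List[Dict]:
    """One alert per offending client.

    'burst': >= burst_threshold failures from one client inside burst_window,
             the pattern of cracking a single account with no lockout.
    'spray': >= spray_threshold distinct account names failed from one client
             over the whole log, the pattern of walking a default-password
             list slowly enough to stay under any rate limit.
    """
    recent = defaultdict(deque)   # client -> failure times inside burst_window
    accounts = defaultdict(set)   # client -> distinct account names tried
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, client = rec
        q = recent[client]
        q.append(ts)
        while ts - q[0] > burst_window:   # q holds ts itself, so never empties
            q.popleft()
        accounts[client].add(user)
        if client in alerted:
            continue
        if len(q) >= burst_threshold:
            reason = "burst"
        elif len(accounts[client]) >= spray_threshold:
            reason = "spray"
        else:
            continue
        alerted.add(client)
        alerts.append({"client": client, "reason": reason, "at": ts,
                       "failures": len(q), "accounts": sorted(accounts[client])})
    return alerts


# Constructed log: 10.1.2.3 hammers 'sa' five times in four seconds;
# 10.9.9.9 tries three default account names five minutes apart;
# 10.5.5.5 is a single typo; the last line is unrelated engine noise.
LOG = """\
2006-06-19 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]
2006-06-19 10:15:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]
2006-06-19 10:15:02.97 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]
2006-06-19 10:15:03.84 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]
2006-06-19 10:15:04.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]
2006-06-19 10:20:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.9.9.9]
2006-06-19 10:25:00.00 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.9.9.9]
2006-06-19 10:30:00.00 Logon       Login failed for user 'db2admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.9.9.9]
2006-06-19 10:40:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.5.5.5]
2006-06-19 10:41:00.00 spid51      Starting up database 'msdb'.
"""

if __name__ == "__main__":
    for a in detect(LOG.splitlines()):
        print(a["at"], a["client"], a["reason"], a["accounts"])
```

The spray rule is the one that matters for the default-credential lists on the earlier slides: one attempt per account never trips a per-account lockout, so the signal has to come from the client side of the log, not from the account side.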
How Do You Address These Vulnerabilities?

- “I’m running auditing, vulnerability assessment, and IDS tools for the network/OS. Am I secure?”
  - NO!!!!
- Databases are extremely complex beasts
- Databases store your most valuable assets
- Significantly more effort securing databases is necessary
  - “If your workstation gets hacked, that’s bad. But if your database gets hacked, you’re out of business.”
    http://www.devx.com/dbzone/Article/11961

Best Practices Provided by Database Vendors & Notable Third Parties

- Oracle
  - Oracle9i Security Checklist
- SANS Institute (SysAdmin, Audit, Network, Security)
  - Oracle Database Checklist
- Microsoft
  - 10 Steps to Secure SQL Server
- SQLSecurity.com
  - SQLSecurity Checklist

Oracle9i Security Checklist
A Security Checklist for Oracle9i

- Install Only What is Required
- Lock and Expire Default User Accounts
- Change Default User Passwords
- Enable Data Dictionary Protection
- Practice Principle of Least Privilege
- Enforce Access Controls Effectively
- Restrict Network Access
- Apply Security Patches and Workarounds

http://otn.oracle.com/deploy/security/oracle9i/index.html

10 Steps to Secure SQL Server 2000
AppDetective Compliance Capabilities

1) Install the most recent service pack
2) Assess your server’s security with Microsoft Baseline Security Analyzer
   ((We’d suggest AppDetective!!))
3) Use Windows Authentication Mode
4) Isolate your server and back it up regularly
5) Assign a strong password
6) Limit privilege level of SQL Server services
7) Disable SQL Server ports on your firewall
8) Use the most secure file system
9) Delete or secure old setup files
10) Audit connections to SQL Server

http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp

Database Security Resources

- SQL Server Security
  - www.SQLSecurity.com
  - www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
- Oracle Security
  - www.sans.org/score/checklists/Oracle_Database_Checklist.doc
  - otn.oracle.com/deploy/security/oracle9i/index.html
- Database Security alerts
  - www.appsecinc.com/resources/mailinglist.html
- Database Security Discussion Board
  - www.appsecinc.com/cgi-bin/ubb/ultimatebb.cgi

How Do You Secure Apps?

Apply the vulnerability management lifecycle...

- Baseline/Discover: establish “as is” position; identify vulnerabilities; develop ideal baseline
- Prioritize: determine risk and prioritize based on vulnerability data, threat data, asset classification
- Shield and Mitigate: address high-priority vulnerabilities; establish controls and eliminate root causes
- Monitor/Maintain: baseline compliance; vulnerabilities; threat environment

[Diagram: the four stages as a cycle]

Proactive Hardening
Complete Database Vulnerability Assessment

- Database Discovery
- Penetration Testing
- Security Audit
- Reporting
- Remediation: Fix Scripts
- Keep current: ASAP updates protect against latest threats

[Lifecycle diagram: Baseline/Discover, Prioritize, Shield and Mitigate, Monitor]

Real-Time Monitor
Security Alerts + Focused, Granular Monitoring

Who, What and When

- Activity Monitoring & Alerting
  - All user activity and system changes
  - Complex attacks and threats
  - Misuse and malicious behavior
- Configurable Detection
  - User-defined alert rules
  - User-defined threat signatures
- Regularly Updated
  - ASAP Updates™

Covers: Microsoft SQL Server, Oracle, Sybase, IBM DB2

[Lifecycle diagram: Baseline/Discover, Prioritize, Shield and Mitigate, Monitor]

Security Industry Direction

- More focused and complex attacks
- Blended attacks
- Increased audit and tracking requirements
- Mixed database vendors with fewer resources
  - Oracle
  - Microsoft SQL Server

AppSecInc Direction

- Products working closer together
- Vulnerability scan feeding IDS monitoring
- Reporting across functions for compliance issues
- Security change audit tracking

[Lifecycle diagram: Baseline/Discover, Prioritize, Shield and Mitigate, Monitor]

Contact Info

- Ben Brieger – Northwest Regional Manager
  - 650-796-4919
  - bbrieger@appsecinc.com
  - www.appsecinc.com
- James Bleecker – Senior Systems Engineer
  - 949-310-4639
  - jbleecker@appsecinc.com
  - www.appsecinc.com

				
Document info: posted 10/17/2008; 56 pages; English.