Headquarters888-732-9406
Security Operations Center 888-732-9407

Database Security Assessment

Joey Peloquin, Director-Application Security

Abstract

Databases are at the heart of almost every company’s computer system – and are also the site of many serious security breaches. Databases are where companies store their most confidential information – from corporate financial data and employee records to Social Security numbers, credit card numbers, and medical information. Databases also often are used as a back-end for applications. While most businesses place a high value on network security and other security measures, database security often is neglected. As a result, databases are particularly vulnerable to fraudulent activity, which can damage companies’ reputations and can destroy customer confidence. Many companies know they need stronger protections, but they may lack the budget to employ full-time database security personnel. A Database Security Assessment from FishNet Security, one of the largest security consulting firm in the nation, offers a cost-effective alternative, providing strategic and technical assessments to vastly improve any organization’s database security posture. Using a three-phase system of detailed information collection, comprehensive vulnerability assessment, and a full vulnerability analysis, FishNet Security offers direct feedback, practical recommendations, and database security solutions – all of which empowers organizations to protect their most confidential information.

The Problem

Databases are a key component in information storage for almost every modern business, from the medical industry to the financial industry to national security – and because they also are part of the underlying structure for many applications, they are a popular target for malicious attacks. A long list of highly publicized data breaches over the past several years highlights the growing threat to database security in general and illustrates the rise of this type of attack. Even the nation’s largest and most powerful companies are vulnerable. Well-known examples include the CardSystems security breach, where hackers stole 263,000 customer credit card numbers and exposed 40 million more, and the TJ Maxx incident in 2005, where 45.7 million credit card numbers reportedly were revealed.

Attackers can exploit vulnerabilities in unprotected databases to create malicious files and libraries, to access database administrator-level privileges, to obtain sensitive data, and to cause disruptions in service. Most companies utilize databases heavily, but few have the specialized security knowledge necessary to effectively assess their security levels and prevent threats from materializing. Traditional security solutions, such as perimeter and intrusion-detection systems (IDS), are insufficient, as they show attacks only after they have occurred. At this point, data may already be lost. Intrusion-prevention systems (IPS) often fail because attacks against the database can be cleverly obfuscated. Database encryption, another common approach that protects data at rest, still may not be effective against privileged users or hackers who hijack application servers to reach back-end databases (such as in SQL injection attacks). Without specific database protection, any security system lacks the important element of layered security that further shields their confidential data. Budgetary restraints may prevent organizations from hiring a full-time database security specialist. Many companies turn to network administrators, who may have a limited understanding of the database platform, to secure their entire solution. Hackers and security vulnerabilities always will threaten IT systems, so it’s essential that database administrators have the right information and a solid strategy to properly secure their databases and to protect their most important data.

Understanding the Solution’s Design and How It Solves the Problem

FishNet Security offers comprehensive database security services that discover and understand the "true" risk to their clients' environments by providing strategic and technical-based assessments that evaluate policies, processes, and controls and that test for vulnerabilities. Because FishNet Security actively recruits many of the nation’s most highly regarded security consultants and database experts (including many former application developers), our team possesses a greater understanding of security issues than many other companies and offers clients a high level of expertise at a fraction of the cost of hiring in-house security personnel.

Our Database Security Assessment consists of a three-phase process for evaluating the strength of database management systems. FishNet Security personnel first gather information to identify weaknesses; next, they utilize the results to test for known issues and to discover any vulnerabilities present; and finally, they provide a vulnerability analysis, which consists of the detailed findings and recommendations needed to secure a company’s database.

Phase 1: Information Gathering

In the Information Gathering phase, FishNet Security obtains information about all scoped servers, including internal domain name system (DNS), Windows information network services (WINS), and remote procedure call (RPC) information. The company also performs a general footprinting of scoped hosts’ network services,and executes various network queries to identify and interrogate all available services.

Phase 2: Vulnerability Discovery

During the Vulnerability Discovery phase, various checks are performed to identify weaknesses within the hosts and database instances (as well as in the host application, if applicable). Results then are analyzed and correlated to uncover application infrastructure vulnerabilities. The company then conducts comprehensive testing, including both automated scanning and manual analysis. This detailed, two-stage approach gives FishNet Security an important
edge in discovering vulnerabilities, as the logical errors and typical usage issues identified through manual checks often are missed in automated scanning. During the first stage, the company conducts automated vulnerability scanning on all devices and services, including network vulnerability scanners, commercial database scanners, and freeware database scanners. The results are then correlated and aggregated, and manual testing begins to evaluate the database, operating system, and application (if applicable) for configuration strength and consistency. For these tests, FishNet uses operating system security configuration checklists, database security configuration checklists, an account management review, user and role configurations within databases, application access privileges and access levels to components, and a manual review of access methods and security controls, including encryption usage and privileged uses.

Phase 3: Vulnerability Analysis

Finally, FishNet Security analyzes the data collected, aggregating and correlating all data to create a deliverable with pertinent information about discovered vulnerabilities. Within this report, direct feedback and recommendations are provided based on testing data, professional experience, analysis, and input from client technical staff. FishNet Security’s reports explain findings from a causality perspective, focusing on the underlying causal flaws that create database weaknesses and add unnecessary risk. Each finding’s technical impact and steps required for remediation are explained.

Conclusion

By providing a comprehensive, three-phase assessment conducted by leading experts in database security, FishNet Security offers its clients a cost-effective approach to protecting their confidentiality. A Database Security Assessment from FishNet Security helps companies meet regulatory compliance requirements; helps prevent unauthorized activities by potential hackers, privileged insiders, and end-users of enterprise applications such as Oracle or EDS; and helps avoid exposure of critical information that can cause costly legal issues, identity theft, fraud, disruptions in sales and service, loss of business opportunities, and damage to a company’s reputation.