Hell of Hackerz
Welcome to HELL OF HACKERZ

Login or Register for connect with us

Because many features only for registered users.

Now enjoy without verification....

Thanks

________________________________________
HELL OF HACKERZ
Administrator
Ady Blaze
www.twitter.com/adyblazecorp
www.adyblaze.com
Top 10 database attacks
Author: Hacker iam (Admin, Lucknow; joined 2010-11-26)
Subject: Top 10 database attacks   Posted 30/05/11, 08:33 pm

Enterprise database infrastructures, which often contain the crown jewels of an organization, are subject to a wide range of attacks. Amichai Schulman, CTO, Imperva, lists the most critical of these, followed by recommendations for mitigating the risk of each.
1. Excessive privileges
When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information. For example, a university administrator whose job requires read-only access to student records may take advantage of excessive update privileges to change grades. The solution to this problem (besides good hiring policies) is query-level access control. Query-level access control restricts privileges to the minimum-required operations and data. Most native database security platforms offer some of these capabilities (triggers, RLS, and so on), but the manual design of these tools makes them impractical in all but the most limited deployments.
2. Privilege abuse
Users may abuse legitimate data access privileges for unauthorized purposes. For example, a user with privileges to view individual patient records via a custom healthcare application client may abuse that privilege to retrieve all patient records via an MS-Excel client. The solution is access control policies that apply not only to what data is accessible, but to how data is accessed. By enforcing policies for time of day, location, application client and volume of data retrieved, it is possible to identify users who are abusing access privileges.
3. Unauthorized privilege elevation
Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges. For example, an attacker might take advantage of a database buffer overflow vulnerability to gain administrative privileges. Privilege elevation exploits can be defeated with a combination of query-level access control and traditional intrusion prevention systems (IPS). Query-level access control can detect a user who suddenly uses an unusual SQL operation, while an IPS can identify a specific documented threat within the operation.
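The query-level access control that items 1 to 3 rely on can be expressed as a policy evaluated against each audited statement. The following Python is an added example (not from the post or from Imperva): a constructed per-role policy of minimum-required operations plus access-pattern checks (approved client application, business hours, volume of rows returned) run over constructed audit records. The role names, hours and thresholds are assumptions.

```python
from datetime import datetime

# Constructed policy (assumption): minimum-required operations and data per role
# (item 1), plus how data may be accessed: approved client, hours, volume (item 2).
POLICY = {
    "registrar": {"ops": {"SELECT"}, "apps": {"StudentRecords"}, "max_rows": 200},
    "clerk":     {"ops": {"SELECT", "INSERT"}, "apps": {"PatientPortal"}, "max_rows": 500},
    "dba":       {"ops": {"SELECT", "INSERT", "UPDATE", "DELETE", "ALTER"},
                  "apps": {"sqlplus", "psql"}, "max_rows": None},
}
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59, an assumption

def evaluate(rec):
    """Return the list of policy violations for one audit record (empty = clean)."""
    pol = POLICY.get(rec["role"])
    if pol is None:
        return [f"unknown role {rec['role']!r}"]
    findings = []
    op = rec["sql"].split(None, 1)[0].upper()          # leading SQL verb
    if op not in pol["ops"]:                            # item 1 / item 3: unusual operation
        findings.append(f"operation {op} not permitted for role {rec['role']}")
    if rec["app"] not in pol["apps"]:                   # item 2: unapproved client
        findings.append(f"unapproved client {rec['app']!r} from {rec['src_ip']}")
    if pol["max_rows"] is not None and rec["rows"] > pol["max_rows"]:
        findings.append(f"bulk retrieval: {rec['rows']} rows > {pol['max_rows']}")
    hour = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S").hour
    if hour not in BUSINESS_HOURS:                      # item 2: time of day
        findings.append(f"outside business hours ({hour:02d}:00)")
    return findings

# Constructed audit records; the client name, source IP and row count are the
# granular fields that item 6 says native DBMS auditing rarely captures.
AUDIT = [
    {"id": 1, "time": "2011-05-30 10:15:00", "user": "jsmith", "role": "clerk",
     "app": "PatientPortal", "src_ip": "10.0.5.21", "rows": 1,
     "sql": "SELECT * FROM patients WHERE id = 4411"},
    {"id": 2, "time": "2011-05-30 10:17:00", "user": "jsmith", "role": "clerk",
     "app": "Excel", "src_ip": "10.0.5.21", "rows": 48210,
     "sql": "SELECT * FROM patients"},
    {"id": 3, "time": "2011-05-30 14:02:00", "user": "admin2", "role": "registrar",
     "app": "StudentRecords", "src_ip": "10.0.7.8", "rows": 1,
     "sql": "UPDATE grades SET grade = 'A' WHERE student_id = 17"},
    {"id": 4, "time": "2011-05-31 03:40:00", "user": "jsmith", "role": "clerk",
     "app": "PatientPortal", "src_ip": "10.0.5.21", "rows": 0,
     "sql": "ALTER TABLE patients ADD COLUMN note TEXT"},
]

def report(records=AUDIT):
    """Map each record id to its findings; records 2, 3 and 4 mirror items 2, 1 and 3."""
    return {r["id"]: evaluate(r) for r in records}
```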
4. Platform vulnerabilities
Vulnerabilities in underlying operating systems may lead to unauthorized data access and corruption. For example, the Blaster worm took advantage of a Windows 2000 vulnerability to take down target servers. IPS tools are a good way to identify and/or block attacks designed to exploit known database platform vulnerabilities.
5. SQL injection
SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database. Query-level access control detects unauthorized queries injected via web applications and/or stored procedures.
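To make the mechanism concrete, here is an added example (not part of the post) in Python with the standard-library sqlite3 module: a login lookup that splices user input into the SQL text beside the parameterized form that keeps the input as data. The table, rows and credentials are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows (assumption, not from the original post).
_SEED = [
    ("alice", "pw-alice", "clerk"),
    ("bob", "pw-bob", "dba"),
]

def make_db():
    """In-memory users table populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", _SEED)
    return conn

def login_vulnerable(conn, name, password):
    """The defect item 5 describes: input becomes part of the SQL text, so a
    quote in the input can close the string literal and change the query's
    structure instead of just supplying a value."""
    sql = (f"SELECT name, role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, name, password):
    """Hardened form: placeholders are bound after the statement is parsed, so
    the same input is compared literally and cannot add conditions."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()

def demo():
    """Run both forms against the textbook tautology input and a real password."""
    conn = make_db()
    crafted = "x' OR '1'='1"   # widely cited test string; matches every row when spliced
    return {
        "vulnerable": sorted(login_vulnerable(conn, "alice", crafted)),
        "parameterized": login_parameterized(conn, "alice", crafted),
        "legit": login_parameterized(conn, "alice", "pw-alice"),
    }
```

The vulnerable form returns both rows because the spliced condition becomes `... AND password = 'x' OR '1'='1'`, while the parameterized form returns nothing for the same input.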
6. Weak audit
Weak audit policy and technology represent risks in terms of compliance, deterrence, detection, forensics and recovery. Unfortunately, native database management system (DBMS) audit capabilities result in unacceptable performance degradation and are vulnerable to privilege-related attacks -- i.e. developers or database administrators (DBAs) can turn off auditing. Most DBMS audit solutions also lack necessary granularity. For example, DBMS products rarely log what application was used to access the database, the source IP addresses and failed queries. Network-based audit appliances are a good solution. Such appliances should have no impact on database performance, operate independently of all users and offer granular data collection.
7. Denial of service
Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked. DoS prevention should occur at multiple layers including the network, applications and databases. Database-related recommendations include deploying an IPS and connection rate controls. Connection rate controls can prevent individual users from consuming database server resources by rapidly opening a large number of connections.
8. Database protocol vulnerabilities
Vulnerabilities in database protocols may allow unauthorized data access, corruption or loss of availability. For example, the SQL Slammer worm took advantage of a Microsoft SQL Server protocol vulnerability to execute attack code on target database servers. Protocol attacks can be defeated by parsing and validating SQL communications to make sure they are not malformed.
9. Weak authentication
Weak authentication schemes allow attackers to assume the identity of legitimate database users. Specific attack strategies include brute force attacks, social engineering, and so on. Implementation of passwords or two-factor authentication is a must. For scalability and ease-of-use, authentication mechanisms should be integrated with enterprise directory/user management infrastructures.
10. Exposure of backup data
Some recent high profile attacks have involved theft of database backup tapes and hard disks. All backups should be encrypted. In fact, some vendors have suggested that future DBMS products may not support the creation of unencrypted backups. Encryption of online production database information is a poor substitute for granular privilege controls.