This article can also be found in the Premium Editorial Download "Information Security magazine: What are botnets and how can you prepare for them?"
Database security products promise an extra measure of security for your most valuable assets. Are they worth the price?
The crown jewels are at risk: intellectual property, customer ID information and financial records encased in corporate databases. If they're vulnerable, so are your company's finances and reputation. And regulatory compliance failure, triggered by a serious breach or audit that reveals lax database security, can bring heavy fines and/or jail time.
Perimeter defenses alone, such as firewalls, IPSes and Web app shields, can't ensure security in the face of Web-based attacks that exploit myriad database configuration vulnerabilities and insecure front-end Web code.
Your best strategy against these attacks is to harden their target: Properly configured databases will stand strong against most attacks. Moreover, the landscape is changing. Industry database leaders Oracle and Microsoft are beefing up security in new versions of 10g and SQL Server, respectively, which are better configured out of the box than their predecessors and have much easier native encryption options.
But, database security doesn't end with your initial configuration. Ongoing vigilance is required because even good DBAs make mistakes and malicious or ill-informed users alter configurations. Regular vulnerability scanning and testing, and continuous monitoring for unauthorized change will help keep your databases hardened against attacks.
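The "continuous monitoring for unauthorized change" the paragraph calls for is, at its simplest, a comparison of the current security-relevant settings against a recorded baseline. The script below is an added example, not code from the article or from any product it names. It assumes the settings have already been exported from the server into a name-to-value mapping (for instance from an Oracle V$PARAMETER query); the parameter names are real Oracle initialization parameters, but the baseline and "current" values are constructed for the example.

```python
"""Configuration-drift check for a database's security-relevant settings.

Added example; assumes settings arrive as a flat dict exported from the server.
"""
import hashlib
import json

# Constructed baseline: the approved, hardened state recorded after the
# initial configuration review. Parameter names are Oracle ones; the values
# are the policy this example enforces, not a vendor recommendation.
BASELINE = {
    "remote_login_passwordfile": "EXCLUSIVE",
    "remote_os_authent": "FALSE",
    "audit_trail": "DB",
    "os_authent_prefix": "",
    "sql92_security": "TRUE",
}

# Constructed "current" export: two settings have been loosened since the
# baseline was taken and one parameter has been introduced.
CURRENT = {
    "remote_login_passwordfile": "EXCLUSIVE",
    "remote_os_authent": "TRUE",
    "audit_trail": "NONE",
    "os_authent_prefix": "",
    "sql92_security": "TRUE",
    "o7_dictionary_accessibility": "TRUE",
}


def fingerprint(settings):
    """SHA-256 over a canonical (sorted, compact) JSON form of the settings.

    Comparing two fingerprints is a cheap first test for drift; the order in
    which parameters were exported does not affect the result.
    """
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_settings(baseline, current):
    """Return (changed, added, removed) relative to the baseline.

    changed maps a parameter to (baseline_value, current_value); added holds
    parameters that are new since the baseline; removed holds ones that have
    disappeared. Any non-empty result is an unauthorized change until a
    reviewer re-baselines.
    """
    changed = {
        name: (baseline[name], current[name])
        for name in baseline
        if name in current and baseline[name] != current[name]
    }
    added = {name: current[name] for name in current if name not in baseline}
    removed = {name: baseline[name] for name in baseline if name not in current}
    return changed, added, removed


def drift_report(baseline, current):
    """Human-readable summary lines; empty list means no drift."""
    if fingerprint(baseline) == fingerprint(current):
        return []
    changed, added, removed = diff_settings(baseline, current)
    lines = [f"CHANGED {n}: {old!r} -> {new!r}" for n, (old, new) in changed.items()]
    lines += [f"ADDED   {n}: {v!r}" for n, v in added.items()]
    lines += [f"REMOVED {n}: was {v!r}" for n, v in removed.items()]
    return lines


if __name__ == "__main__":
    for line in drift_report(BASELINE, CURRENT):
        print(line)
```

Run on a schedule, a non-empty report is the alert; the fingerprint alone can be logged cheaply every run and the full diff computed only when it changes.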
Database Vulnerability Scanning
If you're in charge of security, chances are you don't have direct, high-privilege access to the database; you need to secure it from the outside. As with network VA, you have two general options: scanners and penetration testing.
Network scanners, like open-source Nessus and eEye Digital Security's Retina Network Security Scanner, may tell you if your database patches are up to date, but they won't find database-specific vulnerabilities, such as sloppy configurations that leave you open to deep SQL manipulation, injection or directory traversal attacks.
To do that, you'll have to turn to one of the handful of database VA scanners, or to professional pen testers who specialize in attacking databases.
Database-specific vulnerability assessment tools take a much more granular look at the database's configuration and the vulnerabilities associated with poor configurations than network VA scanners.
U.K.-based Next Generation Security Software's flagship database scanner, NGSSquirrel, has database-specific versions for SQL Server, Oracle and DB2, as well as DominoScan II for Lotus Domino. Each includes specific checks that target insecure configurations, patch levels, default user accounts, underlying platform vulnerabilities and even some Web-based interface vulnerabilities.
Application Security's AppDetective includes modules for Oracle, SQL Server, DB2, Sybase, Lotus Domino and MySQL. AppDetective performs application discovery, tests that identify database-specific vulnerabilities and configuration-related audits. Application Security also offers a console product, AppSecIncConsole, to manage its suite of security products.
Safety-Lab's Shadow Database Scanner is an open-source, ActiveX-based tool that allows programmers direct access to modify its functionality. As an open-source product, its advantage over commercial products is that it enables security consultants and admins alike to easily customize the tool for target environments. The downside is the lack of technical support.
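The checks these scanners run (patch level, default accounts, insecure server options) are individually simple; their value is in the database-specific policy behind them. The script below is an added example of that kind of audit, not code from the article or from NGSSquirrel, AppDetective or Shadow Database Scanner. It assumes the inventory has already been pulled from a SQL Server host (build number, login list, a few sp_configure options) and evaluates it against a small policy. The login names, option names and the layout of the build number are real SQL Server conventions; the inventory values and the build floor in MIN_BUILD are constructed placeholders you would replace with your own patch baseline.

```python
"""Database-specific configuration audit against a small policy.

Added example; assumes the inventory dict was exported from the server.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    check: str      # which check fired
    detail: str


# Constructed inventory shaped like what a scanner pulls from a SQL Server host.
INVENTORY = {
    "product": "SQL Server",
    "build": (8, 0, 534),
    "logins": [
        {"name": "sa",      "enabled": True, "blank_password": True},
        {"name": "guest",   "enabled": True, "blank_password": False},
        {"name": "appuser", "enabled": True, "blank_password": False},
    ],
    "options": {"xp_cmdshell": 1, "c2 audit mode": 0, "remote access": 1},
}

# Policy. MIN_BUILD is a placeholder for your patch baseline; DEFAULT_LOGINS
# and OPTION_POLICY use real SQL Server names with the values this example
# requires (expected value, severity if it differs).
MIN_BUILD = (8, 0, 760)
DEFAULT_LOGINS = {"sa", "guest"}
OPTION_POLICY = {
    "xp_cmdshell": (0, "high"),
    "c2 audit mode": (1, "low"),
    "remote access": (0, "medium"),
}


def fmt_build(build):
    return ".".join(str(part) for part in build)


def check_patch_level(inv, min_build=MIN_BUILD):
    """Tuple comparison handles major/minor/build ordering correctly."""
    if inv["build"] < min_build:
        return [Finding("high", "patch_level",
                        f"build {fmt_build(inv['build'])} is below baseline {fmt_build(min_build)}")]
    return []


def check_logins(inv):
    """Flag empty passwords and enabled well-known default logins."""
    findings = []
    for login in inv["logins"]:
        if login["blank_password"]:
            findings.append(Finding("high", "blank_password",
                                    f"login '{login['name']}' has an empty password"))
        if login["name"].lower() in DEFAULT_LOGINS and login["enabled"]:
            findings.append(Finding("medium", "default_login",
                                    f"default login '{login['name']}' is enabled"))
    return findings


def check_options(inv):
    """Compare each policed server option to its required value."""
    findings = []
    for name, (expected, severity) in OPTION_POLICY.items():
        actual = inv["options"].get(name)
        if actual != expected:
            findings.append(Finding(severity, "option",
                                    f"'{name}' is {actual}, policy requires {expected}"))
    return findings


def audit(inv):
    """All findings, most severe first (sort is stable, so check order is kept)."""
    findings = check_patch_level(inv) + check_logins(inv) + check_options(inv)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f.severity.upper():6}] {f.check}: {f.detail}")
```

A real scanner differs mainly in breadth (hundreds of checks per platform) and in how it collects the inventory; the policy-versus-inventory shape stays the same, which is also what makes these results easy to feed into the drift monitoring described earlier.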
This was first published in March 2005