Database security undermined by protocol loopholes, lax defenses

By Robert Westervelt, News Editor
06 Mar 2007 | SearchSecurity.com


ARLINGTON, Va. -- A security expert is warning database administrators about a continued loophole in database communication protocols that would allow an attacker to bypass access controls and gain access to critical files.

In his presentation to attendees at the recent Black Hat DC training conference, Amichai Shulman, chief technology officer and founder of Foster City, Calif.-based database-monitoring vendor Imperva Inc., explained that the client-server protocols, which are used to exchange data and commands between client software and database servers over TCP/IP, are ripe for attack.

The method can be used to victimize nearly all brands of database servers, including IBM's DB2, Oracle Corp.'s database and Microsoft's SQL Server. The loopholes allow an attacker to manipulate structured information and work below the radar of the database's built-in mechanisms, Shulman said.

"Using very simple changes to network messages you can deliver SQL queries to the database server bypassing any access control in the database server," Shulman said.
Podcast: Amichai Shulman, Security Wire Weekly, Mar. 5, 2007. In this special edition of Security Wire Weekly from the Black Hat DC Conference, database security expert Amichai Shulman explains why attackers are targeting communication protocols to gain access to critical files. Shulman, chief technology officer and founder of Imperva, calls the threat serious and also gives mitigation steps to defend against it.

The protocol vulnerabilities that Shulman noted currently pose only an internal network threat, but he added that researchers are investigating ways to exploit the flaws remotely through SQL injection.

"This is a new threat because we're only starting to look at these protocols. For years, they were not scrutinized by researchers," Shulman said.

The threat can be mitigated reactively by ensuring database management systems have up-to-date patches, or by installing a database security gateway, he said. While Shulman represents a vendor that sells database security gateways, analysts agree that the threat is serious enough to warrant additional security.

In his presentation, Shulman illustrated the flaw using Oracle's database server, showing that an attacker can bypass access controls with a simple text editor on a client machine. He said Oracle has released a patch.

"People are finally becoming aware that you cannot rely on built-in database mechanisms," he said. "You need a defense line in front of your database server."

Database security gateway market heats up

Noel Yuhanna, a senior industry analyst at Cambridge, Mass.-based Forrester Research Inc., said enterprises are taking the threat very seriously. The market for database security gateways has been steadily growing, with a number of small startups selling the products, he said.

In addition to Imperva, Waltham, Mass.-based Guardium Inc. sells gateways and currently has more than 250 customers, Yuhanna said. Maynard, Mass.-based Tizor Systems is another startup in the space. There are signs that larger security and network vendors may follow, Yuhanna said. Cisco Systems Inc. has a stake in Guardium, and security giant Symantec Corp. got into the business last year.

"All private data in an organization is stored in a database and even if that organization has the best firewall, it's not good enough," Yuhanna said. "You need to do intelligent monitoring to prevent attackers from breaking in."

Yuhanna estimates that about 75% of database intrusions are internal, making gaps in database monitoring a logical priority to address. He said automated tools that monitor database server queries are a good fit for DBAs because they let them monitor employee database usage without the task becoming burdensome.

"DBAs are spending less than 7% of their time on security," Yuhanna said. "They don't have the time; they're doing upgrades, migrations and tuning, so security is a lower priority and that's why there's a need for automated solutions."
