Black Hat 2011: Database threats and mitigationsDate: Aug 04, 2011
In this video from Black Hat 2011 security conference in Las Vegas, Josh Shaul, CTO of Application Security Inc. talks about the plight of DBAs to bolster database security while under constant pressure to maintain uptime and performance. Databases have come under increased attacks in recent months from hacktivist groups and cybercriminals using more sophisticated automated tools, he said. Shaul explains why database discovery and classification is important in understanding the organization's risk profile and ultimately to apply the appropriate security technologies.
Read the full transcript from this video below:
Black Hat 2011: Database threats and mitigations
Rob Westervelt: All right, so we're here with Josh Shaul. He's the Chief Technology Officer of application security. Thanks for taking the time out.
Josh Shaul: My pleasure Rob, good seeing you.
Rob Westervelt: Let's talk about database security. Very general question here, but are DBAs getting any better at patching their databases?
Josh Shaul: Database patching is still a huge challenge. So I don't think they're really getting any better. I think they're starting they're starting to a little more aware though of the security issues that are out there, and I see some organizations starting to put new roles in place like security DBA, and that's pretty encouraging. But the operational issues continue to be operational issues and getting data bases patched is tough.
Rob Westervelt: We've been talking about this for years, right? Patching has always been an issue.
Josh Shaul: It's been an issue forever. Folks are so nervous about their applications that those databases are hosting that the fear of that application stopping to work after a patch is just tremendous.
Rob Westervelt: Can you give some examples of some common database vulnerabilities that attackers target? Some really common ones.
Josh Shaul: We see attackers taking advantage of access to the database left and right. Sequel injection is probably the most common database attack that we see. We hear about it left and right, we're starting to see some denial of service attacks on databases. Recently we saw some announcement from Walsac that they had built a new tool, I think it was Anonymous, they built a new tool to attack databases with denial of service attacks exploiting some database vulnerabilities, so we're seeing an uptake there as well.
Rob Westervelt: You mentioned Walsac, and of course Anonymous as well has been in the news. We've also seen a lot of high profile breaches. Some of it could be attributed to these two activist groups, some of it maybe not. Can you describe the threat landscape as it pertains to the database?
Josh Shaul: Sure, the database tends to be the vaults where all the valuable data is stored for an enterprise. So that's the target, and the threats are out there are folks trying to steal data. So they're really going out trying to find their way into the database and ex-filtrate what's there. There's two real broad classes of threats today. There's the act/hackivist kind of threat, the nuisance type of threat you can call it. LulzSec and Anonymous just trying to make folks look bad and steal simple data that's out there. Then there's the more persistent more advanced threat. We saw that big announcement from McAfee about this operation Shady Rat with 70 or 80 companies have been hacked over the past couple of years. That's serious valuable data that's been ex-filtrated there. I think 13 defense contractors were involved, and that's the scary threat, that's the deep stuff. Where folks are spending years trying to break in, find their way to the data and then steal that most valuable data. So organizations are facing this kind of mixed threat of the simple annoying nuisance kind of stuff from Anonymous and LulzSec, and then behind that there's a much more nefarious threat from the real criminals.
Rob Westervelt: What about the layered approach? It seems like databases have plenty of security layers between the database and the internet, right?
Josh Shaul: I wish it was that simple. There certainly are security layers on the network, but it's so common that folks just don't protect the database. When you've got a situation where you've got a web application, internet facing, talking to a database on the backside, and folks are able to use that web application to directly interact with the database. There's no more layers of security there in a typical model. Folks are talking directly to the database. So there's firewalls and intrusion detection systems and antivirus that's out there tends to be all bypassed on the attacks that we're seeing.
Rob Westervelt: So I know this is going to vary with whatever database you're using and most organizations are using different databases, but I was hoping you could address maybe some common configuration issues, or some ways to reduce the threat by maybe turning off certain things with the database or making some configuration changes?
Josh Shaul: Complexity is always the enemy of security, and databases are shipped very complex out of the box. They tend to have every feature turned on, every option installed and most of that stuff never get's used. So the basic thing is to just reduce the surface area of the database. Reduce the attack surface. If, for example, you're never going to use Oracle spacial features that help you calculate differences between two geographical points, then you should probably remove the spacial features from the database. And that's an area where we've seen a bunch of vulnerabilities in functionality that majority of folks don't end up using. And it's not different from the other database platforms. So that default configuration of everything turned on, and everything accessible, that's really a big issue that's out there.
Rob Westervelt: This your first Black Hat?
Josh Shaul: This is my first Black Hat.
Rob Westervelt: You've been in the security industry for some time. What is it about this year you've finally decided to come out, what do you think of Black Hat thus far?
Josh Shaul: It's pretty exciting and I sort of feel bad for not having have come in the past. I think it's been more personal, I get in a lot of trouble in Las Vegas sometimes. But this is a pretty cool conference with an amazing amount of talent out here.
Rob Westervelt: There is a talk here at Black Hat, I think David Leechfield is giving a talk on database security. I'm sure he's got some vulnerabilities up his sleeve that he found. As a DBA, how close do you pay attention to this database security research? Do they have time to actually keep track of all the vulnerabilities that may come across in the news, or what have you?
Josh Shaul: They don't unfortunately. DBA role has changed over the years and now we see more an more databases supported by each and every DBA. Their job is to keep those databases running and running fast. It's rarely to keep those databases secure, so the emergence of this new database security DBA role is really valuable. But your typical DBA isn't thinking about security at all. They're thinking about performance, they're thinking about up time, and I don't think that's going to change.
Rob Westervelt: Everything relates to each for the up time and that's why we've always had the patching issues. Your firm does database discovery, and I'm hoping you can kind of shed some light on what your customers actually find when they run that initial discovery of their systems to find databases?
Josh Shaul: Shock and awe is the typical response. I like to say that organizations think they have 30 to 60% less databases than they actually have, but it's not uncommon for us to find 10 or 20 times more databases than an organization thinks they had. Even security conscious organizations. So not that long ago, we were working with a branch of the military and doing some discovery on one of their networks where they thought they had 6 databases and we found 38 databases on that network segment. Honestly it's not that unusual.
Rob Westervelt: The other area that you guys do is database classification. I'm hoping you can kind of give us an idea of why it's so important to classify your database? Don't most organizations do that already, or no?
Josh Shaul: It's really important to understand the business value of your systems. You can't really secure what you don't know about, and if you've got sensitive data that's sort of floating around that you don't know where it is, you're not going to put the right protections in place. You'd think organizations would know where their sensitive data is, and they certainly know where their mainframes are and their CRM systems, and some of the key apps. But that data moves around a lot for testing purposes, for developing purposes, you really see that data start to proliferate throughout the organization and it's easy to lose track of where it is. So it's important for organizations to go through and carefully classify the data in all their systems, so that they can apply the right security of those systems, or even better yet. Get rid of the sensitive data that doesn't need to be there.
Rob Westervelt: Let's talk about the cloud briefly and cloud based services. Is that changing the way databases are accessed and in turn the way they need to be secured?
Josh Shaul: Not yet, but it certainly will, but it certainly will. So we're starting to see a lot of organizations moving to cloud in a lot of different ways. Moving software applications to the cloud. Moving their data centers to the cloud, but most of what were seeing today is traditional databases just being run externally in a cloud based environment. And they're really secured the same way. But we're seeing the emergence of this new database as a service concept. Like Microsoft with their SQL Digiore and SalesForce with their Database.com. Amazon with their relational database service. That's really going to change the way people access and use their data. It's going to change the model that people use to protect their databases. That's your early phase, so we're looking at how that model and market evolves, and how they can put the right security controls in place so that they can enable that market to be successful. Until there's security there, it's going to be very hard for folks to trust moving their databases to these new type of cloud platforms.
Rob Westervelt: It's really still evolving. Mobile is also an area we hear so much about. Is there anything there in terms of database? Does that also affect database security or is it kind of periphery?
Josh Shaul: Right now it's on the periphery. I mean, certainly a mobile device is an entry point onto the corporate network that lets somebody get to the inside, and get at those databases, and I think that's sort of important. We're also seeing databases as a service, vendors offering models where mobile devices can connect directly to the database and get richer applications as a result of it. So I think we'll see some interesting evolution there, but honestly right now I think mobile is a lot of hype. We're talking about protecting this every growing perimeter, and not focusing on protecting the data that people are trying to steal from them, and I think that's a huge mistake.
Rob Westervelt: Before we let you go any kind of next generation security technologies that are out there in terms of the database, or is it all pretty much fundamental technology that have been around for quite some time? Is there anything you're looking at, anything you're interested in?
Josh Shaul: The technology definitely continues to evolve, so beyond the basics of vulnerability assessment and database monitoring, we're starting to see database intrusion prevention systems get really realistic and capable, to be able to stop attacks. Data leakage prevention hitting the database, so actually stopping exfiltration of sensitive data out of those systems. I think that's really exciting and can make a big difference. We're also seeing identity management systems actually getting tied into databases in a meaningful way. Which should really make it easier to track who's doing what, look at where data is going, make sure authorized users are doing authorized stuff and I think that's going to make a difference as well. So the technology continues to evolve, but the market, really the industry needs to start catching up and doing the basics, before they can really take advantage of some of this new cutting edge kind of stuff that vendors such as Application Security are putting out into the market.
Rob Westervelt: Well Josh, thanks very much, and enjoy the show.
Josh Shaul: My pleasure Rob, thank you.