Top 10 Common Database Security Issues
Monday July 21, 2014
The database typically contains the crown jewels of any environment; it usually holds the most business-sensitive information, which is why it is a high-priority target for any attacker. The purpose of this post is to create awareness among database administrators and security managers of some of the areas on which it is important to focus when implementing a new database or hardening the security of an existing one.
One of the activities of the @NCCGroupInfosec team is to perform security reviews on clients’ systems, looking for any configuration or lack of hardening that may put the system at risk.
NCC Group conducted an analysis of 20 database build review reports to discover which security holes are most commonly overlooked by system administrators.
The chart below shows the top 10 issues that were discovered most frequently during our assessments.
- Excessive permissions: 50 per cent of the databases assessed were found to have users configured with excessive permissions. While a selection of the databases had a large number of accounts with the DBA role assigned, the majority of cases showed that user accounts contained default privileges or were granted roles that had access to functionality that was unnecessary.
- Weak passwords: 45 per cent of databases were found to have users with either weak or default passwords. Weak credentials are a problem for every organisation. Systems which do not enforce a strong password policy can easily be compromised. A weak password policy is also an indication that other systems inside the network might have weak credentials, which expands the attack surface for an attacker. These passwords may be easily guessed or brute forced and may allow an attacker privileged access to the database. This issue also featured in the Top 10 Windows Server Security Misconfigurations, coming in at number four.
- Missing Patches: 35 per cent of the databases assessed were missing security updates or were running old versions of the software. The interesting thing here is that the majority of these systems were lacking patches which are more than a year old. This raises the question: is this the fault of owners and administrators finding it too difficult to apply the relevant patches, or of the organisations in question having an inappropriate patch-management policy? Either way, the fact that over a third of databases are missing these patches is extremely worrying. This issue also featured in the Top 10 Windows Server Security Misconfigurations, coming in at number one.
- Poorly configured logging/auditing: 35 per cent of the databases were not correctly configured for logging or auditing. This is a feature that all databases have in order to track and audit events such as data modifications and access. Not tracking events such as account creation and access or modification to sensitive data on a production system can make it more difficult to discover what has happened if a breach occurs. While this issue is generally considered low-risk, it is still important to include auditing when building a database. This issue also featured in the Top 10 Windows Server Security Misconfigurations, coming in at number two.
- Default Account Name: 30 per cent of databases were found to contain default accounts. As part of a defence in depth strategy it is always recommended that default accounts are renamed and locked where possible, as they can be used as the target of a brute-force or password guessing attack.
- Excessive stored procedures: 25 per cent of databases were found to have an excessive number of potentially dangerous stored procedures, including those that can run system commands or access files on the underlying operating system. This issue is considered to present a risk to the security posture of a database as stored procedures effectively increase the functionality available which could be leveraged to launch attacks against the underlying operating system of the host and even against other hosts on the network.
- SSL Not Enabled: 20 per cent of databases accepted connections over clear text channels. If an attacker has access to the network and is able to sniff the network traffic, then the confidentiality and integrity of this transmission could be affected.
- Blank passwords allowed: 15 per cent of databases were configured to allow blank passwords. This is similar to the weak password issue; however, none of the databases were actually found to have an account configured with a blank password.
- Duplicate passwords: 15 per cent of databases had users configured with duplicate passwords. This generally indicates that a single default password is used on account creation, or that users have not been educated on how to create a strong password or, in the worst case, have never changed their password.
- Primary Account Number in clear text: Five per cent of databases were found to contain Primary Account Numbers (PANs) in clear text which is a breach of PCI. All sensitive information should be stored in an encrypted format within the database.
These were the most common findings that we discovered in our recent database assessments. The difficulty with a lot of these issues is that they generally take quite a while to assess: checking the permissions for each user on the database, or trawling through all data to see if it contains credit card numbers, is very time intensive. This is why NCC Group recommend using our Squirrel range of software products (squirrel vulnerability scanner).
Squirrel not only checks for these issues and more but can also provide one click fixes and comprehensive vulnerability reporting.
Of course, if you don’t have the skills or time to run such a tool, you can engage NCC Group consultants to do so on your behalf.
Written by:  David Spencer