How can you ensure that your database security is adequately maintained?
We offer assurance that your databases are continually protected.
- Full range of software to offer security assurance for six types of database.
- Scan any size of network.
- Contains special checks for compliance templates.
- Manage risk on an on-going basis with minimal effort.
NCC SQuirreL Suite
NCC Group’s extensive experience and expertise within the IT security services industry combines our knowledge from respective divisions to develop and deliver the most powerful vulnerability assessment scanner available for database servers.
NCC SQuirreL supports the following RDBMSs: Microsoft SQL Server, Oracle, MySQL, IBM DB2, IBM Informix and Sybase ASE.
- One click fix - fixes vulnerabilities by generating lockdown scripts.
- Multiple reporting formats (Text, RTF, HTML and XML).
- Flexibility - multiple audit levels with an option to change the configuration of all checks performed.
- Checks for unencrypted sensitive information such as credit card and Social Security numbers.
- Comparative reporting (confirmation of fixed issues and alerts on new threats).
SQuirreL versions are available for Microsoft SQL Server, Oracle, MySQL, IBM Informix, IBM DB2 and Sybase ASE. These vulnerability assessment scanners set the standard for relational database infrastructures and have been developed with the help of the highly experienced NCC Group research team. More than simply scanners, some SQuirreL versions provide the capability to audit password quality, rectify identified threats and manage users and roles as well as system and object privileges.
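The check for unencrypted sensitive information listed above (card numbers and Social Security numbers sitting in plaintext columns) can be illustrated with a small data-discovery scan. This is an added example, not NCC Group or SQuirreL code: it walks every table and column of an in-memory SQLite database built from constructed sample rows, validates card-number candidates with the Luhn checksum and SSN candidates with the SSA's structural rules (so order numbers and placeholders are not reported), and masks every hit so the report itself does not become a second copy of the data. The table and row contents are constructed; the same scan loop applies to any DB-API connection once the catalogue queries are replaced with the target RDBMS's own.

```python
"""Locate unencrypted card numbers (PANs) and US Social Security numbers
stored in plaintext across every table and column of a database.

Added example, not NCC Group or SQuirreL code. Sample rows are constructed."""
import re
import sqlite3

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# glued to further digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, fold >9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digit runs that look like card numbers and pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    """AAA-GG-SSSS values that satisfy the SSA's structural rules."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = (int(x) for x in m.groups())
        if area in (0, 666) or area >= 900 or group == 0 or serial == 0:
            continue  # never issued: drops obvious placeholders
        hits.append(m.group(0))
    return hits


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last few characters so the report is not itself a leak."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_database(conn: sqlite3.Connection) -> list[dict]:
    """Walk every user table and column; one finding per sensitive value."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            rows = conn.execute(f'SELECT rowid, "{column}" FROM "{table}"')
            for rowid, value in rows:
                if value is None:
                    continue
                text = str(value)
                for pan in find_pans(text):
                    findings.append({"table": table, "column": column,
                                     "rowid": rowid, "kind": "PAN",
                                     "value": mask(pan)})
                for ssn in find_ssns(text):
                    findings.append({"table": table, "column": column,
                                     "rowid": rowid, "kind": "SSN",
                                     "value": mask(ssn)})
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: one Luhn-valid test PAN, one well-formed SSN,
    a 13-digit order reference that fails Luhn, an SSN-shaped placeholder
    with an invalid area number, and a tokenised card reference."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (name TEXT, notes TEXT, tax_id TEXT);
        CREATE TABLE orders (ref TEXT, card TEXT);
        INSERT INTO customers VALUES ('Ann Example', 'called about invoice', '123-45-6789');
        INSERT INTO customers VALUES ('Bob Example', 'placeholder 000-12-3456', NULL);
        INSERT INTO orders VALUES ('ORD-1234567890123', '4111 1111 1111 1111');
        INSERT INTO orders VALUES ('ORD-2', 'tok_visa_4242');
    """)
    return conn


if __name__ == "__main__":
    for finding in scan_database(build_sample_db()):
        print(finding)
```

Run against the sample database it reports exactly two findings: the PAN in `orders.card` and the SSN in `customers.tax_id`; the order reference, the `000-` placeholder and the token are all rejected by the validation steps rather than by the regular expressions alone.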
How do you check your database for vulnerabilities?
Auditor is an enterprise-class database vulnerability scanner, suitable for finding vulnerabilities in many of the most widely used databases.
Auditor uses a distributed architecture based upon a repository, scan engine, scheduler and management console. The repository (on a SQL Server database) stores the settings, results, reports and schedules for each scan together with the relevant system configuration data. All data contained within the repository is encrypted.
The scan engines can be placed in discrete database segments (such as the DMZ) allowing security auditing from any point in the enterprise. Each scan engine runs vulnerability checks for each of the hosts and stores these results in a designated repository. Hosts that are to be scanned can be specified by the user, or the scan engine can perform host discovery based upon a range of IP addresses.
Auditor can produce trend analysis and a wide selection of compliance auditing reports, including PCI, SOX, HIPAA, GLBA, FISMA, CIS Benchmarks (SQL Server and Oracle) and the NSA Benchmark for SQL Server.
- Distributed architecture
- Supported RDBMS systems to scan:
- MSSQL 7/2000/2005/2008/2012/2014
- Oracle 8i/9i/10g/11g/12c
- DB2 V7x/8x/9x/10x
- Sybase ASE (SAP) all versions up to and including V15.7
- MySQL 4.1/5.0/5.1/5.5/5.6/5.7
- Informix IDS 9x/10x/11x/12x
- Encryption of data within the repository
- Multiple distributed scanning engines
- Scan Engines can be added as required to support growth
- Lights-out automated operation via built-in scheduling engine
- Role-based access (Admin, Reporting, Scheduling etc.)
- Highly configurable policy-based scanning hierarchy:
- Grouping of systems to be scanned by:
- Database type (Oracle/ DB2/ MySQL etc.)
- System location (e.g. London, U.K., Europe, Dallas, U.S. etc.)
- Client (for Service Providers)
- Secondary grouping per client (for device type etc.)
- Ad-hoc grouping as required by client
- Powerful reporting engine with separate reporting aimed at all the following:
- Executive Management, Mid-Level Management
- Security Management, Technical Security Staff
- Trend analysis via comparative reporting
- Built-in compliance auditing covering:
- Payment Card Industry (PCI)
- Sarbanes-Oxley Act (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- National Institute of Standards and Technology (NIST SP 800-53)
- Defense Information Systems Agency (DISA) - MSSQL & Oracle
- Center for Internet Security (CIS)
- Framework for Improving Critical Infrastructure Cybersecurity (FICIC)
- International Organisation for Standardisation (ISO 27001)
- Multiple report formats (TXT, RTF, HTML, XML, External Database)
- Built-in risk dashboard and results analyser reporting tools
Do you want full control of the security issues surrounding your online applications and front-end servers?
OraScan performs robust, in-depth security vulnerability audits, seeking out potential problem areas like SQL injection, cross-site scripting and poor web server configuration in Oracle web applications.
OraScan can also be deployed to audit the configuration of IAS web servers, ensuring that the web application portion of your database software architecture is free of any security weaknesses.
- Flexible web server auditing:
- Oracle web applications on Oracle Internet application servers
- Oracle web applications on any other web application servers
- Complete automated auditing:
- Front-end server security and online applications security
- Configuration audits:
- Ensures that no security holes exist within the base software
- Includes PL/SQL, JSP, SQLJSP and XSQL
- Advanced spidering capability:
- Derives the structure of an Oracle web application and tests each functional component
- Includes checks for all site links and referenced scripts
- Multiple reporting formats (TXT, RTF, HTML, XML & External Database)
- Fast, easy to use & highly configurable
- In-depth vulnerability audits uncovering threats such as:
- SQL injection
- Cross site scripting
- Poor web server configuration
- New checks added in August 2011 include:
- Over 200 new default DADs (Database Access Descriptors)
- Many new default directories and files
- 12 vulnerable PL/SQL packages
Domino Scan II
Do you know how exposed your Lotus Domino web servers are?
Domino Scan II vulnerability scanner is able to discover vulnerabilities on servers that may otherwise have remained hidden using other conventional vulnerability scanning software. It will undoubtedly help you guard against a variety of digital threats and maintain a strong defence posture.
Domino Scan II can be quickly configured to perform a detailed range of highly focused scanning activities, and deployed as part of a focused auditing process.
In order to ascertain your risk exposure, Domino Scan II uses a rigorous methodology to interrogate every view, form and agent within a database, even if ACL access protection has been invoked. It then performs an exhaustive range of tests on each document, auditing over a hundred sensitive and default databases and subjecting all documents to a vigorous set of vulnerability assessment checks. By using its intelligent spidering technology it performs deep-level database enumeration.
- Supports Domino versions R6 to R8 inclusive
- Attempts to gain access to over 100 sensitive/default databases:
- Web Administrator template access using ReplicaID
- Web Administrator template access using buffer truncation
- cache.dsk access using buffer truncation
- Directory traversal
- Database browsing
- Audits bespoke databases & Notes applications
- Unique database structure enumeration technology:
- Finds hidden & visible views, forms & agents
- Bypasses ACL protection
- Default navigator access:
- Attempts to bypass default navigator protection
- Evaluates database design:
- Checks every document for edit access
- Attempts a forced search
- ReadEntries & ReadViewEntries access
- Multiple reporting formats (TXT, RTF, HTML, XML & External Database)
- Fast, easy to use & highly configurable
- Can perform focused audits
- Unique spidering capability offering intelligent script & link scanning
- Ability to scan with or without credentials
- Ability to perform QuickHit Audit
- Vulnerability link to CVE
SQLCrack Password Utility
How strong are your passwords?
Weak passwords can render even the most secure systems vulnerable, but with SQLCrack you can guard against weak passwords that make your network susceptible to attack.
This clever database password cracking utility for Microsoft SQL Server, Oracle, MySQL, Postgres and Sybase ASE will identify user accounts with weak passwords so they can be reset with stronger ones, thus protecting the overall integrity of your database infrastructure.
- Contains multiple phases each with built-in presets:
- Customised options are available as well as:
- Common names
- Keyboard patterns
- CVC patterns
- Dictionary attack
- Brute force
- Phase variations can be increased by using:
- Password hashes can be manually added or retrieved from the database
- Note: Only DB admin and local admin accounts can access password hashes
- Supported RDBMS versions:
- MS SQL Server 7/2000/2005/2008/2012/2014
- Oracle 8i/9i/10g/11g/12c
- Sybase ASE 15.x
- Password hashes can be pasted from query analyser
- Password hashes can now be imported from MySQL and Postgres database architectures for analysis
- Passwords can now be hidden at user's request
- Password strength meter for quick password strength review
- Correct SQL for retrieving hashes from instances named "MSSQLServer"
- Cost effective - requiring minimal time and labour to use
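The audit phases listed above (common names, keyboard patterns, CVC patterns, dictionary words and brute force) describe the ways a password can be weak. The following is an added example, not NCC Group or SQLCrack code, that applies those same categories as a strength meter to a plaintext password at set or reset time, which is where a defender wants the verdict. It works on plaintext only, not on stored hashes; the word lists are tiny constructed stand-ins for real dictionaries, and the 40-bit brute-force threshold is an assumption chosen for illustration.

```python
"""Classify why a password is weak using the categories SQLCrack audits:
common names, keyboard patterns, CVC (consonant-vowel-consonant) patterns,
dictionary words and brute-force reach.

Added example, not NCC Group or SQLCrack code; word lists are constructed."""
import math
import re

COMMON_NAMES = {"james", "john", "mary", "michael", "sarah", "david"}
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "admin"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Pronounceable syllables: consonant, vowel, optional consonant, repeated.
CVC_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou][bcdfghjklmnpqrstvwxyz]?)+$")
# Common digit/symbol substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
BRUTE_FORCE_BITS = 40   # assumed threshold: below this, exhaustive search is cheap


def normalise(pw: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols, undo leet-speak."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def is_keyboard_pattern(pw: str) -> bool:
    """True when the password runs along one keyboard row in either direction."""
    s = pw.lower()
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force keyspace implied by length and character classes."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33   # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0


def audit_password(pw: str) -> dict:
    """Return the weakness categories that apply, the keyspace and a verdict."""
    core = normalise(pw)
    findings = []
    if core in COMMON_NAMES:
        findings.append("common name")
    if is_keyboard_pattern(pw):
        findings.append("keyboard pattern")
    if core in DICTIONARY:
        findings.append("dictionary word")
    elif core and CVC_RE.match(core):
        findings.append("CVC pattern")
    bits = keyspace_bits(pw)
    if bits < BRUTE_FORCE_BITS:
        findings.append("brute force")
    if findings:
        verdict = "weak"
    elif bits < 60:
        verdict = "moderate"
    else:
        verdict = "strong"
    return {"findings": findings, "bits": round(bits, 1), "verdict": verdict}


def weak_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each account whose password is weak to the categories that apply."""
    return {user: audit_password(pw)["findings"]
            for user, pw in accounts.items()
            if audit_password(pw)["verdict"] == "weak"}


if __name__ == "__main__":
    # Constructed sample accounts, not real credentials.
    sample = {"sa": "p4ssw0rd", "report_ro": "qwerty", "app_svc": "Tr0ub4dor&3"}
    for user, why in weak_accounts(sample).items():
        print(f"{user}: {', '.join(why)}")
```

Note that the leet-speak normalisation is what lets `p4ssw0rd` land in the dictionary phase, and that a long mixed-class password with no recognisable pattern is the only kind that reaches the strong verdict; padding a dictionary word with a year, as in `Summer2014`, still fails.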
Typhon Network Scanner
Can the process of identifying and fixing infrastructure and web application vulnerabilities ever be an exact science?
Typhon is a standalone, low-cost network and server vulnerability scanner that is trusted internationally by both large enterprises and SMBs. It can efficiently and non-intrusively run live scans of your network. Typhon is continuously updated with the latest known threats, such as the recent Heartbleed bug.
Typhon allows users to audit and manage their exposure across an unlimited IP range and/or selected target IPs as frequently as they need. It runs checks for all known vulnerabilities, identifying and reporting weaknesses in patch levels, configuration and industry compliance, and offers remediation advice and links to fixes.
Typhon also offers our clients free software support from our experienced developers.
- Outside In (non-credentialed) or Inside Out (credentialed) scans
- Audit using Windows or SSH credentials.
- Scan without credentials following a port scan.
- Automatically generate reports after completing a scan
- Run scans on a daily, weekly or monthly schedule.
- TCP protocol discovery identifies nearly 100 different protocols.
- HTML-format compliance reports for the regulatory standards listed below
- Compare two sets of scan results to highlight new, fixed and persisting vulnerabilities
- Integrated web spidering capability offering intelligent script & link scanning
- Scans every script and referenced link on every page
- SQL Injection and Cross Site Scripting (XSS) checks in web forms
- Multiple vulnerability report formats (TXT, RTF, PDF, HTML, XML & External Database)
- SOX, HIPAA, GLBA, FISMA, ISO 27001(2013), PCI DSS 3.0 and SANS Top 20
- Trend analysis via comparative reports.
- Lockdown scripts for Windows registry issues (one click fix)
- Internal database of ~10,000 checks
- Patch checking – covers vulnerabilities in over 250 software products
- Searchable by CVE identifiers
- All severities based on the Common Vulnerability Scoring System (CVSS)
- External data sources
- Downloads and uses patch checking schemas from Microsoft and Oracle
- Easy to use with scan wizard and intuitive User Interface
- Lease License model supports unlimited IP addresses
- Per engagement or per project licenses supported
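Comparative reporting appears three times on this page: SQuirreL's confirmation of fixed issues and alerts on new threats, Auditor's trend analysis via comparative reporting, and Typhon's comparison of two scan result sets into new, fixed and persisting vulnerabilities. The example below is an added illustration of that comparison, not NCC Group, SQuirreL, Auditor or Typhon code. Findings are keyed on (host, check id), so the same issue on two hosts counts twice, and a severity-weighted score gives the trend figure. The check identifiers, hosts, titles and severity weights are all constructed placeholders for whatever a scanner actually emits (for instance a CVE identifier and a CVSS band).

```python
"""Compare two sets of scan results: report new, fixed and persisting
findings and a severity-weighted trend figure.

Added example, not NCC Group code. All sample findings are constructed."""
from dataclasses import dataclass

# Assumed weights per CVSS band; any monotonic mapping works for trending.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str       # scanned database host or instance
    check_id: str   # stable scanner check identifier (constructed here)
    severity: str   # critical / high / medium / low
    title: str

    @property
    def key(self) -> tuple[str, str]:
        """Identity of a finding across scans: same check on the same host."""
        return (self.host, self.check_id)


def compare_scans(baseline: list[Finding], current: list[Finding]) -> dict:
    """Split the current scan against the baseline into new/fixed/persisting."""
    base = {f.key: f for f in baseline}
    cur = {f.key: f for f in current}
    return {
        "new": [cur[k] for k in sorted(cur.keys() - base.keys())],
        "fixed": [base[k] for k in sorted(base.keys() - cur.keys())],
        "persisting": [cur[k] for k in sorted(cur.keys() & base.keys())],
    }


def risk_score(findings: list[Finding]) -> int:
    """Sum of severity weights; unknown bands count zero rather than crash."""
    return sum(SEVERITY_WEIGHT.get(f.severity, 0) for f in findings)


def trend(baseline: list[Finding], current: list[Finding]) -> dict:
    """Risk score before and after, plus the change (negative is improvement)."""
    before, after = risk_score(baseline), risk_score(current)
    return {"baseline": before, "current": after, "delta": after - before}


def format_report(diff: dict, tr: dict) -> str:
    """Plain-text comparative report, one section per bucket."""
    lines = [f"Risk score: {tr['baseline']} -> {tr['current']} ({tr['delta']:+d})"]
    for bucket in ("new", "fixed", "persisting"):
        lines.append(f"\n{bucket.upper()} ({len(diff[bucket])})")
        for f in diff[bucket]:
            lines.append(f"  [{f.severity:<8}] {f.host} {f.check_id}: {f.title}")
    return "\n".join(lines)


# Constructed sample scans: one issue fixed, one new, two unchanged.
BASELINE = [
    Finding("db-prod-01", "CHK-001", "high", "sa account has a blank password"),
    Finding("db-prod-01", "CHK-002", "medium", "xp_cmdshell enabled"),
    Finding("db-prod-02", "CHK-003", "low", "Verbose error messages returned to clients"),
]
CURRENT = [
    Finding("db-prod-01", "CHK-002", "medium", "xp_cmdshell enabled"),
    Finding("db-prod-02", "CHK-003", "low", "Verbose error messages returned to clients"),
    Finding("db-prod-02", "CHK-004", "critical", "Engine not at current patch level"),
]

if __name__ == "__main__":
    print(format_report(compare_scans(BASELINE, CURRENT), trend(BASELINE, CURRENT)))
```

Because identity is (host, check id), renaming a host makes every finding on it appear as fixed on the old name and new on the new name; a production comparison should key on a stable asset identifier from the repository rather than the hostname alone.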