securityCORNER
Database Security in Linux Environments: Standards & Practices
Richard C. Batka
LINUX+DVD 1/2010

The database in the information technology world is really akin to the vault in the old school banking world. It's where the cash is.

Database Security: Databases are where organizations are storing their crown jewels, their most important information, whether it be their intellectual property, or customer information, healthcare information, banking or credit card information. Data has become the heart of the business. The database is *THE* place where data lives 99 percent of its life. So it only makes sense to secure that data repository the same way the banks secure the vault. The big heavy door protecting the little compartments inside and the security guards are layers to really protect the inner core – where the money is.

Fact
43 percent of databases contain critical/sensitive data.

Consolidation & Clustering
There is a radical shift going on in the market and it's being driven by the database vendors. It's a move towards database consolidation, clustering technologies, multi-application, and multi-tenant environments. What you will find is that these vendors are going into the market saying: run bigger, more powerful databases, and do more with them. In doing that, according to the prevailing logic, you're going to use less computing power and you will save a ton of money – because 1 system can host multiple applications. (Yes my friends, performance will be a topic for another article.)

So the world becomes one big happy Oracle database running on a Linux cluster that can serve 4 or 5 different applications instead of having 4 or 5 different separately administered databases. What about Software as a Service (cloud computing models)? Now some companies are offering up application and even database access as a service. Those databases have become multi-tenant structures where a bunch of different companies are all storing their data in a shared database (take the SaaS model for example).

Database Security in Linux Environments is Changing
Other changes are taking place; we are seeing a change that is being driven not only by the cloud model, but
by the multi-tenant nature that you see inside the cloud. Take a look at an internal cloud situation in a large organization; it probably doesn't change very much. But if you're a company selling cloud services, or a global organization that is a consumer of them, you will find applications storing data from lots of different customers in one place.

Example
Salesforce.com customer data sits in a database with a whole bunch of other companies' customer data and it's all being served up by the Salesforce application. Security requirements on that system (and by the way, they use Linux) are much more stringent because the cost of a breach isn't just one customer's data, but the data from a number of different customers (outside), and they know that makes them very attractive to attackers.

Fact
84 percent of organizations feel that their database security is adequate.

Attackers have a lot more to go after when you have these big repositories, either because they are clusters or because they are multi-tenant databases, so it's a more interesting target with a more valuable reward. As the target becomes more interesting, obviously the security requirements need to get more stringent in order to protect that target.

Fact
Most organizations will experience more than 1 breach every 12 months.

As a database user, I become a potential attacker trying to get access to the other tenants' data in a system, because chances are my competitor's information is on the same system, because they are consumers of the same service that I am.

We Need the Security Requirements to Become More Stringent
You're not just trying to protect against some hacker sitting in a dorm room making an internet connection to the database; you're dealing with your legitimate customer: the inside user trying to abuse the access you have given them inside the system to get access to other people's data. There you see the tie-in very clearly between the database application and the operating system that runs it.

Attack the db to Attack the o/s to Attack the db?
We all know that Linux is the premier choice for a secure operating system platform, but that reputation causes people to take a relaxed stance when addressing security. The environment also changes when you drop your favorite database on top of that operating system. The majority of today's
Figure 1. Circle red raw
databases are so complicated and intricate that it's almost like running another operating system entirely. Vulnerabilities in the database expose the underlying operating system (regardless of vendor), as do the misconfigurations in the database, all of which can turn back around and expose the database.

Example
Functionality in the database that lets a database user read and write operating system files directly in Oracle (a default privilege granted to everyone) is called the PRIVILEGE TO EXECUTE UTL_FILE. It lets you read/write files in the operating system through the database, so if I can do that as a user I can now do other stuff, like open up the database backup file and pull out (copy) all the other data (raw data file format). Then import it into my local instance of the database, which will let me see all the other tenants' data.

As an owner of data you should become more concerned about the safety of your data when you store it in a multi-tenant situation. Be on the lookout for competitive business situations where you can potentially have all your competitors storing their information in the same database as well.

Example
What if you're a credit card processor and you are processing transactions for competing merchants? Think of all those restrictions, those controls that your customers are going to want to have to keep their data segregated from one another. Look to deploy very stringent policy wherever possible. Remember, it's everyone's business at risk. The big credit card breaches that we have seen over the last year or two, the Heartland Payment Systems, TJX, DSW Shoes – all of them were apparently done by the same group of people using the same attack vectors.

Tip
SQL injection attacks happen when an application constructs SQL statements directly from user input, or when the application uses stored procedures to connect to the cluster. People frequently think that the use of SSL or IPSec will protect them (they are just looking at the wrong layer of the OSI model). Popular countermeasures are:

• Constraining user input
• Parameterized SQL for data access
• Least privileged account to access the database
• Type-safe SQL in combination with dynamic SQL
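The Tip lists its countermeasures in the abstract. The following is an added example, not code from the article or from any product it mentions, that shows the first two side by side in Python against an in-memory sqlite3 table of constructed multi-tenant rows: a query built by string concatenation, the same query with the value bound as a parameter, and an allow-list check on the input before it is bound. The table, the tenant names and the hostile input are all constructed for the demonstration; the binding idea is the same with any database driver.

```python
import sqlite3


def build_db():
    """Constructed sample data: one table shared by several tenants, the
    multi-tenant situation the article describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (tenant TEXT, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [("acme", "Alice", "1111"), ("acme", "Bob", "2222"),
         ("globex", "Carol", "3333"), ("initech", "Dave", "4444")],
    )
    return conn


def lookup_vulnerable(conn, tenant):
    """The pattern the Tip warns about: the SQL statement is constructed
    directly from user input, so the input can change the statement."""
    sql = "SELECT tenant, name FROM customer WHERE tenant = '" + tenant + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, tenant):
    """Parameterized SQL: the input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT tenant, name FROM customer WHERE tenant = ?", (tenant,)
    ).fetchall()


def lookup_constrained(conn, tenant):
    """Constrain the input first (allow-list: short alphanumeric id), then bind it.
    Two of the Tip's countermeasures layered together."""
    if not tenant.isalnum() or len(tenant) > 32:
        raise ValueError("tenant id must be 1-32 alphanumeric characters")
    return lookup_parameterized(conn, tenant)


if __name__ == "__main__":
    conn = build_db()
    # Constructed hostile input: closes the quote and appends a tautology.
    hostile = "acme' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(conn, hostile))      # every tenant's rows
    print("parameterized:", lookup_parameterized(conn, hostile))   # [] : no tenant has that literal id
    try:
        lookup_constrained(conn, hostile)
    except ValueError as err:
        print("constrained  :", err)
```

The vulnerable function returns all four rows for the hostile input, the parameterized one returns none because the whole string is compared as a tenant id, and the constrained one rejects it before any query runs. The "least privileged account" countermeasure is not shown because sqlite3 has no account model; with a server database the connection in these functions would use an account limited to SELECT on the tables the application actually needs.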
What you will see is that the SQL injection attack method will continue to be used, and will be used to inject vulnerabilities in applications to directly interact with the database in order to leverage database misconfigurations and vulnerabilities; to directly interact with the operating system underneath the database, and then leverage that operating system access to install things like sniffer software that could monitor the network and watch actual credit card transactions being validated by credit card providers on the network. That goes from an attack where you're hitting a web application and maybe could deface an application to you hitting the database.

It's here that you can gain access to customer information like credit card numbers and names that you could use to make fraudulent purchases. Even attacks where you pick up the actual credit card validation traffic, where now you have all the information that you need to print fake credit cards, which is really the ultra scary situation.

Warning
It's the chain of vulnerabilities that gets to the core operating system that was actually secure in the beginning, but all bets are off when you start attacking it as the database user (which is a privileged operating system user on most systems). It's important to pay careful attention to what folks are doing with

Figure 2. Alert
Figure 3. Dashboard
their database, since it becomes a matter of the weakest link regardless of the operating system platform.

Fact
SQL Injection is a simple attack method and continues to be devastatingly effective.

From the attacker perspective there really is no good reason to move beyond it until it ceases to be such a successful attack vector. The severity of this situation is only multiplied as the popularity of virtualization/multi-tenant architectures continues to grow.

Fact
The Heartland Payment Systems (Princeton, N.J.-based provider of credit and debit card processing services) 2008/2009 data breach displaced TJX Companies' January 2007 breach in the record books as the largest ever breach, with over 100 million cards being compromised.

The SQL injection attack is so effective because there are millions of web applications loaded with vulnerabilities, and people are just not fixing them. From a systems perspective, these risks are so critical because they exist right at the location where the data is being stored. That is where database security really comes into focus.

Database Standards & Practices
Today's Linux security practitioner, tasked with the security of the most valuable corporate assets, should take a lifecycle approach.

Step One: Discover
Before you can secure anything, you need to know what you have. A detailed inventory of your database environment is key. Keep in mind that the environment is constantly changing, so this part will need to be done continuously to keep up with the changes in a dynamic environment – particularly if you are in a heavily virtualized environment.

Step Two: Classify
Classify your databases. Ok, so you found an Oracle database, that's cool, but what does that mean? What is it holding? Is it the roster of the company softball team? Or is it the database that handles my cash transactions? Or the next place that I'm going to drill for oil? Classify the databases by business value. It's a critical step in the lifecycle to really help you focus on what's important.

Step Three: Assess – 3 pillar approach

First Pillar: Vulnerabilities
Does your database have vulnerabilities that can really expose you? Vulnerabilities to look out for are ones like:

• Denial of service attacks, where someone can stop the database from running or responding to queries,
• Buffer overflow vulnerabilities, where someone can take control of the database server and take all the data,
• Privilege escalation vulnerabilities, where a user can either get access to data that they shouldn't have access to or, in more extreme cases, give themselves the ability to make themselves the system administrator and take ownership of the database and all the data in it,
• Weak passwords.

Second Pillar: Configuration
Looking at the database from a configuration standpoint: make sure that the security features in the database are turned on and set up properly. Many people are unaware of the fact that today's databases are jam packed with security features that are frequently overlooked. Very often the database vendors ship their products with a fairly wide open and insecure configuration by default, which forces administrators to turn on the security settings. Having a policy/approach to how you're going to secure your database, and then going out and measuring your databases against that policy, ensures they are configured properly and securely – if it's critical. If you don't have those security settings turned on, you're leaving yourself open to attacks.

Third Pillar: Entitlement Review
Who has access to what? Who can really see the critical data in the database and how did they get that access?

Fact
Privilege models in today's databases have grown in complexity.

It's very difficult to look at a database and actually know who can see the data. Are there conflicting privileges in the database?

Example
The privilege to add a new check to the queue for processing and the privilege to delete those checks from the register. It's very plausible that someone can write/process checks and then delete them afterwards, making it easy to steal money – take time to look at those entitlements in the database at a detailed level. This is a key pillar of database assessment.

That assessment is going to give you a bunch of findings. So you're going to find some vulnerabilities that you will need to fix. You're going to find some configuration settings that will need to change. You're going to find some access controls that are too loose and need to be

Figure 4. PolicyEditor
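As an added example (my own code, not the article's and not any vendor tool's), the following Python script applies the second and third pillars to a constructed snapshot of one database: it measures security settings against a stated policy, resolves nested roles to find each user's effective privileges together with the grant path that produced them (answering "how did they get that access?"), flags a dangerous grant to PUBLIC (the UTL_FILE situation from the earlier example), and detects the check-queue/check-register segregation-of-duties conflict described above. The policy, the setting names, the role, user and privilege names, the severities and the grant data are all assumptions constructed for the demonstration; the setting names are modelled loosely on Oracle parameters and are not any vendor's actual list.

```python
from collections import deque

# Assumed policy: setting -> required value (names are illustrative, not a vendor's list).
POLICY = {
    "audit_trail": "DB",
    "remote_os_authent": "FALSE",
    "sec_max_failed_login_attempts": "10",
    "password_lifetime_days": "90",
}
# Constructed: what the database is actually running.
ACTUAL_SETTINGS = {
    "audit_trail": "NONE",
    "remote_os_authent": "FALSE",
    "sec_max_failed_login_attempts": "UNLIMITED",
    "password_lifetime_days": "90",
}
# Constructed grants: grantee -> privileges; "ROLE:X" means membership of role X.
GRANTS = {
    "PUBLIC":      {"EXECUTE UTL_FILE"},                 # default grant to everyone
    "CHECK_CLERK": {"INSERT CHECK_QUEUE"},
    "CHECK_ADMIN": {"ROLE:CHECK_CLERK", "DELETE CHECK_REGISTER"},
    "alice":       {"ROLE:CHECK_ADMIN"},                 # conflict reached through two roles
    "bob":         {"ROLE:CHECK_CLERK"},                 # no conflict
    "carol":       {"INSERT CHECK_QUEUE", "DELETE CHECK_REGISTER"},  # conflict granted directly
}
USERS = ["alice", "bob", "carol"]
# The article's example pair: add a check to the queue / delete it from the register.
SOD_CONFLICTS = [("INSERT CHECK_QUEUE", "DELETE CHECK_REGISTER")]
# Privileges that should never reach everyone: file-system access through the database.
PUBLIC_MUST_NOT_HAVE = {"EXECUTE UTL_FILE"}


def effective_privileges(grants, user):
    """Resolve nested roles breadth-first and return {privilege: grant path},
    so the review shows not just who can, but how they got the access."""
    effective = {}
    queue = deque([(user, [user])])
    seen = {user}
    while queue:
        grantee, path = queue.popleft()
        for priv in sorted(grants.get(grantee, ())):
            if priv.startswith("ROLE:"):
                role = priv[len("ROLE:"):]
                if role not in seen:           # 'seen' also stops role cycles
                    seen.add(role)
                    queue.append((role, path + [role]))
            elif priv not in effective:
                effective[priv] = " -> ".join(path + [priv])
    for priv in grants.get("PUBLIC", ()):      # PUBLIC grants reach every user
        effective.setdefault(priv, "PUBLIC -> " + priv)
    return effective


def check_configuration(policy, settings):
    """Second pillar: measure the actual settings against the policy."""
    return [
        {"pillar": "configuration", "severity": 3, "subject": name,
         "detail": f"expected {wanted}, found {settings.get(name)}"}
        for name, wanted in policy.items()
        if settings.get(name) != wanted
    ]


def check_entitlements(grants, users):
    """Third pillar: dangerous PUBLIC grants and segregation-of-duties conflicts."""
    findings = []
    for priv in sorted(PUBLIC_MUST_NOT_HAVE & grants.get("PUBLIC", set())):
        findings.append({"pillar": "entitlement", "severity": 4, "subject": "PUBLIC",
                         "detail": f"{priv} granted to everyone"})
    for user in users:
        eff = effective_privileges(grants, user)
        for a, b in SOD_CONFLICTS:
            if a in eff and b in eff:
                findings.append({"pillar": "entitlement", "severity": 5, "subject": user,
                                 "detail": f"{eff[a]} conflicts with {eff[b]}"})
    return findings


def assess(policy, settings, grants, users):
    """Run both pillars and return the combined list of findings."""
    return check_configuration(policy, settings) + check_entitlements(grants, users)


if __name__ == "__main__":
    for f in assess(POLICY, ACTUAL_SETTINGS, GRANTS, USERS):
        print(f"[{f['pillar']}] sev {f['severity']} {f['subject']}: {f['detail']}")
```

Against the constructed snapshot this reports two settings that drift from policy, the UTL_FILE grant to PUBLIC, and the conflicting pair for alice (reached through CHECK_ADMIN and CHECK_CLERK) and carol (granted directly), while bob is clean. The grant path in each entitlement finding is what makes the finding actionable: it tells you which grant to revoke.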
tightened up. Now you need to prioritize the tasks, which leads us to our next step.

Step Four: Prioritize
You know the value of each of the databases (since you went through and classified them); you know the vulnerabilities and the misconfigurations that you have. Now, based on the risk posed by those vulnerabilities, those misconfigurations, those inappropriate access controls, combined with the business value of the database (you should apply weights/values to everything), build a priority list of what you need to fix first. This will lead you to think about some interesting math to calculate total net new exposure cost (a topic I will cover in another article).

Step Five: Fix it
Let's be honest – for many reasons, technical and not so technical, you're not going to be able to fix everything. Did someone say the political layer? (OSI model layer 8.) Many careers have been damaged due to arguments about this phase. People have needlessly argued about remediation and approaches to wide scale/automated patch management with little thought as to reason, purpose or extenuating circumstances. Truth is that in many cases, it will simply be because an application doesn't support the latest patch or some unreasonable change will be required to do so, and you can't button up that privilege escalation vulnerability.

Fact
The nature of remediation is changing and it's only a small part of the picture.

Fact
Organizations operating with an unstructured remediation policy have learned that this phase takes the most time and costs the most money. It is a leading contributor to the erosion of 5x9's (availability) in high demand environments.

Step Six: Compensating Control
Once you fix what you can, you need to monitor what you can't.

• Monitor for someone exploiting the vulnerability that you can't apply the patch to.
• Monitor somebody taking advantage of granted access in a case where you can't revoke it.
• Monitor those things that the security features in the database would prevent from happening.
• Monitor for people making things happen.

You have segregation of duties violations that you can't get yourself out of – everyone has at least one. The database administrator, a back office employee who can see and modify any front office data in the database: you need to monitor what they are doing to make sure they are not abusing the access they've been given.

It's a continuous cycle because the database environment is changing. The vulnerabilities that are out there (and that are known) are constantly changing. The threat vectors are changing all the time, so we need to constantly be cycling through this lifecycle in a continuous way to ensure that we always manage risk and keep it to a minimal level, in addition to being compliant with the regulatory environment that is wrapped around so many of these databases (just take a look at PCI DSS, Sarbanes-Oxley, DISA-STIG, FISMA, and MITS for example).
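An added example, not from the article or any product it mentions, tying Steps Four, Five and Six together in Python. A constructed set of findings from the assessment, each tagged with the business value of its database and whether it can actually be fixed, is ranked with an assumed weighting (business value times severity; this is not the exposure-cost math the author defers to another article), and each finding that cannot be fixed gets a compensating monitoring rule that is evaluated over constructed audit log lines. Database names, account names, the log line format, the severities and the approved-user lists are all assumptions.

```python
import re

# Step Two output (constructed): business value on an assumed 1-5 scale.
BUSINESS_VALUE = {"payroll": 5, "softball_roster": 1}

# Step Three output (constructed); 'fixable' records the Step Five reality.
FINDINGS = [
    {"db": "payroll", "id": "F1", "severity": 4, "fixable": False,
     "detail": "EXECUTE UTL_FILE granted to PUBLIC; the application depends on it"},
    {"db": "payroll", "id": "F2", "severity": 5, "fixable": False,
     "detail": "DBA account can read/modify FRONT_OFFICE tables"},
    {"db": "payroll", "id": "F3", "severity": 3, "fixable": True,
     "detail": "password lifetime unlimited for the application account"},
    {"db": "softball_roster", "id": "F4", "severity": 5, "fixable": True,
     "detail": "audit trail disabled"},
]


def prioritize(findings, business_value):
    """Step Four: weight each finding by the business value of the database it
    sits on (assumed weighting: score = value * severity) and sort, highest first."""
    scored = [dict(f, score=business_value[f["db"]] * f["severity"]) for f in findings]
    return sorted(scored, key=lambda f: (-f["score"], f["id"]))


# Step Six: one compensating monitoring rule per finding we cannot fix.
APPROVED_UTL_FILE_USERS = {"app_svc"}   # assumption: the only account that legitimately needs it
DBA_ACCOUNTS = {"dba_joe"}              # assumption: the back office administrator


def rule_f1(event):
    """Use of the grant you can't revoke by anyone other than the approved account."""
    return event["object"].endswith("UTL_FILE") and event["user"] not in APPROVED_UTL_FILE_USERS


def rule_f2(event):
    """The back office DBA touching front office data."""
    return event["user"] in DBA_ACCOUNTS and event["object"].startswith("FRONT_OFFICE.")


COMPENSATING_CONTROLS = {"F1": rule_f1, "F2": rule_f2}

# Assumed audit line layout: ts db=<name> user=<account> action=<verb> object=<schema.object>
LOG_RE = re.compile(
    r"(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) action=(?P<action>\S+) object=(?P<object>\S+)"
)


def parse(line):
    """Parse one audit line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def monitor(findings, log_lines):
    """Run the rules for unfixable findings over audit log lines; return alerts as
    (finding id, timestamp, user, object)."""
    alerts = []
    for line in log_lines:
        event = parse(line)
        if event is None:
            continue
        for f in findings:
            rule = COMPENSATING_CONTROLS.get(f["id"])
            if not f["fixable"] and rule and event["db"] == f["db"] and rule(event):
                alerts.append((f["id"], event["ts"], event["user"], event["object"]))
    return alerts


# Constructed audit log lines.
AUDIT_LOG = [
    "2010-01-12T09:14:02 db=payroll user=dba_joe action=SELECT object=FRONT_OFFICE.PAYMENTS",
    "2010-01-12T09:20:11 db=payroll user=app_svc action=EXECUTE object=SYS.UTL_FILE",
    "2010-01-12T09:21:45 db=payroll user=bob action=EXECUTE object=SYS.UTL_FILE",
    "2010-01-12T09:30:00 db=payroll user=app_svc action=SELECT object=FRONT_OFFICE.PAYMENTS",
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS, BUSINESS_VALUE):
        fix = "fix" if f["fixable"] else "monitor"
        print(f"{f['score']:>3} {f['id']} {f['db']:<16} {fix:<7} {f['detail']}")
    for alert in monitor(FINDINGS, AUDIT_LOG):
        print("ALERT", *alert)
```

Note how the weighting changes the order: the softball roster's disabled audit trail is the most severe finding on its own, but it lands last because the database is worth little, while the payroll DBA access problem, which cannot be fixed at all, comes first and is handled by a rule rather than a patch. The two alerts raised are the DBA reading a front office table and an unapproved account using UTL_FILE; the approved application account's use of the same package stays silent.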
Resources
• Common Vulnerabilities and Exposures database online: http://cve.mitre.org/
• Secure Code Against SQL Injection: http://msdn.microsoft.com/en-us/library/ms998271.aspx
• Application Security: http://www.appsecinc.com
• DbProtect (tools the experts use): http://www.appsecinc.com/products/dbprotect/index.shtml
• InterviewTomorrow (Helping Americans get back to work), free job posting website: http://interviewtomorrow.com

Figure 5. Report ApplicationInventory
The Tool of Choice
An excellent tool to secure these complex database environments is DbProtect. It's perfect for asset management, policy management, vulnerability management, audit and threat management, and analytics/reporting.

DbProtect will go out and do database discovery; database assessment (so it scans for vulnerabilities, misconfigurations, and user rights); help you develop a remediation plan, writing fix scripts; and, since it has a database monitoring capability, it will tell you who has access to what data and when, who is making what changes, and who is trying to exploit a known vulnerability in one of your databases. I like DbProtect for three key reasons:

• Management console
• Distributed Scanning & Monitoring of databases (agentless)
• Reporting

DbProtect is the recipient of: The 2009 BATKA PRODUCT AWARD FOR DATABASE SECURITY.

For the auditor and IT advisor market they have AppDetectivePro (6.2 as of this writing) that is laptop based. It receives regular updates and has been doing so since 2003. Impressive! I also like the sheer number of checks (in excess of 2000 to date).

Conclusion
More often than not, when you mention Database Security to someone they will point you in the direction of a 120 page whitepaper that's really nothing more than a pseudo exercise in the use of complex technical/business vocabulary. Can I get a man page over here please? You end up being the guy in the office who has to search for paper because you used everything in the printer, or they tell you to download some cool tool that has a great interface.

The Database Security industry is evolving (thanks to you, the Linux/Database Security Engineer/Administrator) to the point where forward thinking is required, no longer asked for from product managers. Places like Application Security are successfully delivering on this request every day. They are integrating the lifecycle approach (discover, classify, assess, prioritize, fix and monitor) into the tools and helping solve very complex database security problems from a truly holistic perspective. Take time out to evaluate DbProtect and I know you will be impressed. Go forward and secure those databases. I'll see you next time. Now where did I put that ream of paper?

Thanks to
Josh Shaul and Thom VanHorn for the interview and excellent background information; Eric T.S. Gonzales, John B. Ottman, Arron C. Newman, Peter Schwartz, John Colton, Rob Chapdelaine, Dave McNamara, Mariya Lynch, and all the other great folks at Application Security.

About the Author
Richard C. Batka has held various management and engineering positions with Microsoft, Symantec, PricewaterhouseCoopers, Thomson Reuters, and JPMorgan Chase. He has spent the last 17 years devoted to the complex issues of enterprise application development, security, infrastructure, data management and regulatory compliance. A graduate of New York University, he holds numerous industry certifications. Currently, Mr. Batka is the CEO of a privately funded consulting service firm in New York that provides strategy and engineering services internationally to a select group of clients. Mr. Batka holds no financial interest in Application Security. Mr. Batka can be reached at rbusa1@gmail.com.

Figure 6. Report NIST