Article

Database security undermined by protocol loopholes, lax defenses

Robert Westervelt, News Editor

ARLINGTON, Va. -- A security expert is warning database administrators about a continued loophole in database communication protocols that would allow an attacker to bypass access controls and gain access to critical files.

In his presentation to attendees at the recent Black Hat DC training conference, Amichai Shulman, chief technology officer and founder of Foster City, Calif.-based database-monitoring vendor Imperva Inc., explained that the client-server protocols, which are used to exchange data and commands between client software and database servers over TCP/IP, are ripe for attack.

The method can be used to victimize nearly all brands of database servers, including IBM's DB2, Oracle Corp., and Microsoft's SQL Server. The loopholes allow an attacker to manipulate structured information and work below the radar of the database built-in mechanisms, Shulman said.

"Using very simple changes to network messages you can deliver SQL queries to the database server bypassing any access control in the database server," Shulman said.

The protocol vulnerabilities that Shulman noted currently pose only an internal network threat, but he added that researchers are investigating ways to exploit the flaws remotely through SQL injection.

"This is a new threat because we're only starting to look at these protocols. For years, they were not scrutinized by researchers," Shulman said.

The threat can be mitigated reactively by ensuring database management

Requires Free Membership to View

systems have up-to-date patches, or by installing a database security gateway, he said. While Shulman represents a vendor that sells database security gateways, analysts agree that the threat is serious enough to warrant additional security.

In his presentation, Shulman illustrated the flaw using Oracle's database server, showing that an attacker can bypass access controls with a simple text editor on a client machine. He said Oracle has released a patch.

"People are finally becoming aware that you cannot rely on built-in database mechanisms," he said. "You need a defense line in front of your database server."

Database security gateway market heats up

Noel Yuhanna, a senior industry analyst at Cambridge, Mass.-based Forrester Research Inc. said enterprises are taking the threat very seriously. The market for database security gateways has been steadily growing with a number of small startups selling the products, he said.

In addition to Imperva, Waltham, Mass.-based Guardium Inc. sells gateways and currently has more than 250 customers, Yuhanna said. Maynard, Mass.-based Tizor Systems is also another startup. There are signs that larger security and network vendors may follow, Yuhanna said. Cisco Systems Inc. has a stake in Guardium and security giant Symantec Corp. got into the business last year.

"All private data in an organization is stored in a database and even if that organization has the best firewall, it's not good enough," Yuhanna said. "You need to do intelligent monitoring to prevent attackers from breaking in."

Yuhanna estimates that about 75% of database intrusions are internal, making flaws in database monitoring a logical priority. He said automated tools that monitor database server queries are a good fit for DBAs because they enable them to monitor employee database usage while preventing the task from becoming burdensome.

"DBAs are spending less than 7% of their time on security," Yuhanna said. "They don't have the time; they're doing upgrades, migrations and tuning, so security is a lower priority and that's why there's a need for automated solutions."