Considering that database systems hold extremely valuable and sensitive information, one would assume that most organizations would fiercely protect these “crown jewels” with great care. Unfortunately, that is not the case.
Throngs of databases in organizations worldwide are unsafe, at high risk of being breached by malicious hackers, rogue employees and crooked partners. This sorry state of database security puts financial data, customer information, health records, intellectual property treasures and more in grave danger.
Below we’ll discuss the two main causes for database security breakdowns — unpatched vulnerabilities and configuration errors — along with helpful tips for reducing the risk of database breaches.
In November, two critical vulnerabilities affecting MySQL and some of its forks were disclosed which could lead to arbitrary code execution, root privilege escalation and server compromise.
This is the type of rattling vulnerability disclosure that database administrators have unfortunately become accustomed to. Between 2012 and 2016, industry exposure to database vulnerabilities increased by more than 100%, according to internal stats from Qualys, which performs more than 3 billion scans every year.
In 2016, MySQL ranked first with 32% of total database vulnerabilities, followed by databases from Microsoft (26%) and from Oracle (14%).
MySQL, an open source database owned by Oracle, also has the highest rate of vulnerability growth, marked by a 30 percent jump in vulnerabilities in 2016 alone, as the graph below illustrates.
Given this hair-raising scenario, it’s key for organizations to close or mitigate in a timely manner critical vulnerabilities impacting their databases.
Here are a few tips organizations can use for closing database vulnerability gaps before hackers exploit them:
- Make sure you have a complete inventory of these database systems and a continuously updated snapshot of their vulnerabilities.
- Use vendor severity and CVSS scores as their base metric for prioritization of remediation.
- Factor in whether a vulnerability can be exploited remotely and without the attacker needing neither special privileges nor access.
- Give weight to vulnerabilities for which proof-of-concept exploit code exists.
- Assign highest priority to vulnerabilities that are being actively exploited in the wild.
The other big enemies of database security are misconfigurations. Whether due to carelessness or ignorance, configuration errors can expose databases to attacks by, for example:
- awarding elevated access privileges to users who don’t need them, thus multiplying the chances that a hacker will compromise an account with broad and deep power over the database
- displaying “verbose” error messages that disclose critical system information which hackers can use to craft an attack
- disabling essential security protections
For example, starting in December, hackers went on a MongoDB ransomware rampage, hijacking in a matter of weeks more than 27,000 databases that hadn’t been properly secured.
Below we offer some tips to prevent configuration errors, with some MySQL-specific guidance.
- Use dedicated and least privileged accounts
- Disable interactive login
- Only grant full access to database administrators, and make sure sensitive permissions are removed for non-DBA users.
- MySQL permissions to review: create_user_priv, file_priv, grant_priv and shutdown_priv, for all
- Enable and configure auditing and logging.
- MySQL settings to review: log_error, log_warnings, log-raw
- Make sure client-server traffic is always encrypted with secured TLS configuration.
- MySQL settings to review: have_ssl, ssl_type,
- Securely configure authentication mechanisms, like password hashing to prevent brute-force credential compromises, and preventing clients with outdated auth mechanisms from connecting.
- MySQL settings to review: old_passwords, secure_auth, sql_mode, ‘validate_password_xxx’
- Make sure passwords are set for all accounts.
- Only allow users to connect from the designated host.
- Don’t allow the existence of anonymous accounts.
Organizations should also review technical standards and database security benchmarks available from various organizations, such as the Center for Internet Security.
(This article was originally published on SC Magazine and was reprinted with their permission.)
Get a free trial of Qualys’ Security and Compliance Suite.