
Information Security Excellence

Database Security Assessment


Abstract
Databases are at the heart of almost every company's computer system and are also the site of many serious security breaches. Databases are where companies store their most confidential information, from corporate financial data and employee records to Social Security numbers, credit card numbers, and medical information. Databases also often serve as the back-end for applications. While most businesses place a high value on network security and other security measures, database security often is neglected. As a result, databases are particularly vulnerable to fraudulent activity, which can damage companies' reputations and destroy customer confidence. Many companies know they need stronger protections, but they may lack the budget to employ full-time database security personnel. A Database Security Assessment from FishNet Security, one of the largest security consulting firms in the nation, offers a cost-effective alternative, providing strategic and technical assessments to vastly improve any organization's database security posture. Using a three-phase system of detailed information collection, comprehensive vulnerability assessment, and a full vulnerability analysis, FishNet Security offers direct feedback, practical recommendations, and database security solutions, all of which empower organizations to protect their most confidential information.

The Problem
Databases are a key component of information storage for almost every modern business, from the medical industry to the financial industry to national security, and because they also form part of the underlying structure of many applications, they are a popular target for malicious attacks. A long list of highly publicized data breaches over the past several years highlights the growing threat to database security in general and illustrates the rise of this type of attack. Even the nation's largest and most powerful companies are vulnerable. Well-known examples include the CardSystems security breach, where hackers stole 263,000 customer credit card numbers and exposed 40 million more, and the TJ Maxx incident in 2005, where 45.7 million credit card numbers reportedly were revealed. Attackers can exploit vulnerabilities in unprotected databases to create malicious files and libraries, to obtain database administrator-level privileges, to obtain sensitive data, and to cause disruptions in service. Most companies rely heavily on databases, but few have the specialized security knowledge necessary to assess their security level effectively and prevent threats from materializing. Traditional security solutions, such as perimeter defenses and intrusion-detection systems (IDS), are insufficient, as they reveal attacks only after they have occurred, by which point data may already be lost. Intrusion-prevention systems (IPS) often fail because attacks against the database can be cleverly obfuscated. Database encryption, another common approach that protects data at rest, still may not be effective against privileged users or against attackers who hijack application servers to reach back-end databases (as in SQL injection attacks). Without specific database protection, a security program lacks the layer of defense that would further shield confidential data. Budgetary restraints may prevent organizations from hiring a full-time database security specialist. Many companies instead turn to network administrators, who may have a limited understanding of the database platform, to secure the entire solution. Hackers and security vulnerabilities will always threaten IT systems, so it's essential that database administrators have the right information and a solid strategy to properly secure their databases and protect their most important data.

Understanding the Solution's Design and How It Solves the Problem


FishNet Security offers comprehensive database security services that discover and convey the "true" risk to clients' environments by providing strategic and technical assessments that evaluate policies, processes, and controls and that test for vulnerabilities. Because FishNet Security actively recruits many of the nation's most highly regarded security consultants and database experts (including many former application developers), our team possesses a deeper understanding of security issues than many other companies and offers clients a high level of expertise at a fraction of the cost of hiring in-house security personnel. Our Database Security Assessment consists of a three-phase process for evaluating the strength of database management systems. FishNet Security personnel first gather information to identify weaknesses; next, they use the results to test for known issues and to discover any vulnerabilities present; and finally, they provide a vulnerability analysis, which consists of the detailed findings and recommendations needed to secure a company's database.

ID# 09SS0059

Corporate Headquarters 1710 Walnut St. Kansas City, MO 64108 888.732.9406

2009 FishNet Security. All rights reserved.

www.fishnetsecurity.com

Application Security Assessment - White Paper

Phase 1: Information Gathering


In the Information Gathering phase, FishNet Security obtains information about all scoped servers, including internal domain name system (DNS), Windows Internet Name Service (WINS), and remote procedure call (RPC) information. The company also performs general footprinting of the scoped hosts' network services and executes various network queries to identify and interrogate all available services.

Phase 2: Vulnerability Discovery


During the Vulnerability Discovery phase, various checks are performed to identify weaknesses within the hosts and database instances (as well as in the host application, if applicable). Results are then analyzed and correlated to uncover application infrastructure vulnerabilities. The company conducts comprehensive testing, including both automated scanning and manual analysis. This detailed, two-stage approach gives FishNet Security an important edge in discovering vulnerabilities, because the logic errors and typical usage issues identified through manual checks are often missed by automated scanning. During the first stage, the company runs automated vulnerability scans against all devices and services, using network vulnerability scanners, commercial database scanners, and freeware database scanners. The results are then correlated and aggregated, and manual testing begins to evaluate the database, operating system, and application (if applicable) for configuration strength and consistency. For these tests, FishNet Security uses operating system security configuration checklists, database security configuration checklists, an account management review, a review of user and role configurations within databases, a review of application access privileges and access levels to components, and a manual review of access methods and security controls, including encryption usage and privileged uses.

Phase 3: Vulnerability Analysis

Finally, FishNet Security analyzes the data collected, aggregating and correlating all of it to create a deliverable with pertinent information about the discovered vulnerabilities. Within this report, direct feedback and recommendations are provided based on testing data, professional experience, analysis, and input from client technical staff. FishNet Security's reports explain findings from a causality perspective, focusing on the underlying causal flaws that create database weaknesses and add unnecessary risk. Each finding's technical impact and the steps required for remediation are explained.
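To make the Phase 2 manual account-management review and the Phase 3 correlation and cause-based reporting concrete, here is a small added example (not FishNet Security's own tooling). It runs a checklist over a constructed account export, merges the result with constructed automated-scanner hits to show what each source caught, and groups findings by underlying cause; the field names, account names, and thresholds are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample export of database accounts (field names are an assumption,
# not any real DBMS catalog view); all values are made up for this example.
ACCOUNTS = [
    {"name": "SYS", "roles": ["DBA"], "default_pw": False, "idle_days": 3, "locked": False},
    {"name": "SCOTT", "roles": ["CONNECT", "RESOURCE"], "default_pw": True, "idle_days": 400, "locked": False},
    {"name": "app_web", "roles": ["DBA"], "default_pw": False, "idle_days": 0, "locked": False},
    {"name": "reporting", "roles": ["SELECT_CATALOG_ROLE"], "default_pw": False, "idle_days": 200, "locked": True},
]
# Constructed output of an automated scanner, keyed by account; also made up.
SCAN_HITS = [
    {"account": "SCOTT", "check": "default password"},
    {"account": "SYS", "check": "password never expires"},
]

ADMIN_ROLES = {"DBA", "SYSDBA"}          # roles treated as administrative (assumption)
SERVICE_PREFIXES = ("app_", "svc_")      # naming convention for application accounts (assumption)
DORMANT_DAYS = 90                        # review threshold for unused accounts (assumption)

@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    cause: str  # the underlying flaw the finding is grouped under in the report

def review_accounts(accounts):
    """Manual-checklist pass: default credentials, over-privileged service accounts, dormant accounts."""
    findings = []
    for a in accounts:
        if a["locked"]:
            continue  # a locked account is not usable, so it is not a live exposure
        if a["default_pw"]:
            findings.append(Finding(a["name"], "default password still in place", "account management"))
        if a["name"].lower().startswith(SERVICE_PREFIXES) and ADMIN_ROLES & set(a["roles"]):
            findings.append(Finding(a["name"], "application account holds an administrative role", "least privilege"))
        if a["idle_days"] > DORMANT_DAYS:
            findings.append(Finding(a["name"], f"no login for {a['idle_days']} days", "account management"))
    return findings

def correlate(findings, scan_hits):
    """Aggregate manual and automated results per account and show which source caught what."""
    manual = {f.account for f in findings}
    automated = {h["account"] for h in scan_hits}
    return {"both": manual & automated, "manual_only": manual - automated, "scan_only": automated - manual}

def group_by_cause(findings):
    """Report view: findings grouped by causal flaw rather than listed one by one."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.cause, []).append(f"{f.account}: {f.issue}")
    return grouped
```

On the sample data the over-privileged application account is found only by the manual pass, which is the gap the two-stage approach is meant to close.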

Conclusion
By providing a comprehensive, three-phase assessment conducted by leading experts in database security, FishNet Security offers its clients a cost-effective approach to protecting the confidentiality of their data. A Database Security Assessment from FishNet Security helps companies meet regulatory compliance requirements; helps prevent unauthorized activities by potential hackers, privileged insiders, and end-users of enterprise applications such as Oracle or EDS; and helps avoid exposure of critical information that can cause costly legal issues, identity theft, fraud, disruptions in sales and service, loss of business opportunities, and damage to a company's reputation.

About FishNet Security


We Focus on the Threat so You can Focus on the Opportunity. Committed to security excellence, FishNet Security is the #1 provider of information security solutions that combine technology, services, support, and training. FishNet Security solutions have enabled 3,000 clients to better manage risk, meet compliance requirements, and reduce cost while maximizing security effectiveness and operational efficiency. For more information on FishNet Security, Inc., visit www.fishnetsecurity.com.