Databases often hold an organisation's most critical business data. Hardening and securing critical databases should be performed as part of a structured development programme. Database security reviews are key tools for identifying misconfigurations and security weaknesses in database systems. Our database penetration testing service interrogates all aspects of database security and offers practical ways to harden, defend and secure it.
Underlying Server Security
If the underlying operating system that the database runs on is not secure, an attacker will usually be able to access all the data. Typical weaknesses include unnecessary network services listening, a lack of firewalling, weak user accounts and privilege escalation vulnerabilities.
Many vulnerabilities have been identified in the authentication mechanisms used by common database deployments. Ideally the database is locked down to allow only authorised users from specific workstations, but unfortunately this is rarely the case. Buffer overflows, format string bugs and authentication bypass vulnerabilities could allow an attacker to gain full access to the server and database.
Data and Communications Encryption
Who is listening on the network? This is impossible to know for sure and it is therefore imperative to encrypt all network traffic including login credentials and database session data going over the wire. Further, to protect data from unauthorised users or attackers with access to hard disk volumes,
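As an added illustration of the two points above (restricting access to specific workstations and requiring encryption on the wire), the following script audits a PostgreSQL pg_hba.conf for rules that undermine either. It is example code written for this page, not ReactionIS's tooling or part of PostgreSQL; it assumes the standard pg_hba.conf record layout (TYPE, DATABASE, USER, optional ADDRESS, METHOD, options), and the sample configuration embedded in it is constructed.

```python
"""Audit a PostgreSQL pg_hba.conf for rules that weaken network security.

Added example (not ReactionIS's tooling). It assumes the standard pg_hba.conf
record layout: TYPE  DATABASE  USER  [ADDRESS]  METHOD [OPTIONS], with ADDRESS
given in CIDR form or as separate address and netmask fields.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a mixture of weak and hardened rules.
SAMPLE_HBA = """\
# TYPE      DATABASE  USER       ADDRESS           METHOD
local       all       postgres                     peer
host        all       all        0.0.0.0/0         trust
host        app       app        10.0.0.0/8        md5
hostnossl   app       reporting  192.168.1.50/32   password
hostssl     app       app        192.168.1.10/32   scram-sha-256
"""


@dataclass
class Finding:
    line_no: int
    severity: str
    message: str


def _parse_network(address: str):
    """CIDR or 'addr/mask' text -> ip_network; None for hostnames and keywords."""
    try:
        return ipaddress.ip_network(address, strict=False)
    except ValueError:
        return None


def audit_pg_hba(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]

        if conn_type == "local":
            if len(fields) < 4:
                continue  # malformed record; the server would reject it anyway
            address, method = None, fields[3]
        else:
            if len(fields) < 5:
                continue
            address, method = fields[3], fields[4]
            # "192.168.1.0 255.255.255.0" form: the netmask sits in its own field
            if len(fields) > 5 and _parse_network(fields[4]) is not None:
                address, method = f"{fields[3]}/{fields[4]}", fields[5]

        # Authentication method checks
        if method == "trust":
            findings.append(Finding(line_no, "CRITICAL", "trust: no authentication at all"))
        elif method == "password":
            findings.append(Finding(line_no, "HIGH", "password: credential sent in cleartext; use scram-sha-256"))
        elif method == "md5":
            findings.append(Finding(line_no, "MEDIUM", "md5: weaker challenge-response; prefer scram-sha-256"))

        if address is None:
            continue  # Unix-socket rule: no network exposure to assess
        net = _parse_network(address)
        is_loopback = net is not None and net.network_address.is_loopback

        # Source restriction: the rule should name specific workstations or subnets
        if address == "all" or (net is not None and net.prefixlen == 0):
            findings.append(Finding(line_no, "HIGH", "accepts connections from any address; restrict to known hosts"))

        # Transport encryption: only hostssl guarantees TLS for remote clients
        if conn_type in ("host", "hostnossl") and not is_loopback:
            verb = "forbids" if conn_type == "hostnossl" else "does not require"
            findings.append(Finding(line_no, "HIGH", f"{conn_type}: {verb} TLS for a remote client; use hostssl"))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'CRITICAL': 1, 'HIGH': 5, 'MEDIUM': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_HBA):
        print(f"line {f.line_no}: {f.severity}: {f.message}")
    print(summarise(audit_pg_hba(SAMPLE_HBA)))
```

Only the final `hostssl ... scram-sha-256` rule in the sample passes cleanly; the `trust` rule open to `0.0.0.0/0` is the worst case, since it removes both authentication and any restriction on where clients may connect from. Note that pg_hba.conf only controls whether TLS is demanded; the server must also have `ssl = on` and a certificate configured for `hostssl` rules to be usable.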
User Permissions and Privilege Escalation
Databases with weak user accounts can give an attacker full access to the database. In some situations it may be possible to gain access as a low-privileged user and elevate privileges to take full control of the database.
Logging and Auditing
Logging and auditing are key to identifying what actions have been performed on the database and by whom. In the event of a security breach, without sufficient logging and audit data it may be impossible to determine where the attack came from and how to recover from it.
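To show what adequate logging makes possible, here is an added example (not ReactionIS's code) that reads PostgreSQL server log lines and flags password-guessing against an account, including the case where a run of failures is followed by a successful login from the same client. It assumes `log_connections = on` and a `log_line_prefix` of `'%m [%p] %h '` (timestamp, backend pid, client host) so that every relevant line carries the client address; the sample log lines are constructed.

```python
"""Flag password-guessing against PostgreSQL from its server log.

Added example (not ReactionIS's code). It assumes log_line_prefix = '%m [%p] %h '
(timestamp with milliseconds, backend pid, client host) and log_connections = on,
so both authentication failures and authorised connections carry the client address.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.9 fails five times inside a minute and then gets in;
# 192.168.1.10 is a single mistyped password followed by a normal login.
SAMPLE_LOG = """\
2024-03-01 09:00:01.000 UTC [4101] 10.0.0.9 FATAL:  password authentication failed for user "app"
2024-03-01 09:00:02.000 UTC [4102] 10.0.0.9 FATAL:  password authentication failed for user "app"
2024-03-01 09:00:03.000 UTC [4103] 10.0.0.9 FATAL:  password authentication failed for user "postgres"
2024-03-01 09:00:04.000 UTC [4104] 10.0.0.9 FATAL:  password authentication failed for user "app"
2024-03-01 09:00:05.000 UTC [4105] 10.0.0.9 FATAL:  password authentication failed for user "app"
2024-03-01 09:00:09.000 UTC [4106] 10.0.0.9 LOG:  connection authorized: user=app database=app
2024-03-01 09:05:00.000 UTC [4107] 192.168.1.10 FATAL:  password authentication failed for user "app"
2024-03-01 09:05:30.000 UTC [4108] 192.168.1.10 LOG:  connection authorized: user=app database=app
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[\d+\] (?P<host>\S+) '
    r'(?P<level>[A-Z]+):\s+(?P<msg>.*)$'
)
FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
AUTH_RE = re.compile(r'connection authorized: user=(?P<user>\S+)')


def parse_log(text: str):
    """Yield (timestamp, client host, message) for each line carrying the assumed prefix."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            continue  # DETAIL/HINT continuation lines and other prefixes are skipped
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["host"], m["msg"]


def detect_password_guessing(text: str, threshold: int = 5,
                             window: timedelta = timedelta(minutes=1)) -> dict[str, dict]:
    """Return one alert per client host that reaches `threshold` failures within `window`.

    A later successful login from an alerted host is recorded as `succeeded_after`;
    that is the case most in need of follow-up, as the account may be compromised.
    """
    recent: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    alerts: dict[str, dict] = {}
    for ts, host, msg in parse_log(text):
        fail = FAIL_RE.search(msg)
        if fail:
            # Sliding window: keep only failures from this host within `window`
            recent[host] = [(t, u) for t, u in recent[host] if ts - t <= window]
            recent[host].append((ts, fail["user"]))
            if len(recent[host]) >= threshold:
                alert = alerts.setdefault(host, {"failures": 0, "users": set(),
                                                 "first": recent[host][0][0],
                                                 "succeeded_after": False})
                alert["failures"] = max(alert["failures"], len(recent[host]))
                alert["users"].update(u for _, u in recent[host])
                alert["last"] = ts
            continue
        auth = AUTH_RE.search(msg)
        if auth and host in alerts:
            alerts[host]["succeeded_after"] = True
            alerts[host]["login_user"] = auth["user"]
    for alert in alerts.values():
        alert["users"] = sorted(alert["users"])
    return alerts


if __name__ == "__main__":
    for host, alert in detect_password_guessing(SAMPLE_LOG).items():
        print(host, alert)
```

Without the client host in the log prefix, the same events would be visible only as a count of failures with no way to tell one source from another, which is exactly the situation the paragraph above warns about. The single failure from 192.168.1.10 stays below the threshold and produces no alert.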
Patching and Updating
Vulnerabilities in database code are discovered all the time. It is therefore imperative to keep database servers patched and up to date before those vulnerabilities are exploited by attackers.
ReactionIS have experienced consultants on hand for database penetration testing and security review projects covering Oracle, SQL Server, MySQL, Sybase, Informix, DB2, PostgreSQL and more.
Please get in touch for more details.