A recent article in Information Week indicated that not all Oracle DBAs routinely check their logs and other controls to ensure that unauthorized access to their data isn't occurring. Check out the article:
http://www.informationweek.com/news/security/app_security/showArticle.jhtml?articleID=210602800
As a pen tester of many years, I don't find this shocking at all, and it's certainly not limited to Oracle DBAs. I've worked on many dozens of tests involving different database systems and routinely find systems where the default account/password combinations haven't been changed. Or, the passwords are easily guessed or found in dictionary files. Another huge problem is incorrect permissions on database files that give anyone read access to the data. This allows anyone with any account on the system to at least view many databases to which they shouldn't have access.
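The two findings above (default accounts left open, database files readable by every local account) are both things a DBA can check for without a pen tester. The script below is an added example, not code from the original post; it builds two throwaway "datafiles" in a temporary directory to demonstrate the permission check, and runs the account check over a constructed list of rows shaped like the output of a query against DBA_USERS. The DEFAULT_ACCOUNTS list is deliberately short and illustrative; a real check would use the full list of accounts shipped with your database version.

```python
import os
import stat
import tempfile

# Accounts that ship with an Oracle database. On a hardened system they
# should be LOCKED (or EXPIRED & LOCKED, or dropped), never OPEN with the
# password they were installed with. SCOTT/tiger is the classic example.
# This set is illustrative, not a complete list for any particular release.
DEFAULT_ACCOUNTS = {"SCOTT", "OUTLN", "DBSNMP", "MDSYS", "CTXSYS"}


def find_open_default_accounts(dba_users_rows):
    """dba_users_rows: iterable of (username, account_status) tuples, as a
    query over DBA_USERS would return them. Returns the default accounts
    that are still OPEN, sorted by name."""
    return sorted(
        user for user, status in dba_users_rows
        if user.upper() in DEFAULT_ACCOUNTS and status.upper() == "OPEN"
    )


def audit_datafile_perms(paths):
    """Flag files readable by the group or by everyone. Datafiles, redo logs
    and archived logs should be readable only by the database's own OS
    account; any other reader can copy the raw data off the box."""
    findings = []
    for p in paths:
        mode = os.stat(p).st_mode
        perm = oct(stat.S_IMODE(mode))
        if mode & stat.S_IROTH:
            findings.append((p, "world-readable", perm))
        elif mode & stat.S_IRGRP:
            findings.append((p, "group-readable", perm))
    return findings


def demo():
    """Constructed sample: two fake datafiles, one locked down (0600) and
    one left world-readable (0644), plus a constructed DBA_USERS extract."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "system01.dbf")
    bad = os.path.join(tmp, "users01.dbf")
    for p in (good, bad):
        with open(p, "wb") as f:
            f.write(b"\x00" * 16)
    os.chmod(good, 0o600)
    os.chmod(bad, 0o644)
    perm_findings = audit_datafile_perms([good, bad])

    users = [
        ("SYS", "OPEN"),
        ("SCOTT", "OPEN"),       # default account, never locked: finding
        ("OUTLN", "LOCKED"),     # default account, locked: fine
        ("APPUSER", "OPEN"),     # application account, not a default: fine
    ]
    return perm_findings, find_open_default_accounts(users)


if __name__ == "__main__":
    perms, accts = demo()
    for path, kind, perm in perms:
        print("PERM", kind, perm, path)
    for name in accts:
        print("ACCT default account still OPEN:", name)
```

On a real host you would feed audit_datafile_perms the paths from V$DATAFILE, V$LOGFILE and the archive destination rather than a temp directory, and run it as a user other than the database owner so that the result reflects what an ordinary local account can actually read.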
What's the solution to this problem? The solution is the same for DBAs as it is for application developers: security awareness training. DBAs and application programmers need a basic course on security issues, with a focus on the current attack vectors used by the bad guys. Microsoft, love them or hate them, has spent a lot of money re-tooling their entire application development staff. DBAs need to know more than just how to create a database, optimize queries and ensure data availability. They need to know about patching, buffer overflows, SQL injection and the dangers of sloppy account management.
And don't get me started on reading those logs to detect unauthorized access attempts....
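Reading the logs doesn't have to mean eyeballing them. As an added example (not code from the original post), here is a small detector run over a constructed, simplified CSV export of session audit records: timestamp, username, OS user, client host and return code. The column layout is an assumption made for this example, not an actual Oracle audit-trail format; return code 1017 follows ORA-01017 ("invalid username/password; logon denied") and 0 is a successful logon. It flags a burst of failed logons against one account from one host inside a sliding window, and, more importantly, a success from that same host right after the burst, which is what a successful password guess looks like in the log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit export (not real log data). A host hammers the
# SYSTEM account six times and then gets in; APPUSER has one stray failure
# from a different host, which is normal noise.
SAMPLE_AUDIT = """\
2008-09-10 02:13:01,SYSTEM,nobody,10.1.4.77,1017
2008-09-10 02:13:03,SYSTEM,nobody,10.1.4.77,1017
2008-09-10 02:13:04,SYSTEM,nobody,10.1.4.77,1017
2008-09-10 02:13:06,SYSTEM,nobody,10.1.4.77,1017
2008-09-10 02:13:08,SYSTEM,nobody,10.1.4.77,1017
2008-09-10 02:13:10,SYSTEM,nobody,10.1.4.77,1017
2008-09-10 02:13:12,SYSTEM,nobody,10.1.4.77,0
2008-09-10 08:30:00,APPUSER,appsrv,10.1.2.10,0
2008-09-10 08:31:15,APPUSER,jsmith,10.1.9.20,1017
2008-09-10 08:45:00,APPUSER,appsrv,10.1.2.10,0
"""

FAIL_THRESHOLD = 5          # failures from one host against one account...
WINDOW = timedelta(minutes=5)  # ...inside this sliding window raise an alert
LOGON_DENIED = 1017         # ORA-01017
SUCCESS = 0


def parse(text):
    """Parse the assumed CSV layout into (timestamp, user, os_user, host, rc)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, os_user, host, rc = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     user, os_user, host, int(rc)))
    return rows


def detect(rows):
    """Return alerts as tuples. 'brute_force' fires once per (user, host)
    when FAIL_THRESHOLD failures land inside WINDOW; 'success_after_failures'
    fires when a flagged (user, host) then logs on successfully."""
    alerts = []
    recent = defaultdict(list)   # (user, host) -> timestamps of recent failures
    flagged = set()
    for ts, user, os_user, host, rc in sorted(rows):
        key = (user, host)
        # drop failures that have aged out of the sliding window
        recent[key] = [t for t in recent[key] if ts - t <= WINDOW]
        if rc == LOGON_DENIED:
            recent[key].append(ts)
            if len(recent[key]) >= FAIL_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(("brute_force", user, host, len(recent[key])))
        elif rc == SUCCESS and key in flagged:
            alerts.append(("success_after_failures", user, host, os_user))
            flagged.discard(key)
            recent[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_AUDIT)):
        print(*alert)
```

The thresholds are deliberately low so the sample trips them; tune FAIL_THRESHOLD and WINDOW to your own baseline of mistyped passwords. Keying on (account, host) rather than on account alone is what separates a brute-force attempt from an application pool that occasionally fails over with a stale password.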
3 years ago