According to Verizon's 2012 data breach investigation report and technical analysis of information-security incidents, two trends in data leakage stand out: (1) Hackers steal data from databases through browser/server (B/S) applications, using the Web server as a springboard; traditional solutions have no control over application access or database access protocols. SQL injection is a typical example of this kind of database attack. (2) Data leakage often originates internally, and a large number of operations and maintenance personnel have direct access to sensitive data; traditional network security solutions, built to prevent external leakage, have no purchase here.

Databases have become the leading actor in these leaks, yet traditional security construction overlooks database security. In the traditional information-security protection system the database sits at the core as the object being protected: it is not easily reached by external attackers, and the database itself ships with strong security measures, so on the surface it looks safe enough. That traditional defensive thinking, however, has a fatal flaw.

Common database attack methods

Here are six database attacks:

1. Brute-force (or otherwise) cracking of weak passwords or default user names and passwords
2. Privilege escalation
3. Exploiting vulnerabilities in unused and unwanted database services and functions
4. Targeting unpatched database vulnerabilities
5. SQL injection
6. Stealing (unencrypted) backup tapes

Each is analyzed in turn below.

Cracking weak passwords or default user names/passwords

Previously, Oracle databases shipped with a default user name, Scott, and a default password, tiger, and the default password of the Microsoft SQL Server system administrator account is also well known. But even unique, non-default database passwords are not necessarily secure. "You can always find weak passwords and easy-to-guess passwords at customers," Sentrigo's Markovich said. "They are easy to find by brute-force cracking or just by trying different combinations." Password-cracking tools abound and are easily found through a Google search or through sites such as sectools.org, which links to popular tools like Cain & Abel or John the Ripper.

Privilege escalation

There are several ways an insider attack can let a malicious user claim more system privileges than he or she should have, and external attackers sometimes gain higher privilege levels by compromising the operating system. "It's a common threat factor," said Ted Julian, vice president of sales at Application Security. Privilege escalation usually has more to do with misconfiguration: a user is wrongly granted more access to, and privileges on, a database and its associated applications than he or she really needs to do the job. Sentrigo's Markovich was recently able to break into a customer's database using a user account with only a few privileges. "They asked me to break into their database," Markovich said. "I found a user password with few privileges and entered the system. I then checked his privileges. He had read-only access to the database, so a user with limited privileges could access and read any table in the database, including credit card information and personal information. So I said, 'I don't need to break into the database.'"

Exploiting vulnerabilities in unused and unwanted database services and functions

Besides looking for weak database passwords, an external attacker will of course check whether a potential victim is running the Listener on an Oracle database. The Listener waits for network connections to an Oracle database and forwards them, which exposes the connection path into the database. With a few Google hacking queries, an attacker can search for and find exposed listeners on database servers. "Many customers don't have passwords on their listeners, so hackers can search for strings and find listeners active on the Web," Markovich said. "I just did some searching and found some interesting things, like government sites. It's really a big problem." Other features, such as hooks between the operating system and the database, can also expose the database to attackers. A hook can be a communication link to the database. Yuhanna says, "When you link libraries and write programs ... that becomes the interface to the database," and "you're exposing the database and potentially allowing hackers to get inside without authentication or authorization."

Targeting unpatched database vulnerabilities

The good news is that Oracle and other database vendors are indeed working to patch their vulnerabilities. The bad news is that organizations can't keep up with these patches, so they remain at the mercy of wily attackers waiting for just such an opportunity. Database vendors are careful not to disclose the details of the vulnerabilities their patches fix, but organizations still struggle with the amount of manpower and time it takes to test and apply a database patch. Patching, for example, requires testing every application affected by the patch, which is a daunting task. And some hacker sites publish scripts that exploit known database vulnerabilities, he said. Organizations should patch even if they have great difficulty keeping up with the patch cycle. Oracle's April 15 patch, for example, contained 17 issues within the database, he said. These and other fixes should not be taken lightly; each of these problems can break your database.

SQL injection

SQL injection attacks are nothing new, but they are still rampant on websites today. More recently, such attacks have hit thousands of high-profile websites.

While the affected web page and the users who visit it are what these attacks usually draw attention to, injection is also a clever way for hackers to gain access to the database behind the page. Database security experts say it is much easier to execute an SQL injection attack against a Web application that fronts a database than to attack the database itself; SQL injection attacks aimed directly at databases are rare.

SQL injection occurs when fields that accept user input are used to build queries that go straight to the database as SQL statements. The attacker submits a fragment of database query code and, from the results the program returns, obtains some of the data he wants.

Behind the client, Web applications are the most vulnerable link. In some cases, if an attacker reaches an application screen that asks for a user name and password, and the application does not validate what is entered, all he needs to do is supply an SQL statement or database command to go directly to the database.
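As an added example (not code from the article or from any vendor's product), the two login checks below show in Python the defect just described and its fix. The first builds the statement by string concatenation, so the password field is parsed as SQL; the second binds the same inputs as parameters. The table, its rows and the tautology input are constructed for the demonstration, and the standard `sqlite3` module stands in for the production database.

```python
import sqlite3

# Constructed sample table: three users with fake card numbers.
SAMPLE_USERS = [
    ("alice", "s3cret-A", "4111-0000-0000-1111"),
    ("bob", "s3cret-B", "4111-0000-0000-2222"),
    ("carol", "s3cret-C", "4111-0000-0000-3333"),
]


def make_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation (the defective pattern).

    Whatever the user typed is spliced into the statement text, so a quote
    in the input ends the literal and the rest is executed as SQL.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the input can only ever be a value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both checks against a legitimate login and the classic tautology input."""
    conn = make_db()
    tautology = "' OR '1'='1"   # constructed input: turns the WHERE clause always-true
    return {
        # concatenated form: the clause becomes  ... AND password = '' OR '1'='1'
        # and every row in the table comes back
        "vulnerable": login_vulnerable(conn, "alice", tautology),
        # bound form: the same text is compared as a password and matches nothing
        "parameterized": login_parameterized(conn, "alice", tautology),
        # a real credential pair still works with the bound form
        "legit": login_parameterized(conn, "alice", "s3cret-A"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14} -> {rows}")
```

The point to take from the output is that the hardened version is not "the same query with escaping added": the database receives the statement and the values separately, so there is no string to break out of. Escaping user input by hand is brittle by comparison, and an audit trail that records the full statement text (as the auditing products below do) will show the concatenated form verbatim when it fires.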

Steal (unencrypted) backup tapes

If a backup tape is lost in transit or in storage and the database data on it is not encrypted, then should it fall into the wrong hands, attackers can get at the data without ever touching the network. Such attacks are more likely, however, to involve an insider who sells the media to the attacker. As long as the stolen, unencrypted tape is not from some older version of Informix or DB2 on HP-UX, all the attacker needs to do is mount the tape and they have the database.

Database Audit

What is database auditing

The database audit service is a professional, proactive, real-time database security auditing product.

The database audit service combines database monitoring and auditing technology with the public cloud environment. It supports auditing of RDS cloud databases and self-built databases on ECS within the Alibaba Cloud platform, records database risk behaviors such as SQL injection and risky operations and raises alarms for them, forming a protective layer around core data. It also provides comprehensive security diagnosis, maintenance and management functions for your cloud databases.

In short, the service records and generates alarms for risky database operations such as SQL injection, supports both RDS cloud databases and ECS self-built databases, and provides security diagnosis, maintenance and management capabilities for databases on the cloud.

RDS database audit

To audit an RDS cloud database, the database audit Agent is deployed on the application server that accesses the database; the Agent captures the access log data, which is then used for the log audit.

Auditing an ECS self-built database

This section describes how to install the database audit Agent on the ECS instance and collect database operation logs in order to audit self-built databases on ECS. All popular databases are supported, to ensure the compatibility and effectiveness of the data audit.

Database audit functions

1. User behavior discovery audit

  • Associates application-layer and database-layer access operations
  • Traces activity back to the identity and behavior of the user

2. Multidimensional clue analysis

  • Risk and hazard clues: high, medium and low risk levels, SQL injection, blacklisted statements, SQL behavior that violates authorization policies
  • Session clues: analyzed by time, user, IP address, application and client
  • Detailed statement clues: multiple search criteria such as user, IP address, client tool, access time, operated object, SQL operation type, success or failure, access duration and number of affected rows

3. Real-time alarms for abnormal operations, SQL injection, and blacklisted and whitelisted statements

  • Abnormal operation risk: defines the risky access behaviors to be monitored in terms of IP address, user, database client tool, time, sensitive objects, returned rows, system objects and high-risk operations
  • SQL injection: the system provides a built-in SQL injection library and a description of SQL injection based on regular expressions or syntax abstraction
  • Blacklist and whitelist: provides an accurate, abstract way to describe specific SQL access statements in the system, enabling rapid alarms when these statements occur
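The alarm rules listed above (abnormal operations by IP, time, returned rows, sensitive objects and high-risk statements; regular-expression descriptions of SQL injection; blacklisted and whitelisted statements) are generic enough to sketch in code. The Python below is an added example, not the product's implementation or its rule format: it runs a small rule engine over constructed audit records of the kind an agent might forward. The record layout, the policy values, the IP addresses and the statements are all assumptions made for the demonstration, and the regular expressions are a deliberately coarse approximation of the "syntax abstraction" the feature list mentions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed audit records: timestamp|db user|client IP|client tool|statement|rows returned
SAMPLE_LOG = """\
2024-03-01 10:02:11|app_user|10.0.1.15|jdbc|SELECT id, name FROM orders WHERE id = 42|1
2024-03-01 10:03:40|app_user|10.0.1.15|jdbc|SELECT * FROM users WHERE name = '' OR '1'='1'|5000
2024-03-01 02:15:03|dba_ops|203.0.113.9|sqlplus|SELECT card_number FROM cards|120000
2024-03-01 11:20:00|dba_ops|10.0.1.20|sqlplus|DROP TABLE audit_tmp|0
2024-03-01 11:21:00|report|10.0.1.30|toad|SELECT count(*) FROM orders|1
"""

# Policy values are assumptions for this example, not a vendor's defaults.
POLICY = {
    "allowed_ips": {"10.0.1.15", "10.0.1.20", "10.0.1.30"},
    "business_hours": (time(8, 0), time(20, 0)),
    "sensitive_objects": {"cards", "users"},
    "max_rows": 10_000,                            # "batch data access" threshold
    "whitelist": {"SELECT count(*) FROM orders"},  # exact known-good statements
    "blacklist": [                                 # statements that always alarm
        re.compile(r"^\s*(DROP|TRUNCATE|ALTER)\b", re.I),
        re.compile(r"\bGRANT\b", re.I),
    ],
}

# Coarse regular-expression description of injection.
INJECTION_PATTERNS = [
    re.compile(r"\bOR\b\s+['\"]?(\w+)['\"]?\s*=\s*['\"]?\1['\"]?", re.I),  # OR 1=1 / OR 'a'='a'
    re.compile(r"\bUNION\b.*\bSELECT\b", re.I),                             # UNION-based extraction
    re.compile(r"(--|/\*)"),                                                 # comment cutting a statement short
]


@dataclass(frozen=True)
class Record:
    ts: datetime
    user: str
    ip: str
    tool: str
    sql: str
    rows: int


@dataclass(frozen=True)
class Alert:
    level: str   # "high", "medium" or "low"
    rule: str
    record: Record


def parse_line(line):
    """Split one pipe-delimited record; the SQL text itself may contain pipes."""
    parts = line.split("|")
    ts, user, ip, tool = parts[:4]
    sql = "|".join(parts[4:-1])
    return Record(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip, tool, sql, int(parts[-1]))


def touched_objects(sql):
    """Table names that follow FROM/JOIN/INTO/UPDATE/TABLE, lower-cased."""
    found = re.findall(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_][\w.]*)", sql, re.I)
    return {name.lower() for name in found}


def analyze(record, policy=POLICY):
    """Apply the alarm rules to one record and return the alerts it raises."""
    if record.sql in policy["whitelist"]:
        return []                                   # known-good: logged, never alarmed
    alerts = []
    if any(p.search(record.sql) for p in policy["blacklist"]):
        alerts.append(Alert("high", "blacklist statement", record))
    if any(p.search(record.sql) for p in INJECTION_PATTERNS):
        alerts.append(Alert("high", "sql injection pattern", record))
    if record.ip not in policy["allowed_ips"]:
        alerts.append(Alert("medium", "unknown client ip", record))
    start, end = policy["business_hours"]
    if not start <= record.ts.time() < end:
        alerts.append(Alert("medium", "off-hours access", record))
    if record.rows > policy["max_rows"]:
        alerts.append(Alert("high", "batch data access", record))
    if touched_objects(record.sql) & policy["sensitive_objects"]:
        alerts.append(Alert("low", "sensitive object access", record))
    return alerts


def analyze_log(text, policy=POLICY):
    """Run every non-empty line of the log through the rules."""
    return [a for line in text.splitlines() if line.strip() for a in analyze(parse_line(line), policy)]


def summarize(alerts):
    """Count alerts per risk level, in the high/medium/low order the reports use."""
    return {lvl: sum(1 for a in alerts if a.level == lvl) for lvl in ("high", "medium", "low")}


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a.level:6}] {a.rule:24} {a.record.ts} {a.record.user}@{a.record.ip}: {a.record.sql}")
    print(summarize(found))
```

Two design points carry over to a real deployment. The whitelist is checked first and short-circuits the other rules, so a known reporting query never generates noise even though it touches a monitored table; and the rules are independent, so one record (the off-hours, off-network export of the whole `cards` table above) can accumulate several alerts at different levels rather than being forced into a single category. Regular-expression matching alone will miss injection that avoids the listed shapes, which is why the feature list pairs it with a statement library and syntax abstraction.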

4. Refined reports on abnormal behaviors

  • Session behavior: login failure report and session analysis report
  • SQL behavior: new SQL report, SQL statement execution history report, failed SQL report
  • Risk behavior: alarm report, notification report, SQL injection report and batch data access report
  • Policy report: Sarbanes-Oxley report