Security sleuths, sniff out the stupid from your Oracle DBs
DBAs and hackers, you can learn to get along
Databases remain a security nightmare, says Datacom TSS hacker David Litchfield, so he's built an application to give admins a hand.
The Datacom TSS hacker says the Database Security Scorecard will help inform system administrators of security shortfalls in databases and help bridge the language gap between management and tech.
Litchfield (@dlitchfield) revealed the scorecard at the AusCERT2015 conference on the Gold Coast, and will publish the free platform to his website later this week.
"Database security does not receive the support it deserves," Litchfield says.
"It is a no-man's land where security think it's the DBA's responsibility and DBAs think it's security's responsibility.
"The way the scorecard works the more components are installed the more points you are going to accrue."
The Database Security Scorecard
One problem, he said, is that scan reports can be hundreds of pages long, and if you've got twenty databases, you'll have to plough through much of the same stuff for all of them.
The scorecard simplifies that down to scores for seven major security domains, grouping similar security problems into blocks that can be fixed with a single remedy.
The scanner will check for internal firewalls, weak credentials, and unused connected database components which Litchfield says will expose databases.
The scorecard will allow administrators to determine if systems have been hardened according to industry standards; if there is evidence of backdoors; whether the principle of least privilege is being applied to key datasets, and if access is properly audited.
He says the tool uses simple SQL select statements and will not alter metadata, and recommends punters create a separate non-privileged account on which to run the scorecard since doing so with an admin account opens a avenue of attack should a hacker be in a position to modifies the queries.
Litchfield will implement some additional tweaks before uploading the tool later this week.
The tool follows a January disclosure of dangerous vulnerabilities in Oracle's E-Business Suite that fully exposed database servers. ®