Database Vulnerabilities and NoSQL

Information Security professionals state that perimeter security alone is not sufficient; just having network firewalls is not enough to secure your environment.  Both devices and people can circumvent perimeter security.  Devices:  how would you discover if a wireless router was placed on your network?  People:  do you ever use consultants, temps or contract workers?

There are many ways DB’s are vulnerable, with new ones occurring with new features and new releases.  How current is your DB on security patches? Did any of your DB installs create demo or sample databases?  While those don’t have sensitive data, they do represent security exposures.

At a recent chapter meeting of a web application security group, OWASP, some vendors were present.  Chatting with one, Application Security (http://appsecinc.com ), I was glad to learn about a tool that deals with database vulnerabilities, DbProtect.  I’m sure it has competitors with similar functions, but to me, not an InfoSec specialist, it was very impressive, covering most of the common distributed DB’s.

While the mainstream relational DB’s have tools to help address vulnerabilities, the newer NoSQL data solutions do not, yet are subject to many of the same types of vulnerabilities.  Use of MongoDB, CouchDB, Riak, Redis, Hadoop, MapReduce, etc. continues to rapidly grow.  And these are being used in more business-critical applications, or with sensitive data.

Even if used for non-critical applications and non-sensitive data, they still can present a risk, for some may have accounts with privileged access to the critical DB’s, the relational ones; or they may provide elevated access to the operating system.

If you’re using a NoSQL DB, check with your vendor for security assurance tools, or at least some recommendations for those.  Make inquiries of existing DB security vendors;  even if they don’t currently have a suitable tool, they might respond to market demands and create one.

Even if insufficient when compared to commercial products, in the absence of a suitable tool, consider creating a tool, script or checklist to seek common vulnerabilities. Change passwords to any DB default accounts, and use strong passwords (not ones that might appear in a dictionary.) Check for vendor patches frequently.  Keep posted about security exploits against that specific DB.  Something like a Google Alert using a string based upon the DB name (e.g. Sybase) and “security exploit” could bea s good starting point.  Keep learning about DB security.

Advertisements

One Response to Database Vulnerabilities and NoSQL

  1. itguy113 says:

    Thimios Panagos has told me of a paper outlining some of the vulnerabilities for NoSQL
    https://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: