Good Enough is not Enough When It Comes to Database Security

The threats facing databases today are numerous and constantly evolving as the perimeter continues to fall away in favor of multi-cloud environments. This change means organizations must adopt an in-depth, data-centric security approach that includes a program designed from the ground up to protect databases.

Many products currently available market themselves as capable of handling database security but, in fact, were originally designed for another security purpose, such as server operating system or network vulnerabilities, and then had database security tacked on afterward.

What is needed for today's threat environment is a solution created to protect databases.

To help visualize the threat surface, let's look at some high-level threats currently in the wild and some issues uncovered by the elite Trustwave SpiderLabs team.

The Threat Facing Databases

Why an in-depth approach is necessary is apparent: the dangers facing databases have never been greater. Just take a look at Gh0stCringe.

Gh0stCringe, also known as CirenegRAT, is a remote access trojan (RAT) that threat actors use to attack poorly secured databases, focusing on Microsoft SQL Server and MySQL instances, particularly those with weak access credentials or that the organization may no longer track. Gh0stCringe is based on the older Gh0st RAT malware, whose leaked source code enabled a new wave of adversaries to create new threats.

Once Gh0stCringe is installed on a system, it connects to its command-and-control server. It is designed for long-term surveillance of the compromised host and can perform numerous malicious tasks, such as keylogging (allowing it to steal login credentials), exfiltrating data, and downloading additional payloads.

One of the most common errors organizations make is believing that a solution that regularly scans their databases is, in fact, delivering a high level of security.

However, scanning only scratches the surface. What is required is a deep, clinical assessment, not only of database vulnerabilities but of the other database security aspects and initiatives the organization has in place.

So, what other areas must a true database security solution investigate? 

Going Beyond the Scan

As Gh0stCringe shows, strong credentials are key to securing a database: it succeeds precisely against servers whose passwords are weak and that nobody is tracking.

It is an unfortunate reality, but the human element is the weak link in database security. That means any solution must ensure that an organization has a strong password policy in place and verify that the organization is actually following it.

The solution must make certain that workers are not using easily guessed passwords like "Password123", and the technology should be able to create a "password dictionary" specific to that organization. A password dictionary is a list of words and phrases that employees are likely to choose but that are so obvious a threat actor could easily guess them and gain unauthorized access.

For example, if a company is located in Texas, any password containing that word is automatically disallowed.
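As an added illustration (this is not DbProtect code), here is a small Python policy check of the kind the passage describes. It expands a set of organization-specific base terms (the company name, state and city used below are constructed for the example) into a deny-list, normalizes candidates so that substitutions such as "T3xa$" still match "texas", and reports every violation rather than only the first. The minimum length, the generic terms and the substitution map are assumed values, not DbProtect settings.

```python
import re
from typing import Iterable

# Policy constants (assumed values for this example, not DbProtect settings).
MIN_LENGTH = 14
GENERIC_TERMS = ["password", "welcome", "admin", "qwerty", "letmein"]

# Substitutions users (and cracking rules) routinely apply. Normalizing the
# candidate with this map means "T3xa$" still matches the base term "texas".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def normalize(text: str) -> str:
    """Lower-case and undo common character substitutions before matching."""
    return text.lower().translate(LEET_MAP)


def build_dictionary(org_terms: Iterable[str]) -> set[str]:
    """Expand organization-specific base terms into a normalized deny-list.

    Terms shorter than four characters are dropped because they would match
    almost any password and generate false positives.
    """
    dictionary = set()
    for term in list(org_terms) + GENERIC_TERMS:
        norm = normalize(term)
        if len(norm) >= 4:
            dictionary.add(norm)
    return dictionary


def check_password(candidate: str, dictionary: set[str]) -> list[str]:
    """Return policy violations for a candidate password (empty list = accepted)."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(candidate)
    for term in sorted(dictionary):
        if term in norm:
            violations.append(f"contains dictionary term '{term}'")
    # A trailing run of digits (optionally followed by punctuation) is the
    # classic "Summer2024!" pattern and adds little real entropy.
    if re.search(r"\d{2,}[^A-Za-z0-9]*$", candidate):
        violations.append("ends with a digit sequence")
    return violations


if __name__ == "__main__":
    # Constructed organization terms: company name, state, and HQ city.
    org_dict = build_dictionary(["Trustwave", "Texas", "Houston"])
    for pw in ["Password123", "T3xa$Ranger2024!", "correct-horse-battery-staple"]:
        print(pw, "->", check_password(pw, org_dict) or "OK")
```

The same normalization should be applied to both sides (terms and candidates), otherwise a dictionary entry typed as "Texas" never matches a candidate typed as "t3xas". Running the check at password-change time is only half the job; the audit side of the solution has to re-run it against existing accounts, which for SQL Server means comparing against the stored hashes rather than reading plaintext.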

A security product should include the ability to manage user access rights to support the organization's zero trust initiatives. Additionally, a world class solution should also provide database activity monitoring with anomaly detection to identify and act on suspicious or malicious activity.
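To make the activity-monitoring requirement concrete, and to tie it back to the weak-credential attacks Gh0stCringe relies on, here is an added example (not Trustwave's product code) of detection logic run over SQL Server ERRORLOG login messages. The log excerpt is constructed, and the thresholds and five-minute window are assumptions. It flags a burst of failed logins from one client address and, separately, a successful login that follows a run of failures from the same address, which is the signature of a password-guessing attack that worked. Note that successful logins only reach the ERRORLOG when the instance's login auditing is set to record both failed and successful logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the login audit messages SQL Server writes to its ERRORLOG.
# Successful logins only appear there when the instance's login auditing is
# set to record both failed and successful logins.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

WINDOW = timedelta(minutes=5)   # sliding window per client address (assumed)
FAIL_THRESHOLD = 5              # failures inside the window -> brute-force alert (assumed)
SUCCESS_AFTER = 3               # failures preceding a success -> guessing succeeded (assumed)


def parse_line(line: str):
    """Return a dict for a login audit line, or None for any other ERRORLOG line."""
    m = LOGON_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "result": m["result"],
        "user": m["user"],
        "client": m["client"],
    }


def detect(lines):
    """Run both detections over ERRORLOG lines (chronological order) and return alerts."""
    alerts = []
    failures = defaultdict(deque)   # client -> timestamps of recent failed logins
    alerted = set()                 # clients already reported for a burst
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["client"]]
        while recent and ev["ts"] - recent[0] > WINDOW:
            recent.popleft()        # expire failures that fell out of the window
        if ev["result"] == "failed":
            recent.append(ev["ts"])
            if len(recent) >= FAIL_THRESHOLD and ev["client"] not in alerted:
                alerts.append(f"brute-force: {len(recent)} failed logins from "
                              f"{ev['client']} within {WINDOW}")
                alerted.add(ev["client"])
        elif len(recent) >= SUCCESS_AFTER:
            alerts.append(f"success-after-failures: '{ev['user']}' logged in from "
                          f"{ev['client']} after {len(recent)} recent failures")
            recent.clear()
    return alerts


# Constructed ERRORLOG excerpt: a password-guessing run against 'sa' that
# eventually succeeds, plus one unrelated failure from an internal host.
SAMPLE_ERRORLOG = """\
2024-03-05 02:14:07.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-05 02:14:07.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-05 02:14:09.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-05 02:14:11.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-05 02:14:13.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-05 02:14:15.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-05 02:14:20.01 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2024-03-05 02:30:11.77 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.5.21]
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_ERRORLOG.splitlines()):
        print(alert)
```

The window is keyed on the client address rather than the login name because a guessing tool rotates usernames as readily as passwords; the second detection is the one worth paging on, since it tells you the attacker now holds a working credential. The same structure applies to MySQL's "Access denied for user" messages, only the regular expression changes.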

Sensitive data discovery is another necessary feature. A well-designed database security program that includes it can not only find sensitive data but also discover who has access to it and lock down the environment when needed.

The final feature set to look for is the ability to validate that all of an organization's systems are in sync, that all databases are configured in the same manner, and that any legacy systems buried and forgotten deep in the network are found and then tracked.

Trustwave's Database Security Offering

Trustwave DbProtect proactively assesses threats to databases to help you gain visibility into the vulnerabilities in your on-premises or cloud databases that could lead to a data breach. 

Trustwave maintains 78 different policies, which are custom checklists built with specific target audiences in mind. Security teams use these policies to support a variety of compliance regulations, including the Australian Government ISM and the Australian Signals Directorate's ACSC guidance, HIPAA, GDPR, FISMA, and the DoD DISA Security Technical Implementation Guides.

DbProtect automates securing critical data by uncovering vulnerabilities that attackers can exploit, limiting user access to the most sensitive data, and alerting on suspicious activity, intrusions, and policy violations. As a result, you can spend less time chasing database security alerts and more time on activities that drive value, like remediating risks and reducing your attack surface.

Trustwave has multiple checks in place that help DBAs and security staff ensure their data is well protected.

These include ensuring that databases are up to date on patches, which prevents attackers from exploiting publicly disclosed vulnerabilities. While this is cybersecurity 101, it is often ignored, with security teams offering the excuse, "but my database is in a separate network segment." However, that setup is easily circumvented by an adversary who has already infiltrated the customer's network, or by an insider.

Trustwave makes certain that permissions to access data are granular and follow best practices, to minimize the impact of malicious activity, and that the database and operating system are configured to minimize the client's attack surface and the potential impact of an attack. Finally, we properly configure logging to allow monitoring of database activity and forensic analysis.
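As an added example of what a granular-permissions check looks like in practice (this is not DbProtect's check, and the SHOW GRANTS output below is constructed), the following Python audit parses MySQL grant statements and reports least-privilege findings per account: ALL PRIVILEGES, administrative privileges such as SUPER or FILE, global (*.*) scope, WITH GRANT OPTION, and accounts allowed to connect from any host. The set of privileges treated as administrative is an assumption for the example.

```python
import re

# One line of SHOW GRANTS output. Accepts the quoting used by MySQL 5.7
# ('user'@'host') and MySQL 8 (`user`@`host`).
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<object>\S+) TO "
    r"[`'\"]?(?P<user>[^`'\"@]+)[`'\"]?@[`'\"]?(?P<host>[^`'\" ]+)[`'\"]?(?P<rest>.*)$"
)

# Privileges that amount to server administration and should not sit on
# application or reporting accounts (assumed list for this example).
ADMIN_PRIVS = {"SUPER", "FILE", "PROCESS", "RELOAD", "SHUTDOWN", "CREATE USER"}


def parse_grant(line: str):
    """Parse one GRANT statement; return None for lines that are not grants."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    return {
        "privs": [p.strip().upper() for p in m["privs"].split(",")],
        "object": m["object"],
        "user": m["user"],
        "host": m["host"],
        "rest": m["rest"].strip().upper(),
    }


def audit_grants(lines):
    """Map each account ('user@host') to a list of least-privilege findings."""
    findings = {}
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        account = f"{g['user']}@{g['host']}"
        acct_findings = findings.setdefault(account, [])

        def note(msg):
            if msg not in acct_findings:      # one entry per distinct finding
                acct_findings.append(msg)

        if "ALL PRIVILEGES" in g["privs"]:
            note("ALL PRIVILEGES granted")
        for priv in g["privs"]:
            if priv in ADMIN_PRIVS:
                note(f"administrative privilege {priv}")
        # USAGE ON *.* is MySQL's 'no privileges' placeholder, so it is not a finding.
        if g["object"] == "*.*" and g["privs"] != ["USAGE"]:
            note("privileges scoped globally (*.*) rather than to a schema")
        if "WITH GRANT OPTION" in g["rest"]:
            note("can delegate privileges (WITH GRANT OPTION)")
        if g["host"] == "%":
            note("may connect from any host ('%')")
    return findings


# Constructed SHOW GRANTS output for four accounts.
SAMPLE_GRANTS = """\
GRANT USAGE ON *.* TO 'app'@'10.0.0.%'
GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'10.0.0.%'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION
GRANT SELECT ON `shop`.`customers` TO 'reports'@'localhost'
GRANT FILE, SUPER ON *.* TO 'etl'@'%'
"""

if __name__ == "__main__":
    for account, issues in audit_grants(SAMPLE_GRANTS.splitlines()).items():
        print(account, "->", issues or "OK")
```

The application account passes because its DML is scoped to one schema and its host pattern is a subnet, while the ETL account is the kind of finding that matters most: FILE and SUPER on *.* from any host is a file-read and privilege-escalation path for anyone who obtains that one password.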

DbProtect's key benefits:

  • 7x more database-specific security and compliance checks vs. vulnerability assessment tools. DbProtect delivers database security and not just compliance
  • 100+ hours saved per database audit vs. manual processes reducing stress on your limited personnel
  • 0 required proprietary appliances or license increases as databases grow, simplifying implementation and reducing total cost
  • 12 annual knowledgebase updates vs. quarterly updates from other solutions, so you have the latest and best knowledge from the SpiderLabs database team
  • 150+ member strong Trustwave SpiderLabs database research team focused only on database security and able to provide clear guidance on how to remediate weaknesses
  • 5,000+ purpose-built database checks that guide a customized monitoring approach
  • 200+ database-specific vulnerabilities discovered by Trustwave threat researchers.
