By Randy Reiter CEO of Don’t Be Breached
In May 2020 the software giant SAP made available eighteen security fixes for its Adaptive Server Enterprise (ASE) database system (formerly Sybase ASE). ASE is used by SAP products and 30,000 organizations worldwide. 90% of the top 50 banks and security firms use ASE.
Four of the eighteen security fixes had a CVSS score of 8 or higher. Common Vulnerability Scoring System (CVSS ) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. Vulnerabilities are scored from 0 to 10 with 10 being the most severe.
One of the security fixes was for SQL Injection Attacks. This vulnerability allowed any user of a database regardless of their permission level to gain Administrator access to the entire database. Wow.
SAP software products are comprehensive and complex. SAP customers have added on average up to 2 million lines of custom code to their deployment. This makes applying security patches a lengthy process due to comprehensive application testing requirements prior to deployment of the security fixes.
Other 2020 Database Security Vulnerabilities:
- June 2020. KingMiner botnet operation targets SQL Server databases with brute force attacks. The KingMiner botnet has been active since 2018. Once KingMiner gains access to SQL Server it is capable of gaining root access to the Windows server.
- May 2020. Hacker leaked online the database for 7,600 websites serviced by Daniel’s Hosting. Daniel’s Hosting is the largest free web hosting provider for Dark Web services. The leaked database included 3,000+ email addresses, 7,000+ account passwords and 8,000+ private keys for .onion (dark web) domains.
How to Protect Confidential Database Data from Insider Threats and Hackers?
Confidential database data includes credit card, tax ID, medical, social media, corporate, manufacturing, law enforcement, defense, homeland security, and public utility data. This data is almost always stored in Cassandra, DB2, Informix, MongoDB, MariaDB, MySQL, Oracle, PostgreSQL, SAP Hana, SQL Server, and Sybase databases. Once inside the security perimeter a Hacker or Rogue Insider can use commonly installed database utilities to steal confidential database data.
Non-intrusive network sniffing can capture and analyze the normal database query and SQL activity from a network tap or proxy server with no impact on the database server. This SQL activity is very predictable. Database servers servicing 10,000 end-users typically process daily 2,000 to 10,000 unique queries or SQL commands that run millions of times a day.
Advanced SQL Behavioral Analysis of Database Query and SQL Activity
Advanced SQL Behavioral Analysis of the database SQL activity can learn what the normal database activity is. Then from a network tap or proxy server, the database query and SQL activity can be non-intrusively monitored in real-time and non-normal SQL activity immediately identified. Non-normal SQL activity from Hackers or Rogue Insiders can be detected in a few milli seconds. The Hacker or Rogue Insider database session can be immediately terminated and the Security Team notified so that confidential database data is not stolen.
Advanced SQL Behavioral Analysis of the query activity can go even further and learn the maximum amount of data queried plus the IP addresses all queries were submitted from for each of the 2,000 to 10,000 unique SQL queries sent to a database. This type of data protection can detect never before observed query activity, queries sent from a never observed IP address, and queries sending more data to an IP address than the query has ever sent before. This allows real-time detection of Hackers and Rogue Insiders attempting to steal confidential web site database data. Once detected the security team can be notified within a few milliseconds so that a data breach is prevented.
About the Author
Randy Reiter is the CEO of Don’t Be Breached a SQL Power Tools company. He is the architect of the Database Cyber Security Guard product, a database data breach prevention product for Informix, MariaDB, Microsoft SQL Server, MySQL, Oracle, and Sybase databases. He has a Master’s Degree in Computer Science and has worked extensively over the past 25 years with real-time network sniffing and database security. Randy can be reached online at rreiter@DontBeBreached.com, www.DontBeBreached.com, and www.SqlPower.com/Cyber-Attacks.