Dan Sherman saw it many times before. The information director for security firm Telos Corp. would do a standard vulnerability assessment with a customer and find a SQL Server database no one knew had been installed -- often it was bundled in with Web-based software like Microsoft’s free SharePoint version. This would leave the database and all of the information in it completely unprotected.
“Many times they are installed using SQL Server authentication and no password,” Sherman said. To connect, a hacker would simply hook up to the database using the system administrator username and a blank password.
Thanks to the popularity of SQL Server, the security of Microsoft’s enterprise database is no small concern. But the problem is not a flood of new and improved attacks; it’s simply one of securing SQL Server against what’s already out there.
Patches, for example, have been historically overlooked. “The SQL slammer worm started infecting servers on January 25, 2003,” Sherman said. “This worm did not use the SQL language but a buffer overflow in Microsoft SQL Server product.” A patch was released six months before the worm was unleashed.
Then there’s the perennial threat of SQL injection. The Hacker Academy’s Mike Murray recalled a blitz in March, when more than 380,000 URLs were breached by a mass SQL injection campaign, an attack dubbed “LizaMoon.”
“For a scale that large, it had to be a far-reaching failure of SQL Server installations, probably servers running default configurations,” Murray said. Likewise, back in June of last year the Wall Street Journal and a number of other large websites were attacked by a SQL injection strain.
Not securing SQL Server: A not-so-grand tradition
Some attacks have gotten more advanced, but most of the vulnerabilities SQL Server has are the same ones it has always had, Murray said. The Open Web Application Security Project (OWASP), a nonprofit that helps organizations improve software security, has listed code injection techniques like the ones targeting SQL statements on its list of most dangerous security risks. In fact, injection attacks have climbed ever higher over the years, and this year reached No. 1.
Rob Kraus, manager of security consulting for Solutionary, a managed security service provider, agrees that the most worrisome threat to SQL Server is SQL injection. According to Kraus, when you submit a request on any application accessible through the Web -- for instance, a retail-oriented shopping cart -- or even sign in you are often, in fact, using a SQL statement that resides in a back-end database to populate data.
Depending on how that is done, an attacker can tamper with what is sent to the back end. In some circumstances, this can allow attackers to gain access to the operating system, which can potentially be even more of a problem. From there they can read, modify or destroy data.
Fortunately, many of the vulnerabilities that lead to SQL injection attacks and other security problems are easy to eliminate with a little effort. “A lot of the attacks that succeed against SQL Servers lately come from two basic things: people don't know what they don't know, and negligence of configuration,” Kraus said.
Roots of the issue
It's pretty straightforward to get a basic SQL Server installation set up and running, but once people do that, they often don't change default configurations, Murray said. He pointed to guides published by OWASP, which have a lot of advice on protecting against SQL injections, as a great place to start.
Beyond the basics, Murray said security has to become part of the business strategy. Too often, security is an afterthought. “Given enough time and resources, a skilled attacker will eventually breach a company. There needs to be a plan in place on how to react as well,” he said.
Philip Lieberman, a 30-year software industry veteran, cybersecurity expert and founder and president of Lieberman Software, said administrators need to keep their eyes wide open. "As with many serious and destructive behaviors, realizing you even have a problem is the first step to recovery.”
But most organizations don't even want to examine the issue, he said. That’s unfortunate, since the solution is usually fairly simple -- it’s a matter of implementing available technology to monitor database activity and controlling or limiting access below the application level.
"The blessing and curse of SQL Server has been its simplicity of installation and configuration which has caused an entire generation of database administrators [DBAs] to vanish,” he said. While Oracle databases still require a DBA presence, SQL Server “just bumps along with few apparent worries.” The consequence has been a mass adoption of SQL Server, but some companies have become complacent about tuning and security, assuming that application vendors take care of these issues, he said.
"When it comes to data monitoring, logging and security information and event management, precious few companies implement the proper controls to monitor and manage the integrity and security of their databases,” Lieberman said.
In fact, Lieberman said, many companies with vast amounts of intellectual property and personal identification information have no chief security officer or other C-level executive responsible for enacting and enforcing a business-wide security policy. Without high-level sponsorship, most organizations operate with a model of “we’ll fix it when it gets broken” rather than investing in the more cost-effective alternative of implementing proper controls and monitoring systems.
Eradicating the disease
Analyst Mark Nicolett at Connecticut-based consultancy Gartner Inc. said coming up with a solution means first assessing what kind of data you have and what kind of protection it deserves.
Second, organizations need to religiously install patches and updates whenever they are available. However, the patching process with any database management system (DBMS) is complicated by the impact the update might have. “If it could cause a failure, that has to be entered into the risk equation,” he said.
Of course, even if all the patches are in place, systems can still be compromised in other ways, for example, an attacker could gain access to user credentials. That’s why monitoring has become so important -- it can provide an indication of an attack.
Thinking in terms of defense in depth, Nicolett recommends providing additional protection, such as selective encryption of important data or an intrusion protection system. When talking about vulnerability management you also need to make sure the DBMS is configured properly -- it isn’t just a matter of installing patches, he notes.
SQL Server should be patched and hardened, agreed Sherman; however, the problem with hardening most SQL Server instances is that the developer of the application probably did not take security into account. Therefore, businesses need to make sure the application still works after security measures are put in place. “From the SQL injection side, many developers do not do proper input validation of fields, which then can allow an attacker to execute code and end up having access to dump the database,” Sherman said.
Securing SQL Server today
As a consultant “on the front lines” for London-based SQL Server firm Coeo, Gavin Payne is often enlisted to perform a health check. First he looks at whether a company’s SQL Server environment is running as it should be; then he determines whether it’s properly secured.
Over the past dozen years or so, he said the problem has gone from putting secure user names and passwords in place to fighting off worms and more advanced kinds of attacks. And the kinds of defenses in place have changed, too. He said when it comes to security practices, the “leading-edge” firms are often those with regulatory drivers such as the Health Insurance Portability and Accountability Act or Sarbanes-Oxley.
“We now need to look beyond securing authentication and look at the privileges we give our user accounts. I see too many organizations where applications get set up in a hurry that are wide open to SQL injection attacks. We need to adopt the principle of least privilege to minimize the risk,” he said.
Payne explains that restricting privileges means giving user accounts access to only the capabilities users need to do their jobs. That means if a given account is ever compromised, the risk can be contained. Solutionary’s Kraus agreed, adding that setting up a Web firewall, event tracking and log reviews can be crucial to a security strategy.
Payne said another element of securing SQL Server should be widespread deployment of encryption, which can help protect data from theft or manipulation in the event of a breach.
And, of course, noted Payne, organizations must still make sure backup media has proper physical protection. “Lost media remains one of the major sources of data breaches.”
Alan R. Earls is a Boston-area freelance writer focused on business and technology.