Securing MySQL. Closing vulnerabilities in your open source databases. White Paper

Transcription

1 White Paper Closing vulnerabilities in your open source databases By Slavik Markovich, Chief Technology Officer, McAfee Database Security

2 Table of Contents Introduction 3 Without Multilayered Protection, Every Database Is Vulnerable 4 Inoculating IT security against SQL injections 4 Are your privileged users feeling a little too privileged? 4 To secure your databases, audit and monitor 5 An Off-the-Shelf Solution: The McAfee MySQL Audit Plug-in 5 Step one: Choose a MySQL database to audit 6 Step two: Add monitoring and alerting 7 Step three: Protect against additional vulnerabilities and scale protection to other databases 8 Step four: Apply virtual patching 9 Step five: Connect the dots with centralized security management 9 Conclusion 11 2

3 Every database, from the largest corporate data store to a small-scale MySQL deployment, contains valuable information. Hackers remain as determined as ever in their efforts to cash in on this treasure. Equally concerning is the rising tide of employee-related abuses. Insider risks run the full spectrum of careless administrators to criminal privileged users who abuse their role and skirt security parameters. The most effective way to protect any database and keep an eye on insiders is with effective multilayered database protection. Compliance officers and regulators know this. So does McAfee. That s why McAfee has recently bridged the MySQL security gap with a unique solution that combines an open source auditing plug-in with industry-leading database security modules the McAfee MySQL Audit Plug-In Introduction You know the old cliché: necessity is the mother of invention. Well, it s true. Open source databases are a case in point. The economic challenges of recent years forced IT decision makers to do more with less. Open source software, including the MySQL database and applications that run on it, quickly filled this need. Companies began deploying MySQL in test and development environments without paying for additional database licenses. As MySQL continued to mature, it grew into one of the most widely deployed database platforms, with more than 65,000 downloads per day, a vibrant developer community, and users ranging from small businesses to large enterprises. MySQL databases continue to take on greater roles in business operations and increasingly contain more sensitive and valuable information. And while MySQL has enjoyed remarkable adoption and application development support, this database platform has not kept pace with today s security and compliance requirements. Specifically, it lacks native auditing capabilities, which are standard features of major database brands. Without a complete audit trail, it s difficult, if not impossible, to determine who accessed what data, including when data was accessed or modified. In other words, without database auditing, it s impossible to comply with regulatory mandates. The increasing popularity of MySQL databases has placed database administrators and IT security teams in an unsettling position. After all, open source software and industry-leading security are terms rarely, if ever, mentioned in the same sentence. Until now, that is. The security experts at McAfee have recently made contributions to the open source community that allow MySQL users to capture audit trail data. In addition, customers can augment MySQL with state-of-the-art database security capabilities. That s great news for MySQL customers and a definite setback for would-be database hackers. 3

4 Without Multilayered Protection, Every Database Is Vulnerable There s a reason why data breaches make the headlines week after week. Poorly protected databases are ripe targets for hackers, who just keep hitting them. And these days, the database of choice for many hackers is MySQL. Without proper protection, no one is immune to these exploits not even MySQL.com. In September 2011, MySQL.com, the primary distribution site for MySQL, was hacked and booby-trapped by an alleged Eastern European cybercriminal, who reportedly was selling administrative access to the site for just $3,000 a bargain price for a website that welcomes nearly 400,000 high-value visitors per day. Clearly, the days of protecting data solely by securing the corporate perimeter are long past. Of course, perimeter security remains an essential part of any enterprise security strategy, but state-of-the-art firewalls and other network security technologies do little to protect the database against insider threats. Once inside the corporate perimeter via a back door into your network or with the help of an insider who enters through the front door of your building your precious corporate assets are easily exploited and your company s reputation and future viability are at risk. Cyberthugs with mayhem on their minds can not only steal this valuable data but also wreak havoc and destruction by poisoning the database, infecting every database user. Database vulnerability assessment, monitoring, and alerting must provide essential layers of protection that work in concert with perimeter defenses, endpoint security solutions, and other data protection technologies. These first three capabilities vulnerability assessment, real-time monitoring, and alerting are now considered database security best practices. Unfortunately, MySQL databases lack these critical security capabilities. Inoculating IT security against SQL injections Without proper protection, every type of SQL database, including MySQL, is vulnerable to SQL injection, a type of attack that exploits bad coding practices in applications that access the database. Countless organizations have been attacked by SQL injection, as hackers successfully exploit the trusted relationship between the application tier and the MySQL database. SQL injection allows hackers to circumvent access controls to the database without knowing user names or passwords. Once inside, using various SQL Injection techniques like error codes, hackers can explore the database and determine the type of database, the underlying operating system, the list of database tables everything hackers need to have their way with the database. At this point, a hacker has carte blanche to steal data or write malicious code to corrupt the database, infect database visitors, or use the database as a launching pad into other areas of the organization. Hackers can also use malicious JavaScript to take control of the systems of legitimate database users. Are your privileged users feeling a little too privileged? According to the Computer Emergency Response Team (CERT), up to half of all database breaches are caused by internal users, and about 50 percent of all companies experience at least one malicious insider attack. Insider attacks are typically very effective because insiders often enjoy elevated, superuser privileges that may provide unfettered access to the database. In some cases, privileged users share root administration passwords, making it difficult to identify malicious insiders. Today, either of these situations is considered a database breach waiting to happen. Insiders don t require nefarious motivations to play a role in an attack. Even trustworthy insiders such as database administrators and local IT administrators can be targeted through advanced persistent threats. Once their machines are compromised, it s an easy jump into the database using captured administration credentials. 4

5 To secure your databases, audit and monitor Credible security policy dictates that every administrator must have unique, identifiable credentials, and separation of duties must limit the extent to which one database administrator, system administrator, or developer can access information or modify the database parameters. Once administrative roles are tightly defined, the cornerstone of database security is the ability to capture and audit all activity, including that of privileged users. Regulatory mandates are in a constant state of change and evolution. In fact, there are already more than 400 compliance mandates worldwide. The ability to audit database activity is, or soon will be, a requirement for PCI DSS, GLBA, SOX, COBIT, ISO, HIPAA, FISMA, and other regulations. Depending on which mandates your organization is subject to, it may be necessary to record and audit every transaction performed on the database. Or you may only have to monitor and audit certain tables that hold sensitive data. Your logging tool must be able to capture all activity in the areas of interest and keep that record safe from tampering. While auditing is fundamental for forensic investigation and compliance reporting, it won t help you detect problems as they occur. For that you need real-time activity monitoring and automated alerting. These solutions send the data stream from a logging tool to a rules engine that parses it for suspicious activity. When a suspect event is detected, the monitoring system automatically sends an alert and may trigger defensive actions such as terminating a session or quarantining a user. MySQL lacks native auditing capabilities. The free McAfee MySQL Audit Plug-In fills this void, while offering full integration with critical McAfee database security offerings. An Off-the-Shelf Solution: The McAfee MySQL Audit Plug-in McAfee has stepped up to the MySQL security challenge by contributing a valuable auditing solution to the open source community. The McAfee MySQL Audit Plug-In collects a full audit trail of all activity occurring within your MySQL database and stores it in a file, separate from the database. This plugin supports MySQL versions 5.1 and 5.5 on Linux. When coupled with advanced database protection capabilities, the McAfee MySQL Audit Plug-in allows MySQL users to build enterprise-level database security around their databases for both on-premises databases and databases in the cloud. Figure 1. The McAfee MySQL Audit Plug-In records all database transactions and creates an audit log of all activity. This plug-in is integrated with the complete McAfee Database Security solution for full-featured monitoring, auditing, virtual patching, vulnerability assessment, policy enforcement, and compliance enforcement/reporting. 5

6 The McAfee MySQL Audit Plug-In gives you the ability to conduct a complete audit on all database activity. On top of it, you can add sophisticated database protection afforded by the McAfee Database Security solution. This modular, software-based solution lets you customize and tune database protection, automating the process of database discovery, protection, monitoring, and security management. You receive the flexibility to purchase only the modules you need, and the assurance of integration and interoperability across the entire solution set. McAfee database security modules include: McAfee Database Activity Monitoring provides real-time and granular monitoring, policy enforcement and breach prevention McAfee Vulnerability Manager for Databases automatically discovers all database instances and tables that contain sensitive information and helps you assess vulnerabilities and mitigate risks McAfee Virtual Patching for Databases helps you protect databases from potential breaches until you are ready to install the vendor-released patch updates and provides hardening and behavior-based protection against attacks McAfee epolicy Orchestrator (McAfee epo ) software provides an enterprise security management console for end-to-end visibility into database security, enterprise security, and compliance It is not necessary to deploy every module in the solution suite. However, each additional security module provides additional levels of visibility, value, security automation, and protection. Here s a no-risk approach to evaluating the McAfee Database Security Solution. Step one: Choose a MySQL database to audit Auditing a MySQL database doesn t have to be an arduous process. Start small. The free-of-charge open source McAfee Audit Plug-In for MySQL databases will provide greater insight into database activity by capturing detailed activity logs. Choose a database containing sensitive data that you would like to monitor. The free open source audit plug-in, released on March 26, 2012, can be downloaded here: github.com/mcafee/mysql-audit/downloads. Download the plug-in, and install it on a Linux-based MYSQL database (versions 5.1 and 5.5). Once installed, the plug-in will begin generating an auditable transaction log like the following: { msg-type : activity, date : , thread-id : 38, queryid : 269, user : root, priv_user : root, host : localhost, cmd : update, objects :[{ d b : test, name : test4, obj_type : TABLE }], query : UPDATE test4 SET b4 = b4 + 1 WHERE a4 = NEW.a1 } { msg-type : activity, date : , thread-id : 38, queryid : 270, user : root, priv_user : root, host : localhost, cmd : insert, objects :[{ db : test, name : test2, obj_type : TABLE }], query : INSERT INTO test2 SET a2 = NEW.a1 } { msg-type : activity, date : , thread-id : 38, queryid : 271, user : root, priv_user : root, host : localhost, cmd : delete, objects :[{ db : test, name : test3, obj_type : TABLE }], query : DELETE FROM test3 WHERE a3 = NEW. a1 } { msg-type : activity, date : , thread-id : 38, queryid : 272, user : root, priv_user : root, host : localhost, cmd : update, objects :[{ d b : test, name : test4, obj_type : TABLE }], query : UPDATE test4 SET b4 = b4 + 1 WHERE a4 = NEW.a1 } { msg-type : activity, date : , thread-id : 39, queryid : 0, user : debian-sys-maint, priv_user : debian-sys-maint, host : localhost, cmd : C onnect, query : Connect } 6

7 Step two: Add monitoring and alerting In addition to lacking native auditing functions, MySQL does not include native monitoring or alerting capabilities. Although some proprietary databases offer some of these features, most lack the sophisticated capabilities required for effective database protection and compliance. That s why companies are increasingly strengthening their protection with third-party monitoring and alerting solutions such as McAfee Database Activity Monitoring. McAfee Database Activity Monitoring monitors database transactions as they occur. It places minimal impact on server performance and requires no change in network architecture or database function. By monitoring all activity, local or remote, it protects against attacks, regardless of where they originate. A trial version of McAfee Database Activity Monitoring is available at McAfee.com/dbsecurity. Test driving this award-winning product is a good way to get a real indication of its true value. McAfee Database Activity Monitoring provides visibility into all database activity, including privileged user access and sophisticated attacks from within the database. This software-only solution is fast and easy to deploy (typically in less than an hour), and doesn t require special hardware or appliances. Upon installing McAfee Database Activity Monitoring, you begin to see the integration benefits of these modules working together. McAfee Database Activity Monitoring integrates with the McAfee MySQL Audit Plug-In, analyzes the full audit trail data according to your policies, and sends security events to the McAfee Database Security Server for resolution and forensic purposes. Figure 2. McAfee Database Activity Monitoring, analyzes the full audit trail data according to your local policies, and sends relevant audit data to the McAfee Database Security Server for policy enforcement. In addition to monitoring database activity and alerting security personnel of suspicious activity, McAfee Database Activity Monitoring can be configured to prevent intrusion by automatically terminating sessions that violate your security policies and quarantining malicious users, allowing time for your security team to investigate the intrusion. This enforcement feature helps you maintain separation of duties as required by many regulations. Policy rules can apply to SQL statements, database objects accessed, time of day or day of month, specific user profiles, IP addresses, and the applications used among other parameters. 7

8 Figure 3. A typical McAfee Database Activity Monitoring alert. Step three: Protect against additional vulnerabilities and scale protection to other databases Larger organizations may choose to perform this action as the second step. Whether you re doing a small pilot trial or enterprise-wide database security analysis, it s important to discover all of the databases that require protection and assess your database configuration states and vulnerabilities. Once again, this doesn t need to be an overly complicated process highly effective tools are available to automate this process. 8

9 McAfee Vulnerability Manager for Databases can spare you considerable legwork and guesswork. It automatically discovers databases on your network and conducts more than 4,500 individual vulnerability checks. It also includes out-of-the-box compliance reports for PCI DSS and other regulations. If you run multiple database platforms, you ll be glad to know that McAfee Vulnerability Manager for Databases also assesses vulnerabilities on Oracle, Microsoft SQL Server, Sybase, PostgreSQL, SQL Azure, and IBM DB2 databases. This risk assessment product is developed and maintained by the same team credited with contributions to seven of the last 10 critical patch updates released by Oracle. McAfee Vulnerability Manager for Databases evaluates risks from virtually every threat vector, determines if the latest patches have been applied and tests for common vulnerabilities such as weak passwords and default accounts. It identifies database-specific risks such as SQL injection vulnerabilities, buffer overflow, and malicious or insecure database code. Equally important, its vulnerability scan identifies which databases contain sensitive data, such as payment card information, Social Security numbers, phone numbers, salary information, and more. This comprehensive assessment is likely to find plenty of vulnerabilities that require attention. Not to worry McAfee Vulnerability Manager prioritizes security gaps, highlighting those that require immediate attention, and often offers actionable data and usable ideas, including fix scripts wherever possible, that help you quickly remediate risks. Step four: Apply virtual patching As long as there is software, there will be software vulnerabilities that require patching and cyberthugs racing to exploit them. McAfee Virtual Patching offers an innovative way to protect databases from known vulnerabilities without database downtime until patches can be created, tested, and installed. By understanding your unpatched database vulnerabilities, McAfee Virtual Patching for Databases detects and prevents attempted attacks and intrusions in real time to keep your databases safe, secure, and online. Not only does this solution save time, it supports a proactive patching strategy, allowing you to schedule database patch deployment within your preferred timeframe and resources. In addition, compliance auditors recognize McAfee Virtual Patching as a valid compensating control, which allows you to maintain business continuity without sacrificing regulatory compliance. If your organization runs databases that cannot be taken offline for patching, or if you have a large database population that s creating patch deployment delays, McAfee Virtual Patching is worth a serious look. Like all of the modules discussed thus far, it s available for a complimentary trial. Step five: Connect the dots with centralized security management Many databases especially departmental databases have historically been isolated and managed as their own information silos. Similarly, as companies have implemented multilayered protection, many have deployed a patchwork of security point products, all of which need to be managed. This has resulted in uncoordinated security protection, often fraught with costly administrative redundancies, blind spots, and coverage gaps. Put simply, this level of organizational disarray has created painful challenges for those who must secure systems and prove compliance to internal and external auditors. 9

10 McAfee epolicy Orchestrator (McAfee epo ) software is a proven solution for coordinating enterprise wide security. Widely acknowledged as the industry s most advanced and scalable security management platform, McAfee epo software provides end-to-end security visibility and management that spans database security, enterprise security, compliance postures, and compliance reporting. This award-winning console integrates with other McAfee security and risk management products and those of McAfee Security Innovation Alliance Partners. Within the database security solution set, you can manage all McAfee Vulnerability Manager database functions within the McAfee epo console by simply installing a McAfee epo software extension. This allows you to use the same system trees, policy assignments, server tasks, reporting, and dashboards for vulnerability management. No other enterprise security management console offers this level of integrated visibility and protection. Figure 4. McAfee epo vulnerability management for databases scan summary. 10

11 Conclusion Protecting your company against today s onslaught of security attacks can seem overwhelming at times. But there s no need to feel vulnerable or defeated. At McAfee, we realize your databases store your most critical business assets. They must be available around the clock to power your business. And, just as your databases don t take a day off, neither do we. It s why we say safe never sleeps. Rest assured, our team of database security experts is relentlessly focused on keeping your sensitive information safe and available, while helping your company ensure compliance with internal policies and industry regulations. The McAfee MySQL Audit Plug-In is the first step to establishing enterprise-grade protection for your MySQL databases. This free plug-in integrates with the complete McAfee Database Security Solution to provide: Complete logging, auditing, and visibility of all database activity Real-time protection from all types of threats: external, internal, and even intra-database exploits Vulnerability assessment and remediation priortization of all known threat vectors Policy enforcement capabilities to ensure compliance and streamline compliance reporting Virtual patching capabilities with zero database downtime Centralized security management of both database security and enterprise security Security solution integration to automate security administration For more detailed information on how McAfee Database Security can help you protect your databases and your business, visit or contact your local McAfee representative or reseller near you. About McAfee McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled global threat intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe. 11

12 2821 Mission College Boulevard Santa Clara, CA McAfee, the McAfee logo, epolicy Orchestrator, and McAfee epo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2012 McAfee, Inc wp_mysql_0712_fnl_ETMG