Tianmin Qu
Department of Computer Science, Helsinki University of Technology
“The most sensitive data for commercial web sites will usually reside in databases that exist behind the corporate firewall. Clearly, the database holds the jewels in the Web site’s vault.
For this reason access to the database must be carefully controlled.”
Anup Ghosh – E-Commerce Security; Weak Links, Best Defenses
Abstract
Due to the rapid development of computer and Internet technology, more and more of a company's assets are stored in digital format in databases, especially in E-commerce companies. Databases are also widely used in every person's daily life. This article concentrates on the common threats to an open database system, the strategies to be considered when securing a database, and how to secure a database in the four most important layers.
1. Introduction
It is becoming more evident that the assets of a company are mostly stored in digital data format. The assets may include the company's intellectual property products and classified information about business partners and customers. More likely than not, these data sources are relational databases. This is especially the case for an E-commerce company. Most of those assets are open on-line to administrators and customers.
Commonly used database systems are Oracle, Sybase, and MS SQL Server.
Internetworking technology not only greatly facilitates a corporation's flexible management of its assets, but also gives criminals or hackers a chance to access the corporation's digital assets. Therefore, all companies are spending more and more effort to secure their databases against malicious intrusions. At the same time they have to keep their data available at any time to any authorized user. Security of the relational database should be a principal part of
The basic and most popular database schema in an E-commerce system is that web applications access the database for information retrieval and exchange.
There are many layers involved when a web application accesses a database. Securing those layers will strengthen the security of the database. We will examine each layer in detail and introduce how to secure the database at those layers in later chapters.
2. Why we need database security
All companies use database management systems to house their information assets. E-commerce companies allow applications to share information and resources to be accessed by business partners and customers. In the Internet world and the information economy, databases hold the valuable assets of a company, which are always kept online. The company must make the information available for use at any time to any authorized user, such as customers, employees or business partners. Companies must by no means leave a single chance to intruders. Corporations and governments also use databases to manage personnel information and employee payment, which should be kept private and confidential even from certain unauthorized insiders.
Sensitive financial data, such as trading records and business transactions, must be protected from disclosure to business competitors and even from unauthorized internal access, as must detailed customer information including financial accounts and credit card numbers.
Information is money. Hackers target databases more and more frequently.
In building the security infrastructure of a company, database security should not be overlooked. Failing to protect the database properly leaves a corporation's most valuable assets exposed to malicious persons. Databases are so critical to most enterprises nowadays that the destruction of a database can have a catastrophic impact on the enterprise. An insecure company system can harm both the company itself and its customers. The following report depicts the severity of an insecure database.
According to a 2000 advisory of the American National Infrastructure Protection Center (NIPC), attacks on U.S. e-commerce systems were increasing: "The majority of the intrusions have occurred on Microsoft Windows NT systems, although Unix based operating systems have been victimized as well. The hackers are exploiting at least three known system vulnerabilities to gain unauthorized access and download proprietary information. Although these vulnerabilities are not new, this recent activity warrants additional attention by system administrators. In most cases, the hacker activity had been ongoing for several months before the victim became aware of the intrusion" [8].
Another important reason for database security is that an insecure database will not only compromise the database itself, but also the operating system it runs on and other trusted systems. The intruder can first get access to the poorly secured database, then use powerful built-in database features to access the local operating system. If the database has relationships with other trusted systems, the intruder can attack all those systems as well.
3.1 Denial of service attack
A denial of service (DoS) attack makes a database server much slower or even completely unavailable to legitimate users. Even though a DoS attack does not result in the disclosure or loss of database information, it can cost the victim much time and money.
Common DoS attacks on databases are:
• Ping of death attack
Pings are used to test whether an Internet address is valid by sending an ICMP (Internet Control Message Protocol) request (ping) to the destination host. However, an attacker can send oversized ICMP requests at a very high frequency. The victim's replies to these requests consume much CPU load. The system slows down in providing service to other processes and may finally crash. Ping of death happens not only on Unix systems and other PC operating systems, but also on mainframes and some specialized operating systems [1].
• SYN attack
For an application server to exchange data with a database, a connection-oriented and reliable service is needed. Therefore TCP is used as the transmission protocol. Before data can be transmitted, a connection has to be established by the TCP three-way handshake. First, the attacker sends SYN packets to the target host with a spoofed source IP address, which is unreachable. Then the target host responds with SYN/ACK packets and waits for the final ACK to complete the three-way handshake. However, the ACK never comes [1].
Another kind of SYN attack is that, when a TCP connection is being established on the database side, a buffer is reserved for the three-way handshake. The attacker rapidly sends a large number of connection requests but does not reply to the responses. This causes the buffer to fill up so that legitimate requests cannot get service. Even though the packets in the buffer are dropped after some timeout, the legitimate user cannot get service on time.
3.2 Sniff attack
To accommodate e-commerce and take advantage of distributed systems, databases are designed to be distributed and to work in client-server mode. Attackers can use sniffer software to monitor data streams from the database and acquire confidential information, for instance a customer's credit card number. A legitimate user's IP address, login name and password can be figured out, and this information can be used for later spoofing [6].
3.3 Spoofing attack
Attackers forge a legitimate web application to access the database, then retrieve data from the database and perform malicious transactions.
The most common spoofing attacks are TCP spoofing and DNS (Domain Name System) spoofing. In TCP spoofing, the IP addresses in the packets are forged, while DNS spoofing forges the mapping between an IP address and a DNS name or machine name [2].
3.4 Trojan Horse
A Trojan Horse is a malicious program that embeds itself into the system. Trojan Horses commonly reside in operating systems. A Trojan Horse can modify the database, security labels or user roles without being noticed by the administrator.
An intruder or even a malicious insider can place a Trojan Horse in the database system.
One kind of Trojan Horse modifies the procedure for changing and storing passwords. When the password is changed, the password is stored in a log file or written to an external file.
3.5 Other pitfalls of database security
• Bad account and password settings:
Databases with lax or even poor user settings are often vulnerable. There is no mechanism to control the quality of a password, so bad passwords can be used. Moreover, passwords are not required to be changed frequently. Login time is not restricted, and "well known" user names and passwords are used [7].
• Inadequate audit mechanism:
Database operation can generate a large number of audit files. To save disk space, operators sometimes disable the auditing function. This harms the accountability of the system: even an insider can do something malicious and cannot be traced for responsibility. Audit trails are critical for analyzing the operations on the database. They cannot be ignored in any case.
The following table, from [7], is a reference to some pitfalls of database systems, showing which account-security features each product provides:

Feature                    MS SQL Server   Sybase   Oracle 7   Oracle 8
Account Lockout Facility   No              No       No         Yes
Rename Admin Account       No              No       No         No
Require Strong Passwords   No              No       No         Yes
Stale Accounts             No              No       No         No
Password Expiration        No              Yes      No         Yes
• Default Ports
Many modern database systems have some features that can facilitate intrusion. One common feature is default ports. For example, most relational database systems have default ports which can be accessed directly. Accessing those ports can bypass the security mechanisms of the operating system. Intruders can just use trivial query tools to connect to those ports directly. For instance, Oracle 8 can be accessed via TCP/IP on its default ports 1521 and 1526 [12].
One thing should be kept in mind: no matter how secure the database is, it still has vulnerabilities, which are quite hard to find. If attackers identify a new vulnerability before the administrators notice it, the database is exposed to the attackers.
4. Strategies to secure databases
4.1 Authentication
Access to a relational database is a matter of authentication. A database is accessed from its internal network or visited as an object by remote clients.
Every access attempt, whether successful or not, should be monitored, and corresponding actions taken, such as disabling an account after several successive unsuccessful logins. However, disabling an account also locks out a large number of legitimate uses, so this feature can be abused for a denial of service attack. One solution is to send a notice to the real party. The password of the account should be changed periodically, and using the strong authentication methods above will reduce the chances of attackers [4].
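As an added illustration of the login monitoring described above and of the account and password pitfalls of section 3.5 (example code, not from the paper or any database product; the thresholds, the in-memory account store and the notification list are assumptions of the example):

```python
"""Login monitoring with account lockout, owner notification and password policy.
The thresholds, in-memory account store and notification list are constructed for
this example and stand in for a real database's account management."""
import hashlib
import hmac
import os
import re

MAX_FAILURES = 3         # successive failed logins before the account is disabled
PASSWORD_MAX_AGE = 90    # days after which the password must be changed
MIN_LENGTH = 10


def hash_password(password, salt):
    # salted, iterated hash so the stored value is not the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_quality_errors(password, username):
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        errors.append("needs three character classes")
    if username.lower() in password.lower():
        errors.append("contains the user name")
    return errors


class LoginMonitor:
    def __init__(self):
        self.accounts = {}
        self.notices = []   # messages that would be sent to the real account owner
        self.log = []       # every access attempt, successful or not

    def add_account(self, name, password, password_age_days=0):
        errors = password_quality_errors(password, name)
        if errors:
            raise ValueError(name + ": " + ", ".join(errors))
        salt = os.urandom(16)
        self.accounts[name] = {"salt": salt, "hash": hash_password(password, salt),
                               "age": password_age_days, "failures": 0, "locked": False}

    def login(self, name, password):
        """Returns 'ok', 'password expired', 'denied' or 'locked'."""
        acct = self.accounts.get(name)
        if acct is None:
            self.log.append("FAIL %s: unknown account" % name)
            return "denied"
        if acct["locked"]:
            self.log.append("FAIL %s: account locked" % name)
            return "locked"
        if not hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"]):
            acct["failures"] += 1
            self.log.append("FAIL %s: bad password (%d)" % (name, acct["failures"]))
            if acct["failures"] >= MAX_FAILURES:
                acct["locked"] = True
                # tell the owner, so a lockout caused by someone else is noticed quickly
                self.notices.append("%s: locked after %d failed logins" % (name, acct["failures"]))
                return "locked"
            return "denied"
        acct["failures"] = 0
        self.log.append("OK %s" % name)
        if acct["age"] > PASSWORD_MAX_AGE:
            return "password expired"
        return "ok"
```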
4.2 Auditing and analytical Tools
In addition to strong authentication and authorization controls, another strategy is maintaining the audit trails at the database level. Even though some third-party software applications have built-in auditing functions, they only record events that take place through the application. That information is incomplete for detecting possible intrusions [11].
A database auditing strategy should also include checks to validate the integrity of the business rules within an application. This should also be performed on any application security tables that are maintained within the database, in order to ensure that manipulation of security or business rules is not taking place via the back door [11].
Some databases also have built-in audit utilities; however, they are complex and cannot provide enough information for auditing requirements. Sometimes the native database auditing utilities are disabled.
Another shortcoming is that the audit log files are huge and hard to understand. There is no sufficient tool to filter out the suspicious entries. The problem becomes even worse if multiple database audit trails must be maintained.
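The kind of filtering the paragraph above finds lacking, as an added example that is not part of the paper: a small filter over a constructed audit trail that flags repeated failed logins, changes to application security tables by non-administrators (the back door mentioned above), and access to sensitive tables outside business hours. The log format, table names, user names and hours are assumptions of the example.

```python
"""Filter a database audit trail down to entries worth a person's attention.
The log format, table names, business hours and rules are constructed for this
example; a real product's audit records look different."""
import re
from collections import Counter
from datetime import datetime

SECURITY_TABLES = {"app_users", "app_roles"}   # application security tables kept in the database
SENSITIVE_TABLES = {"customers", "payments"}   # tables holding customer and financial data
ADMIN_USERS = {"dba"}                          # accounts allowed to change security tables
BUSINESS_HOURS = range(8, 18)                  # 08:00 to 17:59
FAILED_LOGIN_THRESHOLD = 3
WRITE_ACTIONS = {"INSERT", "UPDATE", "DELETE", "GRANT", "ALTER"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"object=(?P<object>\S+) status=(?P<status>\S+)$")


def parse_line(line):
    """One audit record as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def suspicious_events(lines):
    """Return (rule, line) pairs for records that trigger one of the rules, in trail order."""
    alerts = []
    failed = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("unparseable", line))
            continue
        user, action, obj = rec["user"], rec["action"], rec["object"]
        # rule 1: repeated failed logins against one account
        if action == "LOGIN" and rec["status"] == "FAIL":
            failed[user] += 1
            if failed[user] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated failed logins", line))
        # rule 2: security table changed by someone other than an administrator
        if obj in SECURITY_TABLES and action in WRITE_ACTIONS and user not in ADMIN_USERS:
            alerts.append(("security table changed by non-admin", line))
        # rule 3: sensitive data touched outside business hours
        if obj in SENSITIVE_TABLES and rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("sensitive table access outside business hours", line))
    return alerts


# constructed audit trail: a web application, an administrator and a reporting user
SAMPLE_TRAIL = """\
2001-09-12T09:01:10 user=webapp action=LOGIN object=- status=OK
2001-09-12T09:01:12 user=webapp action=SELECT object=customers status=OK
2001-09-12T09:05:00 user=dba action=UPDATE object=app_roles status=OK
2001-09-12T11:20:31 user=admin action=LOGIN object=- status=FAIL
2001-09-12T11:20:40 user=admin action=LOGIN object=- status=FAIL
2001-09-12T11:20:52 user=admin action=LOGIN object=- status=FAIL
2001-09-12T14:30:05 user=webapp action=UPDATE object=app_users status=OK
2001-09-12T23:45:00 user=report action=SELECT object=payments status=OK
""".splitlines()

if __name__ == "__main__":
    for rule, line in suspicious_events(SAMPLE_TRAIL):
        print("%-48s %s" % (rule, line))
```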
5. How to secure an E-commerce database
Like other technologies, a database system is not an isolated entity. It depends on many other systems. Therefore, database security is a cooperation of many other related systems as well. The following picture (Figure 1) is a normal schema of an E-commerce company. As depicted in the picture, there are four basic layers to defend a database system: the operating system on which the database system runs; the firewall, a commonly used mechanism to block intrusion from the outside network; the web server and web application, which provide multiple services to the end user by accessing the database; and the network layer, the medium in which the data is transferred.
Figure 1 E-enterprise Architecture
5.1 Operating system layer
Security of operating system is a very important aspect in database administrations.
Figure 2 Layers of IT system (layers from top to bottom: Application, Services, Operating System, OS Kernel, Hardware)
According to the IT system layers described by Gollmann, there are five layers in an IT system. As depicted in Figure 2, each layer is structured on top of the underlying ones [5]. Database systems are at the services and application layers, residing above the operating system layer. If an attack is aimed at the operating system layer, the upper layers are threatened, since if the operating system is compromised, all the upper-layer security mechanisms can easily be changed.
Weaknesses of the operating system platforms must be identified. Those weaknesses may lead to unauthorized database access or manipulation. Database configuration files and scripts, which are server-level resources, should be strictly protected to ensure the integrity of the database environment [9].
It should also be noticed that, in many database environments, membership in an operating system group gives full control over the database. To avoid misuse of such membership, those users' membership and access to the database should be reviewed and justified regularly.
Administrators should configure the operating system settings, or adjust the size of the buffer and the timeout period, to avoid the denial of service attack described previously.
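An added model, not from the paper, of the half-open connection buffer from the SYN attack of section 3.1 and of the buffer-size and timeout tuning recommended here. The buffer size, timeout values and traffic rates are constructed, and the model is deliberately simplified (one entry per pending SYN, no retransmission, no SYN cookies), so it shows the mechanism rather than a real TCP stack.

```python
"""Model of the half-open connection buffer (SYN backlog) and the effect of the
timeout and buffer-size tuning recommended for the operating system. Sizes,
timeouts and traffic rates are constructed; this is a simplified model, not a TCP stack."""


class SynBacklog:
    """Holds half-open connections: SYN received, SYN/ACK sent, final ACK not yet seen."""

    def __init__(self, size, timeout):
        self.size = size            # half-open entries the server keeps at once
        self.timeout = timeout      # seconds before an unanswered SYN/ACK is dropped
        self.pending = {}           # source -> time the SYN arrived
        self.dropped_syns = 0       # SYNs refused because the buffer was full

    def expire(self, now):
        """Drop entries whose SYN/ACK has gone unanswered for at least timeout seconds."""
        for src in [s for s, t in self.pending.items() if now - t >= self.timeout]:
            del self.pending[src]

    def syn(self, src, now):
        """A SYN arrives; True if the server can queue it and answer with SYN/ACK."""
        self.expire(now)
        if src in self.pending:
            return True
        if len(self.pending) >= self.size:
            self.dropped_syns += 1
            return False
        self.pending[src] = now
        return True

    def ack(self, src, now):
        """The final ACK arrives; True if it completes a pending handshake."""
        self.expire(now)
        return self.pending.pop(src, None) is not None


def legit_client_connects(size, timeout, flood_rate, legit_at):
    """Flood the backlog with spoofed SYNs (flood_rate per second from t=0) whose
    sources never answer, then try one legitimate handshake at t=legit_at.
    Returns True if the legitimate client completes the three-way handshake."""
    backlog = SynBacklog(size, timeout)
    n = 0
    while n / flood_rate < legit_at:
        backlog.syn("spoofed-%d" % n, n / flood_rate)
        n += 1
    if not backlog.syn("legit", legit_at):
        return False
    return backlog.ack("legit", legit_at + 0.1)


if __name__ == "__main__":
    # constructed scenario: 128-entry buffer, 100 spoofed SYNs per second, legit client after 5 s
    for timeout in (75, 1.0):
        ok = legit_client_connects(128, timeout, 100, 5.0)
        print("timeout %5.1f s: legitimate client %s" % (timeout, "connects" if ok else "is refused"))
```

With the long timeout the buffer fills after 1.28 s and stays full, so the legitimate SYN is refused; with the short timeout stale entries leave fast enough that the buffer never fills at this flood rate.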
Most operating system vendors provide system patches freely and quickly when a vulnerability has been found in the system. So another thing, which is often ignored by administrators, is to update the operating system with the latest patches to eliminate the most recently discovered holes in the system.
5.2 Network layer
When web applications communicate with a database or other distributed components, data has to be transmitted through the network, including the local LAN and the Internet. There are two main network transmissions: from the user to the web server, and from the web application to the web database server. Both of these communications must be made secure.
Unfortunately, the administrator can ensure the security of the network in the local domain, but the global Internet is out of his control. How can communication over an insecure network be secured? One powerful technology is encryption. Encrypted data is unreadable and extremely hard to guess or decrypt even if it is intercepted by an attacker. The cipher text can only be decrypted with the corresponding key. There are two ways to apply encryption in a database system. One is to use the encryption options provided by database products; the other is to purchase encryption products from trusted vendors. One solution for a secured connection is to use secure protocols above TCP/IP, for instance IPsec and VPN (Virtual Private Network) technology [10]. In particular, a VPN can provide private traffic through the public Internet by using encryption technology.
Another commonly used cryptographic protocol on top of TCP/IP is SSL (Secure Sockets Layer). It was developed by Netscape to provide secure web sessions. It gained the support of many other Internet application developers, including Microsoft, and is embedded in most web browser and web server products. SSL has become the de facto standard. Recently, SSL has evolved into Transport Layer Security (TLS). TLS ensures that no third party may eavesdrop on or tamper with any message [9]. One thing to remember is that SSL is used to authenticate and secure web sessions, not to secure the computer itself.
5.3 Web servers
Web application programs are quite different from common application programs in the domain of security: common programs do not need security features, while web application programs are greatly concerned with security. Flaws in web applications are difficult to detect. The web server is situated between the application server and the firewall, which protects against outside intrusions. It is used as a mediator to access the data we allow to be accessed.
CGI (Common Gateway Interface) is widely used software in web applications at present. It is a simple way to enable a web server to perform diverse functions [3]. CGI can be as simple as a web page counter. It can also be complex, such as reading input from the remote user; the input can be processed as a query to a local database, and after querying the database, the CGI program returns the result to the user. However, it is dangerous because CGI scripts allow software applications to be executed within the web server [3]. Perl is a popular language for CGI scripts because it is easy to construct applications and parse the input from the user. However, Perl also provides some powerful system commands, which can be used by malicious users.
If a web server has a poorly implemented CGI, there is a great threat to the system, because an attacker can destroy the system easily. They can remove files from the web server, access confidential files or even add a Trojan Horse to the system.
Some practices can be used to mitigate the threats of CGI to some extent.
Users must be forbidden to write CGI scripts as input to the web server. The web server should also be configured so that CGI programs can only be executed from a single directory.
Great care should be taken when writing CGI scripts. Remove any CGI applications that are no longer in use, especially sample CGI applications that may come with your web server. Many of the older CGI samples had security holes and are a common target for attack [3].
If the database system interacts with CGI, great care must be taken; the web application server's default settings may be a great flaw in the system.
If a user logs into the database, the system should check which operations are not granted to the user. The best way is to use a web server with an authentication mechanism built into CGI. That means writing a CGI script that requires a login name and password to protect the document. The document can then only be read from the server, and is not accessible directly from the web. All CGI scripts, whether self-developed, downloaded or purchased, should be strictly tested for security holes.
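An added example for the CGI case described above, in which input from a form is processed as a query to a local database (not the paper's code; the page names Perl, this uses Python's sqlite3 module, and the customers table, its rows and the customer_id form field are constructed). It shows the same lookup handled by pasting the form field into the query text, and by validating the field against an allow-list and binding it as a parameter:

```python
"""A CGI-style customer lookup handled two ways. The customers table, its rows and
the customer_id form field are constructed for this example."""
import re
import sqlite3

# allow-list for the form field: customer ids are short digit strings
CUSTOMER_ID_RE = re.compile(r"[0-9]{1,10}")


def make_db():
    """Constructed sample data standing in for the local database behind the web server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "Anna", "4242"), (2, "Bo", "1881"), (3, "Cai", "0007")])
    return conn


def lookup_unsafe(conn, customer_id):
    """Pastes the raw form field into the statement, so its text becomes part of the SQL."""
    sql = "SELECT id, name, card_last4 FROM customers WHERE id = " + customer_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer_id):
    """Rejects anything outside the allow-list, then binds the value as a parameter."""
    if not CUSTOMER_ID_RE.fullmatch(customer_id):
        raise ValueError("customer_id must be 1-10 digits")
    sql = "SELECT id, name, card_last4 FROM customers WHERE id = ?"
    return conn.execute(sql, (int(customer_id),)).fetchall()


def handle_request(conn, form):
    """Mimics the CGI entry point: form is the parsed query string, the result is the page body."""
    try:
        rows = lookup_safe(conn, form.get("customer_id", ""))
    except ValueError as exc:
        return "400 Bad Request: %s" % exc
    if not rows:
        return "404 Not Found"
    _, name, last4 = rows[0]
    return "200 OK: %s (card ending %s)" % (name, last4)


if __name__ == "__main__":
    db = make_db()
    for field in ("2", "2 OR 1=1"):
        print(repr(field), "unsafe ->", lookup_unsafe(db, field))
        print(repr(field), "safe   ->", handle_request(db, {"customer_id": field}))
```

The unsafe handler returns every customer's row for the second field value because the text became part of the WHERE clause; the safe handler refuses it before any query runs.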
5.4 Firewalls
Firewalls are the most important layer for blocking intrusions from outside the system. There are two kinds of firewall mechanisms: packet filters and proxy servers. The data transmitted between the application and the database is split into packets. Those packets carry much information in their headers, such as the source and destination addresses and the protocol being used. Packets with source addresses that are not supposed to reach the database are filtered out [4].
The firewall should also keep log files to trace suspicious attackers. A proxy server is composed of two connections: the connection between the corporation's database and the proxy server, and the connection between the proxy server and the remote party. Proxy servers also provide log and audit files.
However, powerful firewalls are difficult to configure, and their audit trails are also too large and hard to analyze.
5.5 Database server
Database servers are the foundation of virtually every electronic business, financial, and Enterprise Resource Planning (ERP) system, and frequently contain sensitive information from business partners and customers.
A database server functions by using the services provided by the operating system. Some good security practices are:
• Use multiple passwords to access a server. For example, use one password to access the system for administration, and a different password for other operations.
• Every transaction of the database server should be audited.
• Use application-specific user names and passwords. Never use a default user name or password.
• Back up the system properly for later recovery in case the system crashes accidentally.
It is useless for an end user to know the name and location of the database; moreover, it is a great threat to expose the physical location and name of every database in the system. We should use service names and aliases to mask them.
The file which manages access to the database service should be maintained in multiple copies. Each copy corresponds to a particular user group. The members of each group can only get the file which contains the resources they can access.
6. Conclusion
A company's or an organization's assets are largely stored in digital format in online relational databases. Database security is a crucial element in the asset management of today's enterprises. To protect the database is to protect access to a company's sensitive information and digital assets. A database is a complex system, very difficult to manage and hard to secure.
Like other secure systems, database security also ensures confidentiality, availability and integrity. Database security can be controlled at different layers. Auditing is critical, but analysis is hard. Future analytical tools will be a great help.
There are many layers protecting an on-line relational database. Those layers should cooperate to strengthen security. Authentication and encryption play a very important role in database security.
References:
[1] CIAC, IBM AIX(r) 'SYN Flood' and 'Ping o' Death' Vulnerabilities, December 10, 1996. <http://www.ciac.org/ciac/bulletins/h-12.shtml>
[2] Felten Edward W., Balfanz Dirk, Dean Drew, Web Spoofing: An Internet Con Game, Feb. 1997. <http://www.cs.princeton.edu/sip/pub/spoofing.pdf>
[3] Gardner Keith, Is your web server secure?, 1999. <http://www.gt.ed.net/keith/cgi/security.html>
[4] Ghosh Anup K., Why Firewalls May Not Protect Your Corporate Assets, 1997. <http://www.cigital.com/~anup/firewall.html>
[5] Gollmann Dieter, Computer Security, 1999, p. 13.
[6] Hillebrand Mary, New security tool aims to sniff out hackers, E-Commerce Times, July 1999. <http://www.ecommercetimes.com/perl/story/864.html#related-864>
[7] Internet Security Systems, Securing Database Servers. <http://documents.iss.net/whitepapers/securingdbs.pdf>
[8] NIPC, E-Commerce Vulnerabilities, 2000. <http://www.nipc.gov/warnings/advisories/2000/00-060.htm>
[9] Pruitt Paul, Cours Steven, Securing the Web Server: Windows NT vs. Unix, 1997. <http://www.cigital.com/~anup/survey.htm>
[10] Stein Lincoln D. & Stewart John N., Version 3.1.1, September 12, 2001. <http://www.w3.org/Security/Faq/>
[11] White B. Gregory, Computer System and Network Security, 1996.
[12] ISSEL, Oracle installation guide.