Research on database leak-scanning technology

Database vulnerability scanning is a professional technology for automatic security assessment of database system, which can fully expose and prove the security loopholes and threats of database system and provide intelligent repairing suggestions, and transform the security construction work of enterprise database into proactive prevention by ex post-mortem. The security self-examination of the database is promoted by the inefficient manual method to the efficient and accurate automatic check way, and presented to the user by the report, the patching method and the security implementation strategy are put forward in time, and the security condition of the database is continuously monitored, thus helping the user to keep the safe and healthy state of the database and realize the "precaution".

1. Where is the core user value of database vulnerability scanning technology?

2. Analyze internal insecure configuration to prevent unauthorized access

Log in to the database server through a read-only account, enable internal-to-external detection, provide vulnerability perspectives and database configuration security assessments of existing data, and initially diagnose unauthorized access inside and outside.

1. Monitor database security status to prevent deterioration of database security

Establish a security baseline for the database, periodically scan the database for timely reporting and analysis of changes in all security conditions.

1. User authorization status Scan, easy to find broad rights account

For the users in large business systems, as well as the user's authorization status, especially the grant status of Administrator rights, is the key to system security, from the perspective of security compliance, user and authorization status always review the points, provide automated collection tools, to obtain independent DBA Authority report.

1. Rich weak password dictionary cubby, instant display of insecure password settings

Based on various mainstream database password generation rules, the password matching scan is implemented to avoid user lock-in and efficiency problems based on database login.

Provides a dictionary-based library, rules-based, multi-modal implementation of weak password detection; 20 million weak password dictionary library, compatible with CSDN password library.

1. Identify external hacker attacks to prevent external attacks

Implementation of non-authorized external-to-internal detection, simulation of hacker use of vulnerability detection technology, in the absence of authorization, the security of the target database to conduct in-depth detection and analysis; collects details about database vulnerabilities that outsiders can exploit.

1. Identify sensitive data and protect core data assets

There are hundreds of tables and thousands of columns in the background database for general applications, and to protect your core data assets, first understand where the core data assets are, scan the tables and columns that store passwords, personal identification information, credit card accounts, etc. through the sensitive Data discovery feature, and also support user-defined Sensitive object search keywords.

1. Flexible policy management According to different safety testing requirements

Provide policy management functions, classification of policies to meet the needs of different security level checks, such as level protection, industry and other security policies.

1. The functional range of database leak-sweep technology

2. DBMS security vulnerability Knowledge Base

The database leak scanning technology must have a knowledge base which can completely cover the database security hidden trouble, including DBMS vulnerability, weak security configuration, Patch, default username/password. The basic vulnerability detection covers buffer overflow vulnerability, power-up vulnerability, denial of service vulnerability, and so on.

1. Database Discovery and Security checks

Database leak scanning to support a variety of database Automation inspection and Network Database discovery technology, in the implementation of database server discovery, but also provide database port discovery.
The database leak-sweep realizes the password generation technology of many DBMS, and provides multiple password blasting libraries for fast weak password detection.

1. Predefined security Policy collections

Database sweep to include a series of predefined scan policy collections to help users complete different scan tasks immediately, such as: Full scan scans all detections in the vulnerability Library, basic scans scan database usage defects, DBMS system defects, and quick scan is a defect in database usage and DBMS Risk levels in system defects are scanned for high-risk and medium-risk detections.

1. Database Security Status Monitoring

Database leakage can not only be used as a database vulnerability checking tool, but also can monitor the operation and maintenance status of database, including related security configuration, connection status, user change status, permission change status, code change status, etc. A real-time security view of the database is presented through periodic monitoring of the operational state and important operations of the database.

1. Database simulation infiltration attack

In the database vulnerability type, is the system injection, buffer overflow and denial of service attacks are the most harmful to the database system, in order to let users more sober awareness of the security risks of the database, database leak scanning technology can simulate the hacker to infiltrate the database, such as password attack, SQL injection and buffer overflow, and to ensure that damage to the target database can be quickly restored.

1. Smart Fix recommendations

For the vulnerability that needs to be repaired manually, it can give the suggestion of intelligent bug fixing, indicate the risk level of the vulnerability, the harm to database system and the source of vulnerability, so that the security hidden danger after the database risk assessment is eliminated.

1. Research on different technical routes

At present, the main methods of database leak scanning technology are "known intrusion detection" and "known vulnerability Scan", which is the technology based on knowledge base. Therefore, one of the important signs of determining a vulnerability scan evaluation technique and product is the number of intrusion types and vulnerabilities that can be detected. To improve the security of the system, Oracle, SQL Server and other mainstream databases have opened the database vulnerability platform, timely release of new vulnerabilities and patches information, and to help users maximize all security information, Common Vulnerability disclosure CVE and China National Information Security Vulnerability Database CNNVD and other platforms and organizations have been set up successively. These vulnerabilities can be directly acquired by the users and security vendors, and become a good foundation for Database vulnerability assessment techniques.

The main technical routes for discovering database vulnerabilities are black boxes, white boxes, and penetration testing in three ways.

The principle of black box detection method is not aware of the database login account, according to the authority of the vulnerability Disclosure platform and database version number, guess what vulnerabilities, traditional network scanning is based on the black box detection method out of the database vulnerability Detection report, the main defects are as follows:

1, unable to scan out the database of low security configuration and all the weak password;

2, if this version of the database does not install the vulnerable components, may lead to false positives;

3, the same database version number scan out the database vulnerability is the same.

The principle of the white box detection method is to use the database user and password login, based on the vulnerability knowledge Base to build the vulnerability description and repair the proposed model, using the detection rule base to form a vulnerability detection method, using the international mainstream Security detection script language NASL script language implementation detection. Leading database leak-sweeping techniques are generally used in this way, and the advantages of this method are as follows:

1, the default knowledge base will cover the most important database security threats in CVE and CNNVD;

2, for the expansion or upgrade of the knowledge base, simply add the description of the vulnerability in the knowledge base and repair suggestions, while supplementing the NASL script Checker, the system can automatically complete the expansion or upgrade of the vulnerability database;

3, can scan out security configuration and weak password problems, the DBMS vulnerability can be detected more accurately.

Penetration testing is to simulate the hacker's use of vulnerability detection technology and attack means, without authorization, the security of the target database for in-depth detection and analysis, and the implementation of attacks (which may lead to downtime or damage to the database), to obtain real evidence of system security threats. Through penetration testing, it is possible to directly see the consequences of an application vulnerability being attacked, such as obtaining system privileges, executing system commands, tampering with data, etc., which are generally used to verify the existence of a data vulnerability.

1. Core technology of database vulnerability scanning

2. Intelligent Port Discovery Technology

The bottleneck of implementing the automatic discovery Technology of database server is the Port Automatic identification technology, for the common database service port, such as 1433 is SQL server,1521 is oracle,3306 is MySQL, this kind of port can be quickly identified according to the Knowledge Base, However, it is more difficult for service recognition to modify the default port.

Gets the port information that the specified database is running through "proactive", that is, polling a range of ports, sending it a connection request that conforms to a specific database protocol, and, in the event of a conforming response, the port that the specified database service listens on.

As an example of Oracle's TNS protocol (server-to-client communication protocol), a connection request is sent to a port that, if it is the listening port of an Oracle server, will inevitably return a reject message and redirect message. As soon as one of the above two messages is received, the port is the listening port for the Oracle service.

1. Matching Technology of Vulnerability library

Based on the database system security vulnerability Knowledge Base, by using rule-based matching technology, we can form a set of standard database System Vulnerability Library According to the research of database attack characteristics, hacker attack case analysis and DBA's actual experience of database system security configuration. Then the corresponding matching rules are formed on this basis, and the scanning program is automatically scanned for vulnerability.
The effectiveness of this technique depends primarily on the integrity of the vulnerability library. For the unknown vulnerabilities that hackers have detected, their defenses are significantly reduced because they are not included in the vulnerability library. In addition, the revision and update performance of the vulnerability library can also affect the accuracy of the inspection results.

1. Development status at home and abroad

Foreign database vulnerability scanning products start earlier, more products, according to commercial purposes, can be divided into open source products and commercial products. Open source products include scuba by Imperva, the main commercial products are FORTIDB, Securesphere DAS, Microsoft Baseline Security Analyzer (MBSA), and so on. Open source products are generally used for academic research, the type and number of supported vulnerabilities, product level is not high, is a lightweight database scanning tool, the following major international and domestic mainstream commercial products for analysis.

1. Fortidb

FORTIDB is a security product designed specifically for data vulnerability assessment by US-based flight tower to protect your database by monitoring password vulnerabilities, storage permissions, and configuration settings.
With a wide range of product models, including fortidb-400b,fortidb-1000b and fortidb-2000b, it can meet the vulnerability assessment of up to 10-60 parallel databases with the advantage of supporting large-scale database applications, and the product also has strong industry compliance Meet industry regulatory requirements such as PCI, financial industry GLBA, and HIPAA in the healthcare industry. But the product does not support China's national security policy, does not support domestic databases and China's National Information Security Vulnerability database, and there is a clear lack of its own security features.

1. Securesphere DAS

Imperva's Securesphere Discovery and Evaluation Server (DAS) enables enterprise customers to manage the discovery of data assets, the classification of storage data, and the comprehensive vulnerability management that identifies misconfiguration and potential vulnerabilities, expands the need to support large heterogeneous environments, and provides enterprise-level reporting and analysis views. Includes data risk management and historical trend analysis.
But the product does not support penetration detection function, not conducive to forensics. In addition, it is also faced with issues such as non-compliance with national security policies and support for domestic databases.

1. Professional database security products in China

An Huaqin and Database Vulnerability Scanning System (abbreviated as Dbscan) is a professional software that helps users to evaluate the current database system automatically, as a leading domestic database vulnerability scanning product, which can help users to prevent and effectively expose the security problems of the current database system. Provides continuous monitoring of the security posture of the database to help users maintain a safe and healthy state of the database.

The product can achieve the following safety inspection and protection effect:

Detection of external hacker attacks to prevent external attacks: the implementation of non-authoritative external-to-internal testing, simulation of the hacker's use of the vulnerability detection technology, in the absence of authorization, the security of the target database to conduct in-depth detection and analysis; collects details about database vulnerabilities that outsiders can exploit.

analysis of internal insecure configuration to prevent unauthorized access: through the read-only account, to achieve internal-to-external detection; Provide the vulnerability perspective and Database Configuration security assessment of existing data; avoid unauthorized access inside and outside.

Monitor database security to prevent deterioration of database security: periodically scan the database to report and analyze changes in all security situations.

This article is from the Database security blog, so be sure to keep this source http://schina.blog.51cto.com/9734953/1685529

Research on database leak-scanning technology