10 March 2014

Protecting MSSQL from the Insider threat

Andy Harris

IT Security is a very wide ranging subject. At Osirium we like to think of its application to the business stack. By this we mean all the components that are layered together to provide a business service.

A typical stack might have a virtual machine running an operating system that supports business applications. So protecting the OS and the applications through anti-malware and firewalls is a pretty standard approach.

However, if we consider the insider threat, some other components in the stack form a softer underbelly that is easier to attack or subvert. Two such components are the SAN (Storage Area Network) and the database. Given access to the SAN, the attacker can make a silent copy of a virtual machine to be hacked at leisure. In this blog entry, however, we're going to consider access to the database.

Let's return to our stack for a moment: the database is a component that supports business applications. To interact with the database, normal users go through applications; privileged users, for example supervisors, use the same applications but with more options, e.g. to reverse a transaction. In both cases the business can see what has been done: transactions processed, goods sent, money collected. In essence the database describes the state of the business at any point in time.

But what if our attacker has raw access to the database? They could alter the number of goods sent or received, or the monetary transactions. The journal file would show the changes, but it can be consolidated and cleaned. So now our attacker can remove goods or money and the business users see no anomaly. At some point in the future the company accounts will show either stock or money missing. At that stage the business will use the applications to reconcile all the transactions and find nothing amiss. Then they have to go one step backwards and try to reconcile what they received against supplier documentation. On the money side they'll have bank records, but a missing cash transaction would be very hard to trace.

By now you'll realise that this is a bigger threat than losing control of administrator credentials. We've been thinking this for some time, and we have just released our solution for MSSQL Management Studio. This Single Sign On approach means that you can really limit who gets to know the db_owner credentials whilst allowing your team full access to the database. You can choose to record sessions as well.

The real benefits of all this are:

  • No more sharing the db_owner credentials, so no chance for them to escape your organisation through spreadsheets, post-it notes or runbooks
  • You know who accessed the database when and for how long
  • With Session recording you can review what happened on the database
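The first two benefits, individual accountability in place of a shared db_owner password and a record of who accessed the database and when, can be illustrated in plain T-SQL. The block below is an added example written for this post; it is not Osirium's product code and does not show how the Management Studio integration works. The database name [Orders], the Windows identity [CORP\alice], the audit name and the audit file path are placeholders.

```sql
-- Added example (not Osirium's code). Placeholders: [Orders], [CORP\alice],
-- [Orders_Audit], D:\SQLAudit\. Requires sysadmin (or CONTROL SERVER) to set up.

-- 1. Nobody needs to type the db_owner password: map each person's own
--    Windows identity to a database user, so access is individually
--    attributable and revocable, and grant the least role that fits the job.
USE [master];
CREATE LOGIN [CORP\alice] FROM WINDOWS;
GO
USE [Orders];
CREATE USER [CORP\alice] FOR LOGIN [CORP\alice];
ALTER ROLE db_datareader ADD MEMBER [CORP\alice];   -- read tables
ALTER ROLE db_datawriter ADD MEMBER [CORP\alice];   -- write tables
-- db_owner is deliberately not granted to anyone here.
GO

-- 2. Know who accessed the database and when: a server audit writes events
--    to a file, and the specifications below choose which events to capture.
USE [master];
CREATE SERVER AUDIT [Orders_Audit]
    TO FILE (FILEPATH = N'D:\SQLAudit\')        -- placeholder path
    WITH (ON_FAILURE = SHUTDOWN);               -- fail closed: no unaudited access
ALTER SERVER AUDIT [Orders_Audit] WITH (STATE = ON);

-- Every successful and failed login, server-wide (who, when, from where).
CREATE SERVER AUDIT SPECIFICATION [Orders_Login_Spec]
    FOR SERVER AUDIT [Orders_Audit]
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO
USE [Orders];
-- Every read and write of data in [Orders], plus any change to role
-- membership or permissions (the steps a raw-access attacker would take
-- to widen their own rights).
CREATE DATABASE AUDIT SPECIFICATION [Orders_Data_Spec]
    FOR SERVER AUDIT [Orders_Audit]
    ADD (SELECT, INSERT, UPDATE, DELETE ON DATABASE::[Orders] BY public),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- 3. Review: which principal ran which statement against which object, and when.
SELECT event_time, action_id, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time;
```

Two design choices worth noting. Because the login is a Windows identity rather than a SQL password, there is nothing to write in a spreadsheet or runbook, and removing the person's access is a single DROP LOGIN. ON_FAILURE = SHUTDOWN stops the instance if the audit cannot be written, which is the strict setting for the scenario in this post (an insider who can silently alter data and then tidy the journal); on a server where availability matters more than the audit trail, ON_FAILURE = CONTINUE or FAIL_OPERATION is the usual compromise. Session recording, the third benefit in the list above, is a capability of a privileged access gateway rather than of the database engine, and is not shown here.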

Please contact us if you would like to see how Osirium can protect your MSSQL implementation (or SANs, OSs and all manner of other devices).