
The way in: Application security

Some months ago I was reviewing an investigation into a breach. An analysis of the investigation revealed that initial access to the enterprise was made through a web server and from there, via a circuitous route, to a database server where the actual data thefts occurred. Neither of these is any real surprise given the known weaknesses in the security postures of both types of targets, especially web servers. 

The intrusions were compounded by the use of malware, which should also be no surprise. What should not have surprised anyone, given the findings of Verizon's recent breach report, was that the attacks were not particularly sophisticated, consistent with what the Verizon reports have shown for two years now.

These were attacks against low-hanging fruit. This month's products are quite capable of moving that fruit nearly to the top of the tree and providing significant protection for web applications and databases. This month, we look at web application and database security tools and, while the crop is small, there are some powerful contenders in it.

Unfortunately, web applications as front-ends for databases provide the way into an enterprise through simple attacks, such as SQL injection. A year ago, I was called on to test a website for vulnerability to SQL injection. The premise under which I was asked was that it was a sophisticated attack that, basically, could not be prevented or protected against. My approach was simple. I became a script kiddie.

Rather than use tools and accepted manual penetration-testing techniques, I went to the Internet, found an information site on SQL injection attacks, and duplicated – keystroke-for-keystroke – what I found. I was in the database in under five minutes, including finding the information site. In just a little more time, I had extracted credit card data and posed as the administrator for the database. These are not sophisticated attacks, but that does not mean that the protection against them should not be sophisticated. 

Why? The simple answer is that SQL injection, like many other types of attacks, is a class of attack targeting a class of vulnerability. Just as there can be dozens, or even hundreds, of variations in malware, there can be many variations of the same exploit attack. Attack signatures just are not enough. Tough protection is needed and that is what you'll find this month in our product pages.
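The point that signatures alone cannot cover a class of vulnerability is easy to see in code. The following is an added example, not from the column or from any of the products reviewed: a constructed SQLite table, a lookup that splices user input into the query text, the same lookup using a bound parameter, and a deliberately naive one-string "signature" filter of the kind a blocklist rule might apply. Minor rewordings of the same input slip past the signature and still alter the concatenated query, while the parameterized query treats every one of them as a literal username and returns nothing.

```python
import sqlite3

# Constructed sample data for this example (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

def lookup_concat(conn, username):
    """Vulnerable pattern: user input becomes part of the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, username):
    """Hardened pattern: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# A single-string "signature", the kind of rule that catches one variant only.
SIGNATURE = "' or '1'='1"

def signature_blocks(username):
    """Return True if the naive signature rule would reject this input."""
    return SIGNATURE in username.lower()

def evaluate(inputs):
    """For each input, record whether the signature fires and how many rows
    each lookup style returns. A row count above one from the concatenated
    query means the input changed the query's logic."""
    conn = make_db()
    results = {}
    for text in inputs:
        results[text] = {
            "blocked_by_signature": signature_blocks(text),
            "rows_concat": len(lookup_concat(conn, text)),
            "rows_param": len(lookup_param(conn, text)),
        }
    return results

if __name__ == "__main__":
    # Three rewordings of the same idea: only the first matches the signature.
    samples = ["' OR '1'='1", "' OR 'a'='a", "x' OR 1=1 --"]
    for text, outcome in evaluate(samples).items():
        print(repr(text), outcome)
```

Running the block shows the signature rejecting only the exact string it was written for, the concatenated query returning all three users for every variant, and the parameterized query returning zero rows for all of them. That is the gap between matching one exploit string and closing the vulnerability class, and it is why the column argues for protection that is tougher than a list of attack signatures.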

We looked at both web application security and database security. Our tools included security management applications and firewalls, both separately and in combination. We had appliances, software and one virtual appliance available from our vendors – a who's-who of the industry.

Also, this is another month where we have enlisted the talents of the information security students at Norwich University. A team of five exceptional students took on these six products and, under the leadership of Cadet Rebecca Weaver, a senior graduating in December, ran them through their paces in our cyber war room using the Center for Advanced Computing and Digital Forensics' virtual environment and a multi-workstation test bed. I've called out their names in the individual reviews they provided. I trust you will find their ministrations satisfactory; I know that I did. So, on with the show!
