Data security experts are raising the alarm: viruses are getting increasingly more specialized and have lately attacked SQL Server installations that did not install the latest Microsoft security patches.

The SQL Slammer worm created high network data traffic resulting in a sort of denial of service scenario. In this case the worm did not attack data residing in the database but the case shows that there is a potential threat. Hackers could create a virus that tries to read and steal data from relational databases. Especially where enterprises have interfaces between their own network and the public Internet the risk of attack by hackers is high: each year an immense amount of damage is caused by data thieves who gain access to IT systems. In many cases the threat does not come from outside the company but from within. Disloyal employees steal data, for example sales managers leaving for another job, copy customer data before they leave. Modern security technology is like a safety bar which can securely lock the door to the valuable data assets, securing data from external and internal attacks.

There are various possible methods which data thieves can use. The most important of these are:

  • A hacker starts an attack on physical database files in order to see or alter information; he can physically access the system even though he has no authorization. This occurs in the case of mobile client systems, for example.
  • A data thief pretends to be an authorized user of a system, a database or an application. For this purpose there is software for the generation and automatic use of password lists. Often a simple phone call from the "user service" suffices, with a direct request for password and caller ID.
  • An attacker uses an existing database connection via a network, which has been set up by an authorized user (hijacking). A sniffer intercepts uncoded information while it is being transmitted via a network.
  • Most database vendors have reacted on increased security needs and have released product versions that include highly increased security. Oracle has greatly improved security in its database server product and is calling it unbreakable. Unbreakable might be a little bit exaggerated since no IT system so far has proven to be unbreakable. But Oracle certainly has introduced a lot of functionality to improve data security. Microsoft is challenging Oracle by integrating Windows security and encryption into its SQL Server product making it a very secure database. Sybase offers security and encryption features in its enterprise product Adaptive Server Enterprise and its workgroup server Adaptive Server Anywhere. Now it is up to the user to choose the right product offering for his needs. Following are detailed descriptions of the security features of the previously mentioned databases vendors.

    Overview of Oracle security features

    Oracle has concentrated very much on improving the logon and user account features to make data in the database more secure. User accounts have advanced expiry settings that allow to lock a user account after a given date or that only allow access during specified times of a day. Oracle user tools force database administrators to change passwords for preinstalled database accounts to close security holes directly after product installation. A very common security problem are preinstalled database accounts that use pre-defined passwords being equal for all product installations. Many time hackers could access detailed ordering information including credit card information because companies operating webshops did not change the default password of administrators in the underlying database. Oracle has introduced blocks which disallow the "ANY" keyword that can be used to delete all tables from the database like the old DOS command del *.*. Once enabled this feature prevents unwanted data loss. A very important security feature in Oracle is the encryption of network traffic. Sniffer attacks to sensible data can be easily prevented using encrypted communication between client and database server. Other security features include a list of disallowed IP addresses, preventing access from known bad sources. These security features make Oracle a pretty good secure database. Oracle has C2 certification for its database product. Compared to the other vendors security offerings Oracle is lacking one important area and that is data encryption in the database itself. Making Oracle somewhat vulnerable against internal attacks, like system administrators that have direct access to the database file itself could read and change values in the database file itself since the data is not encrypted.

    Microsoft SQL Server offers security based on Windows security features

    Microsoft offers comprehensive security features for its SQL Server database product. Since SQL Server requires the Windows platform it makes sense for Microsoft to integrate the Windows security features like encryption into SQL Server. Microsoft offers a tool that analyzes possible security holes like unchanged admin passwords and excessive rights on the guest account. SQL Server can be installed using SQL Server authentication or integrated Windows authentication. It is recommended to use integrated Windows authentication since the Windows user and password settings are enforced like the necessity to change a password after a predefined period of time and other logon and authentication features of Windows. The Windows NTFS file system allows full encryption of directories and files. This feature of Windows can be used to force encrypted database files to protect against direct file attacks. Reading such an encrypted file using hex editors does not unveil any information in text or readable format. For SQL Server database administrators must be aware that the majority of the SQL Server security features are operating system features and must be set in Windows administration tools, not in SQL Server tools. Another important security feature is database auditing that help to reconstruct the way how security holes have been used. Auditing protocols all login and SQL activity of specified users or groups. Microsoft has obtained C2 security certification for SQL Server running on a special Windows NT4 release. Later SQL Server platforms like Windows 2000, XP and 2003 Server are not C2 certified.

    Sybase offers secure features in Adaptive Server Enterprise and Adaptive Server Anywhere

    Both Sybase database server products, the enterprise and workgroup server offer good competitive security features. The Sybase Adaptive Server Enterprise offers strong security including triple DES encryption of data in the database. Making the product pretty secure against internal data attacks. Adaptive Server Enterprise includes role based access, segregation of duties, auditing and tested performance. The communication between database and server is encrypted in both Adaptive Server Anywhere and Adaptive Server Enterprise disallowing unwanted analysis of network traffic. The Sybase security offering is superior to Oracle and more integrated than the Microsoft SQL Server security implementation. The Sybase offering is very much tuned for the financial market where requirements from several public and industry groups have been implemented like for example requirements from VISA and Mastercard for secure ebusiness.

    Responsibility for users

    The bigger the company, the more difficult it is to restrict access exclusively to authorized users. The problems involved in keeping security-relevant information within a restricted group of persons increase with the number of users. This is not a question of the trustworthiness of the staff but of carelessness and unawareness on the part of the users.

    Due to the number of passwords and user IDs involved, users tend to leave notes on their desk or to simplify the passwords in such a way that they make it easy for unauthorized persons to gain access to protected areas. Incorrect logging off and failure to shut down the computer mean that an unoccupied workplace offers sufficient opportunity to do damage to the company. Here self-discipline and a sense of responsibility on the part of the users are called for. But relief is available for the user: for some time already professional databases which encode their data independently have existed for the PC platform. This process takes place automatically, without a cryptography tool having to be activated first. The user does not notice that anything is happening. In other words, he does not have to think about encoding any more.

    Thanks to this security technology, it does not matter if a field representative's notebook is stolen – except for the value of the lost hardware – since the thief will be unable to get hold of the data on the hard disk. Unless of course the user was so silly as to leave a note of his password inside the case of the notebook.

    Safely from LAN to LAN

    Companies with several sites or who have outsourced their IT infrastructure can also profit from encoding their data. For transmission from A to B only seldom takes place via a protected com-munication network, such as is offered for example by a backbone based on Ethernet technology in a Metropolitan Area Network (MAN). Instead, data traffic travels through the IP backbone or another public network, which offers hackers enough opportunities for their work. Each server has its own IP address; in order to discover these addresses, it suffices to intercept a single track between two communicating systems. The hacker is then able to record the whole of the data traffic between the sender and receiver ad-dresses. Encoding of the data therefore provides protection against attacks on existing network connections to the outside: an unauthorized person cannot intercept communication between two databases, without first cracking the code.

    Conclusion: Companies who attach importance to maximum security for their information cannot rely on a firewall alone. A network offers enough weak points to allow a professional data thief to attain his goal. For optimum protection against unauthorized access to servers, workstations and data lines, encoding of security-relevant data is therefore the best solution.

    Different needs require for different database products. The group of databases presented in this article have their specific strength's. For large volume, many users secure systems, Sybase seems to have a lead in front of Microsoft SQL Server and Oracle. For embedded and workgroup databases Gupta SQLBase offers the best security currently available.

    After selecting a database product that offers the security features that meet the customers requirements the most important and often forgotten task is to enable and use the advanced security features provided by almost all database manufacturers.

    The author is Product Manager at Gupta Technologies in Munich.