SECURITY ISSUES REGARDING SQL SERVER DATABASES
There are several kinds of database infiltration which can
result in problems for a company.
The 2 dimensions are: type of attack and route of attack.
The type of attack can be:
- destructive and detected
- destructive and undetected (difficult one this!)
- non-destructive and detected
- non-destructive and undetected
The routes of attack can be:
- through internet
- through Local Area Network (LAN) by company employee/system user
- through IT Department System Administrator(s)
Of the 12 possible combinations, a non-destructive and undetected attack by an IT Department System Administrator can be the most damaging. SQL Server is more at risk from this kind of attack than, for example, a well-installed Oracle system. It is in fact almost impossible to stop that kind of attack from happening, whether the system under attack is a package like Pastel, Navision, SAP, or Sage, or an in-house bespoke application. It is also very difficult to detect such an attack. Even so-called C2 techniques of high-security monitoring, as used by the US Military, can be subverted and circumvented by determined System Administrators.
I was recently called to Rwanda to try to beef up security on a banking system, which had been written with a Visual Basic 6 front-end and a SQL Server 2000 back-end. After examining all possibilities (including C2 as mentioned above), I designed and developed a clever but simple technology which detects each and every illegally updated, illegally inserted and illegally deleted line in every protected database table within 24 hours of the action taking place. The very knowledge alone by the System Administrators that the protective system is in place will in 99.999% of cases be sufficient to deter them from attempting any illegal action.
The technology can be applied to any bespoke system and to many package systems (such as Pastel, Sage etc.). It uses encryption technology, encrypted stored procedures, and a Scanning Routine which writes any and all illegal actions to the Windows Server Application Event Log. This Scanning Routine runs automatically every night as a Scheduled Job; or it can be set to run continuously 24 x 7; and/or it can be started by an Audit Inspector during any random visit.
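One way row-level tamper detection of this kind can work, as an added example that is not the author's implementation (the page does not disclose it): each legal write stores an HMAC over the row and its sequence number, and a scan recomputes them to find updated, inserted and deleted rows. Assumptions: the `accounts` table, the function names and the key are hypothetical, SQLite stands in for SQL Server, the key and `last_seq` are kept out of the administrator's reach, and findings are returned rather than written to the Event Log.

```python
import hashlib
import hmac
import sqlite3

KEY = b"constructed-demo-key"  # assumption: known to the write path and auditor only

def row_mac(key, seq, owner, balance):
    """Keyed digest binding the row's content to its sequence number."""
    msg = f"{seq}|{owner}|{balance}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (seq INTEGER PRIMARY KEY, "
                 "owner TEXT, balance INTEGER, mac TEXT)")
    return conn

def protected_insert(conn, key, owner, balance):
    """Stand-in for the protected stored procedure: the only legal write path."""
    seq = conn.execute("SELECT COALESCE(MAX(seq), 0) + 1 FROM accounts").fetchone()[0]
    conn.execute("INSERT INTO accounts VALUES (?, ?, ?, ?)",
                 (seq, owner, balance, row_mac(key, seq, owner, balance)))
    return seq

def scan(conn, key, last_seq):
    """Nightly scan. last_seq is the highest legal seq, recorded outside the database."""
    findings, expected = [], 1
    rows = conn.execute("SELECT seq, owner, balance, mac FROM accounts ORDER BY seq")
    for seq, owner, balance, mac in rows:
        # Legal sequence numbers are consecutive, so a gap means a deleted row.
        for missing in range(expected, min(seq, last_seq + 1)):
            findings.append(("deleted", missing))
        expected = seq + 1
        good = row_mac(key, seq, owner, balance).encode()
        if not hmac.compare_digest(str(mac or "").encode(), good):
            # A bad MAC past the legal high-water mark is a row added outside the write path.
            findings.append(("inserted" if seq > last_seq else "updated", seq))
    # Rows removed from the tail of the table leave no gap, only a shortfall.
    findings += [("deleted", s) for s in range(expected, last_seq + 1)]
    return findings
```

A row restored to an earlier legally written version still carries a valid MAC, so detecting that kind of rollback needs a version counter in the MAC input as well.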
I am interested in exploring with you the possibility to create and install such a Protection System for your Application(s).
Alex Weir, April 2004
1. no change of any kind to client application - all changes on database and stored procedure side only (that assumes
that all existing writes to protected tables already done thru stored procedures, functions or views; if not then obviously
someone requires to modify existing client-side code to address stored procedures rather than issue direct
2. probably -3% performance impact
3. can even work with existing encrypted stored procedures without getting access to code (in that case preferable/
cheaper if some overview of parameters is provided, but if not then workings can probably be deduced and protection
4. typical cycle time for checking every one of 1 million records = 40 minutes on a very slow (600 MHz) server.
5. typical time to protect system with 4 tables protected - 5 man-days, 40 man-hours.
PS - Additionally, there are 2 techniques which I use for increasing security of client-server applications - normally VB6 with SQL Server 2000, but they can be used with any client application and database combination. One of these enables very frequent database password changes with no action of any kind required on the client PC; the other eliminates the capability of a System Administrator using SQL Server Profiler to view the application username and password travelling from client to database. Contact me also if you want to commission some very basic and rapid but very important work on these 2 aspects of security. Note that you will NOT find any of these 3 techniques in the textbooks!