First GROAN of the New Year - Sister CISA CISSP
Home > IT Blogs > Sister CISA CISSP > First GROAN of the New Year
>>VIEW ALL POSTS  

Sister CISA CISSP

« Encrypting Company Laptops
The Purpose of Audit »
Jan 8 2009   6:10PM GMT

First GROAN of the New Year



Posted by: Arian Eigen Heald
Security, Tearing My Hair Out

I was doing an audit today (I know, the term “audit” should only be used in connection with a financial exam, but everybody but Public Accountants use it this way) and examining the users inside a SQL database that holds one heck of a lot. I wish more IT Auditors would start looking inside databases.

Every single application ID was “dbowner” in it’s database. Every single one. All these different application functions, with “dbowner” rights. Why bother to have a dozen IDs? Just to fool the client? Guess so. Yes, the application does respond based on Windows user ID - but the application ID, which accesses the database for the application, has total rights over the database. It makes everything work just hunky-dory (dating myself, I know) but there’s six ways to Sunday to utilize that kind of power inside the database.

Developers do it this way because it’s fast and easy. But combine this with a badly configured web server and you have a break-in waiting to happen. That’s exactly what I’m looking at today, and it really makes me wonder when business is going to wake up and secure their software.

KPMP is saying that breaches are going to increase in 2009, and I can’t help but agree.

AddThis Social Bookmark Button     Comment     RSS Feed     Email a friend

Comment on this Post


You must be logged-in to post a comment. Log-in/Register

Suzmonster  |   Jan 9 2009   3:57PM GMT

I am so glad you share all the boneheaded things you come across. It might just give me a better chance at recognizing a bad configuration before it’s too late. With the variety of businesses being compromised increasing I no longer feel so safe.