February 16, 2017

How to Run a Database Vulnerability Scan with Scuba

You've downloaded and installed Scuba, Imperva's free database vulnerability scanner, which provides more than 2,300 assessment tests for detecting database security vulnerabilities and configuration flaws on popular enterprise databases such as Oracle, Microsoft SQL Server, SAP Sybase, IBM DB2 and MySQL.

Now you want to know if there are any security vulnerabilities in your database(s) and, if there are, what you need to do to remedy the situation. This post walks you through the steps.

First, you need to set baseline permissions for your database(s). (For more information, see the Scuba User Guide.) Then you can begin your scan, view the results, and evaluate corrective action options.

Let’s get started.

Running a Scan

Running a Scuba database scan is a simple, four-step process.

  1. Open Scuba.
  2. Select your database type from the dropdown list. (Options include Oracle, Microsoft SQL Server, SAP Sybase, IBM DB2, Informix, and MySQL.)
  3. Enter details for the selected database, as follows.
    • Host / IP
    • Port (or use the default port)
    • User Name
    • Password
    • Database / Instance / SID (depending on the selected database type)
  4. Click Go to start the scan. The scan runs against the live database and requires no downtime.

NOTE: For Microsoft SQL Server, Windows Authentication is enabled by default. To disable it and enter a User Name and Password manually, click the Authentication button next to the User Name field, then enter the appropriate User Name and Password.

(Screenshot: Set Scan Parameters, the Scuba launcher)

(Screenshot: Disable Windows Authentication, the Authentication button tooltip in the launcher)

You can view the scan's progress, as well as the number of tests being performed, by viewing the lower-right corner of the open Scuba window.

(Screenshot: Scan Progress)

Viewing Scan Results

When the scan ends, the application closes and the Results screen automatically opens in your default browser, with the results organized into three panes.

Top Pane — Displays an Executive Summary about:

  • Number of database security risks detected during the scan
  • Whether the database currently meets Center for Internet Security (CIS) and Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) standards
  • Total failures out of total number of tests
  • Time to complete the scan

Middle Pane — Displays Statistics that include:

  • Compliance — Percentage of database compliance with CIS and DISA standards
  • Results — Number of failed and passed tests, as well as number of tests requiring more information to determine security risk
  • Failures — Number of failures that are critical, high, medium, or low status

Bottom Pane — Displays Assessment Details, organized into a sortable table with the following summary about each test:

  • Test — Displays an identification code and brief description of the test focus
  • Category — Displays type of risk (Known Attacks or Unknown Attacks)
  • Compliance — Displays whether tested element is CIS and DISA compliant
  • Result — Displays Failure status (critical, high, medium, low)

(Screenshot: Scan Results, showing the Top, Middle, and Bottom Panes)

In this example, 90 vulnerabilities were detected, the database is only 63% compliant with the CIS and DISA STIG standards, and 23% of the tests failed (219 failures out of 937 tests). Of those failures, 93 are critical, 77 are high risk, 44 are medium risk, and 5 are low risk. All of this was determined in 2 minutes and 39 seconds.

With this information, you are now ready to determine what actions are needed to correct the failures.

Opening a Quick View of Corrective Actions

Hovering over the Medical Kit icon displays a quick view of corrective actions for the selected item.

(Screenshot: Quick View of corrective actions in the Assessments table)

In this example, the test for CVE-2016-5555 reported a critical failure that is corrected by installing the Oracle JavaVM patch update from October 2016 or later.

Expanding View of Assessment Details

You can easily expand an Assessment Detail row by clicking that row's + (plus) icon, which lets you view the following information:

  • Details — Describes the type of possible security vulnerability
  • Description — Describes what the test scans for
  • Data — Displays the source of the security vulnerability, which is determined by the type of assessment test (in the screenshot below, the source is the scanned user accounts, which are identified by User Name and Account Status)
  • Remediation — Recommended action to correct the issue

(Screenshot: Expanded View of an Assessment Details row)

In this example, the scan tested for database User Accounts that use a default password. The results return a list of all accounts currently using a default password and indicate whether the account is Locked, Expired & Locked, or Open.

With this information, you can begin changing default passwords, starting with Open accounts and then proceeding to Expired & Locked and Locked accounts.

NOTE: An Open account using a default password presents a higher risk than a Locked or Expired & Locked account, because anyone who knows the vendor default can log in to the Open account immediately, whereas a locked account cannot be used to log in until someone unlocks it.
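The default-password check shown in the expanded view above can be reproduced by hand, which is useful for confirming a fix before re-running the full scan. The following is an added example, not code from the post or from Scuba, and it assumes the scanned database is Oracle 11g or later (the DBA_USERS_WITH_DEFPWD view was introduced in 11g) and that the login used has SELECT on DBA_USERS and DBA_USERS_WITH_DEFPWD. It goes slightly beyond the screenshot by also ranking plain EXPIRED accounts, which can still log in once, ahead of locked ones; the account name scott in the remediation statements is a placeholder.

```sql
-- Added example (not from the post or from Scuba): list accounts whose
-- password still matches a known Oracle default, with their status, ordered
-- so the accounts that can actually be used to log in come first.
-- Assumes Oracle 11g+ and SELECT on DBA_USERS / DBA_USERS_WITH_DEFPWD.
SELECT d.username,
       u.account_status,
       u.profile,
       u.lock_date,
       CASE u.account_status
         WHEN 'OPEN'             THEN 1  -- usable now with the vendor default: fix first
         WHEN 'EXPIRED'          THEN 2  -- one login still allowed to set a new password
         WHEN 'LOCKED'           THEN 3  -- not usable until unlocked
         WHEN 'EXPIRED & LOCKED' THEN 4  -- not usable until unlocked and reset
         ELSE 5
       END AS risk_order
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY risk_order, d.username;

-- Remediation for an account that must stay in use: replace the default
-- password. 'scott' and the password value are placeholders (assumptions),
-- not values taken from the post; use a generated password in practice.
ALTER USER scott IDENTIFIED BY "Replace-With-Generated-Value-1";

-- Remediation for an account that is not needed: change the password AND
-- lock it, so the default cannot be used even if the lock is later removed.
ALTER USER scott IDENTIFIED BY "Replace-With-Generated-Value-2" ACCOUNT LOCK;
```

After each ALTER USER, re-run the SELECT: an account disappears from DBA_USERS_WITH_DEFPWD as soon as its password no longer matches a default, which gives a quick confirmation that the remediation took effect without waiting for a full rescan.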

Conclusion

As you can see, it's easy to use Scuba to scan for database security vulnerabilities and identify where and how to take corrective action. And a reminder: it's free for your continued use.

For more information on how to secure your data and prevent breaches, read about Imperva's data security solutions.
