How to Run a Database Vulnerability Scan with Scuba
You’ve downloaded and installed Scuba, Imperva’s free database vulnerability scanner, which provides more than 2,300 assessment tests for detecting database security vulnerabilities and configuration flaws on popular enterprise databases such as Oracle, Microsoft SQL, SAP Sybase, IBM DB2 and MySQL.
Now you want to know if there are any security vulnerabilities in your database(s) and, if there are, what you need to do to remedy the situation. This post walks you through the steps.
First, you need to set baseline permissions for your database(s). (For more information, see the Scuba User Guide.) Then you can begin your scan, view the results, and evaluate corrective action options.
Let’s get started.
Running a Scan
Running a Scuba database scan is a simple, four-step process.
- Open Scuba.
- Select your database type from the dropdown list. (Options include Oracle, Microsoft SQL Server, SAP Sybase, IBM DB2, Informix, and MySQL.)
- Enter details for the selected database, as follows.
- Host/ IP
- Port (or use default Port)
- User Name
- Database / Instance / SID (depending on selected database type)
NOTE: Microsoft SQL Server supports Windows Authentication, which is enabled by default. To disable and manually enter a User Name and Password, click the Authentication button next to the User Name field. Enter the appropriate User Name and Password.
- Click Go to start the scan. The scan will run without the database experiencing any downtime or performance degradation.
Set Scan Parameters
Disable Windows Authentication
You can view the scan's progress, as well as the number of tests being performed, by viewing the lower-right corner of the open Scuba window.
Viewing Scan Results
When the scan ends, the application closes and the Results screen automatically opens in your default browser, with the results organized into three panes.
Top Pane — Displays an Executive Summary about:
- Number of database security risks detected during the scan
- Whether the database currently meets Center for Internet Security (CIS) and Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) standards
- Total failures out of total number of tests
- Time to complete the scan
Middle Pane — Displays Statistics that include:
- Compliance — Percentage of database compliance with CIS and DISA standards
- Results — Number of failed and passed tests, as well as number of tests requiring more information to determine security risk
- Failures — Number of failures that are critical, high, medium, or low status
Bottom Pane — Displays Assessment Details, organized into a sortable table with the following summary about each test:
- Test — Displays an identification code and brief description of the test focus
- Category — Displays type of risk (Known Attacks or Unknown Attacks)
- Compliance — Displays whether tested element is CIS and DISA compliant
- Result — Displays Failure status (critical, high, medium, low)
Scan Results — Top, Middle, and Bottom Panes
In this example, 90 vulnerabilities were detected, the database is only 63% compliant with CIS or DISA (STIG) standards, and 23% of the database is at risk (219 failures out of 937 tests). Of those failures, 93 are critical, 77 are high risk, 44 are medium risk, and 5 are low risk. All of this was determined in 2 minutes and 39 seconds.
With this information, you are now ready to determine what actions are needed to correct the failures.
Opening a Quick View of Corrective Actions
Hovering over the Medical Kit icon displays a quick view of corrective actions for the selected item.
In this example, test CVE-2016-5555 had a critical failure that can be corrected by installing Oracle JavaVM patch update from October 2106 or later.
Expanding View of Assessment Details
You can easily expand an Assessment Detail row by clicking that row's + (plus) icon, which lets you view the following information:
- Details — Describes the type of possible security vulnerability
- Description — Describes what the test scans for
- Data — Displays the source of the security vulnerability, which is determined by the type of assessment test (in the screenshot below, the source is the scanned user accounts, which are identified by User Name and Account Status)
- Remediation — Recommended action to correct the issue
In this example, the scan tested for database User Accounts that use a default password. The results return a list of all accounts currently using a default password and indicate whether the account is Locked, Expired & Locked, or Open.
With this information, you can begin changing default passwords, starting with Open accounts and then proceeding to Locked & Expired and Locked accounts.
NOTE: An Open account using a default password presents a higher risk than a Locked or Expired & Locked account.
As you can see, it's easy to use Scuba to scan for database security vulnerabilities and identify where and how to take corrective action. And a reminder: it's free for your continued use.
For more information on how to secure your data and prevent breaches, read about Imperva's data security solutions.
Authors & Topics: