A fabulous piece from Rick Osgood on Hacking Microsoft SQL Server Without a Password.
Using a man-in-the-middle attack based on ARP spoofing, together with free tools such as Wireshark and Ettercap filters, he is able to hijack the SQL connection and execute arbitrary queries in place of the real ones. He even manages to create SQL users and to modify the result data that is passed back to the SQL client.
His list of recommendations for securing a database connection:
– encryption on all database connections
– ensure remote queries never use accounts with elevated privileges, such as the SA account
– all database queries, especially the programmatic ones, should use an account with the absolute least amount of access they need to do the job
– ensure your infrastructure is patched regularly
– segment and isolate database systems from the corporate network
The above example gives us an idea of why standards such as PCI became a requirement in fintech environments. In fintech enterprise environments that deal with card data, or with financial data in general, all the RFPs carry a strong requirement that the environment implements the PCI standard.
In general the rule of thumb for implementing this is to completely isolate the part of the system that deals with PCI-restricted data from the rest of it.
For more details see the official documents in the PCI Document Library.
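To make the encryption and least-privilege recommendations above concrete, here is an added T-SQL example (my own, not from Osgood's article): a dedicated low-privilege login in place of sa, and a server-side check of which sessions are actually encrypted. The database, login and object names (AppDb, app_orders_reader, dbo.Orders, dbo.usp_CreateOrder) are placeholders.

```sql
-- Weak setup that the attack relies on: the application connects as 'sa'
-- over a cleartext connection, e.g.
--   Server=db01;Database=AppDb;User ID=sa;Password=...;Encrypt=False
-- A hijacked session then runs with full sysadmin rights.

-- 1. Dedicated login for the application instead of 'sa'.
--    The password comes from a secret store, never from source code.
USE master;
CREATE LOGIN app_orders_reader
    WITH PASSWORD = '<placeholder: strong password from secret store>',
         CHECK_POLICY = ON;

USE AppDb;
CREATE USER app_orders_reader FOR LOGIN app_orders_reader;

-- 2. Grant only what the job needs: read one table, run one procedure.
--    No db_owner, no sysadmin, no CONTROL, no server-level permissions.
GRANT SELECT  ON OBJECT::dbo.Orders          TO app_orders_reader;
GRANT EXECUTE ON OBJECT::dbo.usp_CreateOrder TO app_orders_reader;

-- 3. Verify from the server which user sessions are encrypted.
--    Any row with encrypt_option = 'FALSE' is a connection that could be
--    read and rewritten in transit exactly as in the article.
SELECT  s.session_id,
        s.login_name,
        s.host_name,
        c.client_net_address,
        c.encrypt_option,   -- 'TRUE' when TLS is in use for the session
        c.auth_scheme       -- SQL, NTLM or KERBEROS
FROM    sys.dm_exec_sessions    AS s
JOIN    sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE   s.is_user_process = 1;

-- 4. Hardened client side (ADO.NET / ODBC keywords, shown as a comment):
--   Server=db01;Database=AppDb;User ID=app_orders_reader;
--   Encrypt=True;TrustServerCertificate=False
-- Encrypt=True forces TLS; TrustServerCertificate=False makes the client
-- validate the server certificate, so a spoofed endpoint is rejected.
```

On the server side, "Force Encryption" in SQL Server Configuration Manager rejects clients that do not negotiate TLS, so the check in step 3 should return no 'FALSE' rows once it is enabled.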