Extensive User and Group Privileges

Monday, August 16, 2010

Application Security, Inc.


Article by Alex Rothacker

Application Security, Inc.'s Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) has researched the Top 10 Database Vulnerabilities in order to provide you with the most up-to-date vulnerabilities, risk and remediation information.

Today we will cover the third database vulnerability - extensive privileges assigned directly to users or indirectly through user groups.

There are two very important concepts that apply to information systems security controls: separation of duties and the principle of least privilege.

Separation of duties manages conflicts of interest and implements an appropriate level of checks and balances on an individual's activities, so that no single person ends up holding a toxic combination of privileges (for example, the ability both to change data and to erase the audit trail of that change).

The principle of least privilege requires that users have the least amount of privilege needed to perform their specific tasks: access to only the data they need and nothing more.

The process of collecting a comprehensive list of all rights that a user has can become a daunting task. Privileges typically aren't just assigned directly to users; users also inherit privileges from the groups or roles they belong to, and those roles may in turn be members of other roles.
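To make the two points above concrete (effective privileges must be resolved through nested roles, and the resolved set must then be checked for toxic combinations), here is an added example that is not part of the original article and not a Team SHATTER tool. It models a vendor-neutral catalog in an in-memory SQLite database: a role_members table (who belongs to which role) and a grants table (direct grants to users or roles). The users, role names, privilege strings and the list of toxic pairs are all constructed for illustration; on a real database you would populate the two tables from the vendor's own catalog views and use your organisation's own definition of toxic pairs.

```python
import sqlite3

# Constructed schema (hypothetical, not a real vendor catalog): a principal is
# either a user or a role; roles can be nested inside other roles.
SCHEMA = """
CREATE TABLE role_members(member TEXT, role TEXT);   -- member belongs to role
CREATE TABLE grants(grantee TEXT, privilege TEXT);   -- direct grant to a user or role
"""

# Constructed sample data. alice reaches app_reader both directly and through
# report_admin -> app_writer -> app_reader; bob holds ALTER SYSTEM directly.
SAMPLE_MEMBERS = [
    ("alice", "app_reader"),
    ("alice", "report_admin"),
    ("report_admin", "app_writer"),
    ("app_writer", "app_reader"),
    ("bob", "dba_ops"),
    ("dba_ops", "security_admin"),
    ("carol", "app_writer"),
]
SAMPLE_GRANTS = [
    ("app_reader", "SELECT ON app.orders"),
    ("app_writer", "UPDATE ON app.orders"),
    ("report_admin", "CREATE ANY VIEW"),
    ("security_admin", "CREATE USER"),
    ("security_admin", "GRANT ANY ROLE"),
    ("bob", "ALTER SYSTEM"),
    ("carol", "DELETE ON audit.log"),
]

# Constructed separation-of-duties rules: holding both halves lets one person
# complete an action that should need two people.
TOXIC_PAIRS = [
    ("CREATE USER", "GRANT ANY ROLE"),                  # mint a privileged account alone
    ("UPDATE ON app.orders", "DELETE ON audit.log"),    # change data and erase the trail
]

# Recursive CTE: start from the user itself, then keep walking member -> role
# edges. UNION (not UNION ALL) de-duplicates, so a cycle in role membership
# still terminates instead of recursing forever.
EFFECTIVE_SQL = """
WITH RECURSIVE reach(principal, holder) AS (
    SELECT ?, ?
    UNION
    SELECT reach.principal, rm.role
    FROM reach JOIN role_members rm ON rm.member = reach.holder
)
SELECT DISTINCT g.privilege, g.grantee
FROM reach JOIN grants g ON g.grantee = reach.holder
ORDER BY g.privilege, g.grantee
"""


def build_db(members=SAMPLE_MEMBERS, grants=SAMPLE_GRANTS):
    """Create the in-memory catalog and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role_members VALUES (?, ?)", members)
    conn.executemany("INSERT INTO grants VALUES (?, ?)", grants)
    return conn


def effective_privileges(conn, user):
    """Return {privilege: granted_via} for user, following nested roles.

    granted_via is 'direct' for a grant made to the user itself, otherwise the
    (first, alphabetically) role that carries the privilege to the user.
    """
    result = {}
    for priv, via in conn.execute(EFFECTIVE_SQL, (user, user)):
        result.setdefault(priv, "direct" if via == user else via)
    return result


def toxic_combinations(conn, user, pairs=TOXIC_PAIRS):
    """Separation-of-duties check on the user's *effective* privilege set."""
    held = effective_privileges(conn, user)
    return [(a, b) for a, b in pairs if a in held and b in held]


def audit_all_users(conn, pairs=TOXIC_PAIRS):
    """Map every user (a principal that is never used as a role) to its toxic pairs."""
    roles = {r[0] for r in conn.execute("SELECT role FROM role_members")}
    principals = {r[0] for r in conn.execute("SELECT member FROM role_members")}
    principals |= {r[0] for r in conn.execute("SELECT grantee FROM grants")}
    return {u: toxic_combinations(conn, u, pairs) for u in sorted(principals - roles)}


if __name__ == "__main__":
    db = build_db()
    for user, bad in audit_all_users(db).items():
        print(user, effective_privileges(db, user), "TOXIC:" if bad else "", bad)
```

The point of resolving membership before checking is visible in the sample: neither carol nor bob is granted a toxic pair directly, yet carol reaches UPDATE ON app.orders through app_writer while holding DELETE ON audit.log herself, and bob reaches both halves of his pair only through two levels of role nesting. A review that looks only at direct grants misses both.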

In this week's edition of our Database Vulnerability of the Day series, we will highlight several important rights, privileges and common groups to look out for when reviewing user and group rights, as well as group membership. We will also let you know what to check for, and how, to mitigate these risks.

To stay informed on the Top 10 Database Vulnerabilities follow @TeamSHATTER on Twitter.

Alex Rothacker is the manager of Application Security, Inc.'s Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research). Team SHATTER has been providing its customers and database vendors with the most up-to-date database vulnerability information to ensure the security of information stored in databases.
