
WareValley Cyclone

Product
Developers: WareValley
Technology: DBMS

Cyclone is WareValley's solution for finding vulnerabilities in DBMS.

When organizations run separate information security checks, such as user enumeration (obtaining the list of existing user logins), password cracking checks and fuzzing, the results cannot give a broad picture of DBMS security. Cyclone handles this task: it performs a multidimensional check of DBMS security against different global standards and makes recommendations for improving its level of protection.

Cyclone works with the following DBMS: Oracle, MS SQL Server, IBM DB2/UDB, Sybase ASE, MySQL, etc.

In scanner mode, Cyclone collects information about a system: it detects the installed DBMS and determines their versions, carries out a penetration test, simulates attacks by external hackers, performs an audit of the system and prepares a report. Cyclone detects critical data through specific queries and analyzes how well that data is protected. During the audit, Cyclone issues recommendations for eliminating vulnerabilities in the form of Fix Scripts. At the end of the audit the user receives a complete report on the DBMS vulnerabilities and the methods for eliminating them.

The 10 main DBMS threats in terms of vulnerabilities and configuration errors are listed below:

  • Default or blank user name, weak password
  • SQL injection into DBMS queries
  • Privileges of certain users and groups that do not match their roles
  • Unused DBMS functions left enabled
  • Broken configuration management
  • Buffer overflows
  • Privilege escalation
  • DDoS attacks
  • Missing latest DBMS patches (un-patched databases)
  • Unencrypted sensitive data

All these and many other vulnerabilities can be found and eliminated using the Cyclone solution, whose basic functions are:

  • Detection, by penetration test, of critical vulnerabilities of the security system (protocol vulnerability, password attack, buffer overflow, DDoS attack). Analysis of whether the database can be brought down by such influences as buffer overflow (BOF) and DoS attacks. In addition, this test checks the resistance of the DBMS to Brute Forcing, Dictionary Attack and Password Cracking methods
  • Search for all other vulnerabilities of the system using a Security audit, which includes: identifying vulnerabilities caused by incorrectly set privileges (passwords and profiles) and incorrectly organized Backup, reporting the installation status of necessary patches (Patch Management) and the status of OS and application integration
  • Simple management of security policy based on the recommendations received as Fix Scripts
  • Obtaining a complete report on the assessment of DBMS vulnerabilities