Light Dark
January 25, 2017 By Kathryn Zeidenstein 4 min read
Data Protection

The inevitable happened — attackers stole data from thousands upon thousands of misconfigured MongoDB databases and are now demanding ransom money to get it back. These cybercriminals are going after even more misconfigured systems on the internet.

Don’t say we didn’t warn you. The IT community has known for some time that default settings can leave databases open for attack. MongoDB has made no attempt to hide these issues. In fact, the company encouraged users to read its security manual and directly addressed the latest round ransomware attacks on its blog. A technical rep from MongoDB has even posted on Security Intelligence about the importance of hardening the MongoDB server and following security best practices.

Unfortunately, these education efforts won’t sink in with everyone. In this case, it failed to resonate with a lot of people. I do not know the nature of the organizations being attacked, but I think we can safely assume that in many cases the MongoDB instances are owned by application teams that are not tied into the security community as closely as some of us are. Or maybe people just plain didn’t know one way or another whether they were at risk.

Data security software was invented to fill in those gaps. You can read all the manuals and warnings in the world, but let’s face it — people forget things, fail to follow process or simply lack the time and awareness to adhere to security best practices. IBM enhanced its Guardium Data Protection Platform to support MongoDB and developed the software with input from the MongoDB security team.

Read the white paper: Finding the path to security in the big data landscape

The MongoDB Security Checklist

Let’s look at the MongoDB Security Checklist and discuss how a data protection solution can automate the work of monitoring, encrypting and hardening your databases.

Enable Access Control and Specify the Authentication Mechanism

While someone has to set this up, you can schedule automated, regular checks to verify that the system is been enabled. Make sure to enable this checking on new MongoDB servers. This is not a one-and-done process: A Guardium Vulnerability Assessment can regularly check that the authentication system is configured and that you’ve disabled the localhost authentication bypass.

Configure Role-Based Access Control and Follow the Principle of Least Privilege

Later releases of MongoDB include role-based access controls that enable administrators to assign specific users to roles that do not allow access beyond what is necessary. Guardium Vulnerability Assessment includes tests to check regularly for users that have highly privileged roles, such as dbAdmin and userAdminAnyDatabase. Guardium Data Activity Monitoring also enables you to see when roles are created and populated.

Encrypt Communication

A basic best practice is to encrypt communications to the database server and even between nodes. If you’re not sure if your team has done this, a security tool can check to see whether secure sockets layer (SSL) is configured. Activity monitoring can also work with encrypted traffic.

Encrypt and Protect Data and Configurations at Rest

MongoDB has an option to encrypt data in the storage layer using the WiredTiger storage engine. If you aren’t using that storage engine or would rather use a system that integrates with the rest of your environment, consider using Guardium Data Encryption. You can use this to encrypt data, backups, log files and configuration files with an easy-to-use, policy-based interface.

Guardium Vulnerability Assessment can also run tests to check the file ownership and permissions on critical configurations and other objects to help protect the confidentiality, integrity and availability of the MongoDB databases.

Limit Network Exposure

Limiting network exposure was once the source of many headaches. In earlier releases, the MongoDB default configuration enabled listening on all interfaces. Although MongoDB corrected this in the latest releases, it’s important to ensure that you use the bind_ip configuration appropriately. You should also ensure that only trusted connections get through. Guardium Activity Monitoring enables you to monitor and profile connections to the database, monitor their activities and even block connections that are not vetted.

Audit System Activity

Why wait for a ransom note to find out your database is under attack? Monitoring access to data and configurations is critical for both real-time and forensic analysis. MongoDB Enterprise includes native auditing capabilities. To really take advantage of real-time alerting and blocking, outlier detection and out-of-the-box integrations with security intelligence systems, consider a solution that is tailor-made for data security and does not impact performance as native auditing sometimes does.

For example, you can set up real-time alerts when data is being read at an excessive rate, which is an indication of a potential attack. You can also receive alerts when someone is attempting to guess passwords. In the following screenshot, you can see that Guardium produces a notification when a user reaches the failed login threshold.

Run MongoDB With Secure Configuration Options

This section of the checklist includes some miscellaneous but extremely important items. For example, you should use only the MongoDB wire protocol on production deployments. Mongo recommended disabling the REST, JSON and HTTP interfaces.

MongoDB supports execution of serverside JavaScript for some operations such as mapReduce, group and $where. This can potentially be a launchpoint for an injection attack. If you can avoid these operators, you can disable serverside scripting. Additionally, Guardium Activity Monitoring can monitor database traffic and flag the use of these operators, as shown here.

Keep Current on Maintenance

Although not specifically listed in the MongoDB checklist, it is critical to keep your systems up to date. Whenever an exposure is discovered, the database vendor must address the vulnerability. The response speed depends on the severity of the problem. Guardium updates its test database quarterly, so if MongoDB ships a patch required for security, Guardium can test to make sure that patch is applied.

Certified Data Protection

To see Guardium Vulnerability Assessment in action with MongoDB, check out this video demonstration. For technical details on implementing a database activity monitoring solution for MongoDB using Guardium, see our IBM developerWorks article series.

Guardium is certified with MongoDB and other vendors such as Cloudera, Hortonworks and Teradata to help you provide data protection capabilities across your operational databases, as well as big data and NoSQL systems.

Read the white paper: Finding the path to security in the big data landscape

 |  |  |  | 
Kathryn Zeidenstein
Technology Evangelist and Community Advocate, IBM Security Guardium

More from Data Protection
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature