Download Scuba by Imperva - Database Vulnerability Scanner

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
Document related concepts

Cyber-security regulation wikipedia , lookup

Unix security wikipedia , lookup

Information security wikipedia , lookup

Information privacy law wikipedia , lookup

IT risk management wikipedia , lookup

Security-focused operating system wikipedia , lookup

Cross-site scripting wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Mobile security wikipedia , lookup

Computer security wikipedia , lookup

Transcript 
DATASHEET
Scuba by Imperva - Database
Vulnerability Scanner
Scuba by Imperva Benefits
▪▪ Automate vulnerability discovery
▪▪ Secure infrastructure and measure
compliance
▪▪ Prioritize risk and focus remediation
resources
▪▪ Safely test enterprise class databases
Many businesses are concerned that their databases are vulnerable to hackers and
insiders and want to assess the risks they face. Unsure how to automate the discovery
of database vulnerabilities, they often rely on manual work or wait for a vendor fix.
Scuba is a free tool that scans leading enterprise databases for security vulnerabilities
and configuration flaws, including patch levels. Reports deliver actionable information
to immediately reduce risk, and regular vulnerabilities updates ensure that Scuba keeps
pace with new threats.
Scuba offers nearly 1,200 tests against Oracle Database, Microsoft SQL Server, SAP
Sybase, IBM DB2, Informix and MySQL. These tests can be run without experiencing
downtime or performance degradation because Scuba does not exploit
the vulnerabilities it finds. From configuration flaws such as weak
passwords, to known security risks and missing critical patches, Scuba
delivers a snapshot analysis of the security posture of your databases and
database infrastructure.
All risks are prioritized and presented in easy to understand reports
along with instructions on how to fix the vulnerabilities. This helps to
reduce risk and meet compliance mandates without the cost, labor, and
database expertise required by other approaches.
World Class Accuracy and Coverage
Scuba’s assessments go beyond basic software version checking. Assessment data is
collected and carefully analyzed to validate vulnerabilities and eliminate time spent
sorting through the false positives. Imperva’s team of expert security researchers
regularly update Scuba with new tests so that you can stay on top of the latest
vulnerabilities.
Prioritized Reporting
To develop an effective vulnerability remediation plan, Scuba analyzes and prioritizes
risks providing both summary and detailed reports. Summary reports display the results
in an easy to digest format, whereas detailed reports include itemized vulnerabilities
along with instructions on how to fix them.
Unmatched Breadth of Coverage
Scuba delivers unmatched breadth of testing by covering software flaws, system
configuration errors and privilege management best practices. This ensures that all
avenues of risk to your information infrastructure are assessed.
Assess Risk – Without Risk
To safely test your databases, Scuba assessments never run the discovered exploits. This
approach makes Scuba ideal for testing production databases without risk of downtime
or damage.
The Next Step – SecureSphere
Using Scuba is an important first step to protecting your sensitive data. Armed with the
assessment results and remediation information Scuba provides, you will understand
how important it is to stay vigilant. While Scuba helps to reduce the risks associated with
database vulnerabilities, developing a comprehensive database security plan requires
additional capabilities. Following a phased approach, such as the one we lay out in our
“Database Security and Compliance Lifecycle”, helps you focus and simplifies moving in
this direction.
Database Security and Compliance Lifecycle
Phase 1 – Identify
Phase 3 – Audit & Monitor
Before you can find database vulnerabilities, monitor usage, and
control access to critical data, you first need to know where your
sensitive information is. This knowledge is essential to help scope
your database activity monitoring program.
Once you have identified all of your databases, sensitive data,
and vulnerabilities, you can focus on monitoring database
activity, analyzing usage patterns and implementing security
controls. Capturing database activity details, along with alerting
and blocking when suspicious access occurs, is central to any
database auditing and monitoring project.
Required Capabilities:
▪▪ Maintain an inventory of all databases – including “rogue”
instances – through ongoing discovery scans. Many
organizations struggle to maintain an accurate database
inventory and are surprised when new databases appear.
▪▪ Discover and classify sensitive data such as Personally
Identifiable Information, cardholder data, and financial
records.
SecureSphere Discovery and Assessment Server enables
organizations to accurately scope security and compliance
projects with database discovery, data discovery and
classification capabilities.
Phase 2 – Assess
Ongoing scanning for database vulnerabilities and user rights
information is crucial to reduce exposure to data loss and meet
compliance mandates.
Required Capabilities:
▪▪ Scan databases for security vulnerabilities, missing patches
and configuration flaws.
▪▪ Virtually patch vulnerabilities by blocking access to any user
that tries to exploit them.
▪▪ Run user rights scans to identify over-privileged and
dormant users.
Scuba helps start the process of identifying database
vulnerabilities, configuration flaws and missing patches. However,
Scuba does this one database at a time with limited reporting
and no analytics. To support larger environments, you need
additional capabilities such as scheduling, assessments across
multiple databases, customized reporting, and risk analysis.
SecureSphere Discovery and Assessment Server enables
organizations to schedule vulnerability assessments across
heterogeneous database environments then prioritize and
manage mitigation efforts. Discovery and Assessment Server also
includes vulnerability mitigation, risk analysis capabilities and
enterprise class reporting.
Required Capabilities:
▪▪ Collect and securely store detailed transaction records for
reporting, analysis and forensics.
▪▪ Establish a baseline of normal user access activity.
▪▪ Generate alerts, or block, when prohibited or anomalous
database access occurs.
SecureSphere Database Activity Monitoring provides policy
based user activity auditing, analysis, alerting, and reporting.
SecureSphere also establishes a baseline of user activity and can
generate alerts when access deviates from normal behavior.
SecureSphere Database Firewall protects against data theft
by blocking attacks and abnormal access requests.
Phase 4 - Measure
To get the most out of a database security initiative, you will need
to produce summarized and detailed information for auditors,
security teams and executives.
Required Capabilities:
▪▪ Generate reports to support PCI, HIPAA, SOX and other
regulations, as well as internal audit and security.
▪▪ Advanced analytics to accelerate incident response and
forensic investigation.
SecureSphere Database Activity Monitoring and Database
Firewall summarize key information required to meet
compliance and security mandates through pre-defined and
custom reporting and interactive analytics.
Conclusion
Imperva SecureSphere Database Security products deliver the
functionality required by each of the four phases of the Database
Security and Compliance Lifecycle, combining full visibility and
granular controls for data discovery, assessments, user rights
analysis, monitoring, reporting and analytics.
SecureSphere User Rights Management for Databases
helps reduce the risk of a data breach and demonstrate
compliance by mapping user rights and privileges to
sensitive data.
www.imperva.com
© Copyright 2014, Imperva
All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva.
All other brand or product names are trademarks or registered trademarks of their respective holders. #DS-SCUBA-BY-IMPERVA-0414rev2
Related documents
Imperva SecureSphere Database Assessment
Imperva SecureSphere Database Assessment
SP_scuba_shortened_respiratory_lesson
SP_scuba_shortened_respiratory_lesson
Role of Web Application Vulnerabilities in Information
Role of Web Application Vulnerabilities in Information
This Article argues that intellectual property law stifles critical
This Article argues that intellectual property law stifles critical
Direct Marketing
Direct Marketing
database management system
database management system
Web Application Security Vulnerabilities Yen
Web Application Security Vulnerabilities Yen
Understanding Web 2.0
Understanding Web 2.0
Chapter 14
Chapter 14
Reasons to Rely on Databases Instead of the Open Internet
Reasons to Rely on Databases Instead of the Open Internet
Concepts
Concepts
database systems: dis 308
database systems: dis 308
Imperva Simplifies PCI DSS 1.2 Compliance
Imperva Simplifies PCI DSS 1.2 Compliance