Cyber-attacks and digital warfare are increasing worldwide, and organizations need to be more vigilant than ever. Organizational databases are prime targets for cyber-criminals because of the value of the sensitive information they hold. Whether that is financial access data, corporate secrets or intellectual property, criminals stand to gain a great deal by breaching an organization's database and selling or using what they find.
Attackers exploit a whole host of security failures to get into a database. However, it is your own staff, the database administrators, developers and so on, who create the environment that determines whether or not an attacker succeeds.
This article discusses the 10 most common vulnerabilities that researchers have found in data-driven systems, from the build phase through application integration to patching and updating the databases. Knowing where to look is the key to improving the security of your databases.
1. Deployment botches
One of the most common causes of database vulnerability is negligence or a lack of due diligence at installation and deployment time. Every database is tested to confirm that it does what it was designed to do, but very few administrators take the time to run a comprehensive security audit that also confirms the database cannot do the things it should not: accept connections from any address, authenticate with default or empty credentials, carry traffic in cleartext, or expose administrative features to ordinary accounts.
2. Broken databases
Some of you may remember the SQL Slammer worm, released in January 2003, which infected more than 90 percent of vulnerable hosts within about 10 minutes and generated enough scanning traffic to knock whole networks offline. The worm exploited a stack buffer overflow in the SQL Server Resolution Service (UDP port 1434) of Microsoft SQL Server 2000 and MSDE 2000, a bug that Microsoft had patched the previous year; few administrators had bothered to apply the fix, leaving their machines open to attack.
The worm was a stark demonstration of the need to install security fixes and patches as soon as they are released. Many administrators still overlook regular patching, usually for lack of time or resources, and remain vulnerable as a result.
3. Data leaks
Databases are considered part of the 'back end' of the office and are assumed to be safe from Internet-based dangers, so their data is often stored and transmitted without encryption. This is far from true. Databases have network interfaces, and the traffic on those interfaces is exactly what cyber-criminals target and exploit. To prevent this, administrators should enforce TLS on every database connection (SSL is obsolete and should stay disabled) and have clients verify the server's certificate, so that a connection cannot silently fall back to cleartext.
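As an added example that is not part of the original article, the following Python script audits a PostgreSQL deployment for the kinds of mistakes described under "Deployment botches" and "Data leaks": TLS switched off, a listener on every interface, passwordless `trust` authentication, cleartext or weak password methods, and non-TLS rules for remote clients. The two configuration fragments are constructed for illustration and are not from a real server; the checks rely only on the documented `postgresql.conf` and `pg_hba.conf` syntax.

```python
"""Post-deployment audit of PostgreSQL configuration fragments (added example).

The fragments below are constructed for illustration, not taken from a real server.
"""
import ipaddress
import re

# Constructed sample: a badly deployed server.
SAMPLE_POSTGRESQL_CONF = """
listen_addresses = '*'      # listens on every interface
port = 5432
ssl = off                   # no TLS at all
password_encryption = md5   # weak, superseded by scram-sha-256
"""

SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 trust
host    all       all       127.0.0.1/32   scram-sha-256
host    all       all       0.0.0.0/0      md5
host    app       app       10.0.0.0/8     password
hostssl app       app       10.0.0.0/8     scram-sha-256
"""


def parse_conf(text):
    """Map `key = value` lines to a dict, dropping comments and quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip("'\"").lower()
    return settings


def audit_postgresql_conf(text):
    """Return a list of findings for the server-wide settings."""
    s = parse_conf(text)
    findings = []
    if s.get("ssl", "off") != "on":
        findings.append("ssl is off: database traffic crosses the network in cleartext")
    if s.get("listen_addresses", "localhost") in ("*", "0.0.0.0", "::"):
        findings.append("listen_addresses accepts connections on every interface")
    if s.get("password_encryption") == "md5":
        findings.append("password_encryption is md5; use scram-sha-256")
    return findings


def _is_loopback(address):
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:          # hostnames, 'samehost', 'samenet', ...
        return False


def _is_any_address(address):
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_pg_hba(text):
    """Return a list of findings for the client-authentication rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":          # TYPE DATABASE USER METHOD
            address, method = None, fields[3]
        else:                             # TYPE DATABASE USER ADDRESS METHOD
            address, method = fields[3], fields[4]
        where = f"pg_hba line {lineno}"
        if method == "trust":
            findings.append(f"{where}: 'trust' grants access with no authentication")
        elif method == "password":
            findings.append(f"{where}: 'password' sends the password in cleartext")
        elif method == "md5":
            findings.append(f"{where}: md5 is weak; use scram-sha-256")
        if conn_type == "host" and not _is_loopback(address):
            findings.append(f"{where}: 'host' allows non-TLS remote connections; use hostssl")
        if address is not None and _is_any_address(address):
            findings.append(f"{where}: rule is open to every source address")
    return findings


if __name__ == "__main__":
    for finding in audit_postgresql_conf(SAMPLE_POSTGRESQL_CONF) + audit_pg_hba(SAMPLE_PG_HBA):
        print("FINDING:", finding)
```

Run against a real server by reading the two files from the data directory; the script reports nine findings for the constructed fragments above and none for a server with `ssl = on`, a loopback-only listener and `hostssl` rules using `scram-sha-256`.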
4. Stolen database backups
Organizations face direct threats from external attackers who find one way or another to infiltrate their systems and steal data, but there is also a threat from insiders. Disgruntled employees have been reported stealing archived data, database backups included, for profit, revenge or other gain. This is a common pattern in modern enterprises, and organizations should store archived data in encrypted form, with the keys held separately from the archives, to protect it from insider threats.
5. Database feature abuse
According to one database security report, a significant share of database exploits resulted from the misuse of standard database features. A hacker may, for instance, log in with legitimate credentials and then coerce the service into executing arbitrary queries or operating-system commands through a built-in feature, such as SQL Server's xp_cmdshell. In many cases this kind of complex access is gained through simple errors that let the controls be bypassed completely or otherwise taken advantage of. Such abuse can be limited by disabling or removing unnecessary features and tools: that does not eliminate the possibility of zero-day exploitation, but it shrinks the attack surface available to a cyber-criminal looking to launch an attack.
6. Absence of segregation
Every database must enforce a clear separation between administrative and user rights, including segregation of duties. This makes it harder for internal staff to commit fraud or steal organizational information. What's more, tightly controlling what each account can access makes it much harder for a hacker who has obtained legitimate credentials to exploit the entire database.
7. Hopscotch
Instead of simply exploiting a buffer overflow and gaining complete database access in the first step, hackers are fond of playing hopscotch across the infrastructure: they find a weakness in one system and use it to launch a series of more serious attacks until they reach the back-end database. For instance, an attacker may worm their way in from the outside through the accounts department until they reach the credit-card processing unit. Unless every department already meets the same control standard, segregate your systems and use distinct administrator accounts for each to reduce your exposure.
8. SQL Injections
SQL injection is a popular method used by hackers to breach enterprise databases. The attacker targets the application rather than the database itself, supplying untrusted input that the application concatenates into a SQL string; the malicious text becomes part of the statement, is passed to the database server to be parsed and executed, and the database administrator is left to clean up the mess. The most effective defence is never to build queries from untrusted input: use parameterized queries (prepared statements) so that data can never be interpreted as SQL, run the application under a least-privilege database account, and validate input during development and testing. Firewalls in front of Internet-facing databases add a layer of protection, but they do not stop an injection that arrives through a legitimate application.
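As an added example that is not part of the original article, the following Python snippet shows the vulnerable pattern beside its fix on an in-memory SQLite database: a login check built by string concatenation is bypassed by two classic payloads, while the parameterized version of the same query is not. The schema, the user row and the payloads are all constructed for the demo.

```python
"""String-built query beside its parameterized fix, on an in-memory SQLite DB (added example)."""
import sqlite3


def build_db():
    """Constructed sample schema: one user with a stored password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    # Illustrative value only; a real application stores a slow password hash (bcrypt, argon2).
    conn.execute("INSERT INTO users VALUES ('alice', 'hash_of_alice_password')")
    return conn


def login_vulnerable(conn, username, password_hash):
    """Concatenates untrusted input into the SQL text, so the input becomes SQL grammar."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password_hash):
    """Parameterized query: the driver binds the values separately, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


# Classic authentication-bypass payloads (constructed for the demo).
PAYLOADS = {
    "comment out the password check": ("alice' --", "wrong"),
    "always-true predicate": ("' OR '1'='1", "' OR '1'='1"),
}


def run_demo():
    """Return {payload name: (vulnerable result, parameterized result)} for each payload."""
    conn = build_db()
    return {name: (login_vulnerable(conn, user, pw), login_safe(conn, user, pw))
            for name, (user, pw) in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in run_demo().items():
        print(f"{name:32s} vulnerable={vuln} parameterized={safe}")
```

Both payloads log in as alice through `login_vulnerable` and are rejected by `login_safe`. Note that `sqlite3` refuses stacked statements, so a `'; DROP TABLE users; --` payload fails here rather than destroying the table; other drivers and servers do execute stacked statements, and the fix is the same in every case: bind parameters, do not filter strings.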
9. Suboptimal key management
Key management systems exist to protect encryption keys, yet research has shown that in many organizations the keys are stored on the same company disks as the data they protect. Administrators may do so in the false belief that keys must be kept on disk in case of database failure. This is not true, and a key left unprotected on disk next to the encrypted data hands an attacker, or whoever walks off with a backup, everything needed to decrypt it. Keep keys in a dedicated key management service or hardware security module, separate from the data, and rotate them.
10. Database inconsistencies
Lastly, lack of consistency in database management ties all the other threats together, and is a management rather than a technology problem. Database developers and system administrators need a consistent way of securing their databases and of detecting threats and vulnerabilities so that they can act immediately. That is not easy, but it can be done effectively with automation and documentation: track every configuration change, and make the changes that keep enterprise information safe.