Top 10 threats to databases
Corina Bulubasa
29 January 2015

Databases are perhaps the most attacked and most vulnerable elements of an organization's online environment, and it is not hard to see why: they hold the organization's most important information and its confidential data, together with that of its clients. Yet only 5% of security spending is actually allocated to protecting data centers.

Once attackers reach this sensitive information, a series of very serious problems can follow: confidential data can be stolen or deleted, causing major losses, or legitimate operations can be cancelled, with disastrous consequences. Beyond that, such a breach damages the image of the company concerned and can even lead to legal problems.

The good news, reported by the Online Trust Alliance (OTA) in 2013, is that over 97% of incidents of this kind could have been prevented by following simple steps, good-practice rules and controls.

The 10 database threats presented below are the most serious and most common, as identified by the Imperva Application Defense Center. The ranking is for 2014 and is identical to that of 2013, with a single difference: SQL Injection (2013) was renamed Input Injection in 2014 so that it also covers injection against Big Data (NoSQL) platforms.

Top 10 threats
1. Excessive and unused privileges (rights)
2. Privilege abuse
3. Input Injection
4. Malware
5. Weak audit trail
6. Exposure of storage media
7. Exploitation of vulnerable and misconfigured databases
8. Unmanaged sensitive data
9. Denial of Service (DoS)
10. Limited security expertise and education

Let's take them one by one.

1. Excessive and unused privileges (rights)

When a person takes on a new role or position, they are also granted rights to use or access the database. If they receive more rights than they need, many unpleasant things can happen. For example, a bank employee who is allowed to modify clients' contact details might, by mistake, also be allowed to modify account balances, and might decide to add something to a relative's savings account. Or, if dismissed, they might take revenge by deleting crucial information, or worse.

In general, granting more rights than necessary stems from the lack of a well-defined plan for the position and the tasks of the employee in question. Rights that were granted but are never used are part of the same problem: they widen what an account can do without serving any business need, so they should be reviewed and revoked just like rights the role should never have had.
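The review described above can be automated by comparing three things: what each account is granted, what its role is supposed to need, and what it actually did over a review window. The following is an added example written for this article, not code from the article or from Imperva; the account names, the "table.OP" privilege notation, the role baseline and the activity records are all constructed sample data, and the REVOKE syntax at the end is generic and must be adapted to the DBMS in use.

```python
from collections import defaultdict

# Constructed sample data (not from the article). GRANTS is what each account
# currently holds; ROLE_BASELINE is what its job actually requires; ACTIVITY is
# the set of statements observed over the review window, e.g. from the audit trail.
GRANTS = {
    "alice": {"customers.SELECT", "customers.UPDATE", "accounts.UPDATE"},  # support agent
    "bob":   {"customers.SELECT", "reports.SELECT"},                       # analyst
}
ROLE_BASELINE = {
    "alice": {"customers.SELECT", "customers.UPDATE"},
    "bob":   {"customers.SELECT", "reports.SELECT"},
}
ACTIVITY = [
    {"user": "alice", "table": "customers", "op": "SELECT"},
    {"user": "alice", "table": "customers", "op": "UPDATE"},
    {"user": "bob",   "table": "customers", "op": "SELECT"},
]


def used_privileges(activity):
    """Privileges each account actually exercised, as 'table.OP' strings."""
    used = defaultdict(set)
    for rec in activity:
        used[rec["user"]].add(f"{rec['table']}.{rec['op']}")
    return used


def review_privileges(grants, baseline, activity):
    """Per account: 'excessive' = granted beyond the role baseline (the bank
    clerk who can also change balances); 'unused' = granted but never exercised
    in the window, a revocation candidate whether or not the role nominally
    allows it."""
    used = used_privileges(activity)
    findings = {}
    for user, granted in grants.items():
        excessive = granted - baseline.get(user, set())
        unused = granted - used.get(user, set())
        if excessive or unused:
            findings[user] = {"excessive": excessive, "unused": unused}
    return findings


def revoke_statements(findings):
    """Generic SQL REVOKE statements for everything flagged (syntax varies by DBMS)."""
    stmts = []
    for user in sorted(findings):
        for priv in sorted(findings[user]["excessive"] | findings[user]["unused"]):
            table, op = priv.split(".")
            stmts.append(f"REVOKE {op} ON {table} FROM {user};")
    return stmts


if __name__ == "__main__":
    for stmt in revoke_statements(review_privileges(GRANTS, ROLE_BASELINE, ACTIVITY)):
        print(stmt)
```

On the sample data, alice's `accounts.UPDATE` is flagged as both excessive and unused, and bob's `reports.SELECT` is flagged as unused only; a real run would draw GRANTS from the catalog views of the DBMS and ACTIVITY from its audit trail, and an "unused" finding on a short window should be confirmed before revoking.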

2. Privilege abuse

Problems can also arise when the rights to operate on databases are well defined. Even without bad intent, those privileges can be misused. Someone with access to a database may copy it to their laptop, something they are not actually permitted to do, in order to work on it more conveniently or from home. Without meaning to, the employee has created a hole in the database's security that interested parties can immediately exploit.

3. Input Injection

There are two major types of such attacks on databases: SQL injection, targeting traditional relational database systems, and NoSQL injection, targeting Big Data platforms. SQL injection usually involves inserting ("injecting") unauthorized or malicious statements into the input fields of web applications, so that the input is executed as part of a query. NoSQL injection likewise involves inserting malicious elements into Big Data components. A successful attack can give the attacker unrestricted access to an entire database.

Although many claim that the new Big Data technologies cannot be attacked in this way, the truth is that they are not immune to this type of attack either.
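The mechanism behind both variants is the same: user input is allowed to become part of the query rather than being treated purely as data. The following is an added example for this article, not code from the article or from Imperva. It builds a constructed in-memory SQLite table, shows a lookup that concatenates input into the statement beside the parameterized form, and adds a small NoSQL-style check; the table, the account rows, the function names and the payload are all assumptions made for the illustration, and the `{"$ne": ""}` operator syntax is MongoDB's, used here only as the best-known instance of the document-store case.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with sample rows (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 40)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """Deliberately vulnerable: the input is concatenated into the statement,
    so quote characters in it change the SQL the database executes."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    """Parameterized query: the driver passes the value separately from the
    statement text, so it is compared as data and can never become SQL."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


# Classic payload: closes the string literal, adds an always-true condition,
# and comments out the trailing quote the application appends.
PAYLOAD = "' OR 1=1 --"


def scalar_only(value):
    """NoSQL analogue. Document stores take query filters as objects, and a
    value that is itself an object (e.g. {"$ne": ""} in MongoDB syntax) is
    interpreted as an operator rather than a literal. When the filter is built
    from a JSON request body, reject non-scalars before they reach the query."""
    if isinstance(value, (dict, list)):
        raise TypeError("query value must be a scalar, got %s" % type(value).__name__)
    return value


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, payload:     ", lookup_vulnerable(db, PAYLOAD))
    print("parameterized, payload:  ", lookup_safe(db, PAYLOAD))
```

With the payload, the concatenated statement becomes `SELECT owner, balance FROM accounts WHERE owner = '' OR 1=1 --'` and returns every account; the parameterized version looks for an owner literally named `' OR 1=1 --` and returns nothing. The same discipline, never letting input decide the shape of the query, is what `scalar_only` enforces for document stores.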

4. Malware

Malicious software, or malware, is software intentionally created to infiltrate a computer or a network of computers and cause damage deliberately. The term covers all types of programs or pieces of code written for that purpose. Once installed on a machine, it can spread to everything that comes into contact with that device. Users who do not know they are infected then access the database as usual, and their legitimate access opens the way for the malware to act.

5. Weak audit trail

Automatic recording of all database transactions involving sensitive data should be mandatory for every organization. The inability to collect a detailed record of database activity is a major organizational risk.

Many enterprises rely on the audit tools supplied by database vendors, or on ad-hoc solutions implemented by hand by the database administrator. These typically do not record the detail needed to support an audit and do not detect attacks.

Moreover, native audit mechanisms are known for their high CPU and disk consumption, which leads many organizations to limit or even disable auditing.

Finally, users with administrative access to the database, whether obtained legitimately or not, can turn off the audit mechanisms to hide fraudulent activity. The audit trail therefore needs to be collected and stored somewhere the database administrators do not control, and any change to the audit configuration itself should be treated as a security event.
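Two things an independent audit collector should alert on follow directly from the passage above: events that alter the audit configuration, and stretches in which a normally busy database records nothing. The following is an added example written for this article, not code from the article or from Imperva. The audit line format (ISO timestamp followed by key=value fields), the field names, the accounts and the events are all constructed for the illustration; real DBMS audit formats differ, so `parse_line` is the part to adapt.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail (not from the article); one event per line.
# The DISABLE/ENABLE pair brackets a window in which nothing was recorded.
AUDIT_LINES = """\
2015-01-29T09:00:00 user=app_svc action=SELECT object=customers
2015-01-29T09:00:05 user=app_svc action=UPDATE object=customers
2015-01-29T09:10:00 user=dba_mark action=ALTER_AUDIT object=audit_policy detail=DISABLE
2015-01-29T11:45:00 user=dba_mark action=ALTER_AUDIT object=audit_policy detail=ENABLE
2015-01-29T11:45:10 user=app_svc action=SELECT object=customers
"""


def parse_line(line):
    """'<iso timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_audit(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def audit_tampering(events):
    """Every change to the audit configuration. Who made it matters less than
    that it happened: a legitimate DBA turning audit off is exactly the case
    the passage warns about."""
    return [e for e in events if e.get("action") == "ALTER_AUDIT"]


def silent_periods(events, max_gap=timedelta(minutes=30)):
    """Consecutive events further apart than max_gap. On a busy production
    database, silence is more likely a stopped audit than genuine idleness.
    Returns (start, end, last_actor_before_gap) tuples."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        if cur["ts"] - prev["ts"] > max_gap:
            gaps.append((prev["ts"], cur["ts"], prev.get("user")))
    return gaps


def review_audit(text, max_gap=timedelta(minutes=30)):
    events = parse_audit(text)
    tampering = audit_tampering(events)
    return {
        "tampering": tampering,
        "disabled": [e for e in tampering if e.get("detail") == "DISABLE"],
        "gaps": silent_periods(events, max_gap),
    }


if __name__ == "__main__":
    report = review_audit(AUDIT_LINES)
    for e in report["disabled"]:
        print(f"audit disabled by {e['user']} at {e['ts'].isoformat()}")
    for start, end, user in report["gaps"]:
        print(f"no audit records from {start.isoformat()} to {end.isoformat()}; last actor {user}")
```

On the sample trail the two checks corroborate each other: the DISABLE event names the account that turned auditing off, and the gap detector independently shows that nothing was recorded for the next two and a half hours. The gap threshold has to be tuned per database, since a reporting database that is idle overnight will otherwise alert every morning.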

6. Exposure of storage media

Every organization makes database backups. Often, however, these copies are not properly protected, particularly because of the media on which they are stored. Whether a backup sits on a workstation or on external disks, it can easily be stolen or copied, so backups need the same access controls, and encryption, as the live database.

7. Exploitation of vulnerable and misconfigured databases

It is common for organizations to run vulnerable and unpatched databases, including databases that still have their default accounts and configuration parameters.

Attackers know how to exploit these weaknesses to launch attacks against the organization. Unfortunately, organizations often struggle to keep database configurations current even when patches are available; it generally takes companies several months to apply database patches, and they remain vulnerable throughout that time.

8. Unmanaged sensitive data

Many companies struggle to maintain an accurate inventory of their databases and of the critical data they contain. Forgotten databases may hold sensitive information, and new databases may appear, for example in application testing environments, without the security team's knowledge. Sensitive data in such databases is exposed to threats if the necessary controls and permissions are not in place.

9. Denial of Service (DoS)

Denial of Service (DoS) is a general class of attack in which legitimate users are denied access to network applications or databases. The conditions for such an attack can be created in several ways; the most common is overloading server resources such as memory and CPU by flooding the database with queries until the server becomes unresponsive or crashes. DoS attacks are often motivated by fraud and extortion: the attacker repeatedly takes the servers down remotely to force the victim to meet their demands.

10. Limited security expertise and education

Internal security controls do not keep pace with data growth, and many organizations are poorly equipped to deal with a security breach. Often this is because they lack the expertise needed to implement security measures, policies and training. Most firms have not put in place a training programme that would make staff comply with at least the basic concepts of data security.

Unfortunately, these threats are very common, even though relatively simple measures can be taken to counter and avoid them.

Follow us further to learn some of the solutions offered by specialists in the field.