Databases often hold the backbone of an organization; Its’ transactions, customers, employee info, financial data for both the company and its customers, and much more. are all held in databases, often left to the power of a database administrator with no security training. Database security and integrity are essential aspects of an organization’s security posture.
Yet where data used to be secured in fire-proof, ax-proof, well-locked filing cabinets, databases offer just a few more risks, and due to their size nowadays, database security issues include a bigger attack surface to a larger number of potentially dangerous users.
The sad truth of it is that an organization can spend lots of time, money, and manpower trying to secure its’ online assets, yet one weak spot and the database can go down. According to a Dark Reading article, it takes the average hacker under 10 seconds to get in and out of a database with a goldmine of data. And in Verizon’s 2009 Data Breach Investigation Report, they found that while when PoS system breaches see an average of 6% of records compromised, and 19% when the application server is compromised, database breaches see an average of 75% of the organization’s records compromised in an attack.
So it should be of no surprise that company databases are a highly sought after prize for hackers. For just a glimpse of the damage hackers have done to database, this great visualization offers a taste of the number of records stolen from databases through security breaches.
Databases are complex, and database administrators don’t always know the implications of not ensuring database security and integrity. Yet, it’s because they’re so complex that databases represent a goldmine for hackers, because the attacks most commonly used against databases don’t have to be particularly complex themselves.
Let’s take a look at what database security entails, common database security issues, and how organizations can help maintain database security and integrity.
What Is Database Security?
Database security, under the umbrella of information security, protects the confidentiality, integrity and availability of an organization’s databases.
CIA: Confidentiality, Integrity, and Availability in Database Security
The triad of confidentiality, integrity and availability is the foundation of information security, and database security, as an extension of InfoSec, also requires utmost attention to the CIA triad.
Confidentiality is the most important aspect of database security, and is most commonly enforced through encryption. Encryption should be done both for data-in-transit and data-at-rest.
Integrity is yet another crucial aspect of database security, because it ensures that only the correct people will be able to see privileged company information. The integrity of a database is enforced through a User Access Control system that defines permissions for who can access which data.
The integrity aspect extends beyond simply permissions, however. Security implementations like authentication protocols, strong password policies, and ensuring unused accounts (like of employees that have left the company) are locked or deleted, further strengthen the integrity of a database.
Availability relates to the need for databases to be up and available for use. Databases need to be dependable in order to be functional, which requires they be up and running whenever the organization is. This means downtimes should be planned on weekends and servers kept up-to-date.
Database Security Threats: The Most Common Attacks
The risks involved with databases vary from organization to organization, depending on the type of information and the amount of importance it holds for the company itself. While credit card and social security numbers are certainly dangerous, so are company plans, finances, sensitive employee info.
In short – most of the databases active in company directories are in some way important to company activity. And it’s crucial to maintain solid security practices and defenses to combat attacks on your databases. First, let’s look at what attacks databases can be subject to if not properly secured – then we’ll go into making sure these don’t happen to your organization.
SQL Injections are one of the biggest threats to databases, much like web apps. They can be launched on either the database or the web app that acts as a front-end to the database, yet due to the prevalence of SQL injection flaws in web apps and how easy they are to exploit, they’re more common than attacking the database.
SQLi occurs when input in unsanitized before being executed in the database, or web app hosting the database, and attackers crafting a malicious input would allow them access to sensitive data, give them escalated privileges, and in especially dangerous exploits, give them access over the databases operating system commands and the database itself.
Many organizations have large databases hackers would love to get their hands on – staying secure is essential to prevent embarrassing and costly incidents.
In Ponemon’s SQL Injection Threat Survey, 65% of the organizations surveyed had experienced a successful SQL injection attack in the past year alone. 47% of the respondents either didn’t scan for active databases or scanned irregularly, and 49% of respondents rated the threat level of an SQL injection occurring in their organization a 9-10 rating.
The numbers extend to real life, no doubt. In 2008, for example, the Oklahoma Sexual & Violent Offender Registry had to shut down after discovering that over 10,000 sex offenders’ had had their social security numbers downloaded from the database by SQL injection, and one of the most infamous database attacks of all time – the theft of 170 million card and ATM numbers from corporations including TJ Maxx, Heartland Payment Systems, and J.C. Penney – was accomplished using a sniffer program and SQL injection techniques.
Buffer Overflow vulnerabilities, the most common security problem for databases, occur when a program tries to copy too much data in a memory buffer, causing the buffer to ‘overflow’ and overwriting the data currently in memory. Buffer overflow vulnerabilities pose an especially dangerous threat to databases holding particularly sensitive info, as it could allow an attacker exploiting the vulnerability to set unknown values to known values or mess with the program’s logic.
Denial of Service, or DoS, attacks happen most through buffer overflows, data corruption or other kinds of consumption of the servers resources. DoS attacks crash the server, making the database unreachable for however long the attack can be sustained.
Privilege Escalation is a dangerous threat that can lead to malicious addition, modification or deletion of data that, depending on its’ sensitivity, can wreak havoc on an organization.
Finally, Weak Authentication is another common threat to database security and integrity. When a malicious user can steal the identity of a legitimate user, gaining access to confidential data, the risks abound.
Database Security Best Practices: Protecting Your Confidentiality, Integrity & Availability
- Ensure your database administrators both understand the business value and importance of ensuring your databases are secured and extending them the resources to do so properly.
- Protect against SQL injections by using parameterized queries to keep malicious queries out of your database.
- Static Code Analysis is an essential tool for organizations developing applications as portals to databases to slash SQL injection, buffer overflow, and mis-configuration issues.
- Maintain CIA by keeping your databases up to date, removing any unknown components, and enforcing least privilege parameters to ensure the confidentiality, integrity and availability of your databases.
- To maintain availability, employ an Uninterruptible Power Supply, or UPS, to ensure any forced shutdown doesn’t cause data loss.
- Keep features and services only to what is essential for the company to work smoothly with the databases – the more extras you have, the more you need to stay up-to-date with, the more holes hackers have a chance to poke through.
- Data masking, or allowing users to access certain info without being able to view it – credit card processing or during database testing and development, for example, helps maintain the confidentiality of the database.