BreachExchange mailing list archives

Top 10 Database Security Vulnerabilities


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 5 Nov 2014 19:42:57 -0700

http://www.efytimes.com/e1/fullnews.asp?edid=151836



Databases are the primary targets of cyber-criminals, as most valuable and
sensitive data is kept only in databases. Hence, database security is a
necessity. There have been several incidents in which users' personal data
was compromised through database hacking. Security measures for databases
are taken to protect data and to stop hackers getting access to any
document held in online databases. Although several security measures are
adopted in databases, some failures still occur repeatedly. These gaps can
appear at any development stage, during the integration of applications
and when the database system is updated. Here we have listed the ten most
common vulnerabilities found in database-driven systems:

1. Failure in Deploying:

The biggest weakness in a database is carelessness during the deployment
process. Search engine optimisation is valued for the success of
businesses, and when the database is sorted out, SEO can be completed
successfully. A functionality test is a must to confirm the performance
level, but such tests cannot confirm that the database is not doing
something it is not expected to do. Hence, before deploying the database,
its advantages and disadvantages should be thoroughly checked.

2. Broken databases:

If there is any bug in the server database software, then most of the
vulnerable computers are attacked as soon as the database is deployed.
These bugs are exploited through buffer-overflow vulnerabilities and
demonstrate the difficulty of applying security patches and fixes. Due to
a lack of time and resources, businesses are not always able to keep their
systems regularly patched. That is why databases are left vulnerable.

3. Excessive permissions:

Most databases have users who are configured with excessive permissions.
User accounts mostly have unnecessary default privileges and excessive
access to functionality.

4. Leaked Data:

Network security is mostly not in focus while deploying a database system.
Databases are usually thought of as sitting in the back office, kept away
from Internet access, and so database communications are often not
encrypted. But the networking interface of the database should not be
ignored. If the network traffic can be read by a cyber-attacker, it is very
easy to get access to user data. Transport Layer Security should always be
enabled. Network performance is not greatly affected by Secure Sockets
Layer, but it makes it very difficult to collect any data from the database
system.

5. Insider risks:

Databases face two kinds of threats, external and internal. There are some
people inside an organisation who can steal information for personal
profit. This is one of the most common issues in large organisations. To
counter this problem, data archives should be encrypted so that insider
risk is reduced.

6. Abuse of database features:

In the last few years, database exploits have mostly come from misuse of
standard database features. Hackers are able to gain access through
legitimate credentials, which can be obtained through simple flaws. These
flaws allow the systems to be bypassed. Unnecessary tools need to be
removed to stop or limit abuse of database features. The attack surface,
which hackers usually study before attacking, should also be shrunk for
the same purpose.

7. Weak passwords:

Database users use weak and sometimes default passwords. If systems do not
enforce stronger passwords, then databases can easily be compromised. Weak
passwords are also a sign that other systems inside the network have weak
credentials. These passwords are easily guessed and cracked, and attackers
then get access to the database.

8. SQL Injections:

This problem is a major one when it comes to protecting databases. SQL
injections attack applications, and database administrators then clean up
all the mess created by malicious code inserted into query strings. Web
facing databases are best secured by enabling firewalls.
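The "inserted into the strings" point above is the whole mechanism: an application that builds its SQL by string concatenation lets the caller's input rewrite the statement, while a parameterized query keeps it as data. The example below is added here and is not part of the original article; it uses Python's built-in sqlite3 module with a constructed in-memory users table, and also records the SQL text the engine actually receives, which is what a query log shows during clean-up.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the article.
SAMPLE_USERS = [("alice", "alice@example.com"),
                ("bob", "bob@example.com"),
                ("carol", "carol@example.com")]


def build_db():
    """Create an in-memory database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable form: the caller's string is spliced into the SQL text, so a
    quote character in it rewrites the statement instead of being data."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter; the statement's
    structure is fixed before the value is seen, whatever it contains."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()


def statements_seen(conn, fn, name):
    """Run one lookup while recording the SQL text the engine actually
    receives: the query log a DBA reviews when cleaning up afterwards."""
    seen = []
    conn.set_trace_callback(seen.append)
    try:
        return fn(conn, name), seen
    finally:
        conn.set_trace_callback(None)


def compare(conn, name):
    """Row count each lookup yields for the same input, or 'error' where the
    concatenated statement no longer parses (a name like O'Brien does that)."""
    result = {}
    for fn in (lookup_concatenated, lookup_parameterized):
        try:
            result[fn.__name__] = len(fn(conn, name))
        except sqlite3.Error:
            result[fn.__name__] = "error"
    return result


if __name__ == "__main__":
    db = build_db()
    for value in ("alice", "O'Brien", "alice' OR 'a'='a"):
        print(repr(value), "->", compare(db, value))
```

The legitimate name O'Brien already breaks the concatenated query, which is the first symptom to look for; the parameterized form returns the same rows for ordinary input and never changes shape.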

9. Sub-standard key management:

Key management systems are meant to keep keys safe, but encryption keys are
commonly stored on company disk drives. These keys are sometimes left on
disk after database failures, and if keys are left in such locations, then
databases are left vulnerable to attack.

10. Database irregularities:

The most important issue is a lack of consistency in databases, which is
both an administrative and a database technology problem. System
administrators and database developers should maintain consistency in
databases, always stay aware of threats and make sure that vulnerabilities
are taken care of. Proper documentation and automation are needed to track
and make changes so that all information in enterprise databases is secure.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
