
Seven Ways You Give Thieves Dibs On Your Database

Bad database security habits make life easy for hackers and malicious insiders

Every new data breach that hits the headlines compounds the embarrassment for the IT security community, especially because this constant follies show revolves around the same recurring themes.

Data breaches tend to happen because organizations are making the same mistakes over and over again. These poor practices usually start at the database. Here are some of the ways organizations make it easy for hackers and insiders to gain a one-way pass right into the database's crown jewels.

1. Leaving Databases Unpatched
DBAs fear the functionality that a vendor's latest security update will break, but letting that fear push the patch cycle into indefinite delay gives even the least skilled hackers a huge opportunity to steal truckloads of data.

"Some huge holes are getting fixed with each patch, and the exploit code is almost always posted on the Internet for any script kiddie to cut and paste into an attack," says Josh Shaul, chief technology officer for Application Security Inc.

2. Not Seeking Out Rogue Databases
You can't secure the databases you don't know about, says Patrick Bedwell, vice president of product marketing for Fortinet. Yet he frequently runs across customers that neither maintain an inventory of their databases nor scan for rogue ones. It's a problem because those databases are out there.

"It is a common practice to install small footprint databases and populate them with production data for development and testing," Bedwell says.

Hackers love it when organizations don't keep track of rogue databases, because these are the ones most likely to be unpatched and left wide open to attack: the security team has never had a pass at them.

3. Granting Excessive Privileges
When time is crunched and resources spread thin, it is very tempting to just blanket the user base with a ton of access privileges and move on, says Noa Bar Yosef, senior security strategist at Imperva. But all it takes is one user to abuse those privileges to cause a huge problem, she warns.

"Consider the case at Diablo Valley Community College. For three years they had the DBAs there modifying student grades," she says. "When the breach came to light, they found that out of the 100 users who were granted DBA privileges, only 11 really required them."

The problem with granting excessive privileges is not only that users can do things they aren't supposed to, but that they probably won't be policed, because nobody expects suspicious activity from them, says Alex Rothacker, manager of Application Security's research arm, Team SHATTER.

"As a side effect of having excessive privileges, users can perform functions on the database or OS that they aren't authorized or qualified to do," he says. "For example, a user with excessive privileges in the accounts payable department can create a false company, send payments to the false company, and then delete any record of the company in order to cover their tracks."
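As an added illustration, not code from the article or from the vendors quoted in it, here is how the review Bar Yosef describes (who actually holds DBA-level rights) and the scoped grants that replace a blanket DBA role for Rothacker's accounts-payable case would look in PostgreSQL. The `ap` schema, the `dba` group role, the user `alice` and the two job roles are assumed names.

```sql
-- Added example; assumes PostgreSQL and a hypothetical accounts-payable schema "ap".

-- 1. Inventory who holds DBA-level rights today (the "100 users" review):
--    superusers, plus anyone who can create roles or databases.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
FROM   pg_roles
WHERE  rolsuper OR rolcreaterole OR rolcreatedb
ORDER  BY rolname;

-- 2. Members of a custom "dba" group role (assumed name), if one is used
--    instead of the built-in superuser flag.
SELECT m.rolname AS member
FROM   pg_auth_members am
JOIN   pg_roles g ON g.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
WHERE  g.rolname = 'dba';

-- 3. Replace blanket privileges with roles scoped to the job.
--    An AP clerk records payments to existing vendors but neither creates
--    vendors nor deletes anything, so the fraud pattern in the article
--    (create a vendor, pay it, delete the record) would need two roles.
CREATE ROLE ap_clerk NOLOGIN;
GRANT USAGE ON SCHEMA ap TO ap_clerk;
GRANT SELECT ON ap.vendors TO ap_clerk;
GRANT SELECT, INSERT ON ap.payments TO ap_clerk;
-- Deliberately no UPDATE or DELETE on either table for this role.

CREATE ROLE ap_vendor_admin NOLOGIN;
GRANT USAGE ON SCHEMA ap TO ap_vendor_admin;
GRANT SELECT, INSERT, UPDATE ON ap.vendors TO ap_vendor_admin;
-- The vendor admin cannot issue payments: no privileges on ap.payments.

-- 4. Move a user who was handed DBA rights "to save time" onto the scoped role.
REVOKE dba FROM alice;
ALTER ROLE alice NOSUPERUSER NOCREATEROLE NOCREATEDB;
GRANT ap_clerk TO alice;

-- 5. Confirm what the scoped role can now do on the AP tables.
SELECT table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  grantee = 'ap_clerk';
```

Run step 1 and 2 periodically and compare the result against the list of people whose job requires those rights; the gap is the excess the article warns about.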
