Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:45 PM

Database Servers: Candy For Hackers

Sensitive information and poor security administration make tempting targets.

Dark Reading AnalyticsGood hackers today are businesspeople, assessing each target for the simplest and most profitable attack scenarios. These days, there are probably no plumper targets than enterprise databases.

Databases house companies' easiest-to-sell confidential data: customer lists, payroll records, and many other structured inventories of sensitive information. Database administrators tend not to be steeped in security practices, and the databases themselves are frequently tied to Web applications that have turned out to be easy to hack.

In its annual breach study, Verizon Business' computer forensics team reported that databases made up 30% of data compromises in 2008. Worse, database breaches accounted for 75% of all records reported breached. Because sensitive information is often found in a single database, a single breach can lead to major damage.

InformationWeek Reports

"When you get down to it, a large percentage of the security threats potentially go after the database," says Rich Mogull, analyst and founder of Securosis, an enterprise security consulting firm. Most information security practitioners grow up on the networking side of IT and know little about database technology, adds Mogull. And a recent Forrester Research study found that database administrators spend less than 5% of their time on database security.

"I'd say that of the calls I take on this subject, at least two-thirds of the time, the database folks aren't involved," says Jeffrey Wheatman, Gartner's research director of information security and privacy. "I think that's a problem, because when you're monitoring or securing something you don't really understand, you need to bring in a subject-matter expert to help you."

Many database security vulnerabilities are caused by simple lapses in security. In a 2008 poll, the Independent Oracle Users Group found that 26% of organizations take more than six months to install security patches on Oracle databases; 11% have never patched them. "Production databases don't get patched nearly often enough, because they're busy database servers and people will say, 'If it isn't broken, don't fix it,'" says Adam Muntner, a partner at QuietMove, a vulnerability assessment firm.

Companies often make mistakes that leave databases vulnerable, such as leaving test databases on production servers or linking sensitive data to easily hacked Web-facing applications. "I think that the biggest threat to databases is Web applications and the business logic vulnerabilities within them," Muntner says.

Close ties with Web applications can make databases vulnerable to SQL injection attacks, whereby attackers input strings of SQL code into weak Web applications fields. They can then raid the database linked to a specific Web application, and also use the link between the Web application and the database to launch more expansive attacks on entire database servers. According to IBM's ISS X-Force security research unit, SQL injection flaws last year were the Internet's most commonly exploited Web application vulnerability, growing by 134% over 2007.

chart: Watch That Database Server

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-24
IBM MQ 9.1 LTS, 9.2 LTS, and 9.1 CD AMQP Channels could allow an authenticated user to cause a denial of service due to an issue processing messages. IBM X-Force ID: 191747.
PUBLISHED: 2021-02-24
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
PUBLISHED: 2021-02-24
Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
PUBLISHED: 2021-02-24
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in...
PUBLISHED: 2021-02-24
BB-ESWGP506-2SFP-T versions 1.01.09 and prior is vulnerable due to the use of hard-coded credentials, which may allow an attacker to gain unauthorized access and permit the execution of arbitrary code on the BB-ESWGP506-2SFP-T (versions 1.01.01 and prior).