Leaving username and password combos at their default settings is like rolling out the welcome mat for data thieves. Yet many organizations do exactly that for expediency's sake: many applications that tap into database information are designed to sync with default accounts, and changing passwords might break something.
"The worst offender we see is the DBSNMP account in Oracle," Shaul says. "It's such a problem, we joke that to the DBA community, DBSNMP stands for DataBase Security Not My Problem."
5. Failing To Self-Examine
Sticking your head in the sand with regard to what users are doing, how the databases are being used, and what kinds of attacks the database is vulnerable to only emboldens thieves to do their dirty business without fear of getting caught.
And yet most security experts agree that the majority of organizations fail to monitor users or audit database activity because they're afraid of taking a performance hit.
"It's a constant struggle -- security professionals wanting to turn on an audit, and DBAs, on the other hand, crying for better performance. When it comes to serving customers, performance usually wins or the teams decide to compromise," Imperva's Bar Yosef says. "But at the end of the day, or rather -- breach -- what is crucial for discovery, recovery, and accountability is missing."
According to Rajesh Goel, chief technology officer of security consultancy Brainlink International, many organizations will also deny security assessors or penetration testers the authority to include the database in their attacks, even though that's the first place a malicious attacker will target.
"We know of a number of firms that told us to not attack their databases, or only perform limited attacks, because if the database went down, some folks might get fired," Goel says.
6. Allowing Arbitrary Internet Connections And Input
When databases are connected to the Internet, free to be accessed by any arbitrary client without any restrictions, bad things happen.
"This means that SQL injection attacks have a devastating impact, exposing arbitrary data," says Jose Nazario, senior manager of security research for Arbor Networks. "Splitting rights and roles goes a long way. Read-only roles should be used to serve Web content."
Similarly, user input needs to be scrubbed to prevent injection and denial-of-service attacks, and untrusted users should never be able to query tables directly or database object names like tables, functions, or views, Nazario says.
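An added example (not from the article or from anyone quoted in it) of the measures described in this section: a read-only connection for the Web tier, user text bound as a query parameter, and object names chosen from an allowlist instead of taken from the request. It assumes SQLite, whose `mode=ro` connection stands in for a read-only database role, and the table, columns, and rows are constructed for illustration.

```python
import os
import sqlite3
import tempfile

# Allowlist: request-supplied sort keys map to fixed column names (assumed schema).
ALLOWED_SORT_COLUMNS = {"title": "title", "published": "published"}

def build_sample_db(path):
    """Create constructed sample data over a privileged (read-write) connection."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published TEXT)")
    con.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)",
        [("Default passwords", "2011-01-10"), ("Audit gaps", "2011-02-03")],
    )
    con.commit()
    con.close()

def open_read_only(path):
    """Web-tier connection: SQLite's mode=ro stands in for a read-only role."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def search_articles(con, term, sort_by="title"):
    """Bind user text as a parameter; never interpolate a user-supplied object name."""
    column = ALLOWED_SORT_COLUMNS.get(sort_by)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_by!r}")
    sql = f"SELECT title FROM articles WHERE title LIKE ? ORDER BY {column}"
    return [row[0] for row in con.execute(sql, (f"%{term}%",))]

def demo():
    path = os.path.join(tempfile.mkdtemp(), "site.db")
    build_sample_db(path)
    con = open_read_only(path)
    results = {"normal": search_articles(con, "pass")}
    # Injection-shaped text is treated as data, so it simply matches no title.
    results["quoted"] = search_articles(con, "' OR '1'='1")
    try:
        search_articles(con, "a", sort_by="title; DROP TABLE articles")
    except ValueError:
        results["bad_sort"] = "rejected"
    try:
        con.execute("DELETE FROM articles")  # a write over the read-only connection
    except sqlite3.OperationalError:
        results["write"] = "denied"
    con.close()
    return results

if __name__ == "__main__":
    print(demo())
```

On a server database the same split is made with a dedicated account granted only SELECT on the tables the site serves.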
7. Failing To Encrypt
According to Alan Wlasuk, CEO of 403 Web Security, the single dumbest database security mistake organizations make is leaving their databases unencrypted.
"It is a given that hackers will eventually get into your database. An encrypted database gets the hackers very little, [while] a clear text database could be a deadly embarrassment to your company," he says. "Encryption is free, fast, and easy to use."