The fact is that today's data stores are usually exposed as a result of poor security in the infrastructure layers beyond the database. The biggest three culprits: insecure Web applications tapped into the database, poorly administrated machine accounts with high amounts of database privileges, and misconfigured (or nonexistent) network segments.
1. Insecure Web Applications
In spite of the work of groups like OWASP to disseminate coding best practices during the past few years, the fact is that there are still millions of vulnerable Web applications live on the Internet -- and where do these apps lead their users? Why, to back-end databases, of course.
Progress in narrowing the vulnerability gap is slow, says David Litchfield, chief security architect for Accuvant LABS and a well-known database security researcher.
"It’s quite disheartening, actually, to see that the same toolkit I started using years ago still works quite well doing penetration tests today," Litchfield says.
The worst part about it, according to Litchfield, is that developers are still rolling out new apps featuring the same mistakes of yesteryear -- failing to validate input, for example. He says that higher education institutions are still failing to teach students secure coding principles that have been developed for years now.
"You’d think these developers coming out of university would understand these fundamentals, but they haven't been taught these things," he says.
2. Overprivileged System Accounts
Even within organizations that have implemented high-powered identity and access management tools and processes across IT infrastructure, databases tend to get left behind in no-man's-land.
"All too often, organizations forget to tie identity life-cycle management of database users, especially shared accounts and service accounts, to their IAM core," says Nishant Kaushik, chief architect of Identropy. "Database access must be tied to provisioning, strong authentication, and privileged account management tools."
The sad reality, though, is that for the sake of expediency, IT tends to allow developers and other IT system administrators to tap into the database through system accounts with nearly unlimited permissions enabled. These accounts are often operated outside the bounds of access control or monitoring systems and are ripe for abuse by knowledgeable insiders or outside attackers who find these useful vehicles for unmitigated access to the database.
3. Misconfigured Network Segmentation
Security best practices and regulations have heavily touted network segmentation as a critical way to limit the scope of risk mitigation efforts on high-value database assets. But when misconfigurations, particularly in firewall rule sets, poke holes in the security of those network segments, databases are left vulnerable.
Kevin Beaver, founder of security consultancy Principle Logic, spends much of his time performing network security and Web application security assessments for clients. His examinations frequently show how poorly organizations are doing at properly segmenting networks and keeping databases tucked into protected DMZs.
"I could go look at the firewall rule base [at many organizations] and point out all sorts of flaws, misconfigurations, network segments that shouldn't be talking to one another, ports open, and so on. I often see database servers that are sitting out on the public Internet, wide open for attack," he says. "I've actually been involved in a case not too long ago as an expert witness that involved a situation where somebody had to put a SQL Server database out on the Internet because a business partner required it, and they forgot about it. They poked a hole in the firewall, forgot about it, went back, and realized they had had a data breach. It turned really ugly."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.