It is not surprising that SQL Injection and database hacking are getting more frequent: as people ramp up perimeter security, more often than not they forget about interior security, software application security and, most of all, database security.
Of the 2007 total corporate IT budget, respondents said they have allocated 34 percent for database infrastructure and 20.6 percent for IT security overall. More than 53 percent believe their databases are critical to their businesses.
But only 15 percent said that extending security best practices to the database is a “critical priority” for 2007. Higher priorities included upgrading applications (25 percent), improving the efficiency of IT (20 percent), and consolidating IT infrastructure (19 percent). Upgrading security overall (13 percent) finished slightly lower, as did supporting Sarbanes-Oxley (10 percent) and upgrading disaster recovery capabilities (9 percent).
The irony is that, generally, THE most important information is stored in corporate databases, including credit card details, social security information, corporate figures and all the guts that power the white-collar machine.
What’s in corporate databases? Lots of valuable data. Some 55 percent of respondents said their databases contain customer data, 54 percent said databases contain employee data, and 50 percent contain confidential business data. Intellectual property — the most highly-guarded data in our survey — resides in 38 percent of respondents’ databases.
Respondents’ database environments are of substantial scale and complexity — a majority of respondents manage more than 500 databases. Twenty-nine percent have many different database types and technologies.
The moral is: when pen-testing, go after the database and applications, and if you are into securing your network, please don’t just concentrate on the firewall and IDS. Also look at the overall architecture, security stance, information management, and database and application security.
Source: Dark Reading