[ad]
It not surprising SQL Injection and database hacking are getting more frequent as people ramp up perimeter security more often than not they forget about interior security, software application security and most of all database security.
Of the 2007 total corporate IT budget, respondents said they have allocated 34 percent for database infrastructure and 20.6 percent for IT security overall. More than 53 percent believe their databases are critical to their businesses.
But only 15 percent said that extending security best practices to the database is a “critical priority” for 2007. Higher priorities included upgrading applications (25 percent), improving the efficiency of IT (20 percent), and consolidating IT infrastructure (19 percent). Upgrading security overall (13 percent) finished slightly lower, as did supporting Sarbanes-Oxley (10 percent) and upgrading disaster recovery capabilities (9 percent).
The irony is, generally THE most important information is stored in corporate databases. Including credit card details, social security information, corporate figures and all the guts that power the white-collar machine.
What’s in corporate databases? Lots of valuable data. Some 55 percent of respondents said their databases contain customer data, 54 percent said databases contain employee data, and 50 percent contain confidential business data. Intellectual property — the most highly-guarded data in our survey — resides in 38 percent of respondents’ databases.
Respondents’ database environments are of substantial scale and complexity — a majority of respondents manage more than 500 databases. Twenty-nine percent have many different database types and technologies.
The moral is, when pen-testing go after the database and applications and if you are into securing your network..Please don’t just concentrate on the firewall and IDS also look at overall architecture, security stance, information management, database and application security.
Source: Dark Reading
SN says
very interesting .. security is important, but I guess data is even more important for security purposes ($$$)
backbone says
the thing is that I didn’t see any tips on how to secure your database… of course it’s a stupid think to leave not passworded your database, but beyond that never seen quite good tips =))))
Cyanide says
Some of the things you can do for databases are simple things like row permissions and just finer grained controls including what a user can and cant do on certain rows or a db.
Other examples are putting your db servers at the center of a “Onion” security model where the databases are the most protected asset to a company and putting firewalls in front of certain database servers that only allow certain hosts to access to the server. You should look at the overall network design though when doing this and do it conjunction with other methods like network segmentation.
Ful Stomach says
It’s interesting that this article is posted today, cause it was only yesterday I was thinking “WoW another SQL injection HaX”. I haven’t been back to look at the related articles, but from memory, this site seems to reflect the fact that there are allot of techniques/tools for compromising insecure databases.
Just a thought, if it’s databases today, then what will be tomorrow?
backbone says
i think that the db’s will be even tomorrow… they are the biggest step in data storying systems… can’t see something better that databases… just improvements…
Sandeep Nain says
Corporates still believe that their business critical data is very secure if they have a firewall infront of their DB server and I have also seen many DBAs assuring the management that DB is safe as they have put fine grained controls for database access.
But (as We all know) the hackers are now moving towards the application layer from network layer. therefore corporates must put some efforts in making their s/w applications secure (applications which are interacting with those corporate databases). Special consideration should be given to authentication and access control mechanisms…
e.g. If there is a flaw in authentication system of a web application, a hacker may be able to log in as administrator and destory the business critical data.
TheRealDonQuixote says
Here’s a tip for all you MBA’s out there running corporate America. Hire some pentesters to remain on your IT staff purely to keep testing your companies’ security, including your actual data in your DB’s. Pay them well, not just cause they deserve it, but so they don’t have wandering thoughts of more money. Then, talk to them, learn about the basics of information security.
Oh, and stop leaving huge printouts of reports all over the place. Not EVERYONE in the company needs a printed copy of all your sensitive info for your weekly team update or whatever. Remember, social engineering and dumpster diving is a large part of data gathering and subsequently hacking your company into non-existence or just costing you and yours a buttload of money and time.
There, now America is safe. XD
Slavik says
There a lots of things a company can do to secure its databases, and many people (including myself) make a living out of doing exactly that. Some of the main things are:
1. Only install what you need – DBMSs are full of features, not all of them required for every kind of installation. The more optional features you install, the larger the possible attack surface for hackers. You can get attacked through a vulnerability in a component you weren’t even using – completely unnecessary.
2. Change all default passwords and users and regularly check for default/weak passwords – sounds simple, but you’ll be amazed how many companies still have those lying around.
3. Grant least privileges – even seemingly innocent VIEW privileges can be an opening for exploits.
4. Use secure coding practices – for example, using bind variables will greatly help in preventing vulnerability to SQL injection
5. Encrypt sensitive data – it’s another security layer, in case some of the other measures fail, and it’s also a requirement for some regulatory compliance audits
6. Use security monitoring and auditing tools – this is not necessarily a huge investment, and will provide you with visibility into what’s going on in the database – who’s doing what, where and when.
Just my 2 cents…
Sandeep Nain says
Nice post Slavik…
Keep it up…