The Soft Underbelly? – Database Security


It is not surprising that SQL injection and database hacking are getting more frequent: as people ramp up perimeter security, more often than not they forget about interior security, software application security and, most of all, database security.

Of the 2007 total corporate IT budget, respondents said they have allocated 34 percent for database infrastructure and 20.6 percent for IT security overall. More than 53 percent believe their databases are critical to their businesses.

But only 15 percent said that extending security best practices to the database is a “critical priority” for 2007. Higher priorities included upgrading applications (25 percent), improving the efficiency of IT (20 percent), and consolidating IT infrastructure (19 percent). Upgrading security overall (13 percent) finished slightly lower, as did supporting Sarbanes-Oxley (10 percent) and upgrading disaster recovery capabilities (9 percent).

The irony is that, generally, THE most important information is stored in corporate databases, including credit card details, social security information, corporate figures and all the guts that power the white-collar machine.

What’s in corporate databases? Lots of valuable data. Some 55 percent of respondents said their databases contain customer data, 54 percent said databases contain employee data, and 50 percent contain confidential business data. Intellectual property — the most highly-guarded data in our survey — resides in 38 percent of respondents’ databases.

Respondents’ database environments are of substantial scale and complexity — a majority of respondents manage more than 500 databases. Twenty-nine percent have many different database types and technologies.

The moral is: when pen-testing, go after the database and the applications, and if you are into securing your network, please don’t just concentrate on the firewall and IDS. Also look at the overall architecture, security stance, information management, database and application security.

Source: Dark Reading



9 Responses to The Soft Underbelly? – Database Security

  1. SN July 16, 2007 at 2:23 pm #

    very interesting .. security is important, but I guess data is even more important for security purposes ($$$)

  2. backbone July 16, 2007 at 5:40 pm #

    the thing is that I didn’t see any tips on how to secure your database… of course it’s a stupid thing to leave your database without a password, but beyond that I’ve never seen quite good tips =))))

  3. Cyanide July 16, 2007 at 8:02 pm #

    Some of the things you can do for databases are simple things like row permissions and just finer grained controls, including what a user can and can’t do on certain rows or a db.

    Other examples are putting your db servers at the center of an “Onion” security model, where the databases are the most protected asset to a company, and putting firewalls in front of certain database servers that only allow certain hosts to access the server. You should look at the overall network design though when doing this and do it in conjunction with other methods like network segmentation.

  4. Ful Stomach July 16, 2007 at 11:09 pm #

    It’s interesting that this article is posted today, cause it was only yesterday I was thinking “WoW another SQL injection HaX”. I haven’t been back to look at the related articles, but from memory, this site seems to reflect the fact that there are a lot of techniques/tools for compromising insecure databases.

    Just a thought, if it’s databases today, then what will be tomorrow?

  5. backbone July 16, 2007 at 11:42 pm #

    i think that the db’s will be here even tomorrow… they are the biggest step in data storing systems… can’t see something better than databases… just improvements…

  6. Sandeep Nain July 17, 2007 at 12:53 am #

    Corporates still believe that their business critical data is very secure if they have a firewall in front of their DB server, and I have also seen many DBAs assuring the management that the DB is safe as they have put fine grained controls on database access.

    But (as we all know) the hackers are now moving towards the application layer from the network layer. Therefore corporates must put some effort into making their s/w applications secure (applications which are interacting with those corporate databases). Special consideration should be given to authentication and access control mechanisms…

    e.g. If there is a flaw in the authentication system of a web application, a hacker may be able to log in as administrator and destroy the business critical data.

  7. TheRealDonQuixote July 17, 2007 at 1:12 am #

    Here’s a tip for all you MBAs out there running corporate America. Hire some pentesters to remain on your IT staff purely to keep testing your company’s security, including your actual data in your DBs. Pay them well, not just cause they deserve it, but so they don’t have wandering thoughts of more money. Then, talk to them, learn about the basics of information security.

    Oh, and stop leaving huge printouts of reports all over the place. Not EVERYONE in the company needs a printed copy of all your sensitive info for your weekly team update or whatever. Remember, social engineering and dumpster diving are a large part of data gathering and subsequently hacking your company into non-existence, or just costing you and yours a buttload of money and time.

    There, now America is safe. XD

  8. Slavik July 17, 2007 at 11:19 pm #

    There are lots of things a company can do to secure its databases, and many people (including myself) make a living out of doing exactly that. Some of the main things are:
    1. Only install what you need – DBMSs are full of features, not all of them required for every kind of installation. The more optional features you install, the larger the possible attack surface for hackers. You can get attacked through a vulnerability in a component you weren’t even using – completely unnecessary.
    2. Change all default passwords and users and regularly check for default/weak passwords – sounds simple, but you’ll be amazed how many companies still have those lying around.
    3. Grant least privileges – even seemingly innocent VIEW privileges can be an opening for exploits.
    4. Use secure coding practices – for example, using bind variables will greatly help in preventing vulnerability to SQL injection.
    5. Encrypt sensitive data – it’s another security layer, in case some of the other measures fail, and it’s also a requirement for some regulatory compliance audits.
    6. Use security monitoring and auditing tools – this is not necessarily a huge investment, and will provide you with visibility into what’s going on in the database – who’s doing what, where and when.

    Just my 2 cents…
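Two of the points in the comment above (bind variables against SQL injection, and least privilege on the database connection) are easy to see side by side in code. The following is an added example, not code from the post or from any of the commenters; it uses Python’s standard sqlite3 module, an in-memory database, and constructed sample rows. The function and table names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the example (not from the page).
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")]


def setup_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable lookup: the caller's string is spliced into the SQL text,
    so quotes and operators in the input become part of the query."""
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Hardened lookup: a bind variable (?) passes the input as data only;
    the query structure is fixed before the value is supplied."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? ORDER BY username",
        (username,),
    )
    return [row[0] for row in rows]


def read_only_authorizer(action, arg1, arg2, db_name, trigger):
    """Least privilege at the connection level: deny any statement that
    modifies data or schema; everything else (reads) is allowed."""
    if action in (
        sqlite3.SQLITE_INSERT,
        sqlite3.SQLITE_UPDATE,
        sqlite3.SQLITE_DELETE,
        sqlite3.SQLITE_DROP_TABLE,
    ):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def restrict_to_reads(conn):
    """Attach the read-only authorizer, the sqlite3 stand-in for granting an
    application account SELECT-only privileges."""
    conn.set_authorizer(read_only_authorizer)
    return conn


def try_delete(conn, username):
    """Attempt a DELETE; return True if it ran, False if the authorizer denied it."""
    try:
        conn.execute("DELETE FROM users WHERE username = ?", (username,))
        return True
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    db = setup_db()
    injected = "' OR '1'='1"  # classic tautology input, used here only to show the difference
    print("unsafe:", find_user_unsafe(db, injected))  # every username comes back
    print("safe:  ", find_user_safe(db, injected))    # no such user: empty list
    ro = restrict_to_reads(setup_db())
    print("delete on read-only connection ran:", try_delete(ro, "bob"))
```

Running the script shows the unsafe query returning every row for the tautology input while the parameterized query returns nothing, and the read-only connection refusing the DELETE with a “not authorized” error while still serving SELECTs. In a real deployment the equivalent of `restrict_to_reads` is a separate database account with only the privileges the application needs, which is the commenter’s point 3.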

  9. Sandeep Nain July 18, 2007 at 4:47 am #

    Nice post Slavik…

    Keep it up…