July 2, 2018
In a world that is completely consumed by technology where everything is now stored in the Worldwide Web there is nothing more important than database security. This is important because people are always blind to the dangers of trusting all their information in the cyber space. It is up to the creators of the different databases and social media pages to make sure that their clients’ information is fully safe because once they are gained access to they can easily cause major troubles for the owners of the information. Therefore, it is important to know the importance of database security and the consequences that come from the lack of, it is also important to educate one’s self about the common attacks that occur and the best ways to avoid them.
Database security is defined as the collective measures taken to protect and secure a database or database management software from illegitimate use of malicious threats (Techopedia, n.d.). Over they years, the world has passed the analog stage and how now become completely digital, there are hardly any companies in the world that are still storing their information on paper, with the exception if some third world countries that are slowly catching up. If a person goes to a store now and buys something, it is all stored online. Same goes for banks, people trust their banks with their money and their information which is all also stored digitally. The author of Database Design, Application Development and Administration summarizes it well when he says that “our lives are surrounded by those that use computerized databases” (Manino, 2015).
Database security is extremely important because as more organizations and companies increase their use of database systems and important data management technology for everyday operations, the more they are making themselves vulnerable to breaches. And the more important the information they’re keeping the more fatal the damage will be once their security is breached. This is because it will not be just affecting one person but many people who have a lot to lose, in some occasions it may even result in the fall of an entire organization because they will lose all credibility. When thinking about data breach and how to protect it, it is important to remember that external hackers are not the only threats to protect against but also the internal threats. It is popular belief that hackers are the ones that cause most security breached but in actuality, 80% of data loss is to insiders in the organization (Thakur, n.d.).
For example, a few years back Wells Fargo went through investigation because they had a security breach that released personal information of seven thousand of their clients. That is a major breach of security that affected many people and their funds. While investigating the investigators found out that the person responsible must have used an employee’s card to get access to all the information (McGlasson, 2008). While that should have been a big red flag for Wells Fargo and resulted in them making their data breach proof, they clearly did not do their best because nine years later they were faced with a similar problem. In 2017, they had a breach in their database security when employees were creating fake accounts and wiring money from other accounts into them resulting in many clients losing their money. This is a perfect example of how organizations should take their security serious and also how important to also protect themselves from internal breaches because as it turns out, those are the ones that can cause the most damage. Because of the two security breaches Wells Fargo has suffered a loss of customers because they cannot trust a bank that can easily lose their information and money twice.
Database security also includes the security of non-computer based threats, it includes hardware, software infrastructure, people and the data of the organization. Because database security is the concern of organizations, organizations should be aware of the risks factors and the weak spots in their system in order to be ready and know how to prevent data breach. A threat is a situation, event or personnel that will adversely affect the database security and the smooth and efficient functioning of the organization (Thakur, n.d.).
There are several common database threats, theses are the ones that are seen repeatedly over the years. Some of the threats include excessive privileges, this is when employees are granted access to information that exceed their job requirement they can decide to exploit it. An example would be the Wells Fargo incident that was mentioned earlier. Because an employee had access to other clients’ bank accounts they decided to create fake accounts and transfer themselves money. In addition to that, some companies fail to change access information for the employees that no longer work in the same department Another common threat are Database Injection attacks, there are two main types of this kind of attack which are SQL injections that target traditional database Systems and NoSQL injections that target big data platforms (Maurer, 2015).
SQL injection attack can be better defined as a computer attack in which malicious code is embedded in a poorly designed application and then passed to the backed database. It works when the malicious data produces database query results that should never have been executed (Techopedia, n.d.). SQL is a programming language that is used to manage data in a database. SQL injections attacks are not always about getting information from the target site, depending on the people hacking it can include bypass logins to access data, it can be to modify content in the database or it can be simply to shut the sever down. The first step hackers take before attacking is finding where the vulnerability exists, and then use that as a way to get in (Menegaz, 2012). There have been several SQL injection attacks in the past few years targeted towards big companies such as Sony, Yahoo, Microsoft, PBS, and even the CIA. Therefore, organizations should do their best to prevent it from happening again.
Protection form SQL injection attacks is completely doable. The first step to take is to check and see whether there are any vulnerabilities in the database that can be used to attack. The best way to accomplish that is to launch an attack to test the database and if successful in breaching then there is a clear picture of what and where to fix. There is also an alternative option of just running an automated SQL injection attack tool that helps pinpoint where the issue is. Another step to take is to be cautious of everyone, this can be done by using input validation via a function to ensure that dangerous characters are not passed to a SQL query in the data. A person can also prevent attacks by not using dynamic SQL, meaning not constructing queries with user input and use things such as prepared statements, parameterized queries, or stored procedures. Another important step is remembering continuously update and patch, this is because vulnerabilities in databases that hackers can exploit are discovered regularly therefore it is important to apply patches and updated as soon as possible. A person can also consider putting up a firewall, it can either be software based or appliance based. This will help with filtering out malicious data. Another important step to take is reducing attack surfaces in the database, this can be done by getting rid of any database functionality that is not needed in order to prevent hackers from taking advantage of it. Taking appropriate privileges is also important, this means not connecting to the database using an account with admin level privileges unless there is a good reason to do so. This is because using a limited access account is better and can limit what the hacker can do. Encrypting information in the database can also be helpful and a person should never divulge more information than they need to because error messages can act as a tool for hackers to learn more about the database. Last but not least, a person should continuously monitor their SQL statements from database connected applications. This helps with identifying roque SQL statements and vulnerabilities (Rubens, 2018).
Another common database threat is Malware, this is because malware is used to steal sensitive data through legitimate users using infected devices and it is quite common. Storage media exposure is also a common database threat. This is because backed up storage media is almost never protected from attacks making them very easy targets. Vulnerable databases is the most common threat because it can sometime take organizations months to fix their database and in those months they will be target to many attacks. Attackers seem to be especially knowledgeable when it comes to exploit unpatched databases that still have original accounts and configuration parameters. In addition to those, there is a threat that is sometime overlooked and that is the human factor, this also happens to be the root cause of 30% of data breach incidents (Maurer, 2015).
There are several ways to prevent database security threats, though they may sound similar to the ones mentioned on protecting from SQL injection attacks they are still worth mentioning. The first thing to be done is ensure physical database security, this means keeping the database servers in a secure locked environment with access controls to keep unauthorized people from going in. It also means keeping the database on a separate machine away from the machines running applications or web servers. This is because web servers are more likely to be attacked since they located in a DMZ making them accessible to the public and if compromised, and the server still runs in the same machine the attacker would have access as a root user to the database and data (Rubens, 2016).
A person should also make sure that they are running the most up to date version of database software with all the security patches installed to remove all known vulnerabilities because those can become fatal. It is also important to uninstall or disable any features or services that are not being used and make sure that the passwords are changed on the original account. Also ensure that all databases security controls are enabled. For extra caution, it is also smart to encrypt all data, including the back up data and store them separately from the decryption. Another step to take to prevent database threats is to minimize the value of the database, this is because attackers can only get access to information that is stored in the database, therefore if information isn’t there it is safe. in order to make this effective a person can actively manage the data so that any unneeded information can just be deleted from the database. The data that has to be retained for compliance or other purposes can be moved to more secure storages maybe even offline where is less susceptible to database security threats (Rubens, 2016).
The people who have access to the database are also a concern, therefore database access must be managed tightly. A very small amount of people should be grated access to the database, only enough access to do their jobs and only for the amount of time needed to do the job. This may be impractical for smaller organizations, but permissions should at least be managed as groups rather than granted individually. Strong passwords should also be enforced, preferably encrypted and often changed. Accounts should have a limit of how many tries a person gets to login before being locked out, and a procedure should be enforced to ensure that all accounts are deactivated when the staff leave or switch roles.
Data security is the most important role for database owners and organizations because there is an enormous amount of information that is trusted upon them to keep safe and if breached may cause irreversible damage. Not only that but, losing peoples data results in lack of credibility for companies. Even though keeping up with database security may seem tiresome and hard it is the owner’s responsibility to make sure that their organization is trustworthy and has integrity. For Exodus 22 :7-8 says “If anyone gives a neighbor silver or goods for safekeeping and they are stolen from the neighbor’s house, the thief, if caught, must pay back double. 8 But if the thief is not found, the owner of the house must appear before the judges, and they must determine whether the owner of the house has laid hands on the other person’s property.” This says that it is solely the owner’s responsibility to find the stolen data and if not it is the owner that will go under investigation. Therefore, take responsibility for the database and make sure that the security is up to date in order to be successful.
Mannino, M. (2015). Database design, application development, and administration (6th ed.). Boston: McGraw-Hill Irwin.
Maurer, R. (2018, April 11). Top Database Security Threats and How to Mitigate Them. Retrieved July 2, 2018, from https://www.shrm.org/resourcesandtools/hr-topics/risk-management/pages/top-database-security-threats.aspx
Mcglasson, L. (2008, August 20). Wells Fargo Reveals Data Breach. Retrieved July 3, 2018, from https://www.bankinfosecurity.com/wells-fargo-reveals-data-breach-a-944
Menegaz, G. (2015, December 04). SQL Injection Attack: What is it, and how to prevent it. Retrieved July 3, 2018, from https://www.zdnet.com/article/sql-injection-attack-what-is-it-and-how-to-prevent-it/
Mullins, C. S. (2013, August 07). Bad Database Standards Can Cause Performance Problems. Retrieved July 2, 2018, from http://www.dbta.com/Columns/DBA-Corner/Bad-Database-Standards-Can-Cause-Performance-Problems-91192.aspx
Ragan, S. (2017, September 13). 17 penetration testing tools the pros use. Retrieved July 3, 2018, from https://www.csoonline.com/article/2943524/network-security/17-penetration-testing-tools-the-pros-use.html
Rich, K. (2012, July 20). Database Security Guide. Retrieved July 2, 2018, from https://docs.oracle.com/cd/B19306_01/network.102/b14266/reqthret.htm#DBSEG1000
Ruebens, P. (2016, August 23). 7 Database Security Best Practices. Retrieved July 2, 2018, from https://www.esecurityplanet.com/network-security/6-database-security-best-practices.html
Ruebens, P. (2018, May 2). How to Prevent SQL Injection Attacks. Retrieved July 3, 2018, from https://www.esecurityplanet.com/hackers/how-to-prevent-sql-injection-attacks.html
Thakur, D. (n.d.). Dinesh Thakur. Retrieved July 2, 2018, from http://ecomputernotes.com/database-system/adv-database/security-in-database-environment
What is Database Security? – Definition from Techopedia. (n.d.). Retrieved July 3, 2018, from https://www.techopedia.com/definition/29841/database-security