Forewarned is forearmed: 6 of the most common database security vulnerabilities


There’s a huge number of creative hackers out there finding new and infuriatingly clever ways to compromise data. Then there’s an even more massive number of not-so-creative hackers using the same old strategies, because the same old vulnerabilities keep popping up in organizations the world over.

Either way, a data breach is devastating, but one route is far worse when it comes to explaining to affected users, investors and the Securities and Exchange Commission how the personal data of 1.2 million of a company’s users ended up for sale on the dark web. Now is the time to get to know six of the most common database security vulnerabilities -- before the FBI start asking some pretty tough questions.


The growing importance of database security

For organizations that store any kind of personal data of anyone, be it users or employees, database security has always been essential. However, as the black market demand for data grows and the pay days associated with a successful breach grow right alongside it, database security solutions are now more important than ever, especially considering that 2016 was a record-breaking year for breaches.

Per the Identity Theft Resource Center, in the United States in 2016 there was a 40 percent increase in data breaches from the previous year, totaling up to a whopping 1,093 breaches. The business sector was the most targeted, followed closely by healthcare. Government and education institutions also made for hefty targets.

Common database vulnerability #1: deployment issues

This is the database security equivalent of a runner tripping over his shoelaces as he comes out of the starting blocks. Databases are extensively tested to ensure they can do everything they’re supposed to, but how many companies take the time to make sure they’re not doing what they shouldn’t be doing?

The fix: The fix for this may seem obvious, because it is: more testing prior to deployment to find unexpected operations that could be exploited by attackers.

Common database vulnerability #2: data leaks from an offline server

A company’s database might sit on a server that isn’t connected to the internet, but that doesn’t mean it’s safe from internet-based threats. Regardless of internet connectivity, databases have network interfaces that can be traversed by hackers.

The fix: Firstly, treat database servers as though they are online and secure them accordingly. Secondly, encrypt the traffic to and from them using TLS (or its predecessor, SSL).

Common database vulnerability #3: broken or misconfigured databases

Far too many databases are exploited using old, unpatched vulnerabilities or default account and configuration parameters. This could be because database administrators have a lot on their plates, or it could be because there rarely seems to be a good time to take down and work on a database as it is a business-critical system. Whatever the reason, the outcome is truly unfortunate.

The fix: By making database security a priority throughout the entire organization, database administrators will feel empowered to take the time to fix, patch and properly configure databases.

Common database vulnerability #4: SQL injections

SQL injection is not only one of the most common database vulnerabilities, it is also the reigning number one on the Open Web Application Security Project (OWASP) application security threat list. This vulnerability allows attackers to inject SQL queries into databases in order to read sensitive data, modify it, execute administrative operations and potentially even issue commands to the operating system.

The fix: During development, input variables need to be tested for SQL injection. After development, web-facing databases need to be protected using firewalls.
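The kind of pre-deployment test the fix above calls for, as an added example that is not from the original article: a query that splices input into SQL text sits beside its parameterized replacement, and a small check feeds both a quote-bearing probe input to confirm only the parameterized form treats it as plain data. The in-memory SQLite table, the user record and the `login_*` function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for a real user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The 'before' form: user input is spliced into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """The hardened form: placeholders keep the input as data, never as SQL,
    so quotes and comment markers in the input have no special meaning."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# Probe inputs a developer should include in pre-deployment tests: a quote that
# closes the string literal followed by an always-true condition.
INJECTION_PROBES = ["' OR '1'='1", "x' OR 1=1 --"]

def injection_test(login_fn):
    """Return True if login_fn grants access for any probe input (i.e. the
    function is injectable); a correct implementation returns False."""
    conn = make_db()
    return any(login_fn(conn, "alice", probe) for probe in INJECTION_PROBES)

if __name__ == "__main__":
    print("vulnerable injectable:", injection_test(login_vulnerable))        # True
    print("parameterized injectable:", injection_test(login_parameterized))  # False
```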

Common database vulnerability #5: privilege issues

There are two main issues when it comes to the problems with access privileges: employees may either be granted excessive privileges, giving them access beyond what they need in order to do their jobs, or legitimate privileges can be misused for unauthorized or malicious purposes.

The fix: Database access privileges need to be strictly controlled with employees only getting the privileges they require, and database access being carefully monitored to ensure employees are using their privileges for authorized purposes. Privileges also need to be immediately revoked when an employee leaves an organization.

Common database vulnerability #6: archived data

Related to the point above, whether for revenge or profit, employees have been known to gain huge amounts of personal data by stealing database backups.

The fix: Encrypting archived data and keeping a close watch on who is accessing it and how it’s being used will go a long way towards cutting down on the insider risk.

Common consequences

The full impact of 2016’s busy year of data breaches has yet to truly be seen. The initial damage has been done to the affected organizations, with PR disasters, negative headlines and undermined user and employee trust aplenty. It will be a while longer before all the fines are levied and the class action lawsuits are settled, though. In the end, organizations will lose millions of dollars in fines and payments and even more in lost revenue, all because of the most common database security vulnerabilities. It’s about time the common became uncommon, and the first step is awareness.

Debbie Fletcher is an enthusiastic, experienced writer who has written for a range of different magazines and news publications over the years. Graduating from City University London specializing in English Literature, Debbie's passion for writing has since grown. She loves anything and everything technology, and exploring different cultures across the world. She's currently looking towards starting her Masters in Comparative Literature in the next few years.


© 1998-2024 BetaNews, Inc. All Rights Reserved.