If you run a business harbouring sensitive information within a database – anything from intellectual property, to digital cash, to your customers’ data – you need to secure it.
It sounds like such a basic piece of advice, but it’s one that many businesses neglect to follow, says Josh Shaul, director of product management at Trustwave Holdings Inc. He’s scheduled to be at the RSA conference at the end of February to demonstrate how many businesses remember to secure their networks and their servers, but how they sometimes skip that step when it comes to databases.
For the last 15 years, Trustwave has been researching all the ways hackers can break into databases to steal valuable data – and one thing researchers keep finding is that businesses believe there’s no need to secure their databases, as long as they already have other protections in place, like network and application security controls.
“It’s definitely a big misconception,” Shaul says. “The idea that hey, I’ve got a secure network, I’ve encrypted things, I’ve put up my security protections, so my database must be protected, is really similar to the idea of a bank opening up with a guard at the door and video cameras and alarm systems. But instead of having a vault, they put all the cash in the middle of the floor.”
Databases need to have specific security controls around them because they often contain an organization’s most sensitive information, he adds. And hackers are very aware of this, devising a number of ways to get into businesses’ databases through vulnerabilities and exploits.
For example, one way a hacker can get in is to steal an employee’s password. Hackers accomplish this by installing malware, running phishing schemes, and using other ways of gaining access. Once they’re in, they can start sending the information stored in a database to their own servers.
Another way doesn’t require any inside knowledge – instead, hackers can attack from the outside using SQL injections, SQL being the kind of code used in databases. Basically, a hacker can type SQL code into an input field on a website – for example, a place where the website asks someone to enter their username and password. If the SQL code executes, the hacker may be able to get access to a site’s database.
And unfortunately, doing a SQL injection is easy, even for script kiddies who have just a basic knowledge of hacking, Shaul says.
“There are three critical skills to execute attacks. You’ve got to be able to Google, copy, and paste,” he says, adding many hackers have posted examples of SQL code online for others to try. Even security researchers may post SQL code online after explaining the company with the vulnerability has already patched it – but that doesn’t mean hackers won’t try using it anyway.
And it isn’t just outside attackers who pose a threat. Internal theft is always a possibility, with an employee potentially stealing company data and selling it to a competitor. That’s why it’s important to only grant database access to the employees who need it, Shaul says.
Businesses should also ensure they layer security around their databases, he adds. For example, they should check to make sure they are aware of all of the databases in their environments, checking for vulnerabilities and misconfigurations in each one. They should also deploy firewalls, protect their web applications from attacks, and constantly monitor their databases in case they are attacked.
Some red flags include queries running on very large data sets, or queries coming from Web applications that result in errors – something that doesn’t usually happen for production applications, Shaul says. Another is an attempt to connect to a database from an unusual source, like a PC that doesn’t usually connect to it.
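As an added illustration (not from Trustwave or the original article), the sketch below checks database audit records for the three red flags described above. The log format, account names, host names and row threshold are all constructed assumptions.

```python
# Added example: flag the three red flags described above in database audit records.
# Log format, account names, hosts and the row threshold are constructed assumptions.

WEB_APP_ACCOUNTS = {"webapp_svc"}   # accounts used by production web applications
USUAL_SOURCES = {                   # hosts each account normally connects from
    "webapp_svc": {"web01", "web02"},
    "dba_alice": {"dba-ws1"},
}
MAX_ROWS = 10_000                   # assumed ceiling for a normal result set

# Constructed sample audit log, one query per line.
SAMPLE_LOG = """\
ts=2024-01-01T10:00:00 user=webapp_svc src=web01 rows=12 error=
ts=2024-01-01T10:00:05 user=webapp_svc src=web01 rows=0 error=syntax_error
ts=2024-01-01T10:00:09 user=webapp_svc src=web02 rows=250000 error=
ts=2024-01-01T10:01:30 user=dba_alice src=pc-417 rows=40 error=
"""

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; an empty value (error=) stays ''."""
    record = dict(field.partition("=")[::2] for field in line.split())
    record["rows"] = int(record.get("rows") or 0)
    return record

def red_flags(record):
    """Return the names of the red flags this record raises."""
    flags = []
    if record["rows"] > MAX_ROWS:
        flags.append("large_result_set")
    # Production web applications should not normally send failing queries.
    if record["user"] in WEB_APP_ACCOUNTS and record.get("error"):
        flags.append("web_app_query_error")
    # Accounts with no baseline at all are also treated as unusual.
    if record["src"] not in USUAL_SOURCES.get(record["user"], set()):
        flags.append("unusual_source")
    return flags

def scan(log_text):
    """Return (timestamp, user, flags) for every record that raises a flag."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            record = parse_line(line)
            flags = red_flags(record)
            if flags:
                alerts.append((record["ts"], record["user"], flags))
    return alerts

if __name__ == "__main__":
    for ts, user, flags in scan(SAMPLE_LOG):
        print(ts, user, ", ".join(flags))
```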