An organization's database contains intellectual property, information on clients, product development, personal information on its workers, and in many cases, critical information on consumers. Therefore, it makes sense to understand not only how an attacker can threaten a database, but also how best to defend against such an attack.
So, what are those dangers? In no particular order, the most significant threats facing databases today are system, privilege, and credential threats.
Let's take a quick look at a few methods an attacker might use to gain access to a database.
SQL injections: a perennially top attack type that exploits vulnerabilities in web applications to control their database. SQL injection is an old and well-known attack methodology that still plagues applications of all calibers. It remains a popular form of attack against websites because there are very few conditions that need to be satisfied for the flaw to appear.
Those conditions are: the web application uses a relational database, the application builds SQL queries from user input, and the application contains a flaw that lets that input alter the query.
During an SQL injection, an attacker manipulates an input string, such as a field on a login page, to insert an SQL snippet directly into the query to be executed. This is possible, for example, when an application developer feeds "unsanitized" user input directly into the construction of an SQL query.
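As an added illustration (not code from the original post), the two login checks below show the flaw just described beside its fix: one builds the SQL statement from user input with string formatting, the other passes the same input as bound parameters. It uses an in-memory SQLite database with constructed sample data; the table, user and password values are all made up for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: one user table in an in-memory SQLite database.
    Passwords are stored in clear only to keep the demo short; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement with string formatting, so user input becomes part of the SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values, so input is only ever data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against the same inputs and report what each one returns."""
    conn = make_db()
    # The textbook tautology: the concatenated WHERE clause ends up reading
    # ... AND password = '' OR '1'='1', which is true for every row.
    injected = "' OR '1'='1"
    results = {
        "vulnerable_with_injected_password": login_vulnerable(conn, "alice", injected),
        "safe_with_injected_password": login_safe(conn, "alice", injected),
        "safe_with_real_password": login_safe(conn, "alice", "correct-horse"),
    }
    # The same flaw also breaks on honest input: a single quote in a real password
    # turns into a syntax error instead of a failed login.
    try:
        login_vulnerable(conn, "alice", "o'brien")
        results["vulnerable_with_quote_in_password"] = "no error"
    except sqlite3.OperationalError:
        results["vulnerable_with_quote_in_password"] = "syntax error"
    return results
```

The error path is worth watching in application logs: a database syntax error triggered by a login form is a signal that the query is being assembled from raw input, whether the caller was an attacker or a user named O'Brien.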
Patching Problems: Maintaining an up-to-date patching program is not a simple task. Patch releases are not confined to Patch Tuesday, so an organization must keep its software properly maintained and be ready to test and deploy a patch at any time.
The biggest issue with patching is the time gap between when the vulnerability is made public and when your organization can put the patch in place. Once a vulnerability is known, threat actors immediately begin attempting to exploit it. So, it's imperative to either keep up to date or partner with a company that can do this heavy lifting for you.
Weak password management and authentication schemes allow attackers to assume the identity of legitimate database users. Specific attack strategies include brute force attacks and social engineering, namely phishing.
When it comes to data access, more is never better. Limit privilege access to databases and information to only those who need it to do their day-to-day jobs. If too many people have access, the odds increase that an attacker might compromise one account, then gain access to the network and database.
Most often, organizations extend privilege by mistake. For example, in some cases, an IT person may not realize that the individual does not require access to an area. In other cases, the person no longer needs the access they were once given. The best way to ensure that people have access only to the data they need is to conduct a regular access assessment.
The Database Threat Landscape
Organizations leave themselves open to attacks and breaches by not focusing on database security. The move to a remote workforce during the COVID-19 pandemic compounded this problem as more operations were moved to the cloud.
Risks and Responsibilities in the Cloud
Data assessment is key. It's easy for an organization to lose track of where its data lies, particularly in a world where different departments increasingly work within multi-cloud environments, cloud-based services, and applications. This setup makes it easy to lose sight of how many separate databases your organization controls, making it all but impossible to protect the data.
Those who, pre-COVID, kept their data on-premises might not realize that they remain responsible for the data's security when moving it to a cloud service. While cloud infrastructure providers are accountable for the security of their own infrastructure, they take on no liability for protecting your data. Your organization is still responsible for ensuring the database is secured, including basic functions such as making sure the database is properly locked down.
Once you have a good baseline of your database assets, the next step is performing regular vulnerability scans for database misconfigurations. Many of the most headline-grabbing breaches of 2019 were due to misconfigurations.
Some databases may not have any security or use "default passwords or exploitable settings." If a company is lucky, a security researcher will find, flag, and fix a misconfiguration before an attacker comes across this particular opening.
User Rights and Permissions
Without complete visibility of your database infrastructure, it's hard to maintain user rights and permissions. That means unauthorized users may access your database, whether they are former employees, contractors, or vendors. Data doesn't walk off by itself. It takes a compromised, careless or malicious human with elevated access to leak, alter or exfiltrate it. You need to regularly assess the relationships of users and applications and the data objects they have access rights to, so you can limit access to your most sensitive data.
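The assessment called for here and in the earlier paragraph on privilege (grants made by mistake, and grants that outlive a person's need for them) can be scripted. The following is an added example, not Trustwave's tooling; the account directory, role matrix and grant list are constructed sample data standing in for an HR export and a query of the database's privilege catalog.

```python
# Constructed sample inputs (not from the page). ACCOUNTS would normally come from
# the HR directory, GRANTS from the database's own privilege catalog.
ACCOUNTS = {
    "app_orders": {"role": "app_service", "active": True},
    "jsmith":     {"role": "analyst",     "active": True},
    "rdoe":       {"role": "analyst",     "active": False},  # left the company
    "dba_maria":  {"role": "dba",         "active": True},
}

# Privileges each role legitimately needs for its day-to-day work.
ROLE_NEEDS = {
    "app_service": {("orders", "SELECT"), ("orders", "INSERT")},
    "analyst":     {("orders", "SELECT")},
    "dba":         {("orders", "SELECT"), ("orders", "INSERT"), ("orders", "UPDATE"),
                    ("orders", "DELETE"), ("customers", "SELECT")},
}

# Grants actually present, as (grantee, object, privilege).
GRANTS = [
    ("app_orders", "orders", "SELECT"),
    ("app_orders", "orders", "INSERT"),
    ("jsmith", "orders", "SELECT"),
    ("jsmith", "customers", "SELECT"),      # granted by mistake; analysts don't need it
    ("rdoe", "orders", "SELECT"),           # never revoked after rdoe left
    ("dba_maria", "orders", "DELETE"),
    ("dba_maria", "customers", "SELECT"),
    ("svc_legacy", "customers", "SELECT"),  # no owner in the directory at all
]


def assess_grants(accounts, role_needs, grants):
    """Compare live grants with who should hold them; return (grantee, object,
    privilege, reason) for every grant that should be reviewed or revoked."""
    findings = []
    for grantee, obj, priv in grants:
        acct = accounts.get(grantee)
        if acct is None:
            findings.append((grantee, obj, priv, "no owner in directory"))
        elif not acct["active"]:
            findings.append((grantee, obj, priv, "inactive account still has access"))
        elif (obj, priv) not in role_needs.get(acct["role"], set()):
            findings.append((grantee, obj, priv, "exceeds role " + acct["role"]))
    return findings


def revoke_statements(findings):
    """Turn findings into the REVOKE statements a DBA would review before running."""
    return ["REVOKE %s ON %s FROM %s;" % (priv, obj, grantee)
            for grantee, obj, priv, _reason in findings]
```

Run on a schedule and diffed against the previous run, the findings list doubles as a detection: a grant that appears outside the change process is worth a ticket even before anyone uses it.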
The term "patch gap" refers to the time between when a security patch is issued by the manufacturer and applied by the user. Databases, like software, require upkeep and constant updating. If you miss a patch or update, you might be missing out on a critical fix for a known vulnerability. But with researchers discovering thousands of vulnerabilities every year, patching can become an overwhelming security challenge. Companies can reduce risks by continuously assessing their databases for vulnerabilities and monitoring the assets with unapplied patches for anomalies.
How organizations can reduce database risk
Security leaders should take an inventory of their organization's databases and classify them based on risk, determine what security measures are needed, leverage permission and access settings, and ensure databases are properly configured, patched, and use the right encryption.
As you build a process to tackle database security, remember that above all things, visibility is key. Once an organization attains good visibility, it can prioritize which databases require stricter security measures depending on what sensitive assets they hold. From there, one can build out processes for ensuring no databases are connected to the network without your knowledge.
Obtaining this level of visibility is easier said than done, and smaller organizations or those with a less mature security posture will be challenged implementing all these changes. However, using a purpose-built database security tool or solution will help you detect, identify, and classify all your databases, so you know the risk associated with each one.
Partnering with Trustwave
A purpose-built database assessment and monitoring solution will help automate these resource-intensive tasks, such as detecting and identifying your database landscape, and save the time and expense of purchasing and installing costly plug-ins to make a network scanning tool provide the necessary database insights. This will help you easily spot your patch gaps and misconfigurations.
Here is where Trustwave can step in and make all the difference, starting with our security team's Vulnerability Assessment policies.
We have 78 different policies that we check. These are custom checklists with specific target audiences in mind. Through these policies, we support various compliance regulations such as:
- Basel II
- Australian Government ISM and Australian Signals Directorate's ACSC
- Center for Internet Security (CIS) – Database Security Benchmarks for MySQL, Oracle Database, PostgreSQL, MongoDB, Microsoft SQL Server, IBM DB2 LUW and Sybase ASE
- DoD DISA Security Technical Implementation Guides (STIGs) for MySQL, Oracle Database, PostgreSQL, MongoDB, Microsoft SQL Server and IBM DB2 LUW
- EU Data Protection Directive
Trustwave also supports best practices through our policies for:
- General Best Practices
- Application Integrity
- Big Data
- Operating Systems
- Sensitive Data Discovery
- User and Account Profile
- Zero Trust (this one is new and was included in Trustwave's May 2022 release)
The types of checks we conduct help database administrators and security staff ensure that their data is well protected, and the databases are up to date on patches, preventing attackers from exploiting publicly disclosed vulnerabilities. This activity is cybersecurity 101, but security teams often ignore it, saying, 'but my database is in a separate network segment, etc.' However, an adversary or insider threat that has already infiltrated the network can easily circumvent that segmentation.
Trustwave can also ensure that permissions to access data are granular and follow best practices to minimize the impact of malicious insider activity, and that databases and operating systems are configured to minimize their attack surface and the impact a malicious user can have if successful.
Finally, Trustwave ensures database accounts are protected to follow best practices as implemented by the database system vendor and that logging is configured properly to allow for monitoring of database activities and forensic analysis.