Thanks to modern technology, it’s getting easier to access precious data on databases. The loss of consumer information in high-profile data breaches underscores the need for safe practices.
I’ve identified some common unsafe practices that have led to a number of such data loss incidents.
Take a look at these 15 major security flaws:
1. Unencrypted sensitive data, particularly personally identifiable information (PII). The impact of a data breach can be lessened if sensitive data stored in databases is encrypted. Most of the time it isn’t. When data is encrypted, hackers can’t locate encryption keys on the server or extract information from running memory on a server.
2. Improper data retention on databases. In the Epsilon breach, for example, hackers accessed sensitive information from consumers who opted out of services. That data should have been deleted. Be sure to establish a protocol for the removal of unnecessary data on a regular basis.
3. Using sensitive data in nonproduction databases for testing. This practice, particularly the use of whole tables with real data, should be avoided at all costs. Testing datasets that do not relate to real data are the best way to limit your exposure.
4. Improper deletion of data backups and database dumps from server. Administrators often dump tables from the database on the same server, and then they simply delete them, instead of executing a secure deletion. Hackers have discovered that those dumps actually provide decrypted, sensitive consumer data that’s easy to recover.
5. Unlimited credentials for database accounts. It’s a problem when database accounts with the highest administrator access are part of a central domain. Hacking these accounts can open all doors to the whole network. Limiting credentials, especially on critical systems, adds another layer of protection.
6. Install proper access controls. Ensure proper integration of databases and resources that require access. Not having proper access controls in place often leads to a breach.
7. Database access privileges are granted to too many people. It can be a problem when database access with the highest privilege is granted to all team members. Make sure there is a proper separation or stratification of access privileges.
8. Improperly set access control to database tables. When this happens, users have access to more databases or tables as needed. Ensure proper access control to your data and also to applications that provide direct communication.
9. Unprotected passwords. Passwords to access databases can be found in the history of certain types commands, especially on the UNIX platform. How many stories have you heard about hackers viewing your shell history file?
10. Improper authentication. Applications can bypass authentication. Ensure that all applications require proper authentication.
11. Insecure data dumping. Database backups can be found online when there are improper settings on a web server directory. Administrators often dump databases on the Internet web server and leave them in the folder, where Google finds them, indexs them, and data are exposed. Hackers like Google dorking. Ensure secure deletion after dumping database data on publicly available Internet server.
12. Untested databases that are part of an Internet web portal. It’s essential to test these databases for vulnerabilities. SQL injection and Cross Site Scripting are the most common exposure on many systems, and they are most likely leveraged by hackers.
13. Vulnerable foundational system. In many cases, the underlying system is vulnerable to attacks. Make sure that the system running the database server is secure with the latest updates, not only database applications.
14. Unmonitored data base servers. Database servers often aren’t monitored for intrusion activities from system and application requests.
15. Faulty firewall protection. Implemented firewall and perimeter protection doesn’t filter any web attacks such as SQL injection and XSS.
Database security is an essential element of overall security maturity at enterprise level. Underestimating its value and not dedicating sufficient attention to developing a comprehensive data security plan can, in many instances, lead to data compromise.
Ondrej Krehel, Chief Information Security Officer, Identity Theft 911 Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.