DBMS Vulnerabilities And
Threats
(Broken Authentication)
https://www.zdnet.com/article/the-top-ten-most-common-database-security-vulnerabilities/
DATABASES
• Enterprise database and information storage infrastructures, holding the crown
jewels of an organisation, are subject to a wide range of abuses and attacks,
particularly when left vulnerable by poor system design or configuration.
• Databases are a key target for cybercriminals due to the often valuable nature of
sensitive information locked away inside.
• Whether the data is financial or holds intellectual property and corporate secrets,
hackers worldwide can profit from breaching a business's servers and plundering its
databases.
TOP 10 VULNERABILITIES – 1) DEPLOYMENT FAILURES
• The most common cause of database vulnerabilities is a lack of due care at the
moment they are deployed.
• Although any given database is tested for functionality, to make sure it is doing
what it is designed to do, very few checks are made to confirm that the database is
not doing things it should not be doing.
TOP 10 VULNERABILITIES – 2) BROKEN DATABASES
• The SQL Slammer worm of 2003 was able to infect more than 90 percent of vulnerable
computers within 10 minutes of deployment, taking down thousands of databases in
minutes. This worm took advantage of a bug that was discovered in Microsoft's SQL
Server database software the previous year, but few system administrators installed a fix,
leaving computers vulnerable.
• The worm spread by exploiting a buffer-overflow vulnerability, and its success
demonstrates how critical it is to install security patches and fixes.
• However, whether for lack of time or resources, not enough businesses keep their systems
regularly patched, leaving databases vulnerable.
SQL Slammer is a worm that targets unpatched Microsoft SQL Server 2000 servers. The worm spreads
between servers, increasing traffic on UDP port 1434 and causing heavy network traffic that can
slow down network performance and lead to denial of service. SQL Slammer does not carry a
destructive payload.
TOP 10 VULNERABILITIES – 3) DATA LEAKS
• Databases may be considered a "back end" part of the office, secure from Internet-based
threats (and so their data need not be encrypted), but this is not the case.
• Databases also expose a networking interface, so hackers are able to capture this type
of traffic and exploit it.
• To avoid such a pitfall, administrators should use SSL- or TLS-encrypted communication
platforms.
TOP 10 VULNERABILITIES – 4) STOLEN DATABASE BACKUPS
• External attackers who infiltrate systems to steal data are one threat, but what
about those inside the corporation?
• The report suggests that insiders are also likely to steal archives — including
database backups — whether for money, profit or revenge.
• This is a common problem for the modern enterprise, and businesses should
consider encrypting archives to mitigate the insider risk.
TOP 10 VULNERABILITIES – 5) THE ABUSE OF DATABASE FEATURES
• The research team says that over the past three years, every database exploit
they've seen has been based on the misuse of a standard database feature. For
example, a hacker can gain access through legitimate credentials before forcing
the service to run arbitrary code.
• Although the exploits themselves are complex, in many cases this access was gained
through simple flaws that allow such systems to be taken advantage of or bypassed completely.
• Future abuse can be limited by removing unnecessary tools — not by destroying
the possibility of zero-day exploits, but by at least shrinking the surface area
hackers can study to launch an attack.
TOP 10 VULNERABILITIES – 6) A LACK OF SEGREGATION
• The separation of administrator and user powers, as well as the segregation of
duties, can make fraud or theft by internal staff more difficult.
• In addition, limiting the power of user accounts may make it harder for a hacker
to take complete control of a database.
TOP 10 VULNERABILITIES – 7) HOPSCOTCH
• Rather than taking advantage of buffer overflow and gaining complete access to
a database in the first stage, cybercriminals often play a game of Hopscotch:
finding a weakness within the infrastructure that can be used as leverage for
more serious attacks until they reach the back-end database system. For example,
a hacker may worm their way through your accounts department before hitting
the credit card processing area.
• Unless every department has the same standard of control, creating separate
administrator accounts and segregating systems can help mitigate the risk.
TOP 10 VULNERABILITIES – 8) SQL INJECTIONS
• A popular method for hackers to take, SQL injections remain a critical problem in the
protection of enterprise databases.
• In a SQL injection attack, an attacker typically inserts (or “injects”) unauthorized SQL
statements into a vulnerable SQL data channel.
• Targeted data channels include stored procedures and Web application input
parameters.
• These injected statements are then passed to the database, where they are executed.
For example, in a web application the user enters a query fragment instead of his name.
Using SQL injection, attackers may gain unrestricted access to an entire database.
• Applications are attacked through unsanitized variables: malicious code is inserted
into strings that are later passed to an instance of SQL Server for parsing and
execution.
TOP 10 VULNERABILITIES – 8) SQL INJECTIONS (CONTINUED)
1. Avoid the use of dynamic queries within applications. Use of prepared
statements with parameterized queries will stop SQL injection.
2. Implement user input validation before that input is passed to the application.
This is a very worthwhile additional defence which also helps towards many
other attacks.
3. The best ways to protect against these threats are to protect web-facing
databases with firewalls and to test input variables for SQL injection during
development.
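As an added illustration, not code from the slides, the web-application name lookup described above in its vulnerable form beside the first two countermeasures just listed (a parameterized query and input validation). It uses Python's sqlite3 module with an in-memory table standing in for the MySQL server; sqlite3 uses the same `?` positional placeholders, and the sample users are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the original slides): a tiny users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database standing in for the MySQL back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form: the user-supplied name is spliced into the query text.

    Whatever the user typed becomes part of the SQL the server parses, so a
    name that is really a query fragment changes the statement's meaning.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The hardened form: a fixed statement template with a ? placeholder.

    The template is compiled first; the name travels separately as a bound
    value, so it is compared as data and never parsed as SQL.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_username(name: str) -> bool:
    """Input validation as the additional layer listed above: an allowlist of
    what a real username may look like. Defence in depth, not a substitute
    for the parameterized query."""
    return 1 <= len(name) <= 32 and name.isalnum()


def lookup_defended(conn: sqlite3.Connection, name: str) -> list:
    """Validate first, then run the parameterized query."""
    if not is_valid_username(name):
        return []
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    # A normal request behaves the same on every path: one row for alice.
    print(lookup_vulnerable(db, "alice"))
    print(lookup_parameterized(db, "alice"))
    # The user "enters a query fragment instead of his name".
    fragment = "' OR '1'='1"
    print(lookup_vulnerable(db, fragment))     # every row: the whole table leaks
    print(lookup_parameterized(db, fragment))  # no rows: nobody has that literal name
    print(lookup_defended(db, fragment))       # rejected before reaching the database
```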
MYSQL PHP API – PREPARED STATEMENT
• The MySQL database supports prepared statements.
• A prepared statement or a parameterized statement is used to execute the same statement
repeatedly with high efficiency. The database parses, compiles, and performs query
optimization on the SQL statement template, and stores the result without executing it.
• The prepared statement execution consists of two stages: prepare and execute.
• At the prepare stage a statement template is sent to the database server.
• The server performs a syntax check and initializes server internal resources for later use.
• The MySQL server supports anonymous, positional placeholders marked with ?.
• Prepare is followed by execute. During execute the client binds parameter values and sends
them to the server. The server creates a statement from the statement template and the
bound values to execute it using the previously created internal resources.
Prepare (code example on the slide, taken from https://dev.mysql.com/doc/apis-php/en/apis-php-mysqli.quickstart.prepared-statements.html)
Bind And Execute (code example on the slide, taken from https://dev.mysql.com/doc/apis-php/en/apis-php-mysqli.quickstart.prepared-statements.html)
PREPARED STATEMENTS AND BOUND PARAMETERS
Prepared statements basically work like this:
• Prepare:
• An SQL statement template is created and sent to the database.
• Certain values are left unspecified, called parameters (labeled "?"). Example: INSERT INTO MyGuests VALUES(?, ?, ?)
• The database parses, compiles, and performs query optimization on the SQL statement template,
and stores the result without executing it.
• Execute:
• At a later time, the application binds the values to the parameters, and the database executes the
statement.
• The application may execute the statement as many times as it wants with different values.
PREPARED STATEMENT VS SQL STATEMENT
Compared to executing SQL statements directly, prepared statements have three main advantages:
• Prepared statements reduce parsing time, as the preparation of the query is done only once
(even though the statement is executed multiple times).
• Bound parameters minimize bandwidth to the server, as you need to send only the parameters each
time, not the whole query.
• Prepared statements are very useful against SQL injections, because parameter values, which are
transmitted later using a different protocol, need not be correctly escaped. If the original
statement template is not derived from external input, SQL injection cannot occur.
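An added example, not from the slides, of the prepare-once, execute-many flow with the MyGuests template and of the caveat in the last bullet: the guarantee holds only while the statement template itself is program text, which is exactly where column names chosen by a user tend to break it. It again uses Python's sqlite3 module with an in-memory MyGuests table in place of MySQL; the guest rows and the allowlist of sortable columns are constructed for the example.

```python
import sqlite3

# Constructed sample rows (not from the original slides) for the template
# INSERT INTO MyGuests VALUES(?, ?, ?): (firstname, lastname, email).
# The apostrophe in O'Brien would break a string-concatenated INSERT;
# bound as a parameter it needs no escaping at all.
GUESTS = [
    ("John", "Doe", "john@example.com"),
    ("Mary", "Moe", "mary@example.com"),
    ("Julie", "Dooley", "julie@example.com"),
    ("Robert", "O'Brien", "rob@example.com"),
]

# The only identifiers the program is willing to put into a statement template.
SORTABLE_COLUMNS = {"firstname", "lastname", "email"}


def fresh_db() -> sqlite3.Connection:
    """In-memory database standing in for the MySQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyGuests (firstname TEXT, lastname TEXT, email TEXT)")
    return conn


def load_guests(conn: sqlite3.Connection, rows) -> int:
    """Prepare once, execute many: one fixed template, a fresh set of bound
    values per execution. Returns the number of rows inserted."""
    cur = conn.executemany("INSERT INTO MyGuests VALUES (?, ?, ?)", rows)
    conn.commit()
    return cur.rowcount


def guests_sorted_placeholder(conn: sqlite3.Connection, column: str) -> list:
    """Why developers are tempted to splice identifiers in: a bound value is a
    constant, so ORDER BY ? sorts every row by the same string and has no
    effect. Placeholders stand for values, never for column or table names."""
    sql = "SELECT firstname, lastname FROM MyGuests ORDER BY ?"
    return conn.execute(sql, (column,)).fetchall()


def guests_sorted_unsafe(conn: sqlite3.Connection, column: str) -> list:
    """The trap: the template is now derived from external input, so whatever
    the caller passes is parsed by the server as SQL. Passing 'lastname DESC'
    reverses the order, and an unknown name is rejected by the SQL parser
    rather than by the application."""
    sql = "SELECT firstname, lastname FROM MyGuests ORDER BY " + column
    return conn.execute(sql).fetchall()


def guests_sorted_safe(conn: sqlite3.Connection, column: str) -> list:
    """Keep the template under program control: accept only an allowlisted
    identifier and reject everything else before the database sees it."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    sql = "SELECT firstname, lastname FROM MyGuests ORDER BY " + column
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print(load_guests(db, GUESTS))                    # 4 rows, O'Brien stored as typed
    print(guests_sorted_safe(db, "lastname"))         # Doe, Dooley, Moe, O'Brien
    print(guests_sorted_unsafe(db, "lastname DESC"))  # input rewrote the statement
    print(guests_sorted_placeholder(db, "lastname"))  # bound constant: not sorted
```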
TOP 10 VULNERABILITIES – 9) SUB-STANDARD KEY MANAGEMENT
• Key management systems are meant to keep keys safe, but the research team
often found encryption keys stored on company disk drives.
• Database administrators sometimes falsely believe these keys have to be left on
the disk because of database failures, but this isn't true — and placing such keys
in an unprotected state can leave systems vulnerable to attack.
TOP 10 VULNERABILITIES – 10) DATABASE INCONSISTENCIES
• The researchers found that the common threat which brings all of these
vulnerabilities together is a lack of consistency, which is an administrative rather
than database technology problem.
• System administrators and database developers need to develop a consistent
practice in looking after their databases, staying aware of threats and making sure
that vulnerabilities are taken care of.
• This isn't an easy task, but documentation and automation to track and make
changes can ensure that the information contained in enterprise networks is kept
secure.
AN ATTACKER CAN BE CATEGORIZED INTO THREE CLASSES
An attacker can be categorized into three classes:
• Intruder
An intruder is an unauthorized user who illegally accesses a computer system and tries to extract
valuable information.
• Insider
An insider is a person who belongs to the group of trusted users but abuses her privileges and tries
to get information beyond her own access rights.
• Administrator
An administrator is a person who has privileges to administer a computer system, but uses those
administration privileges illegally, against the organization's security policy, to spy on DBMS behaviour
and to get valuable information.
