Databases are vitally important to modern businesses across all market sectors. They are the repository of an organization’s information resources, essential assets used to run its business and gain an edge over its competitors. Big data and the Internet of Things (IoT) have introduced new avenues for producing information that needs to be stored in databases for business purposes, such as predictive analytics and understanding customer trends.
The value attached to enterprise data is hard to overstate. Losing a single mission-critical database can spell disaster for a company. Sales or services can be crippled, resulting in the loss of customers and revenue. Having the information in a database compromised by falling into the wrong hands can ruin a business, with financial repercussions and far-reaching impacts on its reputation. Keeping databases operational and protected is an essential component of modern business strategy.
Unfortunately, the significance of these data stores makes them an inviting target for individuals and groups with malicious intentions. Sometimes, the goal may be to bring systems down and cause chaos for the associated organizations. Financial gain or industrial espionage is often at the root of other attempts to compromise or strike an organization’s databases. Hosting database instances with cloud providers and the widespread use of IoT devices present additional targets for attackers.
Protecting these valuable assets is complicated because an attack can be perpetrated by corporate insiders and unscrupulous third parties. Verizon’s most recent data breach investigation report published in May 2019 indicates that 69% of data breaches were committed by outsiders, with 34% involving internal actors. In some cases, insiders and outsiders worked together to compromise corporate data assets. Organized criminal groups were involved in 39% of incidents, with nation-states and affiliated entities responsible for 23% of breaches.
This blog will investigate security threats and policies that can impact a company’s databases. Knowing how your databases can be attacked is the first step in developing methods and adopting best practices that offer enhanced protection to these valuable information assets.
What Comprises Database Security?
There are three essential goals associated with database security. In broad terms, the concerns are the systems’ confidentiality, integrity, and availability, also known as the CIA triad. These aspects need to be the focus of security teams and defensive strategies.
- Confidentiality means that access to data is restricted to authorized personnel. Data privacy and confidentiality are closely linked, and the importance of keeping information confidential increases when it contains personal details which can be used to identify or compromise specific individuals.
- Integrity speaks to the accuracy of the information residing in a database. Measures must be taken to ensure that only authorized individuals or processes can modify the data when it is at rest and in transit. Inaccurate or redundant data can impact its quality and usefulness.
- Availability means that the data can be accessed by authorized entities whenever they need it. Unavailable databases or unexpected downtime can be very costly to an enterprise, making securing databases from attacks that impact their availability critically important.
Different types of database attacks may be directed at any or all of these general categories. In some cases, the goal may be to simply bring down the system, causing associated chaos to the enterprise. This type of attack is easily identifiable, though preventing it and recovering from its consequences are much more difficult objectives to accomplish.
Database integrity and confidentiality can be compromised using more subtle methods that can escape detection for an extended time. Security lapses of this type can entail extensive damage with ramifications far beyond correcting the problems that allowed the attack to be successful. Restitution may be required for entities whose confidential data has been compromised, and financial penalties can be imposed by regulatory agencies aimed at lax or incomplete security standards.
Types of Database Threats and Risks
The three components of the CIA triad can be attacked or compromised in many ways. These attacks present different challenges for organizations to address successfully and can be carried out by internal or external actors.
Elevated privileges
Sensitive enterprise data should be protected by restricting access to all but essential personnel and procedures. This is usually accomplished by providing IT teams with the access levels appropriate to their role concerning the data. Most users should have no access to the data and have no justifiable need for it.
Unfortunately, elevated privileges are impossible to totally avoid in an IT environment. Someone needs root access to systems to perform daily activities such as installing software or creating user accounts. Credentials that enjoy elevated privileges need to be guarded against misuse or from being compromised and falling into the hands of cybercriminals.
Abuse of legitimate privileges
Abusing the legitimate privileges that a user possesses is the hallmark of an insider attack. These threats are hazardous due to the methods individuals can use to mask their activities. Heightened privileges can be used to initiate malware infections, directly steal data, and make it very difficult to track down the perpetrator.
This type of privilege abuse can come from current or former employees. Strict access management controls can minimize the risk by immediately removing elevated privileges from users who no longer need them, including those who have left the company.
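The two sections above argue for restricting privileges to what a role actually needs and for removing them promptly when a person moves on. The following T-SQL is an added example, not code from the original post or from Idera, showing that pattern on a SQL Server database: a role that carries only read access to one schema instead of db_owner, the offboarding steps for a departed user, and a check that db_owner holds nobody unexpected. The database name SalesDb, the schema Reporting, the role sales_readers and the login CORP\jdoe are constructed placeholders.

```sql
-- Added example (not from the original post): least privilege on a SQL Server
-- database. SalesDb, Reporting, sales_readers and CORP\jdoe are placeholders.
USE SalesDb;
GO

-- 1. A role that carries only the rights the job needs: read access to one
--    schema. Nothing here allows the member to change data or permissions.
CREATE ROLE sales_readers;
GRANT SELECT ON SCHEMA::Reporting TO sales_readers;
GO

-- 2. Map the login to a database user and place it in the narrow role,
--    not in db_owner, which would hand over the whole database.
CREATE USER analyst_jdoe FOR LOGIN [CORP\jdoe];
ALTER ROLE sales_readers ADD MEMBER analyst_jdoe;
GO

-- 3. Offboarding: when the person leaves, remove the membership and the user,
--    then disable the login so the credential cannot be reused at all.
ALTER ROLE sales_readers DROP MEMBER analyst_jdoe;
DROP USER analyst_jdoe;
ALTER LOGIN [CORP\jdoe] DISABLE;
GO

-- 4. Verify that db_owner contains only the accounts the DBA team expects.
--    Any other name in this result is an elevated privilege to question.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = N'db_owner';
```

Step 3 is the piece most often skipped: dropping the database user alone leaves the server login usable elsewhere, so disabling the login (or dropping it once nothing else depends on it) is what actually closes the account.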
Malware infection
Malware is the accepted term for malicious software. It refers to software whose purpose is to cause damage to computer systems and networks or gain unauthorized access to sensitive information. Several different forms of malware use various techniques to attack their victims. Malware can be categorized by how it spreads and what it does once it accesses a system.
Malware variants infect their targets in three distinct ways.
- Worms are standalone programs that spread by reproducing and distributing from one computer to another.
- Viruses are inserted into the code of another potentially harmless or helpful software application. The virus forces the carrier to perform malicious activity and spread itself to other systems.
- Trojans are not self-replicating but are disguised as practical software tools to entice users to download and use them. Once activated, the program performs its destructive actions and may be spread to other users and systems.
Malware is also classified by what it does to systems once it successfully gains access. Here are some of the significant types of malware that corporations are likely to encounter.
- Spyware does what its name implies. Once it gains access to a system, it secretly gathers information that is usually sent to a third party. Spyware strives to remain undetected by affected users, and variations such as keyloggers are adept at stealing passwords and login credentials that enable perpetrators to quietly access sensitive data.
- A rootkit provides remote access and control over a compromised system by nefarious third parties. It is often a set of software tools that gains root or privileged access to its target and uses elevated capabilities to escape detection.
- Ransomware is a particularly vicious form of malware that encrypts data, making it unusable until financial demands are met. The economic damage of ransomware infections is increasing and now averages over $85,000 when considering the ransom, lost time, and associated costs of recovering from the attack.
Unsecured backup media
Numerous individuals from various companies often handle the storage media used for backups. Sending tapes offsite exposes the data on those tapes to individuals beyond the control of the corporation whose data is at risk. The primary defense against unauthorized access to this information is to encrypt the data before or during the backup procedure, making it impossible for nefarious actors to use it.
Faulty cloud configuration
As organizations continue to move more of their data to the public cloud, misconfigurations can disastrously impact security. Infrastructure as code (IaC) templates are becoming more prevalent as a method of streamlining cloud implementations and are often constructed without the appropriate security controls. By default, many cloud databases are not encrypted, exposing their information to anyone who obtains the necessary level of access.
Effectively Defending Corporate Databases
While at first glance it appears to be a monumental task to protect an organization’s databases, there are methods that, when properly implemented, can mitigate the risks. Failure to adhere to the following best practices will result in databases that can be compromised and attacked, inflicting severe damage on the enterprise.
- Perform a risk assessment to establish a database security baseline. This essential first step sets the stage for subsequent security initiatives. Developing baselines is the initial step in optimizing and improving aspects of an IT environment and is particularly pertinent from a security perspective. The assessment should address access, vulnerability, and policy management and provide an opportunity to uncover issues that can be immediately addressed for enhanced security.
- Establish database security and compliance policies. The lack of well-defined policies results in reactive rather than proactive measures when a data breach or security incident occurs. Developing strong policies and implementing them across all enterprise databases will minimize the chances of data being compromised.
- Identify users with excessive or unnecessary privileges. This entails thoroughly reviewing who has access to sensitive data and whether each privilege is still justified. Periodic inspections are necessary to keep pace with evolving business requirements, since elevated privileges are often assigned for specific projects and never removed afterwards.
- Conduct regular internal audits to test for database vulnerabilities and configuration issues. As systems and users are added to an IT environment, access rights must be adjusted accordingly, and an audit uncovers where they have not been. Security gaps can be closed before they can be used for malign purposes.
- Encrypt data when at rest and in transit. Suppose a data breach occurs and information is stolen. In that case, having it fully encrypted will make it useless to cybercriminals and protect the organization from the negative impacts on its finances and reputation. The underlying cause of the breach is still a major concern, but at least the sensitive data will not have been compromised. Sensitive data should be encrypted while resident in databases, and all data should be encrypted when backed up and sent offsite.
- Implement real-time database monitoring. Discovering suspicious database activity can be seen as the first line of defense against unauthorized access or malicious intruders. System administrators and security teams can quickly lock down access to systems showing signs of suspicious activity based on the information gleaned from monitoring.
A viable database monitoring strategy should focus on specific security aspects such as critical databases, privileged accounts, policy violations, and objects containing sensitive information. Suspicious user activity identified through monitoring warrants a thorough investigation to determine if it may indicate an attack from internal or external sources.
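The "unsecured backup media" section and the "encrypt data at rest and in transit" practice both come down to the same two controls on SQL Server: Transparent Data Encryption (TDE) for the data files and encrypted backups for the media that leaves the building. The script below is an added example, not code from the original post or from Idera, that sets both up on an on-premises instance and then runs the verification queries a reviewer would use to find databases or backups that are still in the clear. SalesDb, TdeCert, the file paths and the password placeholders are constructed; on hosted services such as Azure SQL Database or Amazon RDS the certificate handling is done by the platform, and the verification queries at the end are the part that carries over.

```sql
-- Added example (not from the original post): encryption at rest with TDE and
-- encrypted backups on SQL Server. Names, paths and passwords are placeholders.
USE master;
GO
-- 1. Key hierarchy: the database master key protects a certificate, and the
--    certificate protects each database's encryption key. Skip CREATE MASTER KEY
--    if the instance already has one.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong master key password>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = N'TDE certificate for SalesDb';
GO
-- Back the certificate up immediately and store it away from the server:
-- without it, neither the database nor its backups can be restored anywhere.
BACKUP CERTIFICATE TdeCert
    TO FILE = N'D:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = N'D:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong private key password>');
GO
-- 2. Turn on encryption at rest for the database.
USE SalesDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- 3. Encrypt the backup itself, so a tape or file handled by third parties is
--    unreadable without the certificate.
BACKUP DATABASE SalesDb
    TO DISK = N'E:\backups\SalesDb_full.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = TdeCert),
         COMPRESSION, CHECKSUM;
GO
-- 4. Verify data at rest: encryption_state 3 means encrypted. A user database
--    with state 0 (no key) or 1 (key present, not encrypted) is still stored
--    in the clear.
SELECT d.name,
       ISNULL(k.encryption_state, 0) AS encryption_state,
       k.key_algorithm
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE d.database_id > 4;   -- skip master, tempdb, model, msdb
-- 5. Verify the backups: a NULL encryptor_type means the backup was written
--    unencrypted and should not leave the site.
SELECT database_name, backup_finish_date, key_algorithm, encryptor_type
FROM msdb.dbo.backupset
WHERE backup_finish_date > DATEADD(day, -7, SYSDATETIME())
ORDER BY backup_finish_date DESC;
```

TDE and backup encryption cover data at rest and on media only. Encryption in transit is a separate setting: on SQL Server it is enforced with the instance's Force Encryption option and a TLS certificate, with clients connecting with Encrypt=True, so both halves of the practice need to be checked.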
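The practices on identifying over-privileged users, auditing configuration and monitoring activity in real time can all be driven from the catalog views and the SQL Server Audit feature. The following T-SQL is an added example, not code from the original post or from Idera: it lists who holds server-wide power, flags configuration options that widen the attack surface, creates a server audit that records failed logins and privilege changes, and reads the resulting audit trail. The audit name SecurityAudit, the specification name and the path E:\audit\ are constructed placeholders.

```sql
-- Added example (not from the original post): periodic privilege review plus
-- a SQL Server Audit for ongoing monitoring. Audit names and paths are placeholders.
USE master;
GO
-- 1. Who holds server-wide power? Members of the powerful fixed server roles...
SELECT r.name AS role_name, m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin', N'serveradmin')
ORDER BY r.name, m.name;

-- ...and anyone granted CONTROL SERVER directly, which is sysadmin in all but name.
SELECT p.name, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON sp.grantee_principal_id = p.principal_id
WHERE sp.permission_name = N'CONTROL SERVER';
GO
-- 2. Configuration drift for the internal audit: these options should stay off
--    unless a documented business need justifies them.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'remote access')
  AND value_in_use = 1;
GO
-- 3. Real-time monitoring: a server audit that records failed logins and any
--    change to role membership or server permissions. ON_FAILURE = CONTINUE
--    keeps the instance running if the audit target is unavailable.
CREATE SERVER AUDIT SecurityAudit
    TO FILE (FILEPATH = N'E:\audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION SecurityAuditSpec
    FOR SERVER AUDIT SecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO
-- 4. Read the trail: events from the last hour with the principal responsible
--    and the statement that triggered them. event_time is recorded in UTC.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'E:\audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time > DATEADD(hour, -1, SYSUTCDATETIME())
ORDER BY event_time DESC;
```

Steps 1 and 2 are the periodic review; step 3 is what turns it into monitoring, since every membership or permission change lands in the audit file as it happens rather than waiting for the next review. A burst of FAILED_LOGIN_GROUP events against a privileged account, or a SERVER_ROLE_MEMBER_CHANGE_GROUP event outside a change window, is exactly the kind of suspicious activity the paragraph above says warrants investigation.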
How Malicious Entities Gain Access to Databases
Phishing with infected emails is a prevalent method of attempting to compromise organizational data security. C-suite executives are tempting targets for these attacks, as they often have high-level privileges that make their credentials more valuable than those of the average employee. The use of artificial intelligence techniques to create deep fakes makes it even harder to judge the validity of electronic communication. Deep fakes open the door to new methods of enticing individuals to unwittingly compromise the data their organization needs to survive.
No organization knowingly allows its databases to be compromised by any of the methods discussed above. Gaining access to sensitive databases or embedding malware into systems can be done in many ways. All of them can be mitigated, if not eliminated, with proper training and diligence, strong security policies, and comprehensive monitoring. Organizations that value their data need to take these risks seriously. They need to do everything in their power to thwart the efforts of cybercriminals to cause damage to them and their customers.
Idera provides robust solutions for SQL Server, Azure SQL Database, and Amazon RDS for SQL Server:
- SQL Compliance Manager protects your data by monitoring activity and changes with powerful alerting and tamper-proof audit tools
- SQL Secure allows you to discover security vulnerabilities and user permissions for SQL Server instances