Good hackers today are businesspeople, assessing each target for
the simplest and most profitable attack scenarios. These days,
there are probably no plumper targets than enterprise
databases.
Databases house companies' easiest-to-sell confidential data:
customer lists, payroll records, and many other structured
inventories of sensitive information. Database administrators tend
not to be steeped in security practices, and the databases
themselves are frequently tied to Web applications that have turned
out to be easy to hack.
In its annual breach study, Verizon Business' computer forensics
team reported that databases made up 30 percent of data compromises
in 2008. Worse, database breaches accounted for 75 percent of all
records reported breached. Because sensitive information is often
found in a single database, a single breach can lead to major
damage.
"When you get down to it, a large percentage of the security
threats potentially go after the database," says Rich Mogull,
analyst and founder of Securosis, an enterprise security consulting
firm. Most information security practitioners grow up on the
networking side of IT and know little about database technology,
adds Mogull. And a recent Forrester Research study found that
database administrators spend less than 5 percent of their time on
database security.
"I'd say that of the calls I take on this subject, at least
two-thirds of the time, the database folks aren't involved," says
Jeffrey Wheatman, Gartner's research director of information
security and privacy. "I think that's a problem, because when
you're monitoring or securing something you don't really
understand, you need to bring in a subject-matter expert to help
you."
Many database security vulnerabilities are caused by simple
lapses in security. In a 2008 poll, the Independent Oracle Users
Group found that 26 percent of organizations take more than six
months to install security patches on Oracle databases; 11 percent
have never patched them. "Production databases don't get patched
nearly often enough, because they're busy database servers and
people will say, 'If it isn't broken, don't fix it,'" says Adam
Muntner, a partner at QuietMove, a vulnerability assessment
firm.
Companies often make mistakes that leave databases vulnerable,
such as leaving test databases on production servers or linking
sensitive data to easily hacked Web-facing applications. "I think
that the biggest threat to databases is Web applications and the
business logic vulnerabilities within them," Muntner says.
Close ties with Web applications can make databases vulnerable
to SQL injection attacks, whereby attackers input strings of SQL
code into weak Web applications fields. They can then raid the
database linked to a specific Web application, and also use the
link between the Web application and the database to launch more
expansive attacks on entire database servers. According to IBM's
ISS X-Force security research unit, SQL injection flaws last year
were the Internet's most commonly exploited Web application
vulnerability, growing by 134 percent over 2007.