Posted by: Robert Westervelt
New vulnerabilities list outlines the most common database problems that could lead to a costly data breach.
Database administrators are all too familiar with the issues outlined in Application Security Inc.’s new Top 10 database vulnerabilities list. From the use of default passwords to patching issues, database management systems have been known to be plagued with issues making them vulnerable to attack.
When I reported on database management issues, DBAs told me they were well aware of the common security issues that can lead to a data breach. But they often said the DBMSs containing sensitive data typically are surrounded by a number of different security systems, reducing the threat of an attack.
Top 10 Database Vulnerabilities
- Default, Blank & Weak Username/Password
- SQL Injections
- Extensive User & Group Privilege
- Unnecessary Enabled DB Feature
- Broken Configuration Management
- Buffer Overflows
- Privilege Escalation
- Denial of Service Attack (DoS)
- Unpatched Databases
- Unencrypted sensitive data – at rest and in motion
Common security practices
I’m reminded of an interview I conducted in 2003 with Oracle database expert and consultant Don Burleson. Although Burleson is best known as an Oracle consultant, much of his advice applies to just about any database management system. The most common security mistakes are made because DBAs fail to read the installation instructions, he said: default passwords and user IDs are easily left in place, and DBAs can also fail to limit access to the database, increasing the risk of intrusion.
The internal threat
One area that has come to light is database activity monitoring (DAM). Adrian Lane, chief technology officer of Securosis, recently outlined some of the problems enterprises can face when deploying DAM software. Security expert David Mortman of Echelon One wrote an expert tip outlining steps companies can take to mitigate the threat from insiders.