Top Six Database AttacksMay 8, 2008 – 5:31 PM
It takes the average attacker less than 10 seconds to hack in and out of a database — hardly enough time for the database administrator even notice the intruder. So it’s no surprise that many database attacks go unnoticed by organizations until long after the data has been compromised.
And surprisingly, according to many experts, the database — home of the enterprise’s crown jewels — is still not secured properly in many enterprises. Malicious hackers are using shockingly simple attack methods to break into databases, such as exploiting weak passwords and lax configuration, and capitalizing on known vulnerabilities that go unpatched.
And don’t even get us started on the epidemic of missing backup tapes: If the lost or stolen tapes are unencrypted, you’re toast if a bad guy gets hold of them. No hack required.
“One of the biggest problems is that many database attacks are not even known” about, says Noel Yuhanna, principal analyst with The Forrester Group. “The typical database may have 15,000 to 20,000 connections per second. It’s not humanly possible to know what all of these [connections] are doing.”
Hackers are well aware of enterprises’ database patch dilemma — in fact, they’re banking on a backlog. Gone are the days when companies could lock down a handful of databases in the data center: Most organizations today have hundreds, even thousands of databases to configure, secure, and monitor — and remote users, customers, and business partners all need access to them.
“The big thing that bothers me is when I go to a customer’s site, usually their [database] configuration is so weak that it’s easy to exploit. You usually don’t need buffer overflow or SQL injection [attacks] because the initial setup of the database is totally insecure,” says Slavik Markovich, CTO of Sentrigo, a database security vendor.
Database attacks don’t have to be complicated with all of this low-lying fruit hanging around. “Those are basic configuration problems, so a hacker doesn’t have to do something really sophisticated because these easy things work,” Markovich says.