7.4: Databases and Security Issues

Last updated
Save as PDF

Page ID: 57270

\( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

Why Data Security is Important

It is the confidentiality, integrity, and availability (CIA) of the data in a database that need to be protected. Confidentiality can be lost if an unauthorized person gains entry or access to a database, or if a person who is authorized to view selected records in a database accesses other records he or she should not be able to view. If the data is altered by someone who is unauthorized to do so, the result is a loss of data integrity. And if those who need to have access to the database and its services are blocked from doing so, there is a resulting loss of availability. Security of any database is significantly impacted by any one or more of these basic components of CIA being violated (Nuramn, 2011).

There are various reasons for spending money, time, and effort on data protection. The main reason is reducing financial loss, followed by compliance with regulatory requirements, maintaining high levels of productivity, and meeting customer expectations (Petrocelli, 2005).

Both businesses and home computer users should be concerned about data security. The information stored in databases—client information, payment information, personal files, bank account details, and more—can be hard to replace, whether the loss results from

physical threats such as a fire or a significant power outage
human error that results in errors in the processing of information or unintended deletion of data, or from erroneous input
corporate espionage, theft, or malicious activity.

Loss of this data is potentially dangerous if it falls into the wrong hands (Why Data Security, n.d.).

It is in these three areas that a risk assessment of the database’s security and protection of the data should focus. Is there a backup procedure that would allow access to the data if the primary database is destroyed by a physical threat? That same backup procedure might be important in case the CIA of the database is inadvertently affected by human error. And what safeguards can/should be put in place to prevent incidents of espionage, theft, or other malicious activity? We will look again at risk assessments later on this page.

How Common Are Database Breaches?

Just how prevalent are the threats against databases? Is it worth the time, money, and personnel effort to ensure that the database is safeguarded? Remember the Target and Neiman Marcus problems that surfaced in late 2013? And the continuing saga of Edward Snowden and the NSA leaks? These may have been the most widely publicized data breaches of 2013. But they were definitely just two of many such database breaches. Database breaches are the exposure of database records containing personally identifiable information (PII) or other sensitive information to unauthorized viewers. Risk-Based Security (RBS), a group of consultants and founders of the Open Security Foundation (OSF), report that 2013 saw a record number of data records exposed via data breaches. Over 822 million such records were made available to persons who had no authority to view these records (Risk Based Security, 2014). But remember, the number of reported database breaches does not reflect the total number of breaches that occurred. Some companies do not report breaches in order to protect their reputations or to prevent customers from abandoning the company. The following is a shortlist of what RBS discovered.

The business sector accounted for 53.4% of reported incidents, followed by government (19.3%), medical (11.5%), education (8.2%), and unknown (7.6%).
Hacking was the cause of 59.8% of reported incidents, accounting for 72.0% of exposed records.
Of the reported incidents, 4.8% were the result of web-related attacks, which amounted to 16.9% of exposed records.
Four incidents in 2013 alone secured a place on the Top 10 All-Time Breaches list:
- Adobe—152 million records. Customer IDs, encrypted passwords, debit or credit card numbers, and other information relating to customer orders was compromised.
- Unknown organizations—140 million records. North Korean hackers exposed e-mail addresses and identification numbers of South Korean individuals.
- Target—110 million records. The information included customer names, addresses, phone numbers, e-mail addresses, credit/debit card numbers, PINs, and security codes.
- Pinterest—70 million records. A flaw in the site’s application programming interface (API) exposed users' e-mail addresses.

Even if you were not impacted by any of the above data breaches, if you have used a credit card, made an airline reservation, subscribed to a magazine, been a patient in a hospital, or shopped at a chain store (supermarket or department store), or if you are a member of an online social media site, your personally identifiable information (PII) is stored in a database. How vulnerable is your PII?

What Are the Most Common Causes of Database Breaches?

As evidenced by the NSA Snowden leaks and the Target breach, no database, and no government agency, company, or business is as secure as the owners of that database think. It is difficult for database administrators and security managers to keep pace with the new threats and vulnerabilities that continually emerge. And to compound the issues, every company/business/government has different security issues, making it a particularly hard challenge to standardize any one solution that fits all. However, there are some common threats and vulnerabilities that seem to occur repeatedly.

Threats

Unauthorized Access by Insiders

The malicious insider with approved access to the system is one of the greatest threats to database security.

People attack computers because that's where the information is, and in our hyper-competitive, hi-tech business and international environment, information increasingly has great value. Some alienated individuals also gain a sense of power, control, and self-importance through successful penetration of computer systems to steal or destroy the information or disrupt an organization's activities. (Threats to Computer Systems, n.d.)

Another scenario might involve employees affected by a workforce reduction who take customer account lists, financial data, or strategic plans with them when they leave. Proprietary information could end up in the hands of competitors or be widely disseminated online (Data Loss Prevention, n.d.).

Insiders may also be a threat to database security if they are granted database access privileges that go beyond the requirements of their job function, abuse legitimate database privileges for unauthorized purposes, or convert access privileges from those of an ordinary user to those of an administrator.

Accidental Breaches Resulting from Incorrect—but Not Malicious—Usage

The data breach is not always the result of a deliberate attempt to subvert data security; sometimes it is an unintended consequence. For example, employees might export data from the parent database system at work and send it, typically unencrypted, to personal e-mail addresses so they can work from home. The data then might be subsequently compromised on someone’s home computer. Or a data mining application might contain flaws that allow a user without the correct access credentials to stumble upon database records inadvertently. (Note: If the user deliberately continues to access the data without permission, this situation becomes a malicious insider threat.)

Unprotected Personal Hardware Collection

It is becoming increasingly common for data to be transferred to other personal mobile devices—USB flash drives, smartphones, tablets, and the like. It is rare now to find an employee who never uses a mobile device—personal or company-supplied—for business purposes. However, mobile devices continue to be a significant source of data breaches, stemming from a range of circumstances, including loss or theft of the devices, failure to install antimalware tools on the devices, or failing to password-protect a device being used for business purposes. Data is at risk if an employee stores any proprietary information on such a device or if that device is used to access a company's network and/or database (Bruemmer, 2014).

Stolen Laptops

Forgetful or careless laptop owners whose equipment is taken expose data on that laptop to persons not authorized to have access to the data. This can also happen if a laptop is replaced and the hard drive on the original machine is not properly erased or destroyed.

Weak Authentication

A legitimate database user typically is required to submit an ID and password in order to gain access to a protected database. Authentication is the process (internal to the database program itself) by which the credentials of the user are verified and access may be granted. If the process of authentication is weak, an attacker can assume the identity of a legitimate user by stealing or obtaining login credentials. Credentials may be illegitimately obtained by various means:

Credential theft. The attacker accesses password files or finds a paper on which the legitimate user has written down the ID and password.
Social engineering. The attacker deceives someone into providing the login ID and password by posing as a supervisor, IT maintenance personnel, or other authority.
Brute-force attacks. Have you ever been locked out of an account after attempting to log in more than three times with an incorrect password? If so, this is the simplest (and perhaps least effective) means of blocking a brute force attack, whether it is an attempt to access files on your machine or to access a database. However, not all password-protected systems, databases, or files block you from access after three attempts. For example, if you have put a lock on a file on your computer, you most likely have not set a limit on the number of attempts on that file. A brute-force attack is a password-guessing approach in which the attacker attempts to discover a password by systematically testing every combination of letters, numbers, and symbols until the correct combination is found. Depending upon the password's length and complexity, this can be a very difficult task to complete. However, there are widely available tools that hackers can use to find the password, and it can be difficult to block all the means by which hacker will try to find the password (Blocking Brute Force Attacks, 2007).

Exploiting Weaknesses in an Operating System or Network

Worms, viruses, or Trojan horses could be introduced into an unprotected or poorly protected operating system or computer network that supports the database, leading to potential unauthorized database access (loss of confidentiality), data corruption (loss of integrity), or denial of service (DOS), a loss of access to legitimate users. A DOS may be achieved by causing a server to stop functioning, or “crash,” flooding a network with message traffic or overloading resources on the computer, forcing it to stop handling additional tasks or processing.

Theft of Database Backup Tapes or Hard Drives

Database backups typically do not have the same security measures in place that the primary database employs. These backups may not be encrypted, and the media on which backups are stored are also unprotected. Theft of the backup media may allow the attacker full access to the data stored within the backup (Schulman, 2007).

Vulnerabilities

There are other means by which databases are exposed to security breaches, and these are considered vulnerabilities that may subject a database to a security breach. These are more passive, but they can do as much harm as direct threats:

Data at rest (unencrypted information) that is passively residing in storage within the boundaries of company computers, perhaps waiting to be moved to a secure database. Data at rest typically is not as well protected as data that has been entered into the database and enjoys the database security measures.
Data in motion is information that is being electronically transmitted outside the company’s protected network via e-mail or other communication mediums. For example, the data might be transferred to a backup facility that is not part of the internal storage media used for daily work. Or if the company uses the cloud for data storage backups, the transfer might take place outside of the company’s protected network. This can lead to a loss of sensitive data if there is a malicious attack via malware during the transfer process or during the execution of a flawed business process that allows unauthorized persons to view or obtain the data. (This is not the same as the accidental breach resulting from incorrect but not malicious usage noted above, where the home computer to which the data has been transferred is attacked or breached. That accidental breach occurred without any intention of harm by the employee.)
Poor architecture, in which security was not adequately factored into the design and development of the database structure. This vulnerability may not be discovered until there is an attempted or successful data breach.
Vendor bugs, particularly programming flaws that allow actions to take place within the database and with the data that were not intended or planned. Much like poor application architecture, this vulnerability may not be uncovered until there is an attempted or successful data breach.
An unlocked database is one that has no security measures in place to control access or auditing. This seems counterintuitive, but many home users employing a database for personal needs, or even for working on company data while at home, maybe working with an unlocked database (Nichols, n.d.;Data Loss Prevention, n.d.)

Risk Assessments

In the business environment, it is critical that a thorough risk assessment takes place and be periodically reviewed. The assessment should address:

who has access to what data
the circumstances under which access to the database may need to change
who maintains the passwords needed to access the database
who uses the company's computers for access to the internet, e-mail programs, etc., and how employees access those resources
what type of firewalls and anti-malware solutions to put in place
the training of the staff
who has responsibility for enforcement procedures related to data security (Why Data Security, n.d.)

There are identified solutions for each of the threats and vulnerabilities discussed here, including well-defined and enforced access policies, use of strong data encryption, vulnerability assessments, policies related to strong passwords, and installation of firewalls. There are companies that specialize in designing plans, procedures, and software to prevent data loss or data leakage. With data loss, the data is lost forever, either by deletion, theft, or data corruption. Data leakage allows unauthorized people to get access to the data, either by intentional action or by mistake. So data loss and data leakage can be intentional or unintentional, and both can be malicious or just human errors (VJ, 2013).

How Can You Protect Your PII?

Protecting databases and the data contained within can be a costly and all-consuming activity. But what does this mean for you, the individual who uses that credit card, makes airline reservations, files taxes online, subscribes to a magazine, has been a patient in a hospital, shops at a chain store, or is a member of an online social media site? Your PII is out there, stored in multiple databases. Obviously, you cannot implement security measures for the company, business, or government agency that holds your PII. But are there many measures you can take to better protect yourself? Here are a few rules of thumb that you can implement:

Keep your passwords to yourself.	Do not leave a slip with a list of passwords under your computer, or anywhere where it can be viewed or taken by someone. Just giving your password to a friend is not a good idea, either.
Use different passwords for different accounts.	Remembering multiple passwords can be a challenge, and it’s often convenient to use the same password for multiple accounts, ranging from Facebook and your bank account to your Twitter page. The danger here is that a compromise of any one of these accounts could also result in the compromise of others if the same password is used for multiple accounts.
Use strong passwords.	Many of your user IDs must have strong passwords to gain entry into one or more systems. In those instances when you can choose any password configuration, pick a strong password to protect your information.
Check your credit reports annually.	Sometimes people don’t learn that they’re victims of identity theft until their credit rating and identity are destroyed. It’s proactive to get copies of your credit reports from the credit bureaus and carefully review them for any errors. Be sure to follow-up with the credit bureaus to make any corrections to your reports, if needed. By law, you can get one free credit report from each of the three credit bureaus every year.
Google yourself.	Enter your own name in Google, Yahoo or other search engine and see what data comes up. Investigate any postings about yourself in the information that you find. Look for any suggestions that your PII may be compromised.
Remember that people can be a very weak link in security.	No matter how secure you make your passwords and how careful you are with your technology, there is always a human element to protecting your information.
Control physical access to your devices.	It’s important not leave laptops and other mobile devices unattended in public locations, like a coffee shop or other location with free WiFi. An unattended machine is at risk, for both theft and other security threats. When you aren't controlling physical access to your machine, you shouldn’t let it out of your sight.
Remember to logout of a website when you are finished using it.	Whether it’s your email, bank account, retail store shopping account or library account, always remember to logout when you leave the website.
Remember to lock your computer with a password when you are finished using it.	By requiring a password to access your computer (or other electronic device) you are protecting your information. You are also making your computer useless to a thief who cannot break password locks.

References

Blocking Brute Force Attacks. (2007). Retrieved March 17, 2014, from System Administration Database UVA Computer Science: http://www.cs.virginia.edu/~csadmin/...rute_force.php.
Bruemmer, M. (2014, January 21). How Mobile Devices Can Imperil Your Organization's Cyber Security. Retrieved March 17, 2014, from Experian Information Solutions.com: http://www.experian.com/blogs/data-b...yber-security/.
Dartnell, J. (2014, April 20). EMC: Digital universe data to grow tenfold by 2020. Retrieved from cnme: computer news middle east: http://www.cnmeonline.com/news/emc-d...nfold-by-2020/.
Data Loss Prevention: Keeping sensitive data out of the wrong hands. (n.d.). Retrieved March 17, 2014, from Price Waterhouse Cooper Advisory Services/security: http://www.pwc.com/en_US/us/increasi...prevention.pdf.
Nichols, E. (n.d.). Eleven specific solutions to today's most common database security threats and vulnerabilities.Retrieved March 16, 2014, from University of Oregon: http://aimdegree.com/research/ebrief...eb-nichols.php.
Nuramn, A. (2011, August 10). Database Security. (L. Stonecypher, Editor) Retrieved April 29, 2014, from Bright Hub: http://www.brighthub.com/computing/s...les/61400.aspx.
Risk Based Security. (2014, February 18). Data Breach QuickView. Retrieved from Risk Based Security: https://www.riskbasedsecurity.com/re...hQuickView.pdf.
Threats to Computer Systems. (n.d.). Retrieved March 16, 2014, from USDA.gov: http://www.dm.usda.gov/ocpm/Security...ut/Threats.htm.
Vishen, N. (2013, April 20). Largest Databases of the World. Retrieved from Neeraj0dba.blogspot: http://neeraj-dba.blogspot.com/2013/...-of-world.html.
VJ (2013, April 2). Is There a Difference Between Data LOSS and Data LEAKAGE Prevention?. Retrieved March 28, 2014, from Rational Survivability: http://www.rationalsurvivability.com...ge-prevention/.
Why Data Security is of Paramount Importance. (n.d.). Retrieved March 21, 2014, from SpamLaws.com: http://www.spamlaws.com/data-security-importance.html.
Petrocelli, T. (2005). "The Changing Face of Data Protection." InformIT. Retrieved May 1, 2019, from http://www.informit.com/articles/art...22303&seqNum=3.