June 8, 2008

The Human Factor

There has been a lot of buzz in the past few weeks regarding database attacks occurring via SQL injection. The truth is that many (or even most) database attacks occur through a completely different channel: compromised insiders.

In "Top Ten Database Hacks and How to Stop Them", an Imperva whitepaper published a couple of years ago, we identified the internal threat as the leading database threat. We gave the example of a university administrator being able to change grades. Ironically enough, last year this example turned into a real-life scenario when employees of Diablo Valley College abused their privileges in an ERP system to modify students' grades.

A few days ago, Kevin Beaver wrote a Microsoft SQL Server tip on how insiders hack databases. Kevin raises a couple of issues: first, that the Internet offers a large pool of free hacking and database assessment tools for the attacker's use, and second, that the small, "unkept" databases are a vulnerable target and should not be overlooked.

Kevin is correct to say that free database hacking tools are available, but I'd like to go further and say that there is no need to search the Internet for such (and sometimes obscure) tools when they are already at the attacker's fingertips, sometimes even as standard desktop tools. Take, for example, "Query Analyzer" by Microsoft or "SQL Plus" by Oracle. Even Microsoft Excel can be used as a hacking tool. I detail the steps taken to perform such a successful attack (and, of course, how to safeguard against one) in the ADC paper "An Anatomy of a Database Attack".

As for those servers that do not receive the maintenance and upgrade attention they require: it is precisely for this reason that database security assessments are necessary, and that they require a good automation tool for enterprise server discovery and enterprise data discovery, one that determines which database servers exist in the organization and, furthermore, what data is stored on them.
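To illustrate the data-discovery half of such an assessment, here is an added example that is not Imperva's tool or code from the original post: a small Python scanner that walks every table in a SQLite database, samples values from each column, and flags columns whose contents look like e-mail addresses, SSN-shaped identifiers or Luhn-valid payment card numbers. The in-memory database, its table names and every record in it are constructed for the demonstration, and the regular expressions are deliberately simple assumptions that a real assessment tool would refine (locale-specific identifiers, free-text columns, encrypted or hashed values).

```python
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# Assumed classifiers: a label and the pattern a whole cell value must match.
PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "ssn_shaped": re.compile(r"^\d{3}-\d{2}-\d{4}$"),   # US SSN layout only
    "card_shaped": re.compile(r"^\d{13,19}$"),         # PAN length range
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value) -> Optional[str]:
    """Return the first label whose pattern matches the value, or None."""
    if value is None:
        return None
    s = str(value).strip()
    for label, pattern in PATTERNS.items():
        if pattern.match(s):
            if label == "card_shaped" and not luhn_ok(s):
                continue        # digit run of card length but bad checksum
            return label
    return None


def discover_sensitive_columns(conn: sqlite3.Connection, sample_rows: int = 100,
                               threshold: float = 0.5) -> List[Tuple[str, str, str, float]]:
    """Sample each column of each user table and report (table, column, label,
    ratio) where at least `threshold` of the non-null sampled values match one
    sensitive-data pattern."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'   # identifier quoting
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({quoted})")]
        rows = conn.execute(f"SELECT * FROM {quoted} LIMIT {int(sample_rows)}").fetchall()
        for idx, col in enumerate(cols):
            counts: Dict[str, int] = {}
            non_null = 0
            for row in rows:
                if row[idx] is None:
                    continue
                non_null += 1
                label = classify_value(row[idx])
                if label:
                    counts[label] = counts.get(label, 0) + 1
            if not non_null:
                continue
            label, n = max(counts.items(), key=lambda kv: kv[1], default=(None, 0))
            ratio = n / non_null
            if label and ratio >= threshold:
                findings.append((table, col, label, ratio))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample schema: a student records system with a payments table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE students (id INTEGER, name TEXT, email TEXT, ssn TEXT);
        CREATE TABLE grades (student_id INTEGER, course TEXT, grade TEXT);
        CREATE TABLE payments (id INTEGER, card TEXT, amount REAL);
    """)
    conn.executemany("INSERT INTO students VALUES (?,?,?,?)", [
        (1, "Alice", "alice@example.edu", "123-45-6789"),
        (2, "Bob", "bob@example.edu", "987-65-4321"),
        (3, "Carol", "carol@example.edu", None),
    ])
    conn.executemany("INSERT INTO grades VALUES (?,?,?)", [
        (1, "CS101", "A"), (2, "CS101", "B"), (3, "CS101", "C"),
    ])
    conn.executemany("INSERT INTO payments VALUES (?,?,?)", [
        (1, "4111111111111111", 50.0),   # well-known Luhn-valid test number
        (2, "4111111111111112", 75.0),   # fails Luhn, so not counted
        (3, "5500000000000004", 20.0),   # well-known Luhn-valid test number
    ])
    return conn


if __name__ == "__main__":
    for table, col, label, ratio in discover_sensitive_columns(build_sample_db()):
        print(f"{table}.{col}: {label} ({ratio:.0%} of sampled values)")
```

Run against the constructed database, the scanner reports `students.email`, `students.ssn` and `payments.card` and stays silent on `grades`, which holds nothing pattern-shaped. The ratio threshold is what keeps a column with a single stray e-mail address from being reported as an e-mail column, and the Luhn check is what keeps order numbers and other long digit strings out of the card findings; both are the kind of tuning knobs a discovery tool needs once it is pointed at real, untidy servers.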
