SQL Database Vulnerabilities
With more and more information being accessed online through publicly visible web applications and through APIs, both mobile and web, protecting a company's data is not getting any easier. The top 4 databases are Oracle, MS SQL Server and PostgreSQL, and most companies use some flavor of these to store and retrieve their information (ServerWatch, 2015). Each of these servers has its own specific vulnerabilities, but we can look at the broader categories of vulnerability they share when exposed to the public internet. The top 2 vulnerabilities of web-based databases are default or blank passwords and SQL injection (DarkReading, 2012).
Default and blank accounts are very common. Keeping up with thousands of accounts with blank or weak passwords seems almost impossible in a large company, and it has exposed many databases. There are a variety of reasons why this happens. The SANS Technology Institute (n.d.) states, “Simply not knowing that a password needs to be changed or assuming that their perimeter firewall will protect them from unauthorized access are some of the reasons for doing so.” Ultimately, administrators need to know that many of these default accounts are reachable from the public internet. Many viruses and malware have the default accounts programmed into their code and test each of them in turn. Voyager Alpha, for instance, scans the internet for port 1433, the port for MS SQL Server, and upon discovery attempts to log in with the blank password to gain access (SANS Technology Institute, n.d.). Removing default, blank and weak log-in credentials is an important first step in filling the chinks in your database armor (DarkReading, 2012).
SQL injection is another top vulnerability; it appears on almost every list, including DarkReading's top 10 and the OWASP Top 10. DarkReading (2012) defines it best by stating, “When your database platform fails to sanitize inputs, attackers are able to execute SQL injections similar to the way they do in Web-based attacks.” In a recent study, 65 percent of companies experienced an SQL injection that evaded their web-based defenses within a 12-month period (Ponemon Institute, 2014). The defenses against SQL injection include prepared statements in place of dynamic statements that place user input directly into the query text. Stored procedures, used safely, meaning that the stored procedure itself contains no unsafe dynamic SQL, can also strengthen the defenses against SQL injection.
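The following added example (not from the original essay or any cited source) shows the difference between the dynamic statement the paragraph warns against and a prepared statement, using Python's standard sqlite3 module and a constructed in-memory users table. It also goes one step beyond the text: parameters bind only values, so an identifier such as a sort column still has to be checked against a fixed allowlist. The table, rows, function names and the probe string are all assumptions made for this illustration.

```python
import sqlite3

# Constructed sample data (not from the original page): a small in-memory table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_dynamic(conn, username):
    """Dynamic SQL: the caller's string becomes part of the statement text.
    Kept here only to show the defect the essay describes; do not use."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, username):
    """Prepared statement: the statement shape is fixed and the value is bound
    as data, so quote characters in the input never change the query."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Binding covers values only. An identifier such as a sort column cannot be a
# parameter, so it is validated against a fixed allowlist before use.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users_sorted(conn, column):
    """Return all users ordered by an allowlisted column name."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    sql = "SELECT username, role FROM users ORDER BY " + column
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Constructed probe input: a single quote followed by an always-true clause.
    probe = "' OR '1'='1"
    print("dynamic, normal user:", lookup_dynamic(db, "bob"))
    print("dynamic, probe input:", lookup_dynamic(db, probe))   # every row leaks
    print("prepared, probe input:", lookup_prepared(db, probe))  # no rows: treated as a literal
    print("sorted by username:", list_users_sorted(db, "username"))
```

Running the script shows the dynamic lookup returning the whole table for the probe string, while the prepared lookup returns nothing because the same string is compared as a literal username. The allowlist in `list_users_sorted` is the pattern to reach for wherever a query needs a caller-chosen table or column name.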
DarkReading. (2012, November 1). The 10 most common database vulnerabilities. Retrieved from http://www.darkreading.com/vulnerabilities—threats/the-10-most-common-database-vulnerabilities/d/d-id/1134676
OWASP. (n.d.). SQL Injection Prevention Cheat Sheet. Retrieved from https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Ponemon Institute. (2014, April 12). The SQL injection threat study. Retrieved from http://www.ponemon.org/local/upload/file/DB%20Networks%20Research%20Report%20FINAL5.pdf
SANS Technology Institute. (n.d.). The risk of default passwords. Retrieved from http://www.sans.edu/research/security-laboratory/article/default-psswd
ServerWatch. (2015, September 8). Top 10 enterprise database systems in 2015. Retrieved from http://www.serverwatch.com/server-trends/slideshows/top-10-enterprise-database-systems-to-consider-2015.html