Database Security

Posted on Nov 27, 2017

The purpose of this blog is to highlight the points we must follow while developing any product within an organization.

Database security is a major concern for any organization. If anything has value, it is data. Database security is more than just important: it is an absolutely essential part of any organization. Every piece of data that has some value must be kept confidential and secure. Let’s cover some basic but essential points that must be taken care of to secure data, databases, and stored functions and procedures.

Let’s first discuss what Database Security is.

What is Database Security

It refers to securing the store where we keep our data. We protect the database from illegitimate use and from malicious threats and attacks.

It is similar to securing our house or our assets by putting a lock on them so that only the person holding the key can open it. This ensures that only authorized personnel have access to their respective data.

Before discussing more on database security, let’s discuss some security threats to the database.

Threats to database security

Definition: A threat, in the context of computer security, refers to anything that has the potential to cause serious harm to a computer system.

In computer security, a threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm.

Following are some threats that harm our database security:

Excessive privileges

Database privileges can be misused in many ways. A user who holds a privilege can delete data or write wrong data to a particular field. The user may abuse the privilege for an unauthorized purpose.

Misuse of privileges can be done in any of the following ways:

  • Excessive privilege abuse: Having more permissions than required and misusing them is called excessive privilege abuse. For example, suppose you have the right to view only your own data, but you somehow have access to your colleague's data too and you use it maliciously; this is excessive privilege abuse.
  • Legitimate privilege abuse: Suppose an employee can view the data of his/her junior employees and has the right to alter it. If, for any reason, he/she alters employee data when that is not required, this is legitimate privilege abuse.

This type of threat is very serious, as an authorized person is misusing data. Such threats harm an organization greatly, because once an employee has the privilege, he can abuse his colleagues' or juniors' data for any personal reason.

SQL Injection

Every time we want to access data in the database, we execute statements or queries. These queries are generated dynamically from web page input.

When these queries are modified or replaced by malicious statements, the threat is called SQL Injection.

These malicious statements are used to destroy the database. SQL injection is one of the most common web hacking techniques.

SQL Injection is of two types:

  • SQL Injection: Targets traditional database systems. These attacks usually involve injecting unauthorized statements into the input fields of applications.

Example: Suppose you want to view the user whose user id is 105; then the query below is executed each time you make a request from the web.

Original query

SELECT * FROM Users WHERE UserId = 105;

The above query can be replaced by a malicious statement that always gives a true condition to the database and returns the entire data of the user whose user id is 105.

Malicious statement

SELECT * FROM Users WHERE UserId = 105 OR 1=1;

This query will always evaluate to true and will return the entire record of the user whose user id is 105.
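The two queries above, run against a constructed three-row Users table in SQLite, as an added example that is not part of the original post. The concatenated lookup returns every row in the table for the `105 OR 1=1` input, because the added condition is true for each row, while the parameterized lookup binds the same input as a value and matches nothing. The function names and sample rows are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """In-memory Users table filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [(104, "alice"), (105, "bob"), (106, "carol")])
    return db

def lookup_concatenated(db, user_id):
    """Vulnerable: the request value is pasted into the SQL text."""
    query = "SELECT * FROM Users WHERE UserId = " + user_id
    return db.execute(query).fetchall()

def lookup_parameterized(db, user_id):
    """Hardened: the value is bound to a placeholder and treated only as data."""
    query = "SELECT * FROM Users WHERE UserId = ?"
    return db.execute(query, (user_id,)).fetchall()

def compare(user_id):
    """Run the same request value through both lookups."""
    db = make_db()
    return lookup_concatenated(db, user_id), lookup_parameterized(db, user_id)

if __name__ == "__main__":
    for value in ("105", "105 OR 1=1"):
        concatenated, parameterized = compare(value)
        print(f"{value!r}: concatenated={concatenated} parameterized={parameterized}")
```
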

  • NoSQL Injection: Targets big data platforms. This type involves inserting malicious statements into big data components such as Hive and MapReduce.

Example

{
  "username": "admin",
  "password": {"$gt": ""}
}

Here ‘$gt’ is a MongoDB operator that means: fetch records where the value is greater than the null string. It will give access to the admin user account.
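A type check on the request body that stops the operator object above from reaching the query, shown as an added example that is not part of the original post. `matches` is a toy stand-in for MongoDB's filter evaluation (equality and `$gt` only), and the stored record, function names and plain-text password field are constructed for illustration.

```python
import json

# Constructed sample record standing in for one document in a users collection.
USERS = [{"username": "admin", "password": "constructed-secret"}]

# The request body from the example above.
PAYLOAD = '{"username": "admin", "password": {"$gt": ""}}'

def matches(doc, flt):
    """Toy stand-in for MongoDB filter matching: equality and $gt only."""
    for field, cond in flt.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            ok = (set(cond) == {"$gt"} and isinstance(value, str)
                  and value > cond["$gt"])
            if not ok:
                return False
        elif value != cond:
            return False
    return True

def find_user(flt):
    """Return the first stored record that satisfies the filter, or None."""
    return next((doc for doc in USERS if matches(doc, flt)), None)

def login_naive(raw_body):
    """Vulnerable: parsed JSON values go into the filter unchanged."""
    body = json.loads(raw_body)
    return find_user({"username": body["username"],
                      "password": body["password"]})

def login_checked(raw_body):
    """Hardened: both fields must be plain strings before they reach the filter."""
    body = json.loads(raw_body)
    for field in ("username", "password"):
        if not isinstance(body.get(field), str):
            raise ValueError(f"{field} must be a string")
    return find_user({"username": body["username"],
                      "password": body["password"]})
```
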

Loss of Data Integrity

Includes data corruption and invalid data. Compromised data harms the organization in many ways.

  • Entering, creating and/or acquiring data
  • Processing and/or deriving data
  • Storing, replicating and distributing data
  • Archiving and recalling data
  • Backing up and restoring data
  • Deleting, removing and destroying data

Loss of Data availability

This can happen if network security has been compromised and data is stolen before reaching the actual user.

These are the causes that can compromise database security. Security must be the primary concern for any organization. It must be followed through all levels of the organization to build a strong security zone for database storage.

Now let’s discuss some points which must be followed by developers before working with the database.

Database security methods which must be followed by every developer are discussed below.

Isolation of Database from Server

Always keep the database server separate from the web server. Many times the database is deployed on the same server on which the project is running. This is a bad practice; we must put our database on a different server.

Putting the database on the same server makes it easy for an attacker to access it. They only have to crack the administrator account on one server to have access to everything.

So we should avoid this situation by putting our database on a different server that has a firewall in front of it.

Keep your Files and backups Encrypted

We keep our files and other confidential information in our database, generally in simple text format. This simple text is easily readable by others. It is not always an outside attacker who steals information; sometimes a trusted person who works with the database also steals or destroys information. So we should avoid these situations by encrypting files and backups too. We must encrypt important or confidential data that has some value.

Use a Web Application Firewall

We must use a firewall for our web application. It not only secures our website from cross-site scripting vulnerabilities and website vandalism; a good firewall can also restrict SQL injection.

DBA plays a key role in DB Security

We must have a DBA for our DB. DBAs play an important role in maintaining database security and other required operations. They keep track of all the operations that take place in the database.

Minimize use of third-party apps

Use of third-party libraries makes an attacker's task of getting access to the database easier. If any such app pulls data from our database, it can harm our data. We should avoid using these types of libraries. If you are using any third-party library in your project, make sure it is verified by valid sources.

  • Mongoose is an example of a third-party library which is verified and trustworthy.

Create Temporary tables or Views

To increase security in our database we should create multiple views or temporary tables for the data that web applications access frequently. Using these methods we keep the web application away from our original database tables. Any modification or alteration does not directly affect our original database. This also helps to speed up our queries, as the query has to process fewer records, which avoids processing overhead.
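A view that keeps the web application away from the base table, shown in SQLite as an added example that is not part of the original post. The table, the view and the column names are constructed for illustration: the view hides the salary column, and a write attempted through it is refused.

```python
import sqlite3

def make_db():
    """Base table with a sensitive column, plus the view the web app is pointed at."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT,
                                dept TEXT, salary INTEGER);
        INSERT INTO employees VALUES (1, 'alice', 'eng', 9000),
                                     (2, 'bob', 'ops', 7000);
        CREATE VIEW employee_directory AS
            SELECT id, name, dept FROM employees;
    """)
    return db

def directory_columns(db):
    """Column names the application can see through the view."""
    cur = db.execute("SELECT * FROM employee_directory")
    return [col[0] for col in cur.description]

def update_through_view(db):
    """Attempt a write via the view; return the engine's error text if refused."""
    try:
        db.execute("UPDATE employee_directory SET name = 'mallory' WHERE id = 1")
        return "updated"
    except sqlite3.OperationalError as exc:
        return str(exc)

def base_names(db):
    """Names as stored in the base table, to confirm nothing changed."""
    return [row[0] for row in db.execute("SELECT name FROM employees ORDER BY id")]

if __name__ == "__main__":
    db = make_db()
    print(directory_columns(db))
    print(update_through_view(db))
    print(base_names(db))
```

SQLite views are read-only and SQLite has no GRANT statement. Engines such as PostgreSQL and MySQL allow updates through simple views, so there it is the application account's grants (SELECT on the view only, nothing on the base table) that block writes.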

Conclusion

To summarize, access protection begins with who can access data and what type of data attackers want to access. There is a lot of scope to improve the techniques used for database security.

According to the survey, the following report has been generated.

  • 84% of companies feel that database security is adequate.
  • 73% of companies predict that database attacks are increasing day by day.
  • 48% of attackers are authorized users.
  • 48% of users have misused their privileges.

So it is important that we are aware of the basic guidelines for database security. Not only professional attackers harm our data; authorized users can also harm the database.
