Home » Data Protection » Network Security

Industry View

Database Crime Scene Prevention

Imperva's Amichai Shulman looks at database attack and defense.

By Amichai Shulman, CTO, Imperva

February 20, 2009 — CSO — A good detective understands the criminal mind, techniques, and tools of the trade. To protect your database and prevent it from becoming a crime scene, it is crucial to understand the common methods of attack, data theft, and cover up techniques. The suspect line-up can come from outside hackers and from within the ranks of trusted employees, contractors, and partners. Some threats are easily prevented or contained; while others more elusive. Fortunately, many of the security mechanisms and tools required to protect databases are readily available.

This article examines known attacks, methods, and tools used by criminals, as well as emerging exploit categories used to break into a database, establish control, compromise the system, steal the data, and cover up the tracks. We will also cover best practices for protecting databases against these attacks methods.

The database server as a target
Given the wealth of information stored in databases and its value on the open market, it is no surprise that databases are a primary target of criminals. The personal, identity, trade, and military data contained in many repositories can fetch top dollar. Meanwhile, employment instability, mergers, acquisitions, etc., can also contribute to insider data theft. In addition, data can leak out accidentally and though these acts are not criminal, they can result in severe data breaches.

It can be said that the database server provides an attacker with the perfect criminal opportunity, combining motive (the resale value of the information), means (easily available tools), and opportunity (direct access to the server through thick client-applications, lax internal network controls and ill written applications).

The Five-Step Program

Before attempting to implement effective database security, it is crucial to understand the processes that lead to a breach. These processes can be broken down into five basic steps:
1. Tools of the Trade
2. Initial Access
3. Privilege Abuse
4. Privilege Elevation
5. Covering the Tracks

1. Tools of the Trade
A perpetrator's first step toward attacking a database server is to obtain the right tools. These are surprisingly easy to obtain, even for internal users. Security officers often underestimate internal threats by making the following assumptions:

Internal users are not "hackers" with hacking tools and they are not equipped to produce "hacking tools" themselves.
Security policies on internal workstations will deny software installation by end-users.

While both assumptions are probably valid, they have nothing to do with the ability of end-users to get their hands on tools for database attacks. As is turns out, most types of attacks (SQL related) can be executed through standard database client software such as the one provided by default from the database vendor (e.g. Query Analyzer, SQL Plus, etc.). This software is usually part of the basic installation for any workstation in the enterprise.