Security Issues with Databases
1. Current state of database security
A database is a system specialized to manage the data of a computer application system. Data takes many forms, such as text, numbers, symbols, graphics, images and sound. Database systems are integral components of current and future command, communication, control and intelligence information systems (Lunt, 1992, p. 253). Databases are used widely in our lives, and because of them vast amounts of data have become easier to use and manage. Government, finance, telecom operators, public security, energy, taxation, business, social security, transportation, health, education, e-commerce and corporate sectors have all set up their own database application systems to keep tremendous amounts of data under management, leading society into the information era. Meanwhile, with the development of the internet, databases play an even more important role, as they are invoked in website design and network marketing, including product inquiries, information gathering, press releases, etc. However, information technology is a double-edged sword. While bringing about social progress and development, it also brings many potential safety hazards. For databases the potential hazards are great, precisely because of their ubiquity, as can be seen in the variety of situations in which database security incidents happen.
Examples are: a systems development engineer invades a mobile operator's central database via the Internet to steal prepaid cards; a hospital database system is illegally invaded, resulting in the private information of tens of thousands of patients being stolen; a DBA at a game-design company illegally modifies data in the database to steal game cards; hackers use SQL injection attacks to invade the database center of an anti-virus software vendor and steal a large amount of confidential information, leading to tremendous losses for the company; an internal database of a stock exchange is invaded by hackers and many internal reports of the Securities and Exchange Commission are lost, etc. How to protect database information effectively has become the most pressing issue in the information security industry. According to ESG's database security report, confidential data breaches occur often (Oltsik, 2009, p. 2). A survey shows that an alarming 56% of large organizations suffered data breaches over the past 12 months, with 15% experiencing multiple data breaches and 40% reporting a single data breach (see Figure 1).
Figure 1: Percentage of organizations with a confidential data breach within the last 12 months (Oltsik, 2009, p. 2)
What are the ways that database security can be compromised? How do we protect against them?
2. Issues affecting database security
There are many potential routes to database compromise. We will concentrate on only four: 1. insider attacks; 2. application security (including SQL injection); 3. misconfigured and/or unpatched databases; 4. mislabeled databases.
The first major concern in database security is the insider attack. Especially in an era of economic uncertainty such as today's, the possibility that a trusted employee will treat proprietary company data as an asset to be sold is increasing. This form of industrial espionage probably cannot be eliminated, but it can probably be reduced. The first way to combat it is to limit database access to only those who need it. First, the proper users and permissions need to be set up in the database: only users who need to view data should be given view access, and only users who actually need to write to the database should be given write permission. In addition, table-level, and even row-level (Natan, 2005, p. 185), permissions can be used to further restrict what users can and cannot see....
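As an added illustration of the least-privilege set-up described above (example SQL written for this page, not taken from the cited sources; it assumes PostgreSQL syntax, and the role, table, column and session-setting names are invented):

```sql
-- Constructed example: separate read-only and write roles, revoke the default
-- PUBLIC privileges, and use column- and row-level restrictions so that each
-- user sees only the data their job requires.
CREATE ROLE records_reader NOLOGIN;
CREATE ROLE records_writer NOLOGIN;

CREATE TABLE patient_records (
    id        serial PRIMARY KEY,
    clinic    text NOT NULL,   -- which clinic the row belongs to
    patient   text NOT NULL,
    diagnosis text
);

-- Default deny: strip the implicit grants, then add back only what is needed.
REVOKE ALL ON patient_records FROM PUBLIC;

-- View access, limited to non-sensitive columns (no "diagnosis").
GRANT SELECT (id, clinic, patient) ON patient_records TO records_reader;

-- Write access only for the role that must insert or update; no DELETE granted.
GRANT SELECT, INSERT, UPDATE ON patient_records TO records_writer;

-- Row-level restriction: a session only sees rows for its own clinic.
-- current_setting(..., true) returns NULL when app.clinic is unset, so the
-- policy fails closed (no rows visible) rather than exposing everything.
ALTER TABLE patient_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_records FORCE ROW LEVEL SECURITY;  -- also binds the table owner
CREATE POLICY clinic_isolation ON patient_records
    USING      (clinic = current_setting('app.clinic', true))
    WITH CHECK (clinic = current_setting('app.clinic', true));

-- Individual logins inherit privileges from the group roles rather than
-- receiving direct table grants that are easy to lose track of.
CREATE ROLE alice LOGIN PASSWORD '<placeholder>';
GRANT records_reader TO alice;

-- Per-session use by the application, after connecting as alice:
--   SET app.clinic = 'north';
--   SELECT id, clinic, patient FROM patient_records;  -- only clinic 'north' rows
--   SELECT diagnosis FROM patient_records;            -- denied: column not granted
```

Auditing who holds which role (for example by querying the catalog's role-membership view) is the complementary check that catches permissions that have accumulated beyond what a job actually needs.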