Dig yourself out of the data crater – database security isn't new, so why can't we get it right?

Abstract

For attackers intent on stealing information, it is unlikely that what they are after is lying around in flat files stored on Internet facing servers. More likely it is located in a database, tucked away on the corporate network. Whether operating externally, or a temporary contractor with network access, or even a disgruntled employee hoping to get even before resigning, the database will most likely house the data the attacker needs, and may also supply the access required to take over the domain or network environment. ''Whether you want payroll records or to own the Windows domain - you should be pleased so few people know about database security,'' as the author, formerly a network vulnerability analyst for the British Ministry of Defence says. He describes why databases are not subject to equal scrutiny within a network environment by administrators compared with, say, operating systems, and presents remedies. You're an attacker on the Internet and you've identified a company that has something you want. It could be the customer's credit card numbers, banking details, order information - or even payroll records for the company itself. Are these things simply lying around in flat files stored on Internet facing servers? It's unlikely this is the case because it would make the data difficult to manage and organize, and expose it to unnecessary risk. It's more likely that the information you seek is located in a database, hopefully tucked away safely on the corporate network.