By Arpit Jain, Cyber Security Engineer at NetWeb Software.
SQL stands for Structured Query Language. It is the standard language for accessing, reading and writing databases: collections of tables in which data such as usernames, ids, email addresses and passwords are stored.
How are databases hacked?
It is important to understand how a database gets hacked; knowing these techniques in detail helps us prevent it. Let's look at some common attacks:
Passwords & Data Sniffed over the Network: If the connection is not encrypted, passwords and data can easily be sniffed in transit.
Password Guessing/Brute-Forcing: If the attacker finds a valid user account with a weak password, they can guess or brute-force it and completely compromise the database linked to that account.
Exploiting Misconfigurations: Some database servers are open by default, have every feature enabled and are insecurely configured most of the time. Some hosting companies expose phpMyAdmin directly via the hosting link without restricting the source IP. In such cases, if the attacker obtains a valid user id, there is a high chance they can access and exploit your database.
Delivering a Trojan: A trojan is the most common database server attack, and a fearsome one. It can arrive through an email, a pen drive, a CD, a DVD or any other medium. Once it reaches a computer it spreads through the system and can gain access to the computer, its activity or the database servers. After a successful login it begins to steal data; it may escalate to full privileges to own the complete database server and install a database rootkit to hide its actions. It tries to hack every database server it finds, and sends the stolen data to the attacker via email, HTTP or any other channel the attacker provides.
Exploiting Known/Unknown Vulnerabilities: Attackers can exploit buffer overflows or SQL injection to take over the database server. With SQL injection through a web application no authentication is needed, so the database can be hacked from the internet and the firewall is completely bypassed. This is one of the easiest methods attackers use to steal sensitive data.
Stealing Disks & Backup Tapes: If database backups are not encrypted, the data on a stolen disk or tape can easily be read.
Installing a Rootkit/Backdoor: A rootkit can hide its actions and its database objects, so administrators do not notice the database has been hacked and keep using the data. A database backdoor can be designed to steal data and send it to an attacker, or to give the attacker unrestricted access at any time.
How to Protect Database Against Attacks
Set a Good Password Policy: Use strong passwords. Educate users to use passphrases; they are easy to remember and hard to crack. Implement a policy that forbids password reuse, locks the account after a number of wrong login attempts and requires passwords to be changed every couple of days. A good example is banking websites: they require a strong password with at least one capital letter, one small letter, one number and one special character, request a password change every 90 or 180 days, and do not allow an old password to be used again.
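The rules above (character classes, no reuse, lockout after repeated failures) are easy to get subtly wrong, so here is an added example of how an application-side policy can enforce them. This is illustrative code written for this article, not from the author or from any product; the numbers (12-character minimum, 5 attempts, 15-minute lockout, 5-entry history) and the PBKDF2 round count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import re
import time
from typing import List, Optional, Tuple

# Policy values are assumptions chosen for this example, not figures from the article.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
HISTORY_SIZE = 5            # retired passwords that may not be reused
PBKDF2_ROUNDS = 100_000     # raise this in production; kept modest so the demo runs quickly


def check_password_policy(password: str) -> List[str]:
    """Return the rules the password violates (an empty list means it is accepted).

    The character-class rules mirror the banking-site example in the article.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so old hashes can be re-checked."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    """Current credential, recent password history and failed-login state for one user."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, digest) of retired passwords
        self.failed_attempts = 0
        self.locked_until = 0.0                         # epoch seconds; 0.0 means not locked


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def login(account: Account, password: str, now: Optional[float] = None) -> str:
    """Return "ok", "bad_password" or "locked"; locks the account after repeated failures."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"             # refused even if the password is right
    if _matches(password, account.salt, account.digest):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0
    return "bad_password"


def change_password(account: Account, new_password: str) -> Optional[str]:
    """Apply the policy and the no-reuse rule; return an error string, or None on success."""
    problems = check_password_policy(new_password)
    if problems:
        return "policy: " + ", ".join(problems)
    for salt, digest in [(account.salt, account.digest)] + account.history:
        if _matches(new_password, salt, digest):
            return "reuse: this password was used recently"
    account.history = ([(account.salt, account.digest)] + account.history)[:HISTORY_SIZE]
    account.salt, account.digest = hash_password(new_password)
    return None


if __name__ == "__main__":
    acct = Account("alice", "Tr0ub4dor&3xample")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(login(acct, "wrong-guess", now=0.0))                       # bad_password
    print(login(acct, "Tr0ub4dor&3xample", now=0.0))                      # locked
    print(login(acct, "Tr0ub4dor&3xample", now=LOCKOUT_SECONDS + 1.0))    # ok
    print(change_password(acct, "Tr0ub4dor&3xample"))                     # reuse: ...
    print(change_password(acct, "password"))                              # policy: ...
    print(change_password(acct, "N3w-Passphrase!Ok"))                     # None
```

Note that the lockout is keyed on the account, so a correct password is still refused while the lock is active, and reuse is checked against the stored hashes rather than keeping plaintext history; the lockout state here lives in memory, so a real deployment would persist it alongside the account record.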
Be Updated with Security Patches: Install patches as fast as you can. Database vulnerabilities are serious; sometimes a database server can be compromised with a single query. Always test patches on non-production servers first and follow the mailing lists for reports of patch problems, since a patch can occasionally open holes instead of fixing them.
Protect the Database Server with a Firewall: Allow connections only from trusted hosts. Block all unused ports and block all outbound connections, with exceptions for replication, linked databases, etc.
Disable All Unused Functionality: Some database servers ship with all functionality enabled by default. Disable whatever is not used, and test the change on a non-production server first.
Use Encryption: At the network level, use SSL or the database's own encrypted protocol. At the file level, encrypt the files and the file system, and take backups regularly. At the database level, use column encryption to encrypt all data; database APIs can provide this sort of encryption.
Regularly Check Object & System Permissions: Always check the permissions on the database's views, stored procedures and tables. If you find any change in permissions, there is a high chance of a compromise or a misconfiguration.
Regularly Check for New Database Installations: If third-party products install database servers on another server (in short, a database migration done through third-party products), the new server may have been installed with blank or weak passwords, left unpatched and misconfigured. Detect such installations and securely remove them from the server.
Regularly Check Database Configuration & Settings: If security configurations or settings are changed, for instance by a system upgrade or a patch, your database could be open to attack. If you notice a change without any upgrade, there is a chance the data has been compromised.
Regularly Check Database System Objects for Changes: If you detect any change to a system object that you did not apply yourself, there is a high chance a rootkit is present.
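Both the permission check and the system-object check come down to the same routine: take a trusted baseline of the catalog, re-read it on a schedule, and diff. The following is an added example of that routine against SQLite's `sqlite_master` catalog (chosen because it ships with Python and runs offline); it is not the author's code, and the "unapproved" changes it applies are constructed for the demo. On a production server the same idea applies to the grant and privilege tables of your database's own catalog.

```python
import hashlib
import sqlite3
from typing import Dict, List, Tuple

SchemaSnapshot = Dict[str, str]   # "type:name" -> CREATE statement


def snapshot_schema(conn: sqlite3.Connection) -> SchemaSnapshot:
    """Record every table, index, view and trigger with its definition from sqlite_master."""
    rows = conn.execute(
        "SELECT type, name, COALESCE(sql, '') FROM sqlite_master ORDER BY type, name"
    ).fetchall()
    return {f"{obj_type}:{name}": sql for obj_type, name, sql in rows}


def fingerprint(snapshot: SchemaSnapshot) -> str:
    """Stable SHA-256 over the snapshot: cheap to store and to compare on a schedule."""
    h = hashlib.sha256()
    for key in sorted(snapshot):
        h.update(key.encode())
        h.update(b"\x00")
        h.update(snapshot[key].encode())
        h.update(b"\x00")
    return h.hexdigest()


def diff_schema(baseline: SchemaSnapshot, current: SchemaSnapshot) -> List[Tuple[str, str]]:
    """List (change, object) pairs: objects added, removed, or whose definition changed."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            changes.append(("added", key))
        elif key not in current:
            changes.append(("removed", key))
        elif baseline[key] != current[key]:
            changes.append(("modified", key))
    return changes


def demo() -> Tuple[bool, List[Tuple[str, str]]]:
    """Constructed scenario: take a baseline, apply unapproved changes, report the drift."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT);
        CREATE VIEW customer_emails AS SELECT email FROM customers;
    """)
    baseline = snapshot_schema(conn)
    baseline_fp = fingerprint(baseline)

    # Changes nobody on the team applied: a dropped view, an altered table, a new table.
    conn.executescript("""
        DROP VIEW customer_emails;
        ALTER TABLE customers ADD COLUMN note TEXT;
        CREATE TABLE audit_tmp (note TEXT);
    """)
    current = snapshot_schema(conn)
    unchanged = fingerprint(current) == baseline_fp
    return unchanged, diff_schema(baseline, current)


if __name__ == "__main__":
    same, changes = demo()
    print("schema unchanged:", same)   # False
    for change, obj in changes:
        print(f"{change:9} {obj}")
```

The fingerprint is what you store and compare from a cron job; only when it differs do you pull the full snapshot and run `diff_schema` to see which objects moved. Keep the baseline somewhere the database server cannot write to, otherwise whoever changed the schema can also "approve" the change.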
Regularly Audit Web Applications: Audit your web applications for SQL injection, misconfiguration and weak permissions. Also, connect to database servers with low-privileged users, so that if an application is vulnerable to SQL injection the damage an attack can do is limited.
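As an added example of what such an audit looks for, here is a lookup written two ways, the string-built query beside its parameterised replacement, plus a small heuristic that flags string-built SQL in Python source. This is illustrative code for this article, not the author's; the in-memory SQLite users table, the tampered input and the sample source snippet are all constructed, and the regex heuristic is a starting point for a code review, not a complete scanner.

```python
import re
import sqlite3
from typing import List, Tuple


def setup() -> sqlite3.Connection:
    """Constructed sample database with two users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users (username, password_hash) VALUES ('alice', 'hash-a'), ('bob', 'hash-b');
    """)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """Vulnerable: user input is pasted into the SQL text, so it can change the query."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """Hardened: a bound parameter is always treated as a value, never as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Heuristic source patterns an audit can grep for: SQL built with f-strings,
# % formatting, .format() or string concatenation right inside an execute() call.
RISKY_SQL_PATTERNS = [
    re.compile(r'execute\w*\(\s*f["\']'),
    re.compile(r'execute\w*\(\s*"[^"]*"\s*%'),
    re.compile(r'execute\w*\(\s*"[^"]*"\s*\.format\('),
    re.compile(r'execute\w*\(\s*\w+\s*\+'),
]


def find_risky_sql(source: str) -> List[int]:
    """Return 1-based line numbers in Python source that look like string-built SQL."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), start=1)
        if any(p.search(line) for p in RISKY_SQL_PATTERNS)
    ]


def demo() -> Tuple[int, int]:
    """Row counts returned by the two lookups for the same tampered input."""
    conn = setup()
    tampered = "x' OR '1'='1"     # constructed test input; a real username has no quote
    return len(find_user_vulnerable(conn, tampered)), len(find_user_safe(conn, tampered))


# Constructed snippet for the audit helper (not code from any real application).
SAMPLE_SOURCE = '''
cur.execute(f"SELECT * FROM t WHERE a = '{a}'")
cur.execute("SELECT * FROM t WHERE a = ?", (a,))
cur.execute("SELECT * FROM t WHERE a = '%s'" % a)
cur.execute("SELECT * FROM t WHERE a = '{}'".format(a))
cur.execute(query + suffix)
'''

if __name__ == "__main__":
    print(demo())                          # (2, 0)
    print(find_risky_sql(SAMPLE_SOURCE))   # [2, 4, 5, 6]
```

The vulnerable lookup returns every user for the tampered input because the quote closes the string literal and the rest becomes part of the WHERE clause; the parameterised version returns nothing because the whole string is compared as a value. Pair the fix with the article's advice on low-privileged accounts: the account the web application uses should not be able to read tables the application never touches.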
Log as Much as You Can: Log failed logins, incorrect SQL syntax, permission errors and similar events. From these logs you can learn how secure your database is, when an attack is likely under way, and which errors occur.
Build a Database Server Honeypot: A database server honeypot lets you detect database attacks in your organization at an early stage. It helps you detect and prevent internal and external attacks, since attackers usually go for the low-hanging fruit first.
How to set up a honeypot
• Isolate the server; all outbound connections should be blocked.
• Set it to log everything, run traces and set alerts.
• Set up other services to create a realistic environment.
• Set blank or easily guessable passwords.
• Make the server look interesting: link it from production servers, give it a name like credit card server or financial server, create a database with names like Credit Cards or Customers Info, and create tables with fake data that seems real.
Build a Home-Made IDS: On sensitive database servers, depending on the available functionality, you can build a simple IDS by setting database alerts that send notifications or perform some action when errors such as failed login attempts, incorrect SQL syntax, UNION statement errors or permission errors occur.
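The logging advice and the home-made IDS are two halves of one loop: the server records the events, and something counts them and alerts when a source crosses a threshold. Here is an added example of that counting side, run over a few constructed log lines; it is not the author's code, the key=value log format and the alert thresholds are assumptions for the demo, and a real deployment would replace `LINE_RE` with a parser for the server's actual log format.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed sample log lines. The key=value layout is an assumption for this
# example; every database server has its own log format, so adapt LINE_RE to it.
SAMPLE_LOG = """\
2024-05-01T10:00:01 host=10.0.0.5 user=app  event=login result=ok
2024-05-01T10:00:02 host=10.0.0.9 user=sa   event=login result=failed
2024-05-01T10:00:03 host=10.0.0.9 user=sa   event=login result=failed
2024-05-01T10:00:04 host=10.0.0.9 user=root event=login result=failed
2024-05-01T10:00:05 host=10.0.0.5 user=app  event=query error="syntax error near WHERE"
2024-05-01T10:00:06 host=10.0.0.9 user=app  event=query error="syntax error near UNION"
2024-05-01T10:00:07 host=10.0.0.9 user=app  event=query error="permission denied for table credit_cards"
2024-05-01T10:00:08 host=10.0.0.7 user=app  event=login result=failed
"""

LINE_RE = re.compile(
    r'(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+)\s+event=(?P<event>\S+)'
    r'(?: result=(?P<result>\S+))?(?: error="(?P<error>[^"]*)")?'
)

# How many of each indicator from one host trigger an alert (assumed values).
THRESHOLDS = {"failed_login": 3, "syntax_error": 2, "union_probe": 1, "permission_error": 1}


def classify(record: Dict[str, Optional[str]]) -> Optional[str]:
    """Map one parsed log record to an indicator name, or None if it is benign."""
    if record["event"] == "login" and record.get("result") == "failed":
        return "failed_login"
    error = (record.get("error") or "").lower()
    if not error:
        return None
    if "union" in error:          # checked before the generic syntax case on purpose
        return "union_probe"
    if "syntax" in error:
        return "syntax_error"
    if "permission" in error:
        return "permission_error"
    return None


def analyse(log_text: str) -> Dict[str, Counter]:
    """Count indicators per source host across the whole log."""
    per_host: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue              # unknown line shape: skip rather than crash the monitor
        indicator = classify(match.groupdict())
        if indicator:
            per_host[match["host"]][indicator] += 1
    return per_host


def alerts(per_host: Dict[str, Counter]) -> List[str]:
    """Alert lines for every host/indicator pair at or above its threshold."""
    out = []
    for host in sorted(per_host):
        for indicator, count in sorted(per_host[host].items()):
            if count >= THRESHOLDS[indicator]:
                out.append(f"{host}: {indicator} x{count}")
    return out


if __name__ == "__main__":
    for line in alerts(analyse(SAMPLE_LOG)):
        print("ALERT", line)
```

In the sample, host 10.0.0.9 trips three alerts (repeated failed logins, a UNION-related syntax error and a permission error on a sensitive table) while the single syntax error from 10.0.0.5 stays below its threshold, which is the distinction between an application bug and someone probing the server. Counting per source host is what makes the thresholds meaningful; counting globally would let one noisy application hide a probe from elsewhere.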
Use Third-Party Tools: If your company has only a few database servers, it is not a big deal to audit them manually or build some basic tools. But with dozens of database servers it gets complicated, so it is recommended to use third-party tools for encryption, vulnerability assessment, auditing, monitoring and intrusion prevention.
• Only allow connections from IP addresses that require access. If you have a single application or location, restrict access to only the relevant IPs.
• Use complex passwords, including symbols.
• Always talk to the database over a secured connection where possible (this depends on the database type).
• The weakest link in your database security is humans. Be careful where you store credentials: don't accidentally push them into public source control, write them on post-its, send them over email, etc.
• Secure the rest of your infrastructure, including app servers; these can be compromised to give up privileged access.
• Set up monitoring and alerting for high CPU and network I/O. While not a preventative measure, it might alert you to unusual activity.
Provide Training to the Company's IT Staff: If your staff do not know what database security is, all the tools and the best protection in the world won't help you much. Staff must be trained to achieve database security. Hire at least one security person who can assess the systems, find vulnerabilities, give suggestions to the company and train its IT staff.
Nowadays the threat of data theft is real and stealing data is simple. Black hat hackers are involved in such activities and invest their time and money in building tools to attack servers. Companies without knowledge of database hacking are the biggest targets, effectively giving their data away for free. One mistake can hand the company's data to hackers, and hackers won't give you another chance to secure your server. In some cases, companies lose their reputation along with their database. A company must protect its database by investing strongly in security or hiring a white hat hacker.
Hackers are everywhere; hiring a white hat hacker will secure your company and your database and protect you from black hat hackers.