1 of 5
5/9/2008 2:49 PM
Hacker's Choice: Top Six Database Attacks
It doesn't take a database expert to break into one
MAY 8, 2008 | 6:20 PM
By Kelly Jackson Higgins
It takes the average attacker less than 10 seconds to hack in and out of a database -- hardly enough time for the database administrator to even notice the intruder. So it's no surprise that many database attacks go unnoticed by organizations until long after the data has been compromised.
And surprisingly, according to many experts, the database -- home of the enterprise’s crown jewels -- is still
not secured properly in many enterprises. Malicious hackers are using shockingly simple attack methods to
break into databases, such as exploiting weak passwords and lax configuration, and capitalizing on known
vulnerabilities that go unpatched.
And don’t even get us started on the epidemic of missing backup tapes: If the lost or stolen tapes are
unencrypted, you’re toast if a bad guy gets hold of them. No hack required.
“One of the biggest problems is that many database attacks are not even known” about, says Noel Yuhanna,
principal analyst with The Forrester Group. “The typical database may have 15,000 to 20,000 connections
per second. It’s not humanly possible to know what all of these [connections] are doing.”
Hackers are well aware of enterprises' database patch dilemma -- in fact, they’re banking on a backlog.
Gone are the days when companies could lock down a handful of databases in the data center: Most
organizations today have hundreds, even thousands of databases to configure, secure, and monitor -- and
remote users, customers, and business partners all need access to them.
“The big thing that bothers me is when I go to a customer’s site, usually their [database] configuration is so
weak that it’s easy to exploit. You usually don’t need buffer overflow or SQL injection [attacks] because the
initial setup of the database is totally insecure,” says Slavik Markovich, CTO of Sentrigo, a database security
Database attacks don’t have to be complicated with all of this low-lying fruit hanging around. “Those are
basic configuration problems, so a hacker doesn’t have to do something really sophisticated because these
easy things work,” Markovich says.
So what are these hacks, and how can enterprises stop them? Here’s a look at the top six database hacks
attackers are using today. Many of them take advantage of painfully obvious weaknesses in how
organizations set up their databases. Some are more useful to the malicious insider; others are used by bad
guys trying to get to valuable corporate data. Either way, the only way to lock down the database is to get to
know where the bad guys are getting in.
Hackers' top six database attacks: