One reason is the increase in access to data stored in databases. When data is accessed by many people, the chance of data theft increases.
It is often the staff of an enterprise, database developers, administrators and the like, who create the environment that lets attackers gain access to data.
Databases are a key target for cybercriminals because of the often valuable nature of the sensitive information they hold. Whether the data is financial or consists of intellectual property and corporate secrets, hackers worldwide can profit from breaching a business's servers and plundering its databases.
Vulnerabilities often found in database-driven systems are:
1. Deployment Failures
The most common cause of database vulnerabilities is a lack of testing when they are deployed. Although any given database is tested for functionality, to make sure it is doing what it is designed to do, very few checks are made to confirm that it is not doing things it should not be doing.
Solution: Thorough testing to check whether the database fails under conditions such as excess load, an artificial power failure, or high-voltage currents.
2. Data leaks
Databases may be considered a "back end" part of the office, secure from Internet-based threats (and so their data does not have to be encrypted), but this is not the case. Databases also expose a network interface, and hackers can capture unencrypted traffic on that interface and exploit it.
Solution: Administrators should use SSL- or TLS-encrypted connections to the database.
3. Stolen database backups
Insiders are also likely to steal archives and database backups for money, profit or revenge. This is a common problem for the modern enterprise.
Solution: Businesses should consider encrypting archives and backups to mitigate the insider risk.
4. A lack of segregation
An administrator can have full privileges to view all data in the database. If hackers gain access to administrator credentials, they can use them to steal that data.
Solution: Separating administrator and user privileges, together with segregation of duties, can make fraud or theft by internal staff more difficult. In addition, limiting the power of user accounts makes it harder for a hacker to take complete control of a database.
5. Hopscotch
Hackers find a weakness within the infrastructure that can be used as leverage for more serious attacks, until they reach the back-end database system. For example, a hacker may worm their way through your accounts department before hitting the credit card processing systems.
Solution: Where departments do not all have the same standard of control, creating separate administrator accounts and segregating systems can help mitigate the risk.
6. SQL injections
SQL injections remain a critical problem in the protection of enterprise databases. Applications are attacked by injecting SQL through URL parameters that are passed on to the database.
Example:
An attacker can inject this SQL fragment via the URL so that the WHERE condition always evaluates to true, and the query then returns every row instead of the one requested.
SELECT * FROM Users WHERE UserId = 105 OR 1=1;
Solution: Protect web-facing databases with firewalls and test input variables for SQL injection during development.
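To show why the "OR 1=1" query above returns everything, and what the input-testing solution looks like in code, here is an added example that is not part of the original article. It uses an in-memory SQLite table constructed for the demonstration; the function names and sample rows are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the article): a small Users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(104, "alice"), (105, "bob"), (106, "carol")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_user_id):
    # Builds the statement by string concatenation, the pattern the article
    # warns about. A URL value of "105 OR 1=1" becomes part of the SQL text,
    # so the WHERE clause is always true and every row comes back.
    sql = "SELECT * FROM Users WHERE UserId = " + str(raw_user_id) + ";"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_user_id):
    # Bound parameter: the driver sends the value separately from the SQL,
    # so it can never change the structure of the query. The same payload
    # is compared as a literal value and matches nothing.
    sql = "SELECT * FROM Users WHERE UserId = ?;"
    return conn.execute(sql, (raw_user_id,)).fetchall()


def lookup_validated(conn, raw_user_id):
    # Input testing at the application edge: UserId must be an integer.
    # Anything else is rejected before it reaches the database at all.
    try:
        user_id = int(raw_user_id)
    except (TypeError, ValueError):
        return []
    return lookup_parameterized(conn, user_id)


if __name__ == "__main__":
    db = make_db()
    payload = "105 OR 1=1"
    print("vulnerable:   ", lookup_vulnerable(db, payload))     # all three rows
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("validated:    ", lookup_validated(db, payload))      # []
    print("validated ok: ", lookup_validated(db, "105"))        # [(105, 'bob')]
```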
7. Front end OS vulnerabilities: Vulnerabilities in underlying operating systems such as Windows, UNIX and Linux, in products such as SQL Express, and in the services related to the database could lead to unauthorized access. This may also lead to a Denial of Service (DoS) attack.
Solution: This can be prevented by applying operating system security patches as and when they become available.