
Database Vulnerabilities

Essay by   •  August 31, 2010  •  Research Paper  •  2,442 Words (10 Pages)  •  2,204 Views


I. Introduction

Computer crime has been defined as, "Criminal activity directly related to the use of computers, specifically illegal trespass into the computer system or database of another, manipulation or theft of stored or on-line data, or sabotage of equipment and data."

The purpose of this work is to examine breaches in computer security. For a future IT professional who may be in charge of protecting the security of a database, it is relevant to take a "hacker approach" to security. Effective security is fundamentally the same no matter where one goes. Successful fundamental security practices are universal, crossing all arenas of computer usage, whether in the nonprofit sector, government, or personal use. Times change, technology moves forward, and cultures vary from place to place, yet there is no magic bullet that will protect one's system from every possible hack. The road to effective security can take many different paths; there is no one right path. Organizations with different missions, different hardware and different software remain secure not because a particular version of a firewall or a particular practice is superior, but because they use a strategy of defense in depth and are prepared for ever-changing computer attacks. Any business or individual that uses the Internet is attaching its computer system to an immense network. This exposes hard drives to intruders and people's personal behavior to snoopers. Security threats increase as computers become more connected with one another and as tools that automate attacks make hacking easier. In addition, as businesses become more dependent on e-commerce, there is more to lose.

II. Problem Definition

Organizations are falling victim to intrusion through vulnerabilities that exist in their infrastructures and through security holes in software. Some common examples of security breaches, as listed in Hack Proofing Your Network:

* Denial-of-Service
* Information Leakage
* File Creation, Reading, Modification, Removal
* Misinformation
* Special File/Database Access
* Elevation of Privileges
* Sniffing
* Spoofing
* Session Hijacking
* Diffing
* Buffer Overflow
* Viruses
* Worms
* Macro Virus
* Trojan Horses
* Melissa and I Love You

III. Background Statement

A global survey of 4,900 Information Technology professionals across 30 nations, conducted by InformationWeek Research and fielded by PricewaterhouseCoopers LLP, released on July 10th of last year, estimates that some 50,000 firms in the U.S. are large enough to be impacted by a software virus and to accurately tally up its cost. In total, the bill to these U.S. firms this year for viruses and computer hacking will amount to $266 billion, or more than 2.5% of the nation's Gross Domestic Product (GDP). The price tag worldwide soars to $1.6 trillion.

According to John DiStefano, principal researcher on the study at Reality Research & Consulting, which assisted InformationWeek Research on the project, the $266 billion figure represents the impact of viruses on U.S. businesses with more than 1,000 employees, or about 50,000 firms. "These are companies with infrastructures of IT professionals who, because of the dollar impact, are increasingly tracking the problem and can provide an accurate assessment of the scope of the issue. In reality, the true impact of viruses on U.S. business, including medium-sized companies and small businesses, is much greater," DiStefano explained.

DiStefano went on to explain that the key costs involved in correcting IT systems infected by a virus are found in lost productivity as a result of downtime for the computer systems, as well as lost sales opportunities. In North America, technology professionals this year will suffer system downtime of 3.24%, while downtime rises to 3.28% on a worldwide basis. To look at the impact another way, the study found that this year alone 6,882 and 39,363 person-years of productivity will be lost in North America and worldwide, respectively.

Continuing with the theme of organizational vulnerabilities, the American Society for Industrial Security states that in 1999, Fortune 1000 companies sustained losses of more than $45 billion from thefts of their proprietary information. Just how much of that theft is "Netspionage," or corporate-sponsored hacking, is unclear. Nevertheless, in another survey conducted by the Computer Security Institute, over half of 600 companies surveyed said they felt their competitors were a likely source of cyber attack, and the group claimed over $60 million in losses to cyber-espionage.

IV. Scope

The scope of this effort involves looking at some simple security measures an organization can take to address some common technical security issues and protect its databases from misuse.

V. Discussion

The most successful attempts to break into databases often exploit two common areas in which data is held unsecured: backups and development databases. If an attacker can acquire a copy of an organization's backups, the attacker can recreate the organization's database on their own servers, and any security measures the organization has in place will be worthless. To prevent such security breaches, one needs to control access to each copy of the organization's production data.

Checking out tapes from the tape library or storage facility should include steps for authorizing tape requests and documenting each request, where the tape was sent, and when it was returned. If one calls the data center to request a tape only to be told that it cannot be found, then an organization does not have adequate control over its production-database environment.

If an organization backs up the database by using disk-to-disk backups, then it must protect the back-up disk locations from unauthorized reads.
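One way to check the disk-to-disk point above, as an added example that is not part of the original essay: a Python audit that walks a backup location and reports anything readable by accounts other than the backup owner. The directory, file names and allowed-owner set are constructed for the demonstration, and the check covers POSIX permission bits only, not ACLs.

```python
import os
import stat
import tempfile


def audit_backup_dir(root, allowed_uids):
    """Return (path, reason) findings for entries under root that accounts
    other than the backup owner could read, or that look out of place."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        candidates = [dirpath] + [os.path.join(dirpath, n)
                                  for n in filenames + dirnames]
        for path in candidates:
            st = os.lstat(path)  # lstat: never follow links out of the tree
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink inside backup tree"))
                continue
            if path != dirpath and stat.S_ISDIR(st.st_mode):
                continue  # subdirectories are checked when os.walk visits them
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid not in allowed_uids:
                findings.append((path, f"unexpected owner uid {st.st_uid}"))
            exposed = stat.S_IRGRP | stat.S_IROTH
            if stat.S_ISDIR(st.st_mode):
                # r lists names, x allows traversal: both expose a directory
                exposed |= stat.S_IXGRP | stat.S_IXOTH
            if mode & exposed:
                findings.append((path, f"group/other readable ({oct(mode)})"))
    return findings


def demo():
    """Build a constructed backup directory with one over-exposed copy."""
    root = tempfile.mkdtemp(prefix="backup_audit_")  # mkdtemp creates 0700
    samples = (("orders_full.bak", 0o600), ("orders_dev_copy.bak", 0o644))
    for name, mode in samples:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data, not a real backup")
        os.chmod(path, mode)
    # Assumption: the account running the audit is the backup owner.
    return root, audit_backup_dir(root, {os.getuid()})


if __name__ == "__main__":
    for path, reason in demo()[1]:
        print(f"{path}: {reason}")
```

Run on a schedule against the real backup target, an empty result is the expected state; any finding means a copy of production data is readable outside the controls placed on the database itself.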

...

...

(2010, 08). Database Vulnerabilities. ReviewEssays.com. Retrieved 08, 2010, from https://www.reviewessays.com/essay/Database-Vulnerabilities/1029.html