More important, many of the techniques you will see in this topic will never be described in a manual or a topic that is devoted to a certain database product. As you'll learn throughout this topic, good database security cannot always be implemented solely within the database, and many of the most serious security issues that you may face as the database owner (or the server owner) have to do with the way applications use a database and the way various interacting systems are configured. Addressing these complex issues must take into account more than just the database, and focusing on capabilities that are provided only by the database vendor is not always enough.

At this point you may be asking yourself a few questions:

Doesn't the database have many security and auditing features? Isn't a database merely a file system with a set of value-added services such as transaction management and security? Isn't my database secure?

Why now? The database has been part of the IT environment for many years (relational databases for at least 20 years); why should we suddenly be overly concerned with security and auditing?

The answer to the first set of questions is that while such features exist, they are not always used and are not always used correctly. Security issues are often a matter of misconfiguration, and the fact that the database implements a rich security model does not mean that it is being used or that it is being used correctly. If you are like 90% of database administrators or security administrators, you are probably aware that your database has big gaping holes—disasters waiting to happen. In fact, here are some examples that made the headlines (and rest assured that for every incident that makes headlines there are 100 that are kept quiet):

In early 2000, the online music retailer CD Universe was compromised by a hacker known as “Maxus.” The hacker stole credit card numbers from the retailer's database and tried to extort money from the retailer. When his demands were refused, he posted thousands of customers' credit card details to the Internet. (Go to http://databases.about.com/gi/dynamic/offsite.htm?site=http://www.pc%2Dradio.com/maxus.htm to see what Maxus' Web site looked like.)