While e-commerce has certainly added many indirect users on the database, e-business has had a much bigger impact on security (or the lack of it). Doing efficient business with suppliers, customers, and employees has created new and wonderful ways in which the database is used and innovative ways in which it is configured. Opening up the enterprise to improve processes and streamline business was done quickly and without too much analysis of security implications. Databases are deployed in many places (physically and logically) and often with no significant protective layers.

New technologies are constantly being released by the vendors. These technologies include Web services within the database, XML handling within the database, tight integration with application servers, and the ability to run any application logic directly within the database (to the extent of having an embedded Java virtual machine inside the database). This is great for developers and for increasing productivity, but it creates a security nightmare. More functionality means more (actually, many more) bugs that can be exploited by hackers, and many of the leading vendor databases have been plagued with bug-related vulnerabilities. Even if new functions have no vulnerability, these features are usually risky because they open up the database to more types of attacks. They increase not only the developer's productivity but also the hacker's productivity.
While we're discussing hacker skills and effectiveness, let's move on to hacker awareness. Hackers are always looking for new targets for their attacks and new methods they can use. In the same way that you realize that databases hold the crown jewels, so do the hackers. Furthermore, after mastering attacks on networks and operating systems, hackers have turned to applications and databases as a new breeding ground. This is very visible in hacker forums. It is interesting, for example, to track hacker conferences such as BlackHat and Defcon. In 2001, both BlackHat and Defcon had one presentation each devoted to database hacking. In 2002, BlackHat had five such presentations and Defcon had four such presentations. In 2003, BlackHat already had a full track dedicated to database hacking.
Last, but by no means least, is regulation. Bad accounting practices, fraud, and various corporate scandals/crimes have prompted regulators to define and enforce new regulations that have a direct impact on IT auditing. Because financial, personal, and sensitive data is stored within databases, these requirements usually imply database auditing requirements. Because regulations such as Sarbanes-Oxley, GLBA, and HIPAA (all discussed in Chapter 11) have financial and criminal penalties associated with noncompliance, database security and auditing have suddenly come to the forefront.