Database InfoSec: Data Leaks (W10)

Within the past few years, data leaks have become so common that hundreds of thousands of records leaking seems like a typical day. But what is one of the main causes of these breaches and leaks? Poorly protected databases. Even where regulations and policies are enforced and training and data leak prevention tools are in place, data still leaks frequently because of poor database design, untrustworthy employees, and a lack of security controls. Below is a list of attacks that result in database leaks.

SQL injection attacks

“A common mistake is to allow applications to display a detailed error message when errors occur. Hackers typically can test for SQL injection vulnerabilities by sending inappropriate input into a site’s Web forms to try and generate an invalid SQL query. If the server returns an error message containing information about the structure of the application, network or database, the attacker can use those details to stage further attacks” (Cobb, 2009).
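The two mistakes Cobb describes, building the query from raw input and returning the database's own error text, are shown below side by side with the hardened form. This is an added example, not code from the original post or from Cobb; it assumes Python's built-in `sqlite3` module, an in-memory database, and a constructed `customers` table with invented rows.

```python
import logging
import sqlite3

GENERIC_ERROR = "The request could not be processed."  # all the client should ever see


def build_demo_db():
    """In-memory SQLite database holding a constructed customers table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, town TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, town) VALUES (?, ?)",
        [("ann@example.com", "Springfield"), ("bob@example.com", "Shelbyville")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, town):
    """The mistakes from the text: input is concatenated into the SQL string and the
    raw database error is handed straight back to the caller."""
    sql = f"SELECT email FROM customers WHERE town = '{town}'"
    try:
        return {"ok": True, "rows": [row[0] for row in conn.execute(sql)]}
    except sqlite3.Error as exc:
        # Detailed parser/schema information leaves the server in the response body.
        return {"ok": False, "error": str(exc)}


def lookup_hardened(conn, town):
    """Parameterised query, so the input is always treated as a literal value, and a
    generic client-facing message; the detailed error goes to the server log only."""
    try:
        rows = conn.execute("SELECT email FROM customers WHERE town = ?", (town,)).fetchall()
        return {"ok": True, "rows": [row[0] for row in rows]}
    except sqlite3.Error:
        logging.exception("database error while looking up town=%r", town)
        return {"ok": False, "error": GENERIC_ERROR}


if __name__ == "__main__":
    db = build_demo_db()
    malformed = "'"  # an unbalanced quote: the kind of invalid-query probe the quoted text describes
    print(lookup_vulnerable(db, malformed))  # error text exposes what the SQL parser choked on
    print(lookup_hardened(db, malformed))    # the quote is just data: no rows, no error
```

The hardened path is what a reviewer should look for in any data-access layer: a placeholder rather than string formatting, and an `except` branch that logs the detail server-side and returns a fixed message.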

Internal know-how

This attack is often carried out by a current employee or by a former employee who has left the organization. Where database security controls such as access control and physical security are lacking, employees can easily reach sensitive information in the database and leak all of it. It is vital to identify vulnerabilities in databases, because intruders are always looking for more information and, unfortunately, more and more attacks are carried out internally.


Data inference methods

According to Cobb (2009) “a less obvious leak occurs when sensitive information can be inferred from answers to valid queries. For example, date of birth, gender and town may provide useful information for an advertising campaign, but together they could potentially enable a salesperson to re-associate a customer with his or her purchase records (a re-identification disclosure). Even if the dataset used by the sales department has had individual customer names and email addresses removed, research shows that about half the population can be identified from three pieces of information: date of birth, gender and town.

If, in our example, the sales department was part of a pharmaceutical company and the sales being analyzed were for prescription drugs, the salesperson could possibly deduce that a customer had a particular disease (a predictive disclosure) resulting in a serious breach of his or her privacy. Because of this kind of data inference problem, it is important to give careful consideration when including any sensitive data in an analysis. Where possible, you should take steps to anonymize the information; instead of providing date of birth, for example, you should use age groups.”
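The re-identification and predictive disclosure Cobb describes, and the age-group generalization he recommends, can be measured rather than just asserted. The example below is added here and is not from the original post or from Cobb; it uses a constructed sales extract (names and e-mail addresses already removed, all values invented), assumes 2009 as the analysis year, and treats (date of birth, gender, town) as the quasi-identifier.

```python
from collections import Counter

# Constructed sample: a sales extract with direct identifiers already stripped.
RECORDS = [
    {"dob": "1984-03-12", "gender": "F", "town": "Springfield", "product": "drug_a"},
    {"dob": "1981-11-02", "gender": "F", "town": "Springfield", "product": "drug_b"},
    {"dob": "1981-11-02", "gender": "F", "town": "Springfield", "product": "drug_c"},
    {"dob": "1975-06-30", "gender": "M", "town": "Springfield", "product": "drug_a"},
    {"dob": "1972-01-15", "gender": "M", "town": "Springfield", "product": "drug_d"},
    {"dob": "1984-03-12", "gender": "F", "town": "Shelbyville", "product": "drug_b"},
    {"dob": "1988-09-09", "gender": "F", "town": "Shelbyville", "product": "drug_c"},
    {"dob": "1979-04-04", "gender": "M", "town": "Shelbyville", "product": "drug_a"},
    {"dob": "1970-12-25", "gender": "M", "town": "Shelbyville", "product": "drug_d"},
]

REFERENCE_YEAR = 2009  # assumed year of the analysis


def age_group(dob, ref_year=REFERENCE_YEAR, width=10):
    """Generalise a date of birth to a ten-year band (approximate age: year only)."""
    age = ref_year - int(dob[:4])
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def raw_key(rec):
    """Quasi-identifier as released: exact date of birth, gender, town."""
    return (rec["dob"], rec["gender"], rec["town"])


def generalized_key(rec):
    """Quasi-identifier after Cobb's advice: age group instead of date of birth."""
    return (age_group(rec["dob"]), rec["gender"], rec["town"])


def unique_count(records, key_fn):
    """How many records are the only one with their quasi-identifier combination."""
    counts = Counter(key_fn(r) for r in records)
    return sum(1 for r in records if counts[key_fn(r)] == 1)


def k_anonymity(records, key_fn):
    """Smallest group size: each record is indistinguishable from at least k-1 others."""
    counts = Counter(key_fn(r) for r in records)
    return min(counts.values())


def products_for(records, key_fn, probe):
    """What someone who knows one person's quasi-identifiers could read off the extract.
    A single product is a predictive disclosure; several leave the purchase ambiguous."""
    key = key_fn(probe)
    return sorted({r["product"] for r in records if key_fn(r) == key})


if __name__ == "__main__":
    known = {"dob": "1984-03-12", "gender": "F", "town": "Springfield"}
    for label, key_fn in (("raw", raw_key), ("generalized", generalized_key)):
        print(label, "unique:", unique_count(RECORDS, key_fn),
              "k:", k_anonymity(RECORDS, key_fn),
              "products:", products_for(RECORDS, key_fn, known))
```

On the constructed data, the raw triple leaves seven of nine records unique (k = 1) and pins the known customer to one product; after generalizing the date of birth to an age group, every record shares its key with at least one other (k = 2) and the same knowledge yields three candidate products. Checking `k_anonymity` on the real quasi-identifiers before an extract leaves the database is a cheap way to apply the advice in the quote.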



Cobb, M. (2009). Data leak prevention: Mistakes in database design, business processes. Retrieved from
