Security Ranch

February 15, 2021

A study of the cumulative effects of database attacks

Filed under: Uncategorized — Tags: — Ken @ 8:06 pm

Database Attacks:  A Study of the Cumulative Effects of Database Attacks

One of the first large-scale data breaches came to light in 2004 at America Online (AOL), where an insider stole roughly 92 million customer screen names and sold them to spammers.  Since then, the news has been peppered with stories about bigger and bigger data breaches.  In 2007, the TJX Companies (parent of TJ Maxx and Marshalls) disclosed that attackers had stolen about 94 million customer records.  In 2009, an unencrypted hard drive belonging to the Department of Veterans Affairs, sent out for repair, exposed about 76 million records.  In late 2013, Target was the target, no pun intended, of attackers who stole 40 million payment card records and the contact details of 70 million customers.  The 2013 Verizon Data Breach Investigations Report, covering 2012, analyzed 47,000 incidents and 621 confirmed data breaches and found that financial (37%) and retail (15%) companies led the way (Keanini, 2014).  Most recently, the U.S. Office of Personnel Management lost about 22 million records on individuals who had applied for security clearances over the last 20 years.  Obviously, data breaches are a large problem, and they are only getting worse.  Not worse in terms of numbers, but worse in the type of data being stolen.

Since businesses started using computers, and especially since they started conducting their affairs online, there has been an exponential increase in the data being collected.  This runs from car dealerships collecting the financial data and credit histories of car buyers, to lawyers collecting information about cases, to the government collecting information about its employees.  The type of information collected usually determines who is likely to want it and why.  For example, if the government collects and stores everything gathered on the SF-86 form, state-sponsored attackers are the most likely to try to steal it, so that they can build dossiers on high-value targets.  Past drug use or a bad credit history is very useful leverage when attempting to turn an individual into a spy.  Notes and case files stored by a law firm would help the opposing party build counter-arguments at trial.  Any of these reasons, and more, are likely motivations for attackers to steal information from businesses and offices.

One problem that is not being addressed is the cumulative effect of these breaches.  The government and most businesses seem to think that each breach occurs in a vacuum and has no effect beyond what can be gathered from that one data set.  The problem, however, is that data collection is so prolific that ordinary users reuse the same answers to security questions, the same passwords, and the same contact information everywhere.  Think about it: how many passwords could I reset if I knew a user's name and just a little information like their mother's maiden name?  Likely quite a few.  The problem is even worse for small and medium companies that cannot afford proper information security staff.  If a user reuses the credentials from an account with a small company for an account with a larger company, things can quickly get out of hand.  There have been more than a few cases of users with terrible security practices: the same username, the same easy-to-remember password, on every account.  So when one account is breached, the attacker can quickly move to additional accounts and gain unauthorized access to those as well.  We are failing to understand the cumulative effect of the information released by database attacks.
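To make the reuse problem concrete, here is an added Python example; it is not part of the original post.  It uses two constructed, entirely fictional dumps (every name, address and password is made up) to show, first, how an attacker correlates two unrelated breaches by email address to build a credential-stuffing list, and second, the defender-side check: screening a new password's SHA-1 hash against a set of hashes of known-leaked passwords, which is how an offline compromised-password list is normally consulted.

```python
import hashlib
from collections import defaultdict

# Constructed, fictional breach dumps (not real data). Each entry is (email, password)
# as an attacker holds it after a plaintext leak or after cracking the stored hashes.
BREACH_SMALL_RETAILER = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
]
BREACH_WEB_FORUM = [
    ("Alice@example.com", "Summer2019!"),   # same person, same password, different site
    ("bob@example.com", "bobs-other-pw"),
    ("dave@example.com", "hunter2"),
]


def sha1_hex(password):
    """Uppercase hex SHA-1, the format compromised-password lists are usually published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_stuffing_list(*dumps):
    """Attacker view: merge dumps by normalised email, keeping every distinct password
    seen for each account. Each (email, password) pair is a candidate for replay
    against unrelated services."""
    creds = defaultdict(set)
    for dump in dumps:
        for email, password in dump:
            creds[email.lower()].add(password)
    return dict(creds)


def reused_across_dumps(dump_a, dump_b):
    """Accounts present in both dumps with an identical password: the users whose
    other accounts fall immediately once either site is breached."""
    first = {email.lower(): pw for email, pw in dump_a}
    return sorted(
        email.lower() for email, pw in dump_b
        if email.lower() in first and first[email.lower()] == pw
    )


def leaked_hash_set(*dumps):
    """Defender view: the set of SHA-1 hashes of every leaked password. Only hashes are
    kept, so the screening list is not itself a plaintext password store."""
    return {sha1_hex(pw) for dump in dumps for _, pw in dump}


def password_is_compromised(candidate, leaked_hashes):
    """Reject a candidate password at set/reset time if it has appeared in any dump."""
    return sha1_hex(candidate) in leaked_hashes


if __name__ == "__main__":
    leaked = leaked_hash_set(BREACH_SMALL_RETAILER, BREACH_WEB_FORUM)
    print("reused across both dumps:",
          reused_across_dumps(BREACH_SMALL_RETAILER, BREACH_WEB_FORUM))
    print("'hunter2' compromised:", password_is_compromised("hunter2", leaked))
```

Note that the screening set grows with every dump that is folded in: a password that was "fine" when a user chose it becomes compromised the day an unrelated site leaks it, which is exactly the cumulative effect the essay is describing.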

The easiest way for attackers to reach the valuable information that companies collect is to attack the databases that hold it.  According to an Imperva white paper, the top three database threats for 2015 were excessive and unused privileges, privilege abuse, and input injection (Imperva, 2015).  Imperva broadened its category from SQL injection to input injection in 2015 because of the spread of "big data" platforms built on NoSQL databases; NoSQL databases such as MongoDB (Imperva, 2015) are susceptible to injection attacks analogous to SQL injection.

Excessive and unused privileges are the number one vulnerability for databases.  The reasons are numerous.  When an employee is hired, they are set up with an account holding the permissions they need to do their job.  As their experience grows and they are promoted, they often keep their old permissions and acquire new ones for their increased responsibilities.  After some years, such employees may end up with access to everything the company has.  This happens mostly because of weak access control policies.  If that employee falls victim to malware and their account is compromised, the attacker holding that account has access to everything the employee has, and does not need to exploit a single vulnerability to get it: every grant is legitimate.  At the other end of the spectrum, an employee who is fired still has access to everything their permissions specify until the account is disabled, and may be tempted to download or delete sensitive company data from the databases.  The best practice for mitigating these problems is to routinely audit accounts to determine whether each employee holds only the permissions their current role requires, and to disable accounts as part of offboarding.  This follows the common best practice of "least privilege" (Oriyano, 2010).

Privilege abuse is the second highest vulnerability to databases.  It can take the form of an employee stealing company information in an insider attack.  It also arises because employees may know how to get around company policy and abuse the privileges they have, or find a workaround for the permissions they lack.  For example, an employee who is only allowed to view records through the business application may connect to the database directly with a generic client and change them.  This is not always malicious, but it still puts the company's assets in jeopardy, because an attacker can use the same gap.  The best way to mitigate this threat is to ensure that each account holds exactly the rights it needs, enforced at the database rather than only in the application.  If employees need extra rights, those can be granted with an expiry so that the elevation lapses automatically (Oriyano, 2010).
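The two preceding paragraphs describe one audit with three findings types: grants a role no longer needs, live accounts belonging to departed staff, and temporary elevations that have passed their expiry.  The following Python script is an added example, not code from the original post; the role baseline, account records and dates are constructed for illustration, and a real run would read the grants from the database's catalog tables and employment status from the HR system.

```python
from datetime import date

# Constructed sample data, not from any real system. A real audit would pull grants
# from the DBMS catalog (e.g. information_schema) and employment status from HR.
# Role -> the privileges that job actually needs (table granularity is enough here).
ROLE_BASELINE = {
    "analyst": {"SELECT:sales", "SELECT:customers"},
    "billing": {"SELECT:customers", "INSERT:invoices", "UPDATE:invoices"},
    "dba":     {"SELECT:*", "INSERT:*", "UPDATE:*", "DELETE:*", "GRANT"},
}

# One record per account: grants accumulated over the years, whether the person is
# still employed, and any time-boxed elevations with their expiry date.
ACCOUNTS = [
    {"user": "alice", "role": "billing", "active": True,
     "grants": {"SELECT:customers", "INSERT:invoices", "UPDATE:invoices",
                "SELECT:sales", "DELETE:*"},          # leftovers from two earlier jobs
     "temporary": {}},
    {"user": "bob", "role": "analyst", "active": False,   # terminated, account never disabled
     "grants": {"SELECT:sales", "SELECT:customers"}, "temporary": {}},
    {"user": "carol", "role": "analyst", "active": True,
     "grants": {"SELECT:sales", "SELECT:customers", "UPDATE:customers"},
     "temporary": {"UPDATE:customers": date(2021, 1, 31)}},  # elevation that has lapsed
    {"user": "dave", "role": "dba", "active": True,
     "grants": set(ROLE_BASELINE["dba"]), "temporary": {}},
]

AUDIT_DATE = date(2021, 2, 15)   # the "today" used when the script is run as-is


def audit(accounts, baseline, today):
    """Return (user, action, reason) findings: disable accounts of departed staff, revoke
    grants the current role does not need, and revoke temporary grants past expiry.
    A temporary grant that has not yet expired is left alone."""
    findings = []
    for acct in accounts:
        if not acct["active"]:
            findings.append((acct["user"], "disable", "account belongs to a departed employee"))
            continue
        excess = acct["grants"] - baseline[acct["role"]]
        for grant in sorted(excess):
            expiry = acct["temporary"].get(grant)
            if expiry is None:
                findings.append((acct["user"], "revoke",
                                 f"{grant} is not required by role {acct['role']}"))
            elif expiry < today:
                findings.append((acct["user"], "revoke",
                                 f"temporary grant {grant} expired on {expiry}"))
    return findings


def run_audit():
    """Audit the constructed accounts as of AUDIT_DATE."""
    return audit(ACCOUNTS, ROLE_BASELINE, AUDIT_DATE)


if __name__ == "__main__":
    for user, action, reason in run_audit():
        print(f"{user:6} {action:8} {reason}")
```

The point of keeping the expiry on the grant record rather than in someone's memory is that the audit, not the employee, decides when an elevation ends; re-running the script on a schedule turns "routinely audit" into something that actually happens.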

The third vulnerability to databases is injection, best known in the form of SQL injection.  As stated previously, injection is no longer confined to SQL databases: with the proliferation of "big data", NoSQL databases such as MongoDB are also vulnerable to injection, typically through query operators smuggled in as user input.  One reason databases are so exposed is that very little money is invested in securing them.  In 2015, IDC reported that less than 5% of the $27 billion spent on security products directly addressed data center security (Imperva, 2015).  This shows either a lack of understanding of how vulnerable databases are, or that companies fail to assess risk appropriately and, having spent most of their budget on development, have little left for security testing.  The primary mitigation for injection is in the application code: parameterized queries and strict validation of input types, so that user-supplied data is never parsed as part of a query.  Beyond that, keep networks and applications patched, scan constantly for vulnerabilities, and patch or sandbox anything found (Smith, 2013).  Malicious web requests should be denied by properly configured firewalls, and intrusion detection and prevention systems (IDS/IPS) should monitor database activity (Oriyano, 2010).  When unusual activity is detected, the account should be locked out or denied access until the IT department has reviewed it.  This would stop many of the problems.
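The following Python example is added here and is not from the original post.  It shows the two injection shapes the paragraph names side by side: a SQL login query built by string formatting next to its parameterized fix, using an in-memory SQLite table constructed for the demonstration, and a MongoDB-style filter built from a parsed JSON body, where a password of `{"$ne": ""}` matches any record, next to a type and operator check that rejects it before the filter reaches the database.  The table contents, user names and passwords are made up; passwords are stored in clear only to keep the query shape visible, which a real system would never do.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration. Passwords are stored in
    clear only so the query shape is visible; a real system stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """SQL injection: the statement is assembled by string formatting, so a username of
    "alice' --" comments out the password check and logs in as alice."""
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders hand the input to the driver as data, never as SQL."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def contains_operator(value):
    """True if a parsed JSON value carries a MongoDB operator key ("$ne", "$gt", ...)
    anywhere in its structure. Passed straight into a query filter, a body such as
    {"username": "alice", "password": {"$ne": ""}} means 'any password' and bypasses
    authentication."""
    if isinstance(value, dict):
        return any(str(k).startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def mongo_filter_vulnerable(body):
    """Mimics a handler that copies request fields directly into a MongoDB filter."""
    return {"username": body["username"], "password": body["password"]}


def mongo_filter_hardened(body):
    """Only plain strings are accepted for credential fields; objects, arrays and any
    operator key anywhere in the body are rejected before a filter is built."""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("credential fields must be strings")
    if contains_operator(body):
        raise ValueError("operator keys are not permitted in the request body")
    return {"username": username, "password": password}


def hardened_rejects(body):
    """Convenience for checks: does the hardened handler refuse this body?"""
    try:
        mongo_filter_hardened(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable  :", login_vulnerable(conn, "alice' --", "wrong"))     # admin
    print("parameterized:", login_parameterized(conn, "alice' --", "wrong"))  # None
    body = {"username": "alice", "password": {"$ne": ""}}
    print("raw filter   :", mongo_filter_vulnerable(body))
    print("rejected     :", hardened_rejects(body))
```

The two halves fail for the same reason: user input crosses from data into query structure.  The SQL fix is the driver's placeholder mechanism; in the NoSQL case there is no equivalent escaping, so the type check on each field is the control, and the recursive operator scan catches the same trick hidden deeper in a nested body.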

So why are databases so targeted by attackers?  Mostly, it is because of the information they contain.  A company can learn a lot about an attacker's motivation and intentions from what was taken.  Almost all of these attacks on company resources are aimed at stealing information.  If an attacker steals information about future projects, you can deduce that they want to sell it to a competitor.  Doxing is another recent phenomenon.  Derived from "docs" (documents), doxing is the collection of private information about a company or individual and its release to the public (C.S-W, 2014).  A target is doxed to shame them or to extort money from them.  The hacker collective Anonymous was famous for doxing several companies and organizations (Zetter, 2014).  The 2014 attack on Sony Pictures Entertainment was a prime example of doxing a company.  North Korea broke into Sony's networks over a film, The Interview, that depicted the killing of its leader Kim Jong Un.  The attackers stole hundreds of gigabytes of data and released it onto the Internet.  This was an embarrassment to Sony because of what the released emails contained, including negative remarks about actors and actresses in upcoming movies.  Amy Pascal, a Sony Pictures co-chairman, lost her position because of what the attack exposed.

The recent breach at the U.S. government's Office of Personnel Management (OPM) exposed about 22 million records.  These included everything on the notorious SF-86 form, the form someone fills out for a background investigation: drug history, convictions and citations, and employment history are all included.  The U.S. government is fairly sure the attack came from China.  Espionage, in this case, is the probable motivation.  Almost any country would love to obtain this type of information in order to build dossiers on individuals and attempt to blackmail them for information or turn them into spies (Austin, 2015).

The most common motivation for stealing information from databases is identity theft, and most identity theft is focused on stealing money.  If attackers steal health insurance information, it is likely in order to file false insurance claims.  If they steal information from an e-commerce site, it is likely in order to make purchases with stolen identities.  In 2012, identity theft cost the U.S. 24.7 billion dollars (Rotter, 2014).

In 2015, the Internal Revenue Service (IRS) disclosed that 104,000 tax transcripts had been released to people who were not the individuals they described (Harney, 2015).  The IRS has since removed the "Get Transcript" function from its website.  The attackers obtained the transcripts by following the normal procedure: to get a transcript, an individual needed a Social Security Number (SSN), an email address, and the answers to some other personal questions.  None of this is difficult to get, considering the millions of records stolen in recent years.  Even more can be purchased on the black-market sites that sell stolen data.  A Dell SecureWorks report found that reliable account information, including credit card numbers, sold for as little as nine dollars per record (Dell, 2014), and that Distributed Denial of Service (DDoS) attacks or doxing could be bought for similar sums (Dell, 2014).  The information could also have come from mortgage companies, via the 4506-T form they use when a third-party vendor accesses IRS transcripts through the Income Verification Express Service (IVES).  The IRS discovered the breach only after some 35,000 of the affected account holders had already filed their returns.  Attempts were made on over 200,000 accounts, of which 104,000 succeeded (Warren, 2015).

This breach shows an easily exploitable weakness in the way websites verify identity online: knowledge-based questions are worthless once the answers are in a breach dump.  And with almost every website requiring users to register an account, users have difficulty remembering all their usernames and passwords, which leads them to recycle the same ones over and over.  Massive data breaches do not leak data in isolation.  Each time personal data leaks, users become more vulnerable to the next theft.  The solutions are two-fold.  On the user side, users need to understand the threats and risks of how they operate online.  On the development side, developers need to learn and use secure coding practices to avoid injection attacks and other exploits.  System administrators and network operators need to stay vigilant, constantly update and scan their networks, and patch whatever is discovered.  Most of these solutions cost little, are mostly a matter of knowledge, and can make for a much more secure online environment.

References

Warren, Z. (2015). IRS a data breach victim, 104,000 taxpayers' records stolen. Inside Counsel, Breaking News. Retrieved from http://search.proquest.com/docview/1683739992?accountid=8289

Keanini, T. K. (2014). Security: Beyond Target and Neiman Marcus More of the Same Everywhere Else. Database and Network Journal, 44(2), 6.

C.S-W (2014). What doxing is, and why it matters: The Economist explains. London: The Economist Newspaper NA, Inc.

Rotter, Kimberly. (2014). The staggering cost of identity theft in America. Credit Sesame. Retrieved from http://www.creditsesame.com/blog/staggering-costs-of-identity-theft/

Dell Secureworks (2014). Underground Hacker Markets. Dell Secureworks. Retrieved from http://www.secureworks.com/assets/pdf-store/white-papers/wp-underground-hacking-report.pdf

Harney, Kenneth. (2015). IRS data breach may prove worrisome for those seeking a mortgage. The Washington Post. Retrieved from https://www.washingtonpost.com/realestate/irs-was-told-in-2011-that-its-security-and-privacy-controls-were-inadequate/2015/06/01/de42884a-0886-11e5-95fd-d580f1c5d44e_story.html

Zetter, Kim. (2014). Sony got hacked hard:  Here’s what we know and don’t know so far.  Wired.  Retrieved from http://www.wired.com/2014/12/sony-hack-what-we-know/

Oriyano, S. (2010). Hacker Techniques, Tools, and Incident Handling. Sudbury, MA: Jones & Bartlett Learning.

Smith, R. (2013). Elementary Information Security. Burlington, MA: Jones & Bartlett Learning.

Austin, Ernie. (2015). Stolen Security Clearance Information Has Potential for Blackmail. Rockaway: Advantage Business Media.
