Running head: DATABASE SECURITY IN A HACKERS WORLD 1
The database security in a hacker’s world
Student name:
Tutor:
Course:
Date:
The Outline
1. Introduction to Database Security hacking and threats
2. Top 5 Database Security Threats
i. Excessive and Unused Privileges
ii. Privilege Abuse
iii. Input Injection (Formerly SQL Injection)
iv. Exploitation of Vulnerable, Misconfigured Databases
v. Limited Security Expertise and Education
3. Database breach case studies:
a) Neiman Marcus
b) White Lodging
c) Sally Beauty
d) Albertsons & Supervalu
4. Credit card number hacking
i. Shop-admin Hacking
ii. Hacking Through Scams
5. Medical record misuse
6. Solutions to database insecurity and hacking
7. Conclusion and summary
The Abstract
This study critically analyzes the major database security threats: excessive data privileges, privilege abuse, input injection, misconfigured databases, and the lack of security expertise and education. Several case studies of database breaches are examined in the same light. Credit card number theft has also been on the rise in the modern world, and the study explains how it is carried out against database-backed systems. The health sector has recently been hit by the same hazard, so the study outlines how this menace has affected hospital data management systems, with a focus on record misuse in settings such as the hospital emergency department. Towards the end of the discussion, possible solutions and remedies are recommended with the sole intent of countering this growing insecurity. The work is intended for any researcher with a genuine desire to understand how database hacking has developed alongside the growth of technology.
KEYWORDS:
Database hacking, input injection, privilege abuse, cross-site request forgery, database integrity, data abuse, data integrity
1. Introduction to database security and hacking threats
Database hacking is becoming a major global threat. It takes several forms: sniffing passwords and data on a network, connecting to database servers that are left exposed with default settings, and physical theft of disks, among others. Any of these practices, alone or combined, can be described as database hacking; the definition is not exhaustive, but in a nutshell any illegal access to database information qualifies. If database systems and the networks they sit on remain unprotected, they can be broken into and their data stolen. Money and other assets are then at risk, and in the long run the entire business entity suffers.
2. The Database security threats
i. Excessive and Unused Privileges
Several database threats are tied to the same technological advances that make databases useful. A practical example is excessive and unused privileges. The problem arises when an individual is granted database rights beyond what the job requires, and such misuse is common today. If a person changes role in an organization or leaves it altogether, their access to sensitive data is often not adjusted (Mannino, 2015). Should they depart on unfortunate terms, they can use their remaining privileges to steal crucial data or cause damage. Excessive privileges begin when the privilege control scheme for job roles is not well defined or properly maintained (Carroll & Prickett, 1997). Users are then given generic or broad privileges that exceed their job needs, which in the long run creates regulatory risk as well (Klass, 2013).
ii. Privilege Abuse
Workers in an organization may abuse legitimate database rights for unauthorized purposes. In the health sector, for instance, the web application normally limits which patient records a user can view. A rogue user can abuse their privileges by connecting to the database with a different client, such as Excel (Mannino, 2015). By using Excel with their valid login, the user can retrieve and save all patient records to their own computer. From there the information can be copied to other machines, leaving the data exposed and at risk of a breach. The Bible teaches the importance of using the privilege accorded to individuals responsibly; it advises that in any situation we should be honest in whatever we do (Carroll & Prickett, 1997).
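The two privilege problems above (rights beyond the job role, and rights that survive a role change or never get used) are easiest to catch with a periodic audit of grants against a per-role baseline. The following is an added example, not code from the essay or any cited source; the role baseline, the accounts and the last-used dates are constructed sample data standing in for what an audit log and the database's grant tables would supply.

```python
"""Audit database grants against job-role baselines.

Added example (not part of the original essay). ROLE_BASELINE, SAMPLE_ACCOUNTS
and AUDIT_DATE are constructed sample data.
"""
from datetime import date

# Constructed baseline: the privileges each job role actually needs.
ROLE_BASELINE = {
    "billing_clerk": {"billing.invoices:SELECT", "billing.invoices:INSERT"},
    "reporting_analyst": {"billing.invoices:SELECT", "patients.visits:SELECT"},
    "dba": {"*:ALL"},
}

# Constructed sample of current grants, with the date each was last exercised
# (in a real deployment this comes from the database audit log).
SAMPLE_ACCOUNTS = [
    {"user": "alice", "role": "billing_clerk",
     "grants": {"billing.invoices:SELECT": date(2023, 5, 2),
                "billing.invoices:INSERT": date(2023, 5, 2),
                "patients.records:SELECT": date(2022, 1, 9)}},   # left over from an old role
    {"user": "bob", "role": "reporting_analyst",
     "grants": {"billing.invoices:SELECT": date(2023, 4, 30),
                "patients.visits:SELECT": None}},                # granted, never used
    {"user": "carol", "role": "former_employee",
     "grants": {"billing.invoices:SELECT": date(2022, 12, 1)}},  # role no longer exists
]

AUDIT_DATE = date(2023, 6, 1)   # constructed "today" for the audit run


def excessive_privileges(account, baseline=ROLE_BASELINE):
    """Grants the account holds that its job role does not justify."""
    allowed = baseline.get(account["role"])
    if allowed is None:                 # unknown or retired role: nothing is justified
        return set(account["grants"])
    if "*:ALL" in allowed:
        return set()
    return {g for g in account["grants"] if g not in allowed}


def unused_privileges(account, today, max_idle_days=90):
    """Grants never used, or not used within max_idle_days."""
    stale = set()
    for grant, last_used in account["grants"].items():
        if last_used is None or (today - last_used).days > max_idle_days:
            stale.add(grant)
    return stale


def audit(accounts, today):
    """Return {user: {"excessive": set, "unused": set}} for accounts needing review."""
    findings = {}
    for acct in accounts:
        exc = excessive_privileges(acct)
        unused = unused_privileges(acct, today)
        if exc or unused:
            findings[acct["user"]] = {"excessive": exc, "unused": unused}
    return findings


if __name__ == "__main__":
    for user, f in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, "excessive:", sorted(f["excessive"]), "unused:", sorted(f["unused"]))
```

Run against the sample data, the audit flags alice's leftover patient-record grant, bob's never-used grant, and every grant still held by carol, whose role no longer exists. In a real deployment the same findings would feed REVOKE statements for a DBA to review.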
iii. Input Injection (Formerly SQL Injection)
There are two main forms of database injection attack. SQL injection targets traditional relational database systems, while NoSQL injection targets the non-relational stores used for very large data sets. In SQL injection, an attacker inserts unauthorized or unexpected SQL statements into the input fields of a web application (Mannino, 2015). In a NoSQL attack, malicious input is injected into the query constructs of the big-data platform. In both cases, a successful input injection attack can give the attacker unrestricted access to the entire database.
iv. Exploitation of Vulnerable, Misconfigured Databases
Vulnerable, unpatched databases, and databases that still carry default accounts and configuration settings, are very common. Attackers have ready means to exploit such weaknesses in attacks against a particular firm. The usual constraints are heavy workloads and understaffed database administration teams, for whom testing patches is demanding and time-consuming (Mannino, 2015). Finding a maintenance window in which patching can be done without disrupting critical business systems is a further problem. As a result, such firms take a long time to apply patches and remain vulnerable in the meantime (Klass, 2013).
v. Limited Security Expertise and Education
Database deployments are not always aligned with the organization's internal security controls. This happens because many entities lack the expertise needed to implement security measures. The policies that are enforced, and the way incident response is carried out in a firm, can also produce this misalignment. Some of the leading causes of data breaches are human: mistakes by employees and by the designers of the systems they use.
3. Database breaches case studies
a) Neiman Marcus
Neiman Marcus is one of the best-known database breach case studies. In early January, the company learned that hackers had been accessing the debit and credit card data of its shoppers for roughly three months. In-store customers were affected far more than online customers (Mannino, 2015). The breach occurred when malicious software inserted into Neiman Marcus's systems captured card data as purchases were made during that period. The company revealed that about a million customers were affected. It only learned of the breach after its card processor alerted it to fraudulent activity. The attack compromised debit and credit card numbers but not PINs, because the company does not use PIN entry for its cards.
b) White Lodging
In February 2013, a hotel management entity running many hotels in several states experienced a data breach that exposed the debit and credit card data of many guests. White Lodging Services manages properties for leading hotel brands (Perry, 2009). The breach involved the gift shops and restaurants of hotels operated by White Lodging rather than the systems where room payments were made. Credit and debit card data of large numbers of guests at Marriott hotels were stolen. In March, banks noticed fraud on the compromised cards. A small number of Marriott hotels were affected, including those in Austin, Denver and Los Angeles. This was not the first breach to affect Marriott; in 2010, Marriott proprietary data had been hacked.
c) Sally Beauty
Sally Beauty operates many retail outlets in the US, selling beauty products to consumers and professionals (Perry, 2009). In March, a large number of debit and credit cards used at its stores were found to have been stolen and offered for sale on an underground criminal market. Several banks traced cards that had been used fraudulently to a common point of purchase at Sally Beauty shops. Sally Beauty Holdings Inc. has suffered two data breaches within one year. In the latest case the company said it was investigating unusual activity involving payment cards used in its stores. The earlier breach affected fewer than 25,000 cards and took place just a few weeks after a wave of large breaches at other retailers. In its statement, the company said it could not immediately comment on the criminal cases reported.
d) Albertsons & Supervalu
In late summer, Albertsons and Supervalu suffered data breaches. Hackers broke into the card payment networks and captured customers' card details. The parent companies of the two supermarket chains said they had found a further intrusion in their computer systems involving customer card data. In August, malicious software was placed on the networks that process card transactions in a number of stores. The malware could have captured account numbers and expiry dates together with cardholder names. At Supervalu, fewer stores were affected. Supervalu provides information technology services to Albertsons, Shaw's and Acme stores (Perry, 2009), which were sold to Cerberus in 2013. Supervalu said the malware captured data from payment cards used at checkout lanes in the affected stores. At the time, the rollout of enhanced protective technology had not yet been completed. The companies announced the breach in August and said the two incidents were separate.
4. Credit card number hacking
i. Shop-admin Hacking
Credit card hacking, as the case studies above show, has been rising for a long time in every state despite being illegal. Two kinds of payment card are commonly used in transactions. A debit card draws on money the holder already has in the account, whereas a credit card draws on a fixed credit limit that is settled with the bank at the end of a billing period. The following are examples of credit card hacking methods (Perry, 2009).
Shop-admin hacking exploits the administration panel of an online shop to obtain the card data stored there, which is then used for internet purchases or for amusement rather than for cash withdrawals. This method does not disclose the four-digit PIN; it yields only the card number, the CVV2 security code and other details printed on the card. Shop-admin exploitation has been seen against widely used shopping-cart products such as VP-ASP and SCART (Klass, 2013).
ii. Hacking Through Scams
Hacking through scams is a form of illegal access aimed at stealing money. The attacker creates a clone of a real web page; the usual targets are sites such as ebay.com and paypal.com, which many users worldwide rely on for financial transactions (Klass, 2013). Having obtained a mailing list, the attacker sends an alert claiming that the recipient's account has been hacked and must be verified on the cloned page. The credentials entered there are relayed by the page's scripts to the attacker's own email address. With the PIN obtained in the same way, the attacker can then withdraw cash at an ATM (Mannino, 2015).
5. Medical record misuse
Health care providers are prime targets for hackers. The data held in healthcare IT systems is lucrative to an attacker. On admission to a hospital, personal information such as name, contact details and banking details is collected. Cyber criminals can use this information to commit identity fraud, a range of illegal acts in which they pose as the victim for financial gain. Community Health Systems, which runs over 200 hospitals in the United States, reported that hackers broke into its computers and accessed the data of many patients (Trotter & Uhlman, 2013). The attackers obtained names, social security numbers, physical addresses, birth dates and phone numbers (Mannino, 2015). A breach of this size exposes patients to a high risk of fraud: criminals can open bank accounts in the victims' names and take out loans, ruining their credit history (Trotter & Uhlman, 2013).
6. Solutions to database insecurity and hacking
Database hackers keep finding new ways to gain control of data on the internet. Several types of attack have been outlined above; this section adds others and gives possible remedies for preventing the menace, with the aim of eradicating it as far as possible (Mannino, 2015). Cross-site scripting (XSS) is addressed by escaping special characters and by not allowing users to supply HTML or CSS through any input field. Secondly, it can be prevented by validating input against a whitelist before any user-supplied data is accepted, rejecting anything that is not on the approved list. Additionally, output encoding ensures that data written into a page cannot be interpreted as script by the browser (McClure, Scambray & Kurtz, 1999).
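The whitelist check and the output encoding described above, side by side with the unencoded rendering they replace, as an added example that is not part of the essay or any cited work. The display-name whitelist, the page template and the attack string are constructed for the demonstration.

```python
"""Two XSS defences from the paragraph above: whitelist validation of input
and output encoding before rendering. Added example; DISPLAY_NAME_RE, the
templates and PAYLOAD are constructed."""
import html
import re

# Whitelist: a display name may only contain letters, digits, spaces, dots and hyphens.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 .\-]{1,40}")


def is_allowed_display_name(value):
    """True only if the whole value matches the whitelist."""
    return DISPLAY_NAME_RE.fullmatch(value) is not None


def validate_display_name(value):
    """Reject anything outside the whitelist instead of trying to clean it."""
    if not is_allowed_display_name(value):
        raise ValueError("display name contains disallowed characters")
    return value


def render_vulnerable(name):
    """Interpolates user data straight into HTML: the bug being prevented."""
    return f"<p>Welcome, {name}!</p>"


def render_safe(name):
    """Encodes the data for an HTML text context before interpolation, so the
    browser shows the characters instead of executing them."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


PAYLOAD = "<script>alert(document.cookie)</script>"   # constructed attack string

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print("whitelist accepts payload:", is_allowed_display_name(PAYLOAD))
```

Encoding is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but data placed inside a `<script>` block, a URL or a CSS property needs the encoding rules of that context, which is why the whitelist is applied as a second, independent layer.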
As explained earlier, injection flaws occur when user-supplied data is passed to an interpreter as part of a command or query, such as an SQL statement. Prevention methods include avoiding the use of such interpreters where possible (Rajarajan, 2012); where they must be used, the OWASP guidance on the safe use of APIs applies. Practitioners can also use prepared statements, stored database procedures or parameterized queries, and dynamic SQL built from strings should be avoided as far as possible (McClure, Scambray & Kurtz, 1999). As a further precaution, user input can be escaped before it reaches the interpreter, and the application should connect to the database with the least-privileged account that suffices for its work.
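The SQL injection described in the threats section and the parameterized query recommended here, shown against the same login query, as an added example that is not code from the essay or any cited source. It uses an in-memory SQLite table with constructed rows; the attack string is the classic comment-out-the-password-check payload.

```python
"""SQL injection against a string-built query, and the parameterized query
that fixes it. Added example; the in-memory table, its rows and
ATTACK_USERNAME are constructed."""
import sqlite3


def setup_db():
    """Constructed users table; passwords are kept in clear only to keep the
    injection demonstration short (see the cryptographic storage section)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "s3cret-admin-pw", "admin"),
        ("alice", "alice-pw", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes SQL."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same query with bound parameters: input is always data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed payload: closes the string literal, then "--" comments out the
# rest of the statement, including the password check.
ATTACK_USERNAME = "admin' --"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:   ", login_vulnerable(conn, ATTACK_USERNAME, "anything"))
    print("parameterized:", login_parameterized(conn, ATTACK_USERNAME, "anything"))
```

With the string-built query the payload logs in as admin without a password; with bound parameters the same string is simply a username that does not exist. The same principle applies to NoSQL stores: pass user data through the driver's query builder rather than concatenating it into query documents.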
Malicious file execution involves attackers using remote file inclusion (RFI). It adversely affects PHP, XML and other frameworks that include files by name. To prevent it, avoid using filenames supplied by users in any server-side include, whether of images, scripts or data files (Mannino, 2015). Furthermore, firewall rules can block new outbound connections from the server to external websites and to internal systems it has no need to reach (Rajarajan, 2012).
Cross-site request forgery (CSRF) is among the most damaging web attacks in use today. It is remedied by not relying on credentials and tokens that the browser attaches automatically, such as session cookies. Instead a custom anti-forgery token is used, one that the browser does not remember or send on its own and that a forged request therefore cannot supply.
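The synchronizer-token defence just described, beside the cookie-only check it replaces, as an added example that is not part of the essay or any framework. The session store and the two requests are constructed stand-ins for what a web framework would provide.

```python
"""Synchronizer-token CSRF defence: a per-session secret the browser does not
attach automatically. Added example; SESSIONS and the requests in demo() are
constructed, not taken from any framework."""
import hmac
import secrets

SESSIONS = {}   # session_id -> {"user": ..., "csrf": ...}; in-memory stand-in


def new_session(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The app embeds this in its own forms as a hidden field; it is not a cookie,
    so a page on another origin cannot read or send it."""
    return SESSIONS[sid]["csrf"]


def transfer_vulnerable(request):
    """Relies on the session cookie alone, which the browser sends with any
    cross-site form post: a forged request succeeds."""
    session = SESSIONS.get(request["cookie"])
    if session is None:
        return "denied"
    return f"transferred {request['amount']} from {session['user']}"


def transfer_protected(request):
    """Requires the form to carry the session's token, compared in constant time."""
    session = SESSIONS.get(request["cookie"])
    if session is None:
        return "denied"
    submitted = request.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return "denied"
    return f"transferred {request['amount']} from {session['user']}"


def demo():
    sid = new_session("alice")
    # Constructed forged request: an attacker's page posts, and the victim's
    # browser helpfully attaches the session cookie.
    forged = {"cookie": sid, "amount": 1000}
    # Constructed genuine request: the app's own form carried the token.
    genuine = {"cookie": sid, "amount": 10, "csrf_token": csrf_token_for(sid)}
    return (transfer_vulnerable(forged),
            transfer_protected(forged),
            transfer_protected(genuine))


if __name__ == "__main__":
    print(demo())
```

The token must be tied to the session (or signed with a server key) and never placed in a cookie, otherwise the browser would once again supply it automatically and the defence collapses.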
Insecure cryptographic storage and communication are addressed by not writing your own encryption algorithms, since doing so securely requires considerable expertise (McClure, Scambray & Kurtz, 1999). Users should rely only on tried and publicly vetted encryption systems. Operators should not use keys generated with online tools, and private keys should never be exchanged over insecure channels.
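One place where home-grown schemes fail in practice is password storage. The following added example (not from the essay or any cited source) uses a vetted construction available in the Python standard library, PBKDF2-HMAC-SHA256 with a random per-user salt, next to the unsalted single hash it replaces; the sample password is constructed.

```python
"""Password storage with a vetted construction (PBKDF2-HMAC-SHA256 from the
standard library) rather than a home-grown scheme. Added example; the
password in demo() is constructed."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # work factor; raise as hardware gets faster


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means equal
    passwords get different digests and precomputed tables are useless."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def weak_hash(password):
    """Unsalted single hash: two users with the same password share a digest,
    and the digest can be looked up in a precomputed table. Shown only as
    the pattern to avoid."""
    return hashlib.sha256(password.encode()).hexdigest()


def demo():
    pw = "correct horse battery staple"   # constructed sample password
    salt_a, digest_a = hash_password(pw)
    salt_b, digest_b = hash_password(pw)
    return {
        "weak_digests_equal": weak_hash(pw) == weak_hash(pw),
        "salted_digests_equal": digest_a == digest_b,
        "verify_ok": verify_password(pw, salt_a, digest_a),
        "verify_wrong": verify_password("wrong", salt_a, digest_a),
    }


if __name__ == "__main__":
    print(demo())
```

Where a dedicated library is available, a memory-hard function such as scrypt or Argon2 is preferable to PBKDF2; the point of the example is to use a published, reviewed construction with a salt and a work factor rather than something invented in-house.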
An insecure direct object reference arises when a program exposes a reference to an internal implementation object, such as a record key, in a URL or another parameter. To remedy this, developers should use an index or an indirect reference map so that the real object reference is never exposed, and the application must check that the user is authorized before returning the referenced object (McClure, Scambray & Kurtz, 1999).
Failure to restrict URL access lets an attacker with little skill reach private files simply by guessing their addresses (McClure, Scambray & Kurtz, 1999). To prevent this, never assume that hackers are unaware of hidden URLs; every URL and every role must be protected by authentication and authorization checks that verify the user's role and privileges on each request.
7. Conclusion and summary
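The indirect-reference map with an ownership check (for the direct object reference flaw) and the per-request role check (for unrestricted URLs), as one added example that is not part of the essay or any cited work. The users, documents and route table are constructed; the opaque handles are random strings standing in for the index the paragraph recommends.

```python
"""Authorization layer for two flaws discussed above: direct object
references (fixed with an indirect, per-session map plus an ownership check)
and unrestricted URLs (fixed by checking the role on every request).
Added example; USERS, DOCUMENTS and ROUTE_ROLES are constructed."""
import secrets

USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "dana": {"role": "admin"}}
DOCUMENTS = {101: {"owner": "alice", "body": "alice's invoice"},
             102: {"owner": "bob", "body": "bob's invoice"}}
# Which roles may reach each path; a path missing here is denied by default.
ROUTE_ROLES = {"/admin/users": {"admin"}, "/documents": {"user", "admin"}}


class Session:
    def __init__(self, user):
        self.user = user
        self._refs = {}          # opaque handle -> real document id

    def reference_for(self, doc_id):
        """Hand the client an opaque handle instead of the real record key."""
        handle = secrets.token_urlsafe(8)
        self._refs[handle] = doc_id
        return handle

    def resolve(self, handle):
        return self._refs.get(handle)


def get_document_vulnerable(session, doc_id):
    """Trusts the id in the URL: any logged-in user can read any document."""
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None


def get_document_safe(session, handle):
    """Indirect reference plus a server-side ownership check. Unknown handles
    and documents the user does not own both come back as None."""
    doc_id = session.resolve(handle)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session.user:
        return None
    return doc["body"]


def authorize_route(session, path):
    """Enforce the role requirement on every request, hidden URL or not."""
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return False
    return USERS[session.user]["role"] in allowed


if __name__ == "__main__":
    bob = Session("bob")
    print("vulnerable, bob reads 101:", get_document_vulnerable(bob, 101))
    print("safe, bob reads own doc:  ", get_document_safe(bob, bob.reference_for(102)))
    print("safe, bob reads 101:      ", get_document_safe(bob, bob.reference_for(101)))
    print("bob at /admin/users:      ", authorize_route(bob, "/admin/users"))
```

The ownership check is the part that actually closes the hole; the opaque handle only stops an attacker from enumerating keys. Leaving either out, or checking the role only when drawing the menu rather than on each request, reintroduces the flaw.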
In conclusion, database insecurity can be understood in terms of three fundamental properties: secrecy, data integrity and availability. A thorough remedy for data insecurity requires high-assurance systems, so it is crucial to use only high-quality software of known origin in our database systems. Moreover, security technicians must recognize that even substantial controls in high-assurance multilevel systems do not necessarily prevent every loss of database secrecy. Database hacking through web applications is by no means limited to login dialogue boxes: a simple search form, for example, is usually connected to the database and can be abused to alter system details. As noted in this study, SQL injection can be used to read usernames, passwords and other credentials and to alter them at the same time. When database security is weak, hackers can discover field names and then use further commands to obtain user details and change product prices, account settings and financial balances. Regardless of the security offered at the login, poor protection of the data itself allows hackers to exploit user data. Access to the database opens up further possibilities: a skilled hacker can trace and map the database structure through carelessly designed error messages, and in the long run use that knowledge to reach additional systems. Modern technology keeps devising new measures to remedy database insecurity and hacking on the internet.
The major credit card companies are working hard to crack down on credit card theft. For instance, EMV technology uses cards containing a microchip in place of the data kept on the magnetic stripe, so that payments can be authorized securely using cryptography. The chip reduces fraud because it holds a cryptographic key that authenticates the card as a valid bank card and produces a one-time code for every transaction. Hackers therefore cannot take stolen account numbers, write them onto the magnetic stripe of a card or program them into a chip card, and use them for illegal purchases at stores or unauthorized ATM withdrawals.
References
Carroll, R., & Prickett, S. (1997). The Bible. Oxford: Oxford University Press.
Klass, R. (2013). Successfully Defending Credit Card Lawsuit. Cork: BookBaby.
Mannino, M. (2015). Database design, application development, and administration. Chicago: Chicago Business Press.
McClure, S., Scambray, J., & Kurtz, G. (1999). Hacking exposed. Berkeley, Calif.: Osborne/McGraw-Hill.
Perry, B. (2009). Ajax Hacks. Sebastopol: O’Reilly Media, Inc.
Rajarajan, M. (2012). Security and privacy in communication networks. Berlin: Springer.
Trotter, F., & Uhlman, D. (2013). Hacking Healthcare. Sebastopol, CA: O’Reilly Media.
The Database Security in a Hacker’s World. (2022, Feb 06). Retrieved from https://essaylab.com/essays/the-database-security-in-a-hackers-world