The MJD electronics board has inquired into database security and would like to have more information on what would be the best methods for the company to implement. As the chief security and compliance officer, I have investigated several different threats and in the following I will explain these threats and what can be done to prevent them.
SQL Injection Attacks
SQL injection is an attack on databases carried out through websites. It works by inserting malicious code that is then passed into an instance of SQL Server for execution. The injection follows the path of user input to reach the system through loopholes that developers have inadvertently left in the input validation areas of the database. SQL injection takes advantage of the lack of checks or validation and passes its commands to the database.
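An added example, not taken from the report or its sources, showing the mechanism described above and the fix: the same customer lookup built by pasting user input into the SQL text (vulnerable) and written with a bound parameter, plus an allowlist check of the kind of prior validation recommended in the next paragraph. The customers table and the name policy are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data (not from the report): an in-memory customers table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # Vulnerable: the user-supplied value is pasted straight into the SQL text,
    # so a quote character in the input becomes part of the statement.
    sql = "SELECT id, name FROM customers WHERE name = '%s' ORDER BY id" % name
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Hardened: the driver binds the value separately from the SQL text,
    # so the input is only ever treated as data, never as syntax.
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ? ORDER BY id", (name,)
    ).fetchall()

# Allowlist check, the prior validation the report calls for, as a second
# layer on top of parameterization. Hypothetical policy: a customer name is
# 1 to 32 letters, digits or underscores, so quotes and spaces are rejected.
NAME_PATTERN = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_valid_name(name):
    return NAME_PATTERN.fullmatch(name) is not None

def demo():
    conn = make_db()
    payload = "' OR '1'='1"  # textbook tautology input: closes the quote, adds OR
    return {
        "vulnerable": lookup_vulnerable(conn, payload),      # every row leaks
        "parameterized": lookup_parameterized(conn, payload),  # no match
        "validator_rejects": not is_valid_name(payload),     # blocked up front
    }

if __name__ == "__main__":
    print(demo())
```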
A SQL injection attack is a very serious threat because it gives the attacker access to an application's data. The attacker is then able to read the private data in the database and manipulate or even delete the entire database, causing the application to stop working and a loss of trust and revenue from our customers. The best way for a company to protect itself from this type of attack is to implement validation checks in its databases. When a user submits information, it should not be run without a prior validation check in place to prevent malicious code from being entered (Ganapathy, 2012). The validation needs to check for all SQL keywords such as SELECT or WHERE. Database permissions also need to be established for all users.
XPath Injection
XPath injection is an attack that navigates through the structure of an XML document. XPath was designed as a tool for addressing different parts of an XML document, while also providing functionality to manipulate data strings. It uses non-XML syntax so that it can be embedded within URIs and XML attribute values (Dwibedi, 2005). The attack works by exploiting queries built from user input in order to query XML documents. It is similar to SQL injection in that if the database uses customer/user queries without validation in place, the risk of XPath injection attacks increases. Accordingly, the same preventative measures used against SQL injection should be in place to prevent XPath injection.
Database Hardening
Database hardening is not an attack but a term for the configuration steps taken to protect the database server. When deploying a database server it is necessary to configure the server to be as secure as possible (dbGreenSQL, n.d.). In order to configure the database server securely, the following guidelines should be followed:
- Keep the server up to date and running on the latest generation
- Do not use any default settings; always change the default username and password
- Keep a separate server for sensitive information/databases
- Reduce access levels to a minimum, granting access only according to job function
- Review the logging system in order to discover intrusions before they become a problem
References
Ganapathy, L. (2012). How to Prevent SQL Injection Attack. Retrieved from http://www.thegeekstuff.com/2012/02/sql-injection-attacks/
Dwibedi, R. (2005). XPath Injection in XML Databases. Retrieved from
dbGreenSQL (n.d.). MySQL Security Best Practices (Hardening MySQL Tips). Retrieved from