One of our main lines of business at DBAces is security, and database security in particular. Beyond that, security is a fascinating topic and I love it, so I decided to start a series of posts about security in general (as an overview) and database security specifically.
This is the first part, and it is an introduction to security in general. I'll cover some basic terms here so I won't need to explain them in the next posts. If you are already familiar with security, you will probably not find anything new.
When we think of security, we usually think of evil hackers trying to get into our systems, but that is only part of it. Today we use security as a general term for protecting an environment from unwanted actions. The threat can come from outside the organization or from inside it, and it can be an action that happens by accident rather than on purpose.
Security is not simple: it involves many components, terms and technologies. Finding a way into a system is not simple either; attackers need to be creative and find the small, unique paths that nobody thought of before (I have several nice examples that I will explain in the next posts). But the concept is important: we need to understand why we need security and how to do our best to protect our systems.
As I said, this is only an introduction. Because security is a whole world by itself, it has many terms, so let's go over the important and relevant ones.
Vulnerability – a weakness in a system that an attacker can exploit, for example a missing input check, a misconfiguration or a default password.
Zero Day – a vulnerability that is being exploited before the vendor knows about it, so no patch exists yet (the vendor has had "zero days" to fix it).
Attack Surface – the sum of all the points at which an attacker can try to get into a system or get data out of it: network services, APIs, user input fields, file uploads and so on. The smaller the attack surface, the less there is to defend.
This is a very partial list of techniques used to break into a system or bring it down. I will give examples of some of these in the next posts.
Buffer Overrun (Overflow) – the program copies input into a fixed-size buffer without checking the input's length, so the attacker can send more data than the buffer holds and overwrite whatever sits next to it in memory. On the stack that can be the saved return address, which lets the attacker redirect execution to code they supplied; in other cases it is an adjacent variable, such as an "is admin" flag. The root cause is the same either way: the code assumes a maximum length but never enforces it.
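As an added example (not code from the original post), here is the buffer overrun idea shown in Python with ctypes, which lays out a C-style record exactly as a C compiler would: an 8-byte name buffer immediately followed by a privilege flag. The record, the field names and the login function are constructed for the demo. The unchecked copy writes however many bytes it is given, so a name longer than 8 bytes spills into the flag; the checked copy enforces the declared size. The payload is sized to the struct so the overflow corrupts only the adjacent field and nothing outside the object.

```python
import ctypes
import sys

USERNAME_SIZE = 8  # the buffer was declared with this size; the bug is not enforcing it

# Constructed example: a record with a fixed-size buffer followed by a flag,
# like "struct { char username[8]; uint32_t is_admin; }" in C.
class Session(ctypes.Structure):
    _fields_ = [
        ("username", ctypes.c_char * USERNAME_SIZE),  # bytes 0..7
        ("is_admin", ctypes.c_uint32),                # bytes 8..11, right after the buffer
    ]

# Sanity check of the layout the demo relies on: no padding between the fields.
assert Session.is_admin.offset == USERNAME_SIZE


def copy_unchecked(session: Session, data: bytes) -> None:
    """Mimics strcpy/memcpy driven by the input's length: no comparison against the
    8-byte buffer, so bytes beyond the eighth land on is_admin."""
    dst = ctypes.addressof(session) + Session.username.offset
    ctypes.memmove(dst, data, len(data))


def copy_checked(session: Session, data: bytes) -> None:
    """The fix: enforce the size the buffer was declared with."""
    if len(data) > USERNAME_SIZE:
        raise ValueError(f"username longer than {USERNAME_SIZE} bytes")
    dst = ctypes.addressof(session) + Session.username.offset
    ctypes.memmove(dst, data, len(data))


def login(name: bytes, checked: bool) -> bool:
    """Create a non-admin session, copy the supplied name into it, and report
    whether the session ended up with admin rights."""
    # Demo guard only: keep the write inside the struct so the overflow hits the
    # adjacent field and not memory outside the object (a real overflow is not so polite).
    if len(name) > ctypes.sizeof(Session):
        raise ValueError("demo payload must not exceed the struct")
    session = Session()
    session.is_admin = 0
    (copy_checked if checked else copy_unchecked)(session, name)
    return bool(session.is_admin)


# 8 bytes fill the buffer, the next 4 bytes overwrite is_admin with the value 1.
PAYLOAD = b"A" * USERNAME_SIZE + (1).to_bytes(4, sys.byteorder)

if __name__ == "__main__":
    print("normal name, unchecked copy   :", login(b"alice", checked=False))
    print("overflow payload, unchecked   :", login(PAYLOAD, checked=False))
    try:
        login(PAYLOAD, checked=True)
    except ValueError as err:
        print("overflow payload, checked copy: rejected,", err)
```

The same bug in C, with the buffer on the stack, lets the extra bytes reach the saved return address instead of a flag; the demonstration here stops at data corruption because Python cannot safely show control-flow hijacking.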
Injection – the attacker supplies input that the system later interprets as code (HTML, SQL, operating system commands, etc.). It sounds similar to a buffer overrun but it is different: no memory is corrupted, the application simply mixes untrusted data into something it later executes. A simple example is writing a script tag in a comment on a blog; if the site echoes the comment into the page without escaping it, every browser that displays the comment runs the script. The SQL version is building a query by concatenating user input into the query text, so the input can change the query's logic.
Flood – exhausting a computer's resources, usually in order to take it offline. The simplest example is sending a server so much traffic that its bandwidth to the internet is saturated and it practically cannot communicate with the world. Other floods exhaust CPU, memory, connection tables or disk instead of bandwidth.
Brute Force – when cracking passwords or encryption keys, brute force means trying every possible option until you hit the correct one. It only works when the space of options is small enough to enumerate, which is why password length, character variety and deliberately slow password hashing matter, and why systems limit the rate of login attempts.
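An added example (not from the original post) of the brute-force idea in Python: enumerate every candidate over an alphabet, shortest first, until one hashes to the stolen hash. It also shows the two things that decide whether the attack is feasible: the size of the space (`keyspace_size`) and the cost of each guess. The target hashes, the alphabet and the salt are constructed for the demo; `pbkdf2_hex` stands in for the kind of slow, salted password hash a database should store instead of a plain SHA-256.

```python
import hashlib
import itertools
import string
import time

LOWER = string.ascii_lowercase


def sha256_hex(password: str) -> str:
    """A fast hash: fine for integrity, a poor choice for storing passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes = b"constructed-salt",
               iterations: int = 100_000) -> str:
    """A password hash with a work factor: every guess costs 100k HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def keyspace_size(alphabet: str, max_len: int) -> int:
    """Number of candidates of length 1..max_len over the alphabet."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


def brute_force(target_hex: str, alphabet: str, max_len: int, hash_fn=sha256_hex):
    """Try every candidate, shortest first, until one hashes to the target.
    Returns (password, guesses) or (None, guesses) if the space is exhausted."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if hash_fn(candidate) == target_hex:
                return candidate, guesses
    return None, guesses


def seconds_per_guess(hash_fn, samples: int = 5) -> float:
    """Rough cost of one guess with the given hash, measured on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}")
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Attack side: a leaked SHA-256 of a short lowercase password falls quickly.
    found, guesses = brute_force(sha256_hex("cat"), LOWER, max_len=3)
    print(f"cracked {found!r} after {guesses} guesses "
          f"(space of {keyspace_size(LOWER, 3)} candidates)")

    # Why length and alphabet matter: the space grows exponentially.
    mixed = LOWER + string.ascii_uppercase + string.digits
    print("8 chars, letters+digits:", f"{keyspace_size(mixed, 8):,} candidates")

    # Why the hash matters: the same attacker pays far more per guess against a KDF.
    fast, slow = seconds_per_guess(sha256_hex), seconds_per_guess(pbkdf2_hex)
    print(f"cost per guess: sha256 {fast:.2e}s, pbkdf2 {slow:.2e}s "
          f"(~{slow / fast:,.0f}x slower)")
```

The algorithm is the same against either hash; what changes is that a space which takes seconds with SHA-256 takes the same attacker days or years with a properly tuned key-derivation function, and a lockout or rate limit removes the online version of the attack entirely.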
Social Engineering – using the human factor as the way into the system. An example is someone calling us from "tech support" and asking for our password in order to "solve some issue".
These are some of the goals people try to achieve when attacking a system:
Remote Code Execution – running code of the attacker's choice on the target system without authorization, for example to install malicious software on it.
Privilege Escalation – someone who has legitimate but limited access to a system (a weak user) increases their privileges to those of a more powerful user or a superuser.
Man In The Middle – placing the attacker between the two ends of a communication so they can read or modify it. For example, making all the traffic between a user and the bank's website pass through the attacker's computer.
Malware – malicious software. It can do anything from collecting passwords to changing or stealing data, and more.
Denial of Service (DoS and DDoS) – the attack target is taken down or made unavailable to its users. Distributed Denial of Service (DDoS) means the attack comes from many sources at once. It can be done with a flood, by crashing a component, or in any other way.
What Can We Do?
That's a complex issue and I'll address it in this series of posts. In any case, our security can be divided into three layers:
- Prevent the attack
- If an attack does happen, limit the damage it can do
- If an attack does happen, be able to detect it and trace it
I will discuss what we can do in each layer in one of the next posts.
This is the end of part 1 and the general introduction. In the next part I will start discussing database security specifically. See you soon.