We regularly hear about
cyberattacks involving brute-forcing secure logins or exploiting
software flaws, but there’s a new segment of the cybercriminal economy
that’s growing fast: attackers who target companies that have
unintentionally left data out in the open via misconfigured DBs. [Bressers (2021)]
But why not just leave DBs to DB Administrators (DBAs)?
At one level, having at least a grasp of the principles of DB
management system (DBMS) security is as important to security
professionals as having a grasp of programming principles or of
telecommunications principles. We need to be able to speak a common
language with our colleagues as we discuss information assurance (IA).
At another level, understanding how DBs are designed and
implemented speaks to our need as security professionals for a
supportive relationship with our users, because data requirements and
data relationships are at the heart of security requirements. As I’m sure
you’ve heard many times, it’s the rare organization where security is
the driving force; we serve the strategic goals of the organization, and
that means we need to understand its data requirements. At a third level,
there are security implications in how programs and data structures
work; understanding how DBs work gives us insight into why user
interfaces behave as they do and, even more important for security
personnel, how systems can fail or be abused.
On a practical level, you may yourself need to create a DB or
participate in reviewing the security requirements for one, and a
solid grasp of the principles will help you assimilate the details of
any specific points you need to learn.