
How did thousands of MongoDB databases get hijacked?

Thousands of MongoDB configurations were hijacked due to poor authentication practices. Expert Nick Lewis explains how organizations can properly configure their implementations.

Researchers found a huge increase in MongoDB databases being hijacked due to poor authentication, escalating from hundreds of attacks to over 28,000. Researchers estimate there are anywhere from 48,000 to 99,000 MongoDB configurations at risk for attack. What was the issue with these MongoDB instances? How can organizations properly configure their databases to protect them from these attacks?

Relational databases have a long history of security risks and challenges, and they have matured to include significant security-related capabilities. There are detailed guides for how to secure these databases, but many are still insecurely configured by default.

Relational databases have received less popular attention because of the cost and complexity involved, as well as the growing development of NoSQL databases.

One of the newer NoSQL databases, MongoDB has been in the news for poor security practices. The default configuration for MongoDB databases is insecure, as no authentication is required to access the database, enabling anyone to establish a connection as a privileged user.

The MongoDB developers made the same mistake the Redis NoSQL database developers made in 2016. Reviewing the Shoulders of Infosec Project may help them learn how security has developed over the last 40 years, and so reduce the chance that they repeat mistakes from 40 years ago, let alone mistakes that similar projects have made.

MongoDB responded to the attacks in a blog post outlining the steps to take during a security incident.

Organizations can minimally secure their MongoDB databases by using the security documentation and checklist. The effectiveness of MongoDB's Security Technical Implementation Guide is limited, as developers need to manually request access to it. The documentation and checklist are very high level and their recommendations must be applied manually, since the default configuration of MongoDB is not something that should be used outside of closed trusted networks. The company even says in a security webinar that it is a dereliction of duty not to use its security checklist.
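As an added illustration (not code from the article or from MongoDB), the Python below audits a `mongod.conf` for the two conditions described above: access control left off and the server listening on every interface. The sample configurations are constructed, the function names are hypothetical, and the parser handles only the nested key/value subset of YAML that `mongod.conf` normally uses.

```python
import ipaddress

# Constructed sample configs for illustration; not taken from the article.
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus one internal address
security:
  authorization: enabled
"""

def flatten(conf_text):
    """Flatten the nested key/value subset of YAML used by mongod.conf into dotted keys."""
    flat, stack = {}, []  # stack holds (indent, key) for each open parent mapping
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            flat[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return flat

def is_wildcard(addr):
    """True for 0.0.0.0 or ::, which make mongod listen on every interface."""
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:  # hostnames such as "localhost" are not wildcards
        return False

def audit(conf_text):
    """Return finding codes; access control counts as off unless explicitly enabled."""
    conf, findings = flatten(conf_text), []
    if conf.get("security.authorization") != "enabled":
        findings.append("AUTH_DISABLED")
    binds = [a.strip() for a in conf.get("net.bindIp", "").split(",")]
    if conf.get("net.bindIpAll") == "true" or any(is_wildcard(a) for a in binds if a):
        findings.append("BIND_ALL_INTERFACES")
    return findings
```

A missing `net.bindIp` is deliberately not flagged, because the default bind address differs between MongoDB versions and has to be checked against the version in use.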

It is unclear why MongoDB databases can be configured so insecurely. It is also unclear how security requirements are included in software development for the MongoDB project. 


This was last published in June 2017
