What Internet vulnerabilities do we face in an environment where there are applications on our Intranet (behind...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
a firewall and IPS)? Most of these applications use Oracle database on the back end.
Before I answer this question, I should clarify a few IT security terms. In IT security, a vulnerability is, according to the National Institute of Standards and Technology (NIST), "a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy." What your Intranet applications face are threats -- unwanted, deliberate or accidental, events that may result in damage -- often caused by exploiting one or more vulnerabilities. That said, if your Intranet is connected to the Internet, you have a right to be concerned about the risks involved with the combination of a threat exploiting a vulnerability to attack your applications.
Unless your network security can maintain confidentiality, integrity and availability, if you have applications that are Internet accessible, your databases are at high risk. Hackers are using application-layer attacks to gain access to networks and databases, often with a privileged system-level account. To mitigate this risk, protect your databases by layering your defenses and use firewalls and routers to segment resources with different security requirements. It is also important to install any security patches or updates that have been released by your application vendors. For example, the Critical Patch Update released by Oracle in January 2005, addressed 23 vulnerabilities ranging from SQL injection to denial-of-service issues.
On the other hand, if your Intranet-based applications are not Internet-accessible, as long as your firewall is configured to prevent Internet access to your Intranet, your risk of attack is greatly reduced. However, don't overlook the fact that people working within your organization have extra knowledge about the databases' structures and your security policy. Their knowledge makes databases and other applications susceptible to an insider attack. For this reason, I recommend reviewing your database security policies. For example, ask yourself the following: "Do I properly enforce segregation of staff duties?" "Do I grant users the lowest level of permissions required to complete their tasks (the least privilege principle)?" If the database contains sensitive information, I would consider encrypting stored data. It adds an important layer of protection -- any user that tries to access the data not only needs the right password, but the encryption key as well. Another advantage of encryption is people who do not have database privileges cannot read your sensitive information. On a final note, I would ensure that you have an auditing strategy to highlight security issues.
- Visit our resource center for news, tips and expert advice on ways to reduce risks posed by application attacks such as cross-site scripting, buffer overflows, botnets and more.
- Attend Web Security School and learn how to harden a Web server and apply countermeasures to prevent hackers from breaking into a network.
Dig Deeper on Web Application Security
Related Q&A from Michael Cobb
A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held ...continue reading
A password-verification flaw in iOS 10 allowed attackers to decrypt local backups. Expert Michael Cobb explains how removing certain security checks ...continue reading
HTTP public key pinning, a security mechanism to prevent fraudulent certificates, was not used by Firefox, and left it open to attack. Expert Michael...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.