What Internet vulnerabilities do we face in an environment where there are applications on our Intranet (behind a firewall and IPS)? Most of these applications use Oracle database on the back end.
Before I answer this question, I should clarify a few IT security terms. In IT security, a vulnerability is, according to the National Institute of Standards and Technology (NIST), "a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy." What your Intranet applications face are threats -- unwanted, deliberate or accidental, events that may result in damage -- often caused by exploiting one or more vulnerabilities. That said, if your Intranet is connected to the Internet, you have a right to be concerned about the risks involved with the combination of a threat exploiting a vulnerability to attack your applications.
Unless your network security can maintain confidentiality, integrity and availability, if you have applications that are Internet accessible, your databases are at high risk. Hackers are using application-layer attacks to gain access to networks and databases, often with a privileged system-level account. To mitigate this risk, protect your databases by layering your defenses and use firewalls and routers to segment resources with different security requirements. It is also important to install any security patches or updates that have been released by your application vendors. For example, the Critical Patch Update released by Oracle in January 2005, addressed 23 vulnerabilities ranging from SQL injection to denial-of-service issues.
On the other hand, if your Intranet-based applications are not Internet-accessible, as long as your firewall is configured to prevent Internet access to your Intranet, your risk of attack is greatly reduced. However, don't overlook the fact that people working within your organization have extra knowledge about the databases' structures and your security policy. Their knowledge makes databases and other applications susceptible to an insider attack. For this reason, I recommend reviewing your database security policies. For example, ask yourself the following: "Do I properly enforce segregation of staff duties?" "Do I grant users the lowest level of permissions required to complete their tasks (the least privilege principle)?" If the database contains sensitive information, I would consider encrypting stored data. It adds an important layer of protection -- any user that tries to access the data not only needs the right password, but the encryption key as well. Another advantage of encryption is people who do not have database privileges cannot read your sensitive information. On a final note, I would ensure that you have an auditing strategy to highlight security issues.
- Visit our resource center for news, tips and expert advice on ways to reduce risks posed by application attacks such as cross-site scripting, buffer overflows, botnets and more.
- Attend Web Security School and learn how to harden a Web server and apply countermeasures to prevent hackers from breaking into a network.
Dig Deeper on Web Application Security
Related Q&A from Michael Cobb
A new programming language called Wyvern is helping developers use multiple languages in one app securely. Application security expert Michael Cobb ...continue reading
Gartner predicts more than half of all mobile apps will use HTML5 by 2016, but what threats will this cause the enterprise? Expert Michael Cobb ...continue reading
Public key pinning aims to reduce the lack of trust associated with digital certificates and certificate authorities. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.