As developers, we see a lot of data passing through our hands – according to multiple sources on the web (Statista and others), the total amount of data on the web is counted in tens of zettabytes – one zettabyte is a thousand petabytes (PB), and 1 petabyte amounts to a 1000 terabytes (TB.)
Some of the data is data we presently work with, while some of the data amounts to our older projects – projects we have most likely reworked, buried, learned from, and projects that never saw the light of day. All of that data is very important – partly because we‘ve learned how to build more powerful applications, but it‘s also very valuable for an attacker that‘s interested in stealing everything we‘ve worked so hard for. In this blog, we will take you through the darker alley of your data – from an attacker‘s perspective.
What‘s Important For the Attacker?
No matter what kind of project you find yourself working on, always keep in mind that attackers are after a couple of things:
All attackers are interested in the data that the company owns, as well as the data that has been „left behind“, so to speak. That‘s why we should always strive not only to protect our application but protect our database from upcoming threats as well.
What‘s Important for Us?
Just as there are things that are vital for an attacker to focus on, there are things developers and data analysts should focus on as well. Some of the things we should focus on should obviously include the security of our application and databases, not storing unnecessary data inside of the databases, and, if deemed necessary, taking care of certifying the application with ISO 27001, HIPAA, or other certificates, depending on the industry that the product is operating in.
However, as time goes on we will probably notice that some things are of more importance than others – one of the most crucial things for us to focus on would be databases and the data within them.
The Data Left Behind in Your Databases
There‘s a good reason security and privacy experts advise us to follow security regulations like GDPR, ISO 27001 and the like – such security regulations put stringent requirements on how should a company deal with data and secure it and some of the regulations (especially GDPR) are especially strict about storing unnecessary data - the more unnecessary data we leave behind unattended, the easier it is for an attacker to cause harm to our systems.
There’s no need to worry, though - a little bit of knowledge about application security and knowing your way around SQL clients will come a long way. Proper SQL clients come with the following features to help us deal with data:
SQL clients provide us with everything necessary to ensure the availability, security, and performance of our database instances – no matter what kind of DBMS we‘re running, a good SQL client supports them all and then some. All good SQL clients will provide us with the ability to view the data types specific to our tables, and some will even let us edit the data within our tables like a spreadsheet.
We should be very careful with data, though – while on one front it can be useful for certain operations, we can rest assured that any data left behind in a database can be re-used to target another application once a data breach occurs. That‘s why unattended data left behind serves another purpose for an attacker – the more such data a company possesses, the bigger the possibility of a successful credential-stuffing attack.
Credential stuffing attacks are often a direct result of attackers abusing the data stolen from other systems – it‘s an attack where credentials stolen from one service are used to access another, often unrelated, service as well.
To avoid such attacks, make sure that an application you‘re working with follows stringent security standards, and if you find yourself using SQL clients like DbVisualizer, keep an eye out for their ability to provide you with other things that help you identify possible indicators of compromise or prevent a compromise from occurring altogether. These things might contain one or more of the following:
If a certain type of query is set to „Ask“ or „Confirm“, DbVisualizer will ask for confirmation in the environment that was defined:
Combining these three options will help you defend from potential credential stuffing attacks – of course, simply using a SQL client will not cut the chase, so additionally, please make sure that your web application follows all of the necessary web security standards (GDPR, ISO 27001, HIPAA if the company you work at is in the healthcare business, etc.) and you should be good to go.
We hope that you‘ve learned something useful from this blog and that you will come back to the blog of DbVisualizer, and until next time!