Home / Blogs

Do Your Analytics Efforts Expose Your SQL Data Sources to Attacks?

Structured Query Language (SQL) continues to be quite relevant today. Many organizations still use SQL database systems, and it still ranks as the top in-demand language in tech job postings — even in 2020. Companies are also increasing their analytics and business intelligence efforts, where SQL skills come in as quite handy. SQL queries allow you to pull key information from databases quickly. For example, you can find out the average volume of transactions per month on your eCommerce channel by executing an SQL query to find the median in your sales table. You can even perform revenue projections by using more advanced queries across your historical data.

These days, however, knowing how to use queries is only one part of proper database use and management. Considering the current cybersecurity landscape, SQL users also need to know how to work with data securely. Opening up SQL servers and databases for analytics can introduce certain risks. Lax access management and security practices can make these data sources vulnerable to internal incidents and external hacks.

As such, it's essential to ensure that your data and analytics efforts abide by best practices for security, helping to prevent issues from arising over time.

Security Risks in Data Efforts

Analytics activity, just like anything involving data and computers, entails risks. For instance, you may want to put up a dashboard that visualizes your live business data. These are quite handy when it comes to providing stakeholders with real-time information on key performance indicators. To do this, you would have to tap into data sources such as SQL databases on production servers. Plenty can go wrong when allowing users or applications access to live data. If you inadvertently give someone administrator-level access to the data and that person happens to make a mistake when querying the data, the information can be altered or deleted, compromising your system's overall integrity.

Your data team can also contribute to your exposure. Anyone may fall victim to phishing attacks and leak sensitive information. Disgruntled staff can also exploit their access to information and steal or destroy the data.

There's also the problem of external threats. Hackers are actively probing networks for databases that they can attack. Most enterprise systems contain sensitive personal and financial information that they could sell or use for future attacks. Hackers have access to methods and tools specifically designed to compromise SQL systems. They can perform credential-based attacks by using stolen usernames and passwords or exploit weak credentials to log in to databases. Gaining control of administrator accounts permits them to do basically just anything with the entire database. They can also use SQL injection techniques. Certain vulnerabilities in web apps can allow them to run SQL queries through form fields or even URL bars in order to retrieve or manipulate data. Data can also be compromised through the third-party tools and services that you use in your business intelligence initiatives. If you are using an analytics platform with access to these data sources, hackers can target these platforms and gain control over much more than just your SQL database.

Ways to Secure SQL Data Sources

Fortunately, there are ways to make sure you keep your data sources secure while working on your analytics efforts. Key to this is drawing up clear measures on who gets access to data, how they can access it, and what they can do with it. This may involve:

  • Abiding by best SQL practices. SQL practitioners can use parameterized queries and stored procedures to prevent SQL injection attacks. Both techniques can limit the ways input can trigger functions, thus preventing malicious user input from making changes to the database. Developers can also employ input or form validation to prevent SQL queries from being executed through the front end of the web app.
  • Managing access properly. It's also important to manage your data team's access to the database. You can provision distinct user accounts that are assigned "least privilege." Users are only given permissions essential to the work they need to do. For instance, if all they need to have is visibility to the database values, then you can simply provide them with read-only user credentials. Requiring strong and unique passwords is also a must.
  • Anonymizing data. Since data privacy is mandated by law today, you may want to ensure that all sensitive information stored in your databases is kept secure. Your data teams may not have to know your customers' identifiable information, so you have the option to anonymize data before giving your team access. There are various methods to do this including encrypting or masking the data.
  • Securing your infrastructure. You should also consider your network's security. For instance, it's advisable to keep your SQL servers and instances isolated from other applications. You can also have web application firewalls and breach prevention services guard your SQL servers and the web apps that connect to them. Recently, Microsoft SQL servers were reported to be targeted by the KingMiner botnet in a campaign that aims to install cryptocurrency miners on these servers. Having security measures in place prevents malicious traffic from interacting with these critical components.
  • Backing up your data. It's also important to have backup processes in place. It isn't rare for anyone who has access to the database to mess it up in some form. Some resort to taking daily or hourly snapshots of their database. Those that deal with high-volume and critical transactions may use server mirroring to achieve real-time back up of their data virtually.
  • Keeping components updated. SQL Server software does get periodic updates to address vulnerabilities, bugs, and performance issues that may be discovered over time. Keeping your servers updated can minimize your exposure to potential exploits. Check security advisories from your analytics platforms and their flaws, which may become the weak links to your security.

Better Safe Than Sorry

SQL databases should serve as a gold mine for your data efforts, but keep in mind that tapping into them carries certain risks. It's crucial to plan a comprehensive strategy on how your efforts will tap into and use your SQL databases. Having measures in place that ensure their security as data sources before embarking on your projects would help mitigate security issues that may prove disastrous to your organization.

By Evan Morris, Network Security Manager

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

 Be the first to post a comment!

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

Cybercrime

Sponsored byThreat Intelligence Platform

DNS Security

Sponsored byAfilias

Whois

Sponsored byWhoisXML API

New TLDs

Sponsored byAfilias

Brand Protection

Sponsored byAppdetex

IP Addressing

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign