Database Hacking: Attack Types & Defenses

Instructor: Beth Hendricks

Beth holds a master's degree in integrated marketing communications, and has worked in journalism and marketing throughout her career.

A database is a key tool for businesses that can cause serious headaches if breached. In this lesson, you'll learn more about database-specific attacks and methods of protecting infrastructure from those attacks.


When eBay was first launched in 1995, it transformed not only the way people shopped but also how they got rid of treasures they no longer wanted. Today, eBay has more than 177 million active buyers, which constitutes a pretty sizable database for the auction site. A database is at the heart of a website like eBay's, storing information such as names and addresses in a structured and organized way.

Unfortunately, even the most successful companies are not immune to hacking attempts, which eBay itself experienced in mid-2014. That's when hackers breached eBay's database, compromising the names, addresses and even passwords of 145 million users. Perhaps the worst of the news is that the hackers gained access to the database by using the log-in credentials of several eBay employees and had free rein inside the system for more than seven months before being discovered. Ouch.

There's no denying that a database is a critical piece of infrastructure behind a company's website or application. Imagine if a website like Amazon had its database compromised and millions of shoppers' details were hijacked by cybercriminals. The repercussions - to both consumer and company - could be aggravating at best, devastating at worst.

That's likely one of the reasons that cybercriminals target these treasure troves of information. Let's take a look at some database-specific attacks that can occur and then follow that up with some solutions for companies looking to safeguard their database infrastructure.

Database-Specific Attacks

Attacks on databases can occur with the simplest types of breaches and evolve into more complex encounters.

Password Cracking

It may seem hard to believe, but some databases can be hacked simply by a cybercriminal's lucky guess - or an employee's oversight. Many companies fail to change log-in credentials from the defaults provided by the service provider, which are often readily available through a Google search. Weak employee passwords that are easily guessed or passwords that are not changed frequently can also be exposed by cybercriminals.

Exploiting Software Vulnerabilities

Savvy cybercriminals keep their finger on the pulse of software vulnerabilities (information widely available online) and use these security loopholes as a way into a company's database. This can be easily accomplished by exploiting known software issues or by creating and using malware designed to take advantage of unsecured systems. This can also apply to add-on features of databases that are not being used or have security vulnerabilities of their own.

Privilege Escalation

Giving legitimate users access to more files than necessary can also be of concern. Imagine a low-level corporate employee who was mistakenly granted access to a highly-secured customer database of credit card numbers. Internal attacks or even external attacks waged through that employee's computer can then have far-reaching consequences if an unwarranted level of access is given to an employee who did not need it.

Packet Sniffing

Packet sniffers work by intercepting and reading traffic between two points of connection on a network, such as to and from a database server. That includes - you guessed it - log-in credentials such as user names and passwords. These packet sniffers make it possible for a cybercriminal to grab these credentials and come up with an easy way into the system.

SQL Injection

Although a SQL injection sounds like something you'd get at the doctor's office, it's actually a covert way for cybercriminals to get into a database. It works by inserting SQL query statements into website fields. If the web page passes that input along to the database without checking it, the result is a false request being sent to the database. Once this happens, the cybercriminal is able to run additional queries to manipulate the database and expose its contents.

Protecting Databases

Understanding preventive measures for protecting a database is critical for businesses before an attack happens. Here are a few mitigation tactics to consider.

Strong, Unique Passwords

Perhaps the simplest step in protecting a database is ensuring that not only are default log-in credentials changed but that they are changed to complex passwords that will be difficult for cybercriminals to guess. Better yet, routine, mandatory password changes can further safeguard sensitive data.
