Misconfigured or unsecured databases exposed on the open web are a fact of life. We hear about some of them because security researchers tell us how they discovered them, pinpointed their owners and alerted them, but many others are found by attackers first.
Azure SQL Database is the right solution for cloud-designed applications when developer productivity and fast time-to-market for new solutions are critical. With programmatic DBA-like functionality, it is perfect for cloud architects and developers as it lowers the need for managing the underlying operating system and database.
Database, any collection of data, or information, that is specially organized for rapid search and retrieval by a computer. Databases are structured to facilitate the storage, retrieval, modification, and deletion of data in conjunction with various data-processing operations. A database (DB), in the most general sense, is an organized collection of data. More specifically, a database is an electronic system that allows data to be easily accessed, manipulated and updated. In other words, a database is used by an organization as a method of storing, managing and retrieving information. A database is a set of data stored in a computer. This data is usually structured in a way that makes the data easily accessible. What is a Relational Database? A relational database is a type of database. It uses a structure that allows us to identify and access data in relation to another piece of data in the database. Often, data in a.
It used to take months to scan the Internet looking for open systems, but attackers now have access to free and easy-to-use scanning tools that can find them in less than an hour.
“As one honeypot experiment showed, open databases are targeted hundreds of times within a few hours,” Josh Bressers, product security lead at Elastic, told Help Net Security.
“There’s no way to leave unsecured data online without opening the data up to attack. This is why it’s crucial to always enable security and authentication features when setting up databases, so that your organization avoids this risk altogether.”
What do attackers do with exposed databases?
Bressers has been involved in the security of products and projects – especially open-source – for a very long time. In the past two decades, he created the product security division at Progeny Linux Systems and worked as a manager of the Red Hat product security team and headed the security strategy in Red Hat’s Platform Business Unit.
He now manages bug bounties, penetration testing and security vulnerability programs for Elastic’s products, as well as the company’s efforts to improve application security, add new and improve existing security features as needed or requested by customers.
The problem with exposed Elasticsearch (MariaDB, MongoDB, etc.) databases, he says, is that they are often left unsecured by developers by mistake and companies don’t discover the exposure quickly.
“The scanning tools do most of the work, so it’s up to the attacker to decide if the database has any data worth stealing,” he noted, and pointed out that this isn’t hacking, exactly – it’s mining of open services.
Attackers can quickly exfiltrate the accessible data, hold it for ransom, sell it to the highest bidder, modify it or simply delete it all.
“Sometimes there’s no clear advantage or motive. For example, this summer saw a string of cyberattacks called the Meow Bot attacks that have affected at least 25,000 databases so far. The attacker replaced the contents of every afflicted database with the word ‘meow’ but has not been identified or revealed anything behind the purpose of the attack,” he explained.
Advice for organizations that use clustered databases
Open-source database platforms such as Elasticsearch have built-in security to prevent attacks of this nature, but developers often disable those features in haste or due to a lack of understanding that their actions can put customer data at risk, Bressers says.
“The most important thing to keep in mind when trying to secure data is having a clear understanding of what you are securing and what it means to your organization. How sensitive is the data? What level of security needs to be applied? Who should have access?” he explained.
“Sometimes working with a partner who is an expert at running a modern database is a more secure alternative than doing it yourself. Sometimes it’s not. Modern data management is a new problem for many organizations; make sure your people understand the opportunities and challenges. And most importantly, make sure they have the tools and training.”
Secondly, he says, companies should set up external scanning systems that continuously check for exposed databases.
“These may be the same tools used by attackers, but they immediately notify security teams when a developer has mistakenly left sensitive data unlocked. For example, a free scanner is available from Shadowserver.”
Elastic offers information and documentation on how to enable the security features of Elasticsearch databases and prevent exposure, he adds and points out that security is enabled by default in their Elasticsearch Service on Elastic Cloud and cannot be disabled.
Defense in depth
No organization will ever be 100% safe, but steps can be taken to decrease a company’s attack surface. “Defense in depth” is the name of the game, Bressers says, and in this case, it should include the following security layers:
- Discovery of data exposure (using the previously mentioned external scanning systems)
- Strong authentication (SSO or usernames/passwords)
- Prioritization of data access (e.g., HR may only need access to employee information and the accounting department may only need access to budget and tax data)
- Deployment of monitoring infrastructures and automated solutions that can quickly identify potential problems before they become emergencies, isolate infected databases, and flag to support and IT teams for next steps
He also advises organizations that don’t have the internal expertise to set security configurations and managing a clustered database to hire of service providers that can handle data management and have a strong security portfolio, and to always have a mitigation plan in place and rehearse it with their IT and security teams so that when something does happen, they can execute a swift and intentional response.
Database information is seldom provided in reference list entries. The reference provides readers with the details they will need to perform a search themselves if they want to read the work—in most cases, writers do not need to explain the path they personally used.
Database information in references is covered in Section 9.30 of the APA Publication Manual, Seventh Edition
Think of it this way: When you buy a book at a bookstore or order a copy off the internet, you do not write the name of the (online) bookstore in the reference. And when you go to the library and get a book off the shelf, you do not write the name of the library in the reference. It is understood that readers will go to their bookstore or library of choice to find it.
The same is true for database information in references. Most periodicals and books are available through a variety of databases or platforms as well as in print. Different readers will have different methods or points of access, such as university library subscriptions. Most of the time, it does not matter what database you used, so it is not necessary to provide database information in references.
However, there are a few cases when it is necessary for readers to retrieve the cited work from a particular database or archive, either because the database publishes original, proprietary content or because the work is of limited circulation. This page explains how to write references for works from academic research databases and how to provide database information in references when it is necessary to do so.
Works From Academic Research Databases
Do not include database information for works obtained from most academic research databases or platforms because works in these resources are widely available. This includes journal articles, books, and book chapters from academic research databases.
- Examples of academic research databases and platforms include APA PsycNET, PsycINFO, Academic Search Complete, CINAHL, Ebook Central, EBSCOhost, Google Scholar, JSTOR (excluding its primary sources collection because these are works of limited distribution), MEDLINE, Nexis Uni, Ovid, ProQuest (excluding its dissertations and theses databases because dissertations and theses are works of limited circulation), PubMed Central (excluding authors’ final peer-reviewed manuscripts because these are works of limited circulation), ScienceDirect, Scopus, and Web of Science.
- When citing a work from one of these databases or platforms, do not include the database or platform name in the reference list entry unless the work falls under one of the exceptions described next (databases with original, proprietary content and works of limited circulation).
- Likewise, do not include URLs from these academic research databases in reference list entries because these URLs will not resolve for readers.
- Instead of a database URL, include a DOI if the work has one. If a widely available work (e.g., journal article, book, book chapter) from an academic research database does not have a DOI, treat the work as a print version. See the guidelines for how to include DOIs and URLs in references for more information.
The following example shows how to create a reference list entry for a journal article with a DOI from an academic research database. Flux 4 1 30 – advanced web design tool.
Hallion, M., Taylor, A., Roberts, R., & Ashe, M. (2019). Exploring the association between physical activity participation and self-compassion in middle-aged adults. Sport, Exercise, and Performance Psychology, 8(3), 305–316. https://doi.org/10.1037/spy0000150
- Parenthetical citation: (Hallion et al., 2019)
- Narrative citation: Hallion et al. (2019)
If the article did not have a DOI, the reference would simply end after the page range, the same as the reference for a print work.
Databases With Original, Proprietary Content
Provide the name of the database or archive when it publishes original, proprietary works available only in that database or archive (e.g., UpToDate or the Cochrane Database of Systematic Reviews). Readers must retrieve the cited work from that exact database or archive, so include information about the database or archive in the reference list entry.
References for works from proprietary databases are similar to journal article references. The name of the database or archive is written in italic title case in the source element, the same as a periodical title, and followed by a period. After the database or archive information, also provide the DOI or URL of the work. If the URL is session-specific (meaning it will not resolve for readers), provide the URL of the database home page or login page instead.
The following example shows how to create a reference list entry for an article from the UpToDate database:
Stein, M. B., & Taylor, C. T. (2019). Approach to treating social anxiety disorder in adults. UpToDate. Retrieved September 13, 2019, from https://www.uptodate.com/contents/approach-to-treating-social-anxiety-disorder-in-adults
- Parenthetical citation: (Stein & Taylor, 2019)
- Narrative citation: Stein and Taylor (2019)
Works of Limited Circulation
Provide the name of the database or archive for works of limited circulation, such as dissertations and theses, manuscripts posted in a preprint archive, and monographs in ERIC. The database may also contain works of wide circulation, such as journal articles—only the works of limited circulation need database information in the reference.
References for works of limited circulation from databases or archives are similar to report references. The name of the database or archive is provided in the source element (in title case without italics), the same as a publisher name, and followed by a period. After the database or archive information, also provide the DOI or URL of the work. If the URL is session-specific (meaning it will not resolve for readers), provide the URL of the database home page or login page instead.
The following are examples of works of limited circulation from databases or archives (for additional examples, see Section 9.30 of the Publication Manual):
- dissertations and theses published in ProQuest Dissertations and Theses Global
Risto, A. (2014). The impact of social media and texting on students’ academic writing skills (Publication No. 3683242) [Doctoral dissertation, Tennessee State University]. ProQuest Dissertations and Theses Global.
- Parenthetical citation: (Risto, 2014)
- Narrative citation: Risto (2014)
- manuscripts posted in a preprint archive such as PsyArXiv
Inbar, Y., & Evers, E. R. K. (2019). Worse is bad: Divergent inferences from logically equivalent comparisons. PsyArXiv. https://doi.org/10.31234/osf.io/ueymx
- Parenthetical citation: (Inbar & Evers, 2014)
- Narrative citation: Inbar and Evers (2014)
Database Is Locked
- monographs published in ERIC
Riegelman, R. K., & Albertine, S. (2008). Recommendations for undergraduate public health education (ED504790). ERIC. https://files.eric.ed.gov/fulltext/ED504790.pdf
- Parenthetical citation: (Riegelman & Albertine, 2008)
- Narrative citation: Riegelman and Albertine (2008)
Database Isam
If you are in doubt as to whether to include database information in a reference, refer to the template for the reference type in question (see Chapter 10 of the Publication Manual).