Security is always a potential concern when it comes to information systems. Security falls under confidentiality, integrity, and availability. One approach with information systems security is to create systems such as honeypots that are used to help mislead intruders about certain resources being available. While the intruders are focused on those systems, this can give the organization enough time to react to protect the actual systems. With confidentiality, this focuses around ensuring that the data is protected against unauthorized access. This measure focuses on safeguarding data against any disclosure of private information. Many organizations have to follow various laws and guidelines depending on the types of regulation organizations like the Health Insurance Portability and Accountability Act (HIPAA) for medical purposes or the Sarbanes-Oxley Act (SOX) as examples. As such, the data that’s stored within the databases need to be classified whether it’s highly restricted where very few individuals would have access (credit card information as an example), confidential where certain groups would have information (pay information for employees as an example) or unrestricted where anyone can have access. Availability focuses on the accessibility of the data when authorized users wanted access to the data.
Integrity on the other hand focuses on ensuring that the data is consistent and free from errors. The database itself plays one of the key roles for this as we have already seen in prior tutorials. This also includes the importance of encryption on the underlying data. Through encryption, the underlying data is taken and scrambled using a key to a format that it cannot be read as is. There are many forms of encryption with various algorithms. For weaker encryption, you may see tools being used that try to decrypt the data by brute force which is basically trying to guess what the decryption key is.
With applications, security vulnerabilities can occur in many different factors. There may be bugs within the application that connects to the database that individuals can take advantage of. When code is poorly developed or focused purely on functionality and not security, there may be issues that occur. One example could be session hijacking where an individual could take over a web session from another individual. As such, they would be able to get access to certain personal information from another user that they may not have been able to access otherwise.
SQL injections are one of the most commonly used web hacking techniques with applications. It is a method that can damage your database or provide complete access to the database if things are not well protected. SQL injection typically works by attempting to add malicious code into SQL statements through the use of web page input.
This can occur if the page asks for input like a userid and concatenates the input to the SQL string. For example from a program, we may have something that looks like:
myinput = readFromInput(“userid”);
mysql = “SELECT * FROM users where user_id =” + myinput;
If the user enters in 5 for the userid, this would create a SQL statement like:
WHERE user_id = 5;
That would be the expected result. However, if the “hacker” entered in “5 or 1=1”, the following SQL statement would look like:
WHERE user_id = 5 or 1=1;
In we look at the statement, the 1=1 will always return true which means that the query would return every single row within the table. Imagine if the table had the usernames, passwords, and other user information. All of that would now be compromised in this successful SQL injection as this statement would not return any errors but instead the intended data.
Or perhaps the input could look like this “5; DROP TABLE customer;”. The resulting query would look like this:
WHERE user_id = 5; DROP TABLE customer;
This could potentially also end up dropping the table customer which is quite problematic.
Different databases will handle the SQL injection issues slightly differently but what is important is that the application ensures that the input data has been validated first before it then sends the query to the database to avoid these types of scenarios. We also want to filter out input data to avoid the user bypassing our validation. In many applications, the use of SQL parameters can help where the data being passed in is verified and treated as if it were an actual value regardless to avoid hackers from adding in those parameters.