The seven sampled agencies have not adequately protected information from attackers to prevent unauthorised access and data loss. Sensitive and confidential information is at risk, and agencies may not know if, or the extent to which, data is compromised. We identified 115 findings with failures in all seven key areas. Most concerning was a lack of some basic controls over passwords, patching and setting of user privileges. Our findings also revealed copies of sensitive information across systems and poorly configured databases. We rated these types of weaknesses as extreme or high given how easily an attacker can exploit them to gain the level of access needed to view or modify data.

We have structured our findings in line with the seven key areas we tested. The first four areas (attack surface, account security, system hardening and version/patching) represent the greatest risk to databases and the information they contain. Each agency had at least three findings that we rated as extreme or high. It is concerning then, that these four areas make up 64 per cent (73) of the total findings, with 47 per cent (54 of the total 115 findings) rated extreme or high. Figure 1 shows the number and severity of the findings per agency database.

The greater the attack surface of a system, the more likely it is to be compromised. This part of the health check gauges the attack surface by checking what applications and services are installed and accessible. We found that agencies have increased the risk of unauthorised access and loss of information by increasing the number of opportunities for exploitation. This type of weakness made up 25 (22 per cent) of the total findings, of which 18 were rated as extreme or high risk.

We found several agencies did not separate their production, test and development environments. These environments replicated information from production (live) databases across all environments. This increases the attack surface by making the data more freely available to a wider pool of staff and contractors without the same level of security afforded to the production database.

Settings in the database that are disabled by default when installed were enabled without reason. For example, we found settings enabled to allow the execution of operating system commands that permit the extraction of information from the database or the running of unsolicited programs. These functions can allow an attacker or a well-crafted piece of malware to perform unauthorised activity leading to the compromise of the server and the data it contains. Alternatively, they may be able to use the compromised server as a stage to perform other unauthorised activity across the entire network.

The ‘PUBLIC’ role in a database gives all users its assigned privileges. We found many databases that have allocated Read/Write privileges to PUBLIC, thereby providing all users with highly privileged access and creating information security risks. We also found instances where this account was allocated access to network folders, which creates additional vulnerabilities and introduces data integrity risks. We found database links accessible by PUBLIC in a small number of databases. This allows access from one database to other connected databases, so anyone with access to one may access the other.

Databases contained unused schemas and automatic procedures, which can lead to a full compromise of the server. This includes the execution of programs to compromise information held in the databases within the local network or from other external networks and the Internet.
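The PUBLIC-role, database-link and operating-system-access weaknesses described above can be checked directly against the database's own data dictionary. The queries below are an added example and are not part of the audit report or its methodology; they assume an Oracle database (the report does not name the products audited) and a session allowed to read the `DBA_*` dictionary views. The object names in the commented remediation lines (`app_owner.customer`, `finance_link`) are constructed placeholders to be replaced with values the queries actually return.

```sql
-- Added example (not from the audit report). Assumes an Oracle database and a
-- session with SELECT privilege on the DBA_* dictionary views.

-- 1. Data-modifying object privileges granted to PUBLIC on application schemas.
--    Every account inherits these, so any single compromised login can alter data.
SELECT owner, table_name, privilege, grantor
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    privilege IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER')
AND    owner NOT IN ('SYS', 'SYSTEM')   -- Oracle's own default grants are reviewed separately
ORDER  BY owner, table_name;

-- 2. System privileges held by PUBLIC. A hardened database returns no rows here.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC';

-- 3. Public database links. These are usable by every account and carry stored
--    credentials to the remote database, so access to one database extends to the next.
SELECT db_link, username, host, created
FROM   dba_db_links
WHERE  owner = 'PUBLIC';

-- 4. EXECUTE on SYS packages that reach the file system, network or operating
--    system, granted to PUBLIC. Several of these are granted by default; revoking
--    them from PUBLIC is a standard hardening step where applications do not need them.
SELECT table_name AS package_name, grantor
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner = 'SYS'
AND    privilege = 'EXECUTE'
AND    table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP',
                      'DBMS_JAVA', 'DBMS_SCHEDULER', 'DBMS_LOB')
ORDER  BY table_name;

-- Remediation for a confirmed finding. The object and link names below are
-- constructed placeholders; substitute the values returned by the queries above,
-- then re-run the queries to confirm the grant or link is gone.
-- REVOKE UPDATE ON app_owner.customer FROM PUBLIC;
-- DROP PUBLIC DATABASE LINK finance_link;
```

Run the four queries as a baseline on each database, keep the output with the health-check evidence, and treat any row returned by queries 2 and 3 as a finding to be justified or removed. Because privileges granted to PUBLIC are inherited by every account, a grant that looks harmless for one application user has to be assessed as if it were held by the least trusted login on the system.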