Excessive Privilege Abuse
Alternative Forms
Excessive Privilege-Based Abuse
...
- Provide definition
Related Terms
Quotes
Excessive Privilege-Based Abuse
When database users are provided with access privileges that exceed their basic job function, these privileges can be abused intentionally or accidentally. For example, consider a database administrator in a financial institution. If he drops audit trails or makes counterfeit records, he has the ability to transfer money from one account to another, thereby abusing the unnecessary privilege intentionally. Another case is a DBA in a bank whose job is to change customer contact information but who can access other details. An organization gives its employees the option of working from home, and an employee takes a backup of highly sensitive information to work on from home. This not only violates the organization's protection policies, but may also result in a data protection breach if the home system is compromised. So this privilege can be abused accidentally.
(Aravindharamanan et al., 2019, p. 176)
Abuse of Excessive Privileges
In most database installations, the Least Privilege Principle is not adhered to. There are many reasons why more privileges than necessary were granted to a person or an application login. For example, the development staff might not know any better; or they do know better but think they do not have the time to implement this correctly. There are also occasions in which implementation of the least privilege principle is anything but trivial. Think about an application that needs to be able to create and alter SQL Agent Jobs. Even an extensive internet search might leave you with the false impression that adding the application account to the sysadmin fixed server role is your only option to make that particular requirement work.
Granting excessive permissions is problematic for two reasons. About 80% of the attacks on company data are actually executed by employees or ex-employees. Granting too many privileges or not revoking those privileges in time makes it unnecessarily simple for them to execute their wrongdoing. Some of these actions might even be executed inadvertently or without the perception of those actions being illegal. For example, medical records of prominent people are exposed by employees all the time. (That is just one of the reasons why you should encrypt HIPAA-related data.)
The second reason is connected to another vulnerability: SQL Injection. If an adversary gains access to your data using SQL injection, you are already in trouble. If they then can do additional harm, because of excessive privileges being granted to the application account, the damage might be substantially bigger.
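The T-SQL script below is an added example, not part of the quoted text or its source. It puts the sysadmin shortcut the quote warns about next to a least-privilege setup for the SQL Agent job requirement, and then impersonates the application login to check what an injected statement could still do. The login name app_login, the database AppDb and the table dbo.Orders are assumptions; run it as a sysadmin on a test instance.

```sql
-- Added example (not from the quoted source). app_login, AppDb and
-- dbo.Orders are assumed names; run as sysadmin on a test instance.
USE master;
GO
CREATE LOGIN app_login WITH PASSWORD = 'replace-with-a-long-random-secret';
GO

-- WEAK: the "only option" a quick search suggests for an application that
-- must create and alter Agent jobs. Every SQL injection point in that
-- application now runs as sysadmin: xp_cmdshell, every database, the audit.
-- ALTER SERVER ROLE sysadmin ADD MEMBER app_login;

-- BETTER: the job requirement is met by a fixed database role in msdb.
-- SQLAgentUserRole members can create, alter, run and delete only the jobs
-- they own (SQLAgentOperatorRole only if they must also start or stop jobs
-- owned by others).
USE msdb;
GO
CREATE USER app_login FOR LOGIN app_login;
ALTER ROLE SQLAgentUserRole ADD MEMBER app_login;
GO

-- In the application database, grant only what the application's queries
-- actually issue. No DELETE, no ALTER, no CONTROL.
USE AppDb;
GO
CREATE USER app_login FOR LOGIN app_login;
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO app_login;
GO

-- Check: become app_login and ask what a payload such as
--   '; EXEC master..xp_cmdshell 'whoami' --
-- appended to an application query could reach. With the sysadmin grant
-- above every value is 1 and xp_cmdshell runs; here the permissions are
-- refused and the injection is confined to the three grants on dbo.Orders.
EXECUTE AS LOGIN = 'app_login';
SELECT
    IS_SRVROLEMEMBER('sysadmin')                                        AS is_sysadmin,       -- 0
    HAS_PERMS_BY_NAME('master.dbo.xp_cmdshell', 'OBJECT', 'EXECUTE')    AS can_run_cmdshell,  -- 0
    HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'DELETE')                 AS can_delete_orders, -- 0
    HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')                 AS can_read_orders;   -- 1
BEGIN TRY
    EXEC master..xp_cmdshell 'whoami';
    SELECT 'xp_cmdshell ran: app_login is over-privileged' AS result;
END TRY
BEGIN CATCH
    -- Expected path for the least-privilege login: permission denied.
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
REVERT;
GO
```

The msdb role also bounds what a job can do: T-SQL steps of a job owned by a non-sysadmin run under the owner's own permissions, and CmdExec or PowerShell steps require a proxy account that a sysadmin must grant explicitly, so the application cannot use a job it creates to escalate. The same impersonation check is worth repeating after an employee changes role or leaves, which is the other failure the quote describes: a grant that was reasonable once and was never revoked.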
Bibliography
...