
Legitimate Privilege Abuse

Alternative Forms

  • Legitimate Privilege-Based Abuse

...

Quotes

Excessive Legitimate Privilege-Based Abuse

Customers in a similar manner misuse bona fide database benefits for ill-conceived purposes. Exactly when database customers are outfitted with getting to benefits that outperform their essential action, these advantages can be misused by intention or unexpectedly. For example, a database executive in budgetary affiliation. If he drops audit trails or makes counterfeit records he can have the ability to trade money beginning with one record then onto the following so mistreating the unnecessary advantage intentionally. Another case is a DBA in the bank, whose action is to change customer contact can access other details. An affiliation is giving a task at home, other option of agents and the laborer takes a fortification of extraordinarily sensitive information to manage from home. This not only neglects the protection techniques of affiliation, yet what’s more may realize data protection break, if a system at home is dealt. So this advantage can be misused incidentally. The affirmed customer mishandles the true blue advantage for an unapproved reason; this is called genuine advantage abuse. Good old fashioned advantage misuse can be as mishandle by database customers, chiefs or a system boss doing any unlawful or deceptive development. It is, however not confined to, any manhandling of sensitive data or unjustified usage of advantages [2]. For example, affiliation laborer with advantages to see particular specialist records by methods for a custom Web application. The structure of the web application normally obliges customers to audit an individual laborer’s history. A couple of records cannot be seen in the meantime and electronic duplicates are not good old fashioned. Regardless, the heel laborer may dodge these imperatives by a partner with the database using different customers, for instance, MS Excel and his genuine login qualifications, the laborer may recover and spare every single delegate record.

(Aravindharamanan et al., 2019, p. 176)

Abuse of Excessive Privileges

In most database installations, the Least Privilege Principle is not adhered to. There are many reasons why more privileges than necessary were granted to a person or an application login. For example, the development staff might not know any better; or they do know better but think they do not have the time to implement this correctly. There are also occasions in which implementation of the least privilege principle is anything but trivial. Think about an application that needs to be able to create and alter SQL Agent Jobs. Even an extensive internet search might leave you with the false impression that adding the application account to the sysadmin fixed server role is your only option to make that particular requirement work.

Granting excessive permissions is problematic for two reasons. About 80% of the attacks on company data are actually executed by employees or ex-employees. Granting too many privileges or not revoking those privileges in time makes it unnecessarily simple for them to execute their wrongdoing. Some of these actions might even be executed inadvertently or without the perception of those actions being illegal. For example, medical records of prominent people are exposed by employees all the time. (That is just one of the reasons why you should encrypt HIPAA-related data.)

The second reason is connected to another vulnerability: SQL Injection. If an adversary gains access to your data using SQL injection, you are already in trouble. If they then can do additional harm, because of excessive privileges being granted to the application account, the damage might be substantially bigger.

Legitimate Privileges

It is a totally different ballgame if someone abuses privileges they have legitimately. Abuse of legitimate privileges can be considered a database vulnerability, if the malicious user misuses their database access privileges. An example for that would be a database administrator sticking his nose into data that he has no business of knowing, e.g. the contents of the CreditCard table. However, privilege abuse like this could also be an application problem, if for example the application allows an account specialist to access accounts not assigned to her.

(Sqlity.net, 2014)
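The SQL Agent requirement and the CreditCard table from the quote above, worked through as an added T-SQL example (not code from Sqlity.net or from this page): the excessive grant beside a least-privilege alternative, followed by two review queries a DBA can run to find who holds what. Login name AppLogin, database AppDb and the tables dbo.Orders and dbo.CreditCard are assumed placeholders; SQLAgentUserRole is the fixed role that ships in msdb.

```sql
-- Added example; names [AppLogin], AppDb, dbo.Orders, dbo.CreditCard are assumed.

-- WEAK: the "only option" an internet search often suggests for an application
-- that must create and alter SQL Agent jobs. sysadmin bypasses every permission
-- check on the instance, so a SQL injection flaw in the application becomes a
-- full instance compromise, and the login can also read dbo.CreditCard.
ALTER SERVER ROLE sysadmin ADD MEMBER [AppLogin];

-- CORRECTED: take sysadmin away, then grant only what the requirement needs.
ALTER SERVER ROLE sysadmin DROP MEMBER [AppLogin];

-- 1. Agent jobs: msdb ships fixed roles for exactly this purpose.
--    SQLAgentUserRole lets the user create and manage only the jobs it owns.
USE msdb;
CREATE USER [AppLogin] FOR LOGIN [AppLogin];
ALTER ROLE SQLAgentUserRole ADD MEMBER [AppLogin];

-- 2. Application data: object-level grants on the tables the application uses,
--    plus an explicit DENY on the table it has no business reading. A DENY wins
--    over any later GRANT the login might pick up through role membership.
USE AppDb;
CREATE USER [AppLogin] FOR LOGIN [AppLogin];
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO [AppLogin];
DENY SELECT ON dbo.CreditCard TO [AppLogin];

-- REVIEW 1: every login holding sysadmin. Each row should have a documented
-- reason, and application logins should not appear at all.
SELECT m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- REVIEW 2: which database principals hold explicit permissions on
-- dbo.CreditCard in AppDb (class 1 = object or column permissions).
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID(N'dbo.CreditCard')
ORDER BY pr.name;
```

The review queries do not catch members of sysadmin or db_owner reading the table, because those roles are not subject to object permissions; that is precisely why the first step is to get application logins out of sysadmin.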

Bibliography

...
