MICHAEL W. MEISSNER 1
©1994-2015 Copyright Michael W. Meissner
Author: Michael W. Meissner
Last revised: 06/12/2015 10:53:59 PM PDT (UTC/GMT –7)
Primer
Database Security Threats
Revision: 0
Compiled and Edited By:
Michael W. Meissner, RCDD
Cyber Security Digital Engineer
Work: +1.339.368.6453
michael@ethernautics.com
Foreword:
This glossary is crafted as a brief summary of threats encountered while conducting Cyber Security Assessments of
Nuclear Power Plants. It is a "work in progress" and is not intended to be a complete list of everything found in the
Cyber Security domain or in Nuclear Power Plants.
For comprehensive and continuously updated lists of Database Security Threats,
please see the following:
http://www.wikipedia.org/
Glossary of Key Information Security Terms
http://www.imperva.com/docs/WP_TopTen_Database_Threats.pdf
http://sqlity.net/en/2542/privilege-abuse/
About the Editor:
Mr. Michael W. Meissner, RCDD is a Senior Systems Engineer, Cyber
Security Specialist, Solutions Architect, Information Management Consultant,
RCDD, and noted Technologist. He has thirty-plus years of experience in
information systems and network technologies. He has authored several
telecommunications patents. He possesses experience in Information System
Management Technologies, incorporating strong technical credentials with
exposure in all phases of systems and network design, development and
management, tempered with excellent general business skills. His talents
come from years of experience working for international industry giants
including: IBM, Schlumberger, AT&T, Bellcore, Telcordia, TCI, Qwest,
Comcast, One Communications, France Telecom, Time Warner, TECO
Energy, US Cellular, Nokia, Deutsche Telekom, Urenco, Computer Sciences
Corporation, US Army and US Government.
He is highly qualified with experience and accomplishments in: Cyber
Security, SOA, Business Intelligence, Systems Analysis, Software Development, Application Development
Management, Systems Administration, Database Administration, Enterprise Network Planning, Systems Architecture,
Data Center/Call Centre/NOC/IVR (Design, Operations, and Relocation), RCDD/OSP Services and as an Internal
Business Consultant. He has assisted clients in solving a variety of business problems including: strategic systems
planning, business requirements analysis, Gap Analysis, help desk operation, development of requests for proposals,
project planning, joint applications design and development, business continuity and disaster recovery planning (ISO
17799, BS7799), Sarbanes-Oxley compliance (SOX), systems and network design, hardware and software
acquisitions, data migrations and conversion, systems training, process re-engineering, systems performance tuning,
integration management, project governance, and project implementation management.
He maintains extensive experience and practicality with Information Technology as it pertains to specific industries:
studying, designing, implementing, and managing information systems in a variety of different organizational
environments. Industries served include:
• Telecommunications/Utilities
• Information Technologies
• Health Care
• Oil and Gas, Mining
• State, Local, Federal Government, Military, and Non-profit
• Banking and Insurance
• Leisure and Entertainment
• Media and Broadcasting
• Manufacturing
• Wholesale and Distribution
• Retail
• Architecture, Engineering, Construction, and Environmental
He has authored several papers and taught multiple information technology classes and seminars including: Best
Practices Guides, Wireless Application Development using Internet-Centric Technologies, Strategic Information
System Planning, Joint Application Development (JAD), Rapid Prototyping in a Production Environment, Advanced
Voice/Data Network Design, Information System Management, Help Desk Management, Project Management,
Performance Tuning and Planning, Technology Forecasting, and Artificial Intelligence Techniques. In addition, he has
been the keynote speaker at several IT conferences.
Mr. Michael William Meissner, RCDD
Senior Systems Engineer/Cyber Security Digital Engineer/Programme
Director/Solutions Architect/RCDD
Business Phone: +1.339.368.6453
Mobile: +1.720.257.3933
Email: MichaelWMeissner@yahoo.com
Business Email: Michael@ethernautics.com
Web Site: https://sites.google.com/site/michaelwmeissner/home
LinkedIn: http://www.linkedin.com/in/michaelwmeissner
Ethernautics, Inc.
10655 Moonshell Ct.
Suite #10
San Diego, California 92130
U.S.A.
Business Phone: 1.339.368.6453
Facsimile: 1.877.871.6453
www.ethernautics.com
Top Ten Database Security Threats of 2015

Ranking / Threat / Brief Description (the "Example" column of the original table refers to the numbered examples that follow)

1. Excessive and Unused Privileges: Database access privileges are granted that exceed the requirements of the user's job function or their need to know, resulting in abuse of those privileges. (Example 1)
2. Privilege Abuse: Abuse of legitimate privileges can be considered a database vulnerability if the malicious user misuses their database access privileges. (Example 2)
3. Input Injection: A class of attacks that rely on injecting data or code into an application in order to cause the execution or interpretation of malicious data in an unexpected manner (see also SQL Injection and Code Injection). (Example 3)
4. Malware: Malicious code that automates the exploitation of one or more known vulnerabilities; the principal purposes of these malicious agents are information stealing and sabotage. (Example 4)
5. Weak Audit Trail: Automated recording of database transactions involving sensitive data should be part of any database deployment. Failure to collect detailed audit records of database activity represents a serious organizational risk on many levels. (Example 5)
6. Storage Media Exposure: Backup storage media is often completely unprotected from attack. As a result, numerous security breaches have involved the theft of database backup disks and tapes. (Example 6)
7. Exploitation of Vulnerabilities and Misconfigured Databases: Vulnerable and unpatched databases, or the discovery of databases that still have default accounts and configuration parameters. (Example 7)
8. Unmanaged Sensitive Data: Companies struggle to maintain an accurate inventory of their databases and the critical data objects contained within them. Forgotten databases may contain sensitive information, and new databases can emerge. (Example 8)
9. Denial of Service (DoS): A general attack category in which access to network applications or data is denied to intended users. (Example 9)
10. Limited Security Expertise and Education: Lack of the expertise required to implement security controls, enforce policies, or conduct incident response processes. (Example 10)
The list of top ten database threats above is the one identified by the Imperva Application Defense Center. The white
paper published by Imperva is available at http://www.imperva.com/docs/WP_TopTen_Database_Threats.pdf.
1) A bank employee whose job requires the ability to change only accountholder contact information may
take advantage of excessive database privileges and increase the account balance of a colleague’s
savings account. Further, when someone leaves an organization, often his or her access rights to
sensitive data do not change. And, if these workers depart on bad terms, they can use their old
privileges to steal high value data or inflict damage.
How do users end up with excessive privileges? Usually, it’s because privilege control mechanisms for
job roles have not been well defined or maintained. As a result, users may be granted generic or default
access privileges that far exceed their specific job requirements. This creates unnecessary risk.
Mitigation
• User Rights Management
• Monitoring and Blocking
• http://itsecurity.telelink.com/excessive-and-unused-privileges/
2) An example of this would be a database administrator accessing data that he/she has no "need
to know" for, e.g. the contents of the CreditCard table. This manifestation could also be an application
problem, if the application allows an account specialist to access accounts not assigned to them.
Mitigation
• Do not grant unnecessary privileges
• Follow the Least Privilege Principle
• Best Practice Audit Trails (including account information)
• http://sqlity.net/en/2542/privilege-abuse/
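As an added example serving examples 1 and 2 above (not code from the primer): a small audit that flags grants exceeding a user's job role, grants on data the role has no need to know, and grants not exercised within an idle window. The role map, grant list and audit log are constructed sample data, and the column-level "UPDATE:contact" notation is an assumption.

```python
"""Audit granted database privileges against job-role definitions.

Added example (not from the primer): flags grants that exceed a user's
role (excessive privileges / no need to know) and grants never exercised
in the audit window (unused privileges). All data below is constructed.
"""
from datetime import date, timedelta

# Hypothetical job roles and the (table, privilege) pairs each one needs.
# "UPDATE:contact" models a column-level grant limited to contact fields.
ROLE_PRIVILEGES = {
    "contact_editor": {("accounts", "SELECT"), ("accounts", "UPDATE:contact")},
    "dba": {("*", "ALL")},
}

# Constructed grants as pulled from the catalog: (user, role, table, privilege).
GRANTS = [
    ("alice", "contact_editor", "accounts", "SELECT"),
    ("alice", "contact_editor", "accounts", "UPDATE:contact"),
    ("alice", "contact_editor", "accounts", "UPDATE:balance"),  # beyond role
    ("bob", "contact_editor", "accounts", "SELECT"),
    ("bob", "contact_editor", "creditcard", "SELECT"),          # no need to know
]

# Constructed audit log: last time each (user, table, privilege) was exercised.
AUDIT_LOG = [
    ("alice", "accounts", "SELECT", date(2015, 6, 10)),
    ("alice", "accounts", "UPDATE:contact", date(2015, 6, 11)),
    ("bob", "accounts", "SELECT", date(2015, 1, 3)),
]
AUDIT_DATE = date(2015, 6, 12)


def excessive_privileges(grants, roles=ROLE_PRIVILEGES):
    """Return (user, table, privilege) grants not justified by the user's role."""
    findings = []
    for user, role, table, priv in grants:
        allowed = roles.get(role, set())
        if ("*", "ALL") in allowed or (table, priv) in allowed:
            continue
        findings.append((user, table, priv))
    return findings


def unused_privileges(grants, log, today, max_idle_days=90):
    """Return grants never used, or not used within max_idle_days of today."""
    last_used = {(u, t, p): d for u, t, p, d in log}
    cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for user, _role, table, priv in grants:
        used = last_used.get((user, table, priv))
        if used is None or used < cutoff:
            findings.append((user, table, priv))
    return findings


def run_audit(grants=GRANTS, log=AUDIT_LOG, today=AUDIT_DATE):
    """Combine both checks into one report."""
    return {
        "excessive": excessive_privileges(grants),
        "unused": unused_privileges(grants, log, today),
    }


if __name__ == "__main__":
    for kind, items in run_audit().items():
        for user, table, priv in items:
            print("%-9s %-6s %-11s %s" % (kind, user, table, priv))
```

Each finding is a candidate for revocation; a grant that is both excessive and unused (alice's UPDATE:balance here) is the cheapest to remove, since no legitimate workflow depends on it.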
3) Examples of attacks within this class include Cross-Site Scripting (XSS), SQL Injection, Header
Injection, Log Injection and Full Path Disclosure. The most common form of injection attack is the
infamous SQL Injection attack. SQL Injections operate by injecting data into an application which
is then used in SQL queries.
Mitigation
• Apply the Defense In Depth principle.
• Validation
• Escaping
• Parameterized Queries (Prepared Statements)
• Enforce Least Privilege Principle
• http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html
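An added example, not from the primer: the string-built lookup that lets input reach the query text beside its parameterized form, run against a constructed in-memory SQLite table (the accounts table, owner names and function names are assumptions), with allow-list validation as the defense-in-depth layer the mitigation list names.

```python
"""String-built query beside its parameterized replacement.

Added example, not from the primer. Uses an in-memory SQLite database
with constructed rows; table, owner names and function names are
assumptions made for the demonstration.
"""
import sqlite3


def make_db():
    """Build a throwaway database with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)])
    return conn


def lookup_vulnerable(conn, owner):
    """Untrusted input spliced into the statement text (the pattern to avoid).

    Because the input becomes part of the SQL, a quote character inside it
    changes the query's structure instead of being compared as data.
    """
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    """Prepared statement: the value is bound after parsing and can only
    ever be compared as a string, whatever characters it contains."""
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def is_valid_owner(owner):
    """Allow-list validation, a defense-in-depth layer in front of the query."""
    return 0 < len(owner) <= 32 and owner.isalnum()


# Constructed test input: a quote that closes the literal, followed by an
# always-true condition. Against the vulnerable lookup it returns every row.
MALICIOUS_OWNER = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", len(lookup_vulnerable(db, MALICIOUS_OWNER)), "rows")
    print("parameterized: ", len(lookup_parameterized(db, MALICIOUS_OWNER)), "rows")
    print("validated:     ", is_valid_owner(MALICIOUS_OWNER))
```

The parameterized form alone closes the injection; the validator is kept so that malformed input is rejected before it reaches the database and the rejection can be logged, which is the audit-trail point of threat 5.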
4) In November 2012, Symantec published a security alert on a new malware dubbed W32.Narilam that
was designed to damage corporate databases. The W32.Narilam worm attempts to spread by copying
itself to all drives and certain shared folders on the victim's PC. No instances were found that included
a module to steal information from the victims. The worm was designed to attack SQL archives; it was
able to search for database instances. Once a database instance was found, the malware was able
to access database objects and manipulate them; it was also able to delete the entire archive.
http://resources.infosecinstitute.com/databases-vulnerabilities-costs-of-data-breaches-and-countermeasures/
Mitigation
• Physical and logical policies
• Reactive and proactive approaches to malware and virus prevention
• Strategies for helping to reduce malware
• https://msdn.microsoft.com/en-us/library/cc875818.aspx
5) On September 18th 2014, Home Depot published a press release (PDF) about their recent data
breach. In this document they stated that the "cyber-attack is estimated to have put payment
card information at risk for approximately 56 million unique payment cards".
http://sqlity.net/en/2574/weak-audit-trail/
Mitigation
• Audit current security practices and applications.
• Do research, including reading the whitepaper mentioned several times above provided by Imperva.
• And lastly, resolve the issue of a weak audit trail now by investing in an independent data audit trail.
• http://www.realisedatasystems.com/weak-audit-trail-database-security-threat/