SMB’s and Database Security

November 25, 2008

As a manager in the SMB space, maybe you use an accounting package such as Great Plains, maybe you use a manufacturing package, compensation package, or resource planning package.

You are familiar with the login screen that you type in your user name and password to access thae functionality of the appliaction.

But all of those applications utilize a database engine that stores the data in those tools.

Guess What

Those database engines have their own login ID’s and passwords. Not related to your program in any way.

Do you know what they are? Do you know who has access to them?

Because access to these acounts is access to all data in that financial package or manufacturing tool.

Yes – that includes the sensitive stuff.

Yes – that also includes deleting stuff.

As this article by John Hazard at eWeek states;

The survey recounts the DBAs’ concern over users with too much power to alter the data and upset the applecart.

*Sixty percent of respondents said they are powerless to prevent users from reading or tampering with sensitive information in financial, HR or other business applications.

*Thirty-one percent said users can bypass applications and gain access to application data in the database directly using ad hoc tools.

*Thirty-nine percent said they don’t have the monitoring capability to even know when such an event occurs. Another 25 percent couldn’t answer the question.

It could be relatively minor, (what is Jane’s commission cheque going to be?) or it could be major. 2.5 Million major.

And that can include default passwords that people forget to change.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s