michelangelus - Fotolia
Researchers found a huge increase in MongoDB databases being hijacked due to poor authentication, escalating from hundreds of attacks to over 28,000. Researchers estimate there are anywhere from 48,000 to 99,000 MongoDB configurations at risk for attack. What was the issue with these MongoDB instances? How can organizations properly configure their databases to protect them from these attacks?
Relational databases have a long history of security risks and challenges, and they have matured to include significant security-related capabilities. There are detailed guides for how to secure these databases, but many are still insecurely configured by default.
Relational databases have decreased in popular attention because of the cost and complexity involved, as well as the growing development of NoSQL databases.
One of the newer NoSQL databases, MongoDB has been in the news for poor security practices. The default configuration for MongoDB databases is insecure, as no authentication is required to access the database, enabling anyone to establish a connection as a privileged user.
The MongoDB developers made the same mistake the Redis NoSQL database developers made in 2016. Reviewing the Shoulders of Infosec Project may help them learn a little about how security has developed over the last 40 years to minimize the chance they repeat the same mistakes from 40 years ago, much less mistakes similar projects made.
Organizations can minimally secure their MongoDB databases by using the security documentation and checklist. The effectiveness of MongoDB's Security Technical Implementation Guide is limited, as developers need to manually request access to it. The documentation and checklist are very high level and must be configured manually, since the default configuration of MongoDB is not something that should be used outside of closed trusted networks. The company even says in a security webinar that it is dereliction of duty to not use their security checklist.
It is unclear why MongoDB databases can be configured so insecurely. It is also unclear how security requirements are included in software development for the MongoDB project.
Learn how a MongoDB database misconfiguration led to the exposure of millions of accounts
Compare the benefits of SQL and NoSQL database designs
Find out how to select the best operational database management system for your enterprise
Dig Deeper on Data security and privacy
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading