michelangelus - Fotolia
How did thousands of MongoDB databases get hijacked?
Thousands of MongoDB configurations were hijacked due to poor authentication practices. Expert Nick Lewis explains how organizations can properly configure their implementations.
Researchers found a huge increase in MongoDB databases being hijacked due to poor authentication, escalating from hundreds of attacks to over 28,000. Researchers estimate there are anywhere from 48,000 to 99,000 MongoDB configurations at risk for attack. What was the issue with these MongoDB instances? How can organizations properly configure their databases to protect them from these attacks?
Relational databases have a long history of security risks and challenges, and they have matured to include significant security-related capabilities. There are detailed guides for how to secure these databases, but many are still insecurely configured by default.
Relational databases have decreased in popular attention because of the cost and complexity involved, as well as the growing development of NoSQL databases.
One of the newer NoSQL databases, MongoDB has been in the news for poor security practices. The default configuration for MongoDB databases is insecure, as no authentication is required to access the database, enabling anyone to establish a connection as a privileged user.
The MongoDB developers made the same mistake the Redis NoSQL database developers made in 2016. Reviewing the Shoulders of Infosec Project may help them learn a little about how security has developed over the last 40 years to minimize the chance they repeat the same mistakes from 40 years ago, much less mistakes similar projects made.
MongoDB responded to the attacks in a blog post outlining the steps to take during a security incident.
Organizations can minimally secure their MongoDB databases by using the security documentation and checklist. The effectiveness of MongoDB's Security Technical Implementation Guide is limited, as developers need to manually request access to it. The documentation and checklist are very high level and must be configured manually, since the default configuration of MongoDB is not something that should be used outside of closed trusted networks. The company even says in a security webinar that it is dereliction of duty to not use their security checklist.
It is unclear why MongoDB databases can be configured so insecurely. It is also unclear how security requirements are included in software development for the MongoDB project.