Things used to be simple. You could have on-site security guards and identity checks at the server room. You could stop outsiders from accessing your data by restricting physical access to the machines that process it.
In today's web-enabled world, that's no longer the case. To be useful, a company's data must be connected to the internet. That exposes it to more automated and targeted attacks than ever before. Hackers are highly motivated, with crime syndicates willing to pay hard cash for personal information hacked from customer databases. Should the database be breached, a company risks financial penalties from governments and credit card companies, as well as lost competitive advantage and customer trust. But defending the business requires companies to rethink how they protect their IT infrastructures.
Breach Analysis: Highest Risk is to Online Data Versus End-User Devices
The 2009 Data Breach Investigations Report from the Verizon Business RISK Team examines 285 million records that were compromised in 2008. While much media attention and security funding have focused on lost laptops and backup tapes, the study reveals some startling statistics: only 0.05 percent (1/20th of one percent!) of breached records came from mobile devices such as USB drives, end-user systems such as laptops, and offline data.
In comparison, the #1 source of breached records was database servers – which accounted for a massive 75 percent of all compromised records.
With the very real risks present at the core of their data centres, it may seem surprising that many businesses put almost all their focus into protecting the perimeter. They set up firewalls and IDS/IPS systems, and install AV software to scrutinise email attachments. They may even install Data Leak Prevention (DLP) solutions to examine USB devices and email and instant messaging (IM) traffic for sensitive data patterns. While these are important activities as part of a multi-layered, defence-in-depth strategy, they are not sufficient on their own.
The truth is that there is no longer a perimeter to protect. There are many ways the data in a database could fall into the wrong hands, and in most of these cases, a firewall isn’t going to do much good.
The Threat from Privileged Insiders
One of the primary threats comes from insiders. Privileged users such as database administrators (DBAs), developers and outsourced personnel typically have unfettered access to databases as part of their daily jobs.
It only takes one dissatisfied employee to cause a breach. Privileged users can also disrupt business applications by making unauthorised or even accidental changes to sensitive data – bypassing formal change control processes – and in most organisations, no one would know the difference.
External Attacks: SQL Injection
Let’s turn to external attacks. According to a recent IBM report, SQL injection attacks have now become the number one web application vulnerability, increasing 134 percent in 2008.
Most modern businesses use web applications, which are essentially windows into your most critical databases used by customers, partners and employees.
By typing malicious code into poorly-coded web forms, hackers can steal sensitive data and even plant malware on unsuspecting users that visit vulnerable sites. This type of attack completely bypasses traditional security measures because it leverages web applications to penetrate your perimeter.
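To make the mechanism concrete, here is an added example (not from the article or from Guardium) showing a poorly-coded lookup beside its parameterized replacement, run against a constructed in-memory SQLite table; the input string is a constructed tautology, and the point is that the bound-parameter version only ever treats it as data.

```python
import sqlite3

# Constructed in-memory table standing in for a customer database (sample data, not from the article).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice", "1234"), (2, "bob", "5678")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Form input spliced straight into the SQL text: the database cannot tell data from code.
    sql = f"SELECT id, name, card_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the value travels separately from the statement, so it is only ever
    # compared as a string and can never change the shape of the query.
    return conn.execute(
        "SELECT id, name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()

# Constructed input that turns the concatenated WHERE clause into an always-true condition.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    c = make_db()
    print(lookup_vulnerable(c, TAUTOLOGY))     # every row in the table
    print(lookup_parameterized(c, TAUTOLOGY))  # empty: no customer is literally named that
```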
Database Activity Monitoring (DAM)
With these threats ever-present, businesses need to start protecting themselves more proactively. One way to do this is to deploy a database activity monitoring (DAM) solution. These do exactly what their name implies – they track all database activities in real time.
Some also create a granular audit trail of all activities, which can’t be modified by privileged users – which is important for auditors. If unauthorised or anomalous access occurs, based on predefined policies, DAM immediately triggers a real-time alert. Some solutions can even shut down the threat before any damage occurs.
It’s important to look for solutions that have the ability to track all database access by privileged users, including local access to the database via console ssh connections and non-TCP protocols such as shared memory, named pipes or Oracle Bequeath.
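As an added illustration of the policy-driven alerting described above (example code, not any product's or Guardium's own), the following evaluates a few constructed audit records, in a made-up key=value line format, against two hypothetical policies: privileged access to sensitive tables without a change ticket, and access over a local non-TCP channel (bequeath, shared memory, named pipes) outside an assumed change window.

```python
import re

# Constructed audit records in a simple key=value line format; not any real DAM product's output.
SAMPLE_LOG = """\
ts=2009-06-01T02:14:07 user=dba_ops role=dba proto=tcp src=10.0.5.12 db=crm stmt="SELECT * FROM customers"
ts=2009-06-01T09:05:33 user=crm_app role=app proto=tcp src=10.0.7.2 db=crm stmt="SELECT name FROM customers WHERE id = ?"
ts=2009-06-01T11:41:10 user=dba_ops role=dba proto=bequeath src=localhost db=crm stmt="UPDATE payments SET amount = 0 WHERE id = 42" ticket=CHG-1187
ts=2009-06-01T23:58:51 user=contractor1 role=dba proto=shm src=localhost db=crm stmt="UPDATE payments SET amount = 0 WHERE id = 42"
"""

SENSITIVE_TABLES = {"customers", "payments"}
PRIVILEGED_ROLES = {"dba"}
LOCAL_PROTOCOLS = {"bequeath", "shm", "named_pipe"}  # non-TCP paths that never cross the network
BUSINESS_HOURS = range(8, 18)  # hypothetical change window, 08:00-17:59

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    """Turn one key=value audit line into a dict, stripping quotes from the statement."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def tables_touched(stmt: str) -> set:
    """Crude table extraction: the identifier following FROM, UPDATE, INTO or JOIN."""
    return {m.lower() for m in re.findall(r"\b(?:FROM|UPDATE|INTO|JOIN)\s+(\w+)", stmt, re.I)}

def evaluate(rec: dict) -> list:
    """Return the names of the policies this record violates (empty list = allowed)."""
    hits = []
    sensitive = tables_touched(rec.get("stmt", "")) & SENSITIVE_TABLES
    hour = int(rec["ts"][11:13])
    # Policy 1: a privileged account touches sensitive data with no change ticket attached.
    if rec.get("role") in PRIVILEGED_ROLES and sensitive and "ticket" not in rec:
        hits.append("privileged_access_without_ticket")
    # Policy 2: sensitive data reached over a local/non-TCP channel outside the change window,
    # the kind of access a network-only monitor would never see.
    if sensitive and rec.get("proto") in LOCAL_PROTOCOLS and hour not in BUSINESS_HOURS:
        hits.append("offhours_local_channel")
    return hits

def scan(log: str) -> list:
    """Evaluate every line; return (user, stmt, violations) for each line that trips a policy."""
    alerts = []
    for line in log.splitlines():
        rec = parse_line(line)
        violations = evaluate(rec)
        if violations:
            alerts.append((rec["user"], rec["stmt"], violations))
    return alerts
```

Calling scan(SAMPLE_LOG) flags the 02:14 bulk read and the 23:58 shared-memory update, while the ticketed bequeath change at 11:41 passes both policies.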
DAM solutions offer additional business benefits beyond safeguarding critical data. Many offer automation and centralisation of key security controls, across multiple DBMS platforms and applications, replacing manual processes that may already be in place.
This automated approach produces a significant ROI by reducing the time and cost required to both catch unauthorised access and generate the detailed compliance reports required for regulations such as PCI-DSS and European data protection laws.
Education and Awareness Are Key
So why do so many organisations overlook the risk at the database layer? Until recently, there were no practical mechanisms for tracking all database access (including read operations, which typically occur in very high volumes) without imposing significant performance overhead on databases.
Most DAM solutions monitor access from outside the database, thereby minimising any performance impact.
Many people have also been trained to believe that traditional perimeter defences are sufficient, and decision makers are reluctant to allocate the resources and budgets necessary to tackle these new challenges.
According to the Verizon report, more records were breached last year than in the previous four years combined. Clearly, security needs to improve and this change has to come at both the IT level and the management level. With compliance such a major issue, and database protection becoming ever more important, change really does need to come sooner rather than later.
Phil Neray is vice president of security strategy at database security specialist Guardium.