Defending the database
And those are just the outsider threats that keep Kevin Alwood, a systems manager at the Jacksonville, Fla.-based corporation, up at night. Alwood and his colleagues are also concerned with threats from the inside — specifically malicious or careless employees — who could cause a data breach with a misplaced USB drive or laptop.
“We do online payment sites, and I worry about someone getting in and getting that info. We look at this through all angles, whether insider or outside, and we want to have the latest technologies and practices and procedures,” says Alwood.
Alwood, whose database is pinged numerous times per day by wannabe insiders from Asia, is just one of many security practitioners who point to SQL-injection attacks as the most effective way to crack a database. By targeting vulnerabilities in the database layer, a mass-SQL-injection assault compromised tens of thousands of websites earlier this year.
That threat is complicated by the many administrators who run insecure third-party code on databases, making those data repositories increasingly attractive to cybercriminals, says Alexander Kornbrust, founder and CEO of Oracle security consultancy Red-Database-Security GmbH.
“The database is getting better from the security perspective, but a lot of customers are installing their own software in the database,” says Kornbrust. “With that amount of code, this is most always unsecure. And the problem is SQL injection.”
That threat may become more common before many administrators are adequately prepared. It spells significant trouble for administrators, says Mark Kraynak, senior director of strategic marketing at Imperva, a Foster City, Calif.-based company that offers solutions for application data security and compliance.
“SQL injection is the biggest attack out there today. From the perspective of a hacker, it has some good things,” says Kraynak. “It's one of the top worries.”
Looking for anomalies
Threats to the database extend beyond complicated cyberattacks. Company insiders, specifically those with privileged access, can also cause significant damage by retrieving guarded data and selling it to a competitor or by losing a mobile device. There's also the case of the disgruntled network administrator in San Francisco who held the city hostage in July by setting up passcodes that locked out everyone except himself from the city's WAN.
With media reports on lost data growing more common, malicious and careless insiders are always on the minds of administrators, says Bob Gorrie, information security project manager at USEC [United States Enrichment Corporation], a supplier of enriched uranium fuel for commercial nuclear power plants.
“My worst-case scenario is that someone goes in and starts siphoning things off from one place to another and messes up our accounts, or perpetrates some sort of fraud on a large level,” he says. “Once the damage is done, it's not only damage to the corporate treasure, but to reputation.”
Many corporations encrypt information within the database, on mobile devices and in email, and employ activity-monitoring solutions to watch employees who interact with the network. Those solutions look for unusual actions that can tip off an administrator that a trusted insider may be trying to take advantage of their status. A benefit of such technologies is that a lead administrator is notified of unusual occurrences in real time, quickly enough to prevent an incident, says Gorrie.
“We're not only looking for anomalies, but [we use] control management. So if someone attempts to do something to the database, it automatically alerts me according to the rules I've set up,” says Gorrie.
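The combination Gorrie describes, explicit rules set by the administrator plus a check for unusual activity, can be sketched as a small monitor over database audit records. This is an added example, not code from the article or from any vendor named in it; the audit records, table names and accounts are constructed, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit records (not from any real product), one per SQL statement:
# (timestamp, database account, statement type, table, rows returned).
AUDIT_LOG = [
    ("2008-10-06 09:12:00", "app_svc", "SELECT", "orders", 40),
    ("2008-10-06 09:15:00", "app_svc", "SELECT", "orders", 55),
    ("2008-10-06 10:02:00", "app_svc", "SELECT", "orders", 48),
    ("2008-10-06 10:30:00", "dba_bob", "ALTER", "orders", 0),
    ("2008-10-06 11:00:00", "clerk_jo", "SELECT", "cardholder", 12),
    ("2008-10-06 11:20:00", "clerk_jo", "SELECT", "cardholder", 9),
    ("2008-10-06 11:45:00", "clerk_jo", "SELECT", "cardholder", 15),
    ("2008-10-06 22:41:00", "clerk_jo", "SELECT", "cardholder", 25000),
    ("2008-10-06 23:05:00", "clerk_jo", "GRANT", "cardholder", 0),
]

SENSITIVE_TABLES = {"cardholder", "payroll"}   # assumed: tables covered by the stricter rules
DBA_ACCOUNTS = {"dba_bob"}                     # assumed: accounts allowed to change privileges/schema
BUSINESS_HOURS = range(7, 19)                  # 07:00-18:59
SPIKE_FACTOR = 10                              # rows returned vs. the account's own baseline
MIN_HISTORY = 3                                # observations needed before a baseline is trusted

def rule_alerts(ts, user, stmt, table):
    """Explicit rules the administrator sets up ('control management')."""
    alerts = []
    if stmt in {"GRANT", "ALTER", "DROP"} and user not in DBA_ACCOUNTS:
        alerts.append(f"{stmt} on {table} by non-DBA account {user}")
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
    if table in SENSITIVE_TABLES and hour not in BUSINESS_HOURS:
        alerts.append(f"off-hours access to sensitive table {table} by {user}")
    return alerts

def monitor(log):
    """Stream the log once, applying the rules and a per-account volume baseline as each record arrives."""
    history = defaultdict(list)   # (account, table) -> rows returned by that account's earlier SELECTs
    alerts = []
    for ts, user, stmt, table, rows in log:
        for text in rule_alerts(ts, user, stmt, table):
            alerts.append((ts, text))
        if stmt == "SELECT":
            past = history[(user, table)]
            # Anomaly check: far more rows than this account normally pulls from this table.
            if len(past) >= MIN_HISTORY and rows > SPIKE_FACTOR * median(past):
                alerts.append((ts, f"{user} read {rows} rows from {table}; baseline median {median(past):.0f}"))
            past.append(rows)
    return alerts

if __name__ == "__main__":
    for ts, text in monitor(AUDIT_LOG):
        print(ts, "ALERT:", text)
```

On the constructed log the DBA's daytime ALTER is silent, while the clerk's late-night 25,000-row read trips both the off-hours rule and the volume baseline, and the following GRANT trips two rules.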
Besides ensuring that employees do not damage a company's public standing through a data-loss incident, CSOs should also ensure that workers are aware of company policies and best practices. When employees acknowledge such procedures, the risk of an accidental information loss is considerably lower, says Alwood.
“We have written standards, which everyone has to read and sign, and very specific policies for people that handle sensitive data. Everything that has changed has to get several levels of approval, and it goes up depending on the sensitivity of what it might affect,” says Alwood. “Every day I get information that someone is trying to scan or send an email to get in.”
Compliance as an ally
While improved database security wasn't an original intent of the Sarbanes-Oxley Act of 2002 (SOX) or the Payment Card Industry Data Security Standard (PCI DSS), both sets of regulations have helped administrators strengthen their security postures. Although PCI DSS was implemented at many companies with expected financial and administrative growing pains, executives took the regulations very seriously. The main reason: unlike the Health Insurance Portability and Accountability Act (HIPAA), PCI has “teeth” — significant financial consequences for companies working with major payment card vendors, says Tracy Hulver, EVP, marketing and product management at netForensics, an information-management solutions provider based in Edison, N.J.
“PCI was created by Visa and MasterCard, and if you are going to do any type of business with Visa and MasterCard, you will have to meet the requirements. Visa says we will fine you per month if you do not meet these guidelines. PCI is about securing the infrastructure,” says Hulver. “It's one of the few industry-mandated requirements that has teeth.”
Preparing for recession
Although front-page stories about massive data-loss incidents and complicated compliance requirements keep some administrators up at night, both can make it easier to justify hefty security spending if pitched to executives properly.
Solution implementation and reporting could require the creation of new positions, a daunting possibility when market analysts are forecasting slow economic growth, says Phil Neray, vice president of marketing at Guardium, a database security vendor based in Waltham, Mass.
“This is not just about putting tighter security in place. There's a return-on-investment aspect to these tools, and that's because producing these reports is manually intensive and requires full-time database administrators. And so by implementing an automated solution that automates the entire sign-off process, you can get a significant payback,” he says. “As we enter a tighter economy, return on investment and automation become an important part of justifying security investment.”
From the October 2008 issue of SC Magazine