01:34 AM

Lies We Tell Our CEOs About Database Security

South Carolina government executives' response to breach shows how nontech leadership often views security through a distorted lens

Beyond the raw statistics coming out of the South Carolina state government offices around a breach of its tax records that exposed the sensitive details of millions, Gov. Nikki Haley and her nontechnical senior executives have tried to dole out a measure of information about the breach and citizen credit remediation through a series of press conferences this week. A good faith effort, to be sure, security pundits say, but one whose content may also hint at how South Carolina may have gotten in this mess in the first place.

As investigators continue to unravel the clues around the South Carolina breach at the state's Department of Revenue that exposed 3.6 million individual taxpayers' Social Security numbers (SSNs), Haley announced more bad news on Halloween with the revelation that tax files for around 657,000 businesses were also stolen. While many details around how the hack went down are being kept under wraps due to law enforcement constraints, the governor and her staff have commented about the technical aspects of the breach. Some security pros argue that the messages and tone set by these comments hint at a dangerous lack of education about database security and threats.

For example, in one instance the governor justified the state's failure to encrypt taxpayers' SSNs with the comment that most banks don't encrypt them, and that it's too complex to do. In another instance, even though the attack was clearly from an outside hacker, she said that "this is not someone who came in from the Internet."

"She's getting really bad information from the people beneath her or she's speaking from a completely uneducated perspective," says Mike Murray, managing partner for consulting firm MAD Security. "Her version of what database encryption is seemed like it should be in a movie version of what hacking is."

What makes that so dangerous, of course, is that distorted views of security often lead to bad risk decisions. When senior executives of any public or private organization don't understand industry best practices or what really constitutes a sophisticated attack, they'll probably fail to properly fund the protection measures needed to secure sensitive databases.

So whether it is through mistruths or miscommunications, security executives should try to eradicate the possibility that their CEOs could hold some of the misconceptions put forward in South Carolina this week, Murray warns.

Encryption Is Too Hard To Do
One of the first telling comments to come from Haley earlier this week was that it is "industry standard" that most SSNs are not encrypted in databases.

"A lot of banks don't encrypt," she said. "It's very complicated. It's very cumbersome. There's a lot of numbers involved with it."

According to Mark Bower, a data protection expert and vice president at encryption firm Voltage Security, from his experience he can "categorically state" that the leading banks, payment processors, and enterprises are encrypting personally identifiable information such as SSNs.

"In fact, many data privacy laws require it," he says.

What's more, Haley's encryption-is-too-hard excuse is no longer justifiable, Bower argues.


"To suggest that it's too hard isn't taking into account the innovations that have taken place in the last 10 years," he says. "For example, data-centric security technologies like Format-Preserving Encryption, a NIST-recognized mode of AES and Stateless Key Management, make data-level security very simple to implement, deploy, and manage across hundreds of applications and thousands of databases, even in systems which might date back 30 years."

Only Extremely Intelligent, Sophisticated Crooks Could Possibly Breach Our Defenses
In South Carolina and Gov. Haley's defense, the boilerplate response to just about any executive responding to a recent breach is that an incident came at the hands of a mustache-twirling villain of superior intellect. So the superlatives Haley used to describe the suspected international criminal's tactics are hardly surprising.

"This was a sophisticated hacker who came in and creatively got into the system. This was no simple breach," she said. "This is not something that happens on a day-to-day basis; it is something that is very bizarre."

It's hard to say how creative the crooks really were in this case until details are released, but if common industry speculation proves true that this came as a result of an escalated attack following a standard SQL injection attack, that exceptionalism argument hardly holds water with security pros. The question to be asked is even if Haley could justify a lack of encryption to protect citizen details, where were other protections, such as database activity monitoring?

"Maybe lots of people have trouble encrypting Social Security numbers -- I don't really buy that, but maybe they do," Murray says. "But those organizations are doing lots of other things to protect their information."

Haley's staff made it clear that the attackers likely had access to systems for at least a month before detection. The state didn't know about the breach until it was informed by the Secret Service.

"I didn't get the feeling that they actually had a sophisticated database activity monitoring solution in place, which could have prevented this attack," says George Csaba, product manager for FortiDB at Fortinet.

The technology's rule sets could have detected or blocked unusual activity during an initial incursion into the database, before millions of records were stolen, he added. "At the end of the day, even if the hacker came from the outside, they probably used or stole a user ID/password combination in the database, which they were able to utilize to pull that data," Csaba says.
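The kind of rule set Csaba describes, sketched here as an added example (not code from the article or from any vendor's product): it replays constructed audit records, learns which client hosts a database account normally connects from, and then flags bulk reads, a valid credential used from an unknown host, and reads of sensitive tables outside business hours. The log format, account name, hosts and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (not from the South Carolina case):
# timestamp | db user | client host | statement | table | rows returned
SAMPLE_AUDIT_LOG = """\
2012-08-27 09:12:04 | taxapp | 10.1.4.20 | SELECT | taxpayers | 1
2012-08-27 09:12:09 | taxapp | 10.1.4.20 | SELECT | taxpayers | 1
2012-08-27 14:40:51 | taxapp | 10.1.4.21 | UPDATE | taxpayers | 1
2012-09-13 23:51:17 | taxapp | 192.0.2.77 | SELECT | taxpayers | 250000
2012-09-14 00:15:09 | taxapp | 192.0.2.77 | SELECT | businesses | 657000
"""

def parse_audit_log(text):
    """Parse 'ts | user | host | stmt | table | rows' lines, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6 or not parts[5].isdigit():
            continue
        ts, user, host, stmt, table, rows = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
                       "host": host, "stmt": stmt, "table": table, "rows": int(rows)})
    return events

def baseline_hosts(events, before):
    """Learn which client hosts each DB account connected from during the baseline period."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["ts"] < before:
            hosts[ev["user"]].add(ev["host"])
    return hosts

def detect_anomalies(events, known_hosts, max_rows=1000, hours=(7, 19)):
    """Apply three DAM-style rules; return (timestamp, user, table, reasons) per hit."""
    alerts = []
    for ev in events:
        reasons = []
        if ev["rows"] > max_rows:                      # app never needs bulk reads
            reasons.append(f"bulk read of {ev['rows']} rows")
        if ev["host"] not in known_hosts.get(ev["user"], set()):
            reasons.append(f"unknown host {ev['host']}")  # stolen credential, new origin
        if ev["stmt"] == "SELECT" and not (hours[0] <= ev["ts"].hour < hours[1]):
            reasons.append("read outside business hours")
        if reasons:
            alerts.append((ev["ts"].isoformat(sep=" "), ev["user"], ev["table"], reasons))
    return alerts
```

Run against the sample, the two late-night exports from an unfamiliar host trip all three rules while the daytime single-row lookups stay silent; in practice the first such alert is the point at which the session gets blocked or the credential revoked.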

Data Theft Is Inevitable
According to Gov. Haley, "there was not one thing or one person in the Department of Revenue that could have avoided this hack."

Her statement suggests a sense of fatalism that, if it persists in the C-suite, will ensure that breach statistics will continue to grow for years to come, experts say. The problem is that while senior executives should get used to the ideas of attacks continuing ad infinitum, there's nothing inevitable about actually losing data.

"I think she's right: An attack is inevitable; losing 3.8 million Social Security numbers is not," Murray says. "That someone bad is going to keep trying to do something bad to you -- yes, that's absolutely inevitable. That they're going to be very, very successful like they were here, not so much."

According to Murray, he talks with plenty of clients that deal with attacks every day, but that don't deal with actual data loss every day. And that is an important distinction he believes CSOs need to make to their line-of-business executives.

"If we're failing to communicate that up to the highest level of the organization, that's a problem," he says.

11/1/2012 | 1:21:43 PM
re: Lies We Tell Our CEOs About Database Security
One of the scariest realizations from this article is that it is not only true for databases. The same models for securing databases are the foundations for securing Big Data and cloud. Distributed file systems are being looked at like distributed databases/tables.
