Application Security // Database Security
11/1/2012
01:34 AM

Lies We Tell Our CEOs About Database Security

South Carolina government executives' response to breach shows how nontech leadership often views security through a distorted lens

Beyond the raw statistics coming out of the South Carolina state government offices around a breach of its tax records that exposed the sensitive details of millions, Gov. Nikki Haley and her nontechnical senior executives have tried to dole out a measure of information about the breach and citizen credit remediation through a series of press conferences this week. A good faith effort, to be sure, security pundits say, but one whose content may also hint at how South Carolina may have gotten in this mess in the first place.

As investigators continue to unravel the clues around the South Carolina breach at the state's Department of Revenue that exposed 3.6 million individual taxpayers' Social Security numbers (SSNs), Haley announced more bad news on Halloween with the revelation that tax files for around 657,000 businesses were also stolen. While many details around how the hack went down are being kept under wraps due to law enforcement constraints, the governor and her staff have commented about the technical aspects of the breach. Some security pros argue that the messages and tone set by these comments hint at a dangerous lack of education about database security and threats.

For example, in one instance the governor justified the state's failure to encrypt taxpayers' SSNs with the comment that most banks don't encrypt them, and that it's too complex to do. In another instance, even though the attack was clearly from an outside hacker, she said that "this is not someone who came in from the Internet."

"She's getting really bad information from the people beneath her or she's speaking from a completely uneducated perspective," says Mike Murray, managing partner for consulting firm MAD Security. "Her version of what database encryption is seemed like it should be in a movie version of what hacking is."

What makes that so dangerous, of course, is that distorted views of security often lead to bad risk decisions. When senior executives of any public or private organization don't understand industry best practices or what really constitutes a sophisticated attack, they will probably fail to properly fund the measures needed to secure sensitive databases.

So whether it is through mistruths or miscommunications, security executives should try to eradicate the possibility that their CEOs could hold some of the misconceptions put forward in South Carolina this week, Murray warns.

Encryption Is Too Hard To Do
One of the first telling comments to come from Haley earlier this week was that it is "industry standard" that most SSNs are not encrypted in databases.

"A lot of banks don't encrypt," she said. "It's very complicated. It's very cumbersome. There's a lot of numbers involved with it."

According to Mark Bower, a data protection expert and vice president at encryption firm Voltage Security, from his experience he can "categorically state" that the leading banks, payment processors, and enterprises are encrypting personally identifiable information such as SSNs.

"In fact, many data privacy laws require it," he says.

What's more, Haley's encryption-is-too-hard excuse is no longer justifiable, Bower argues.


"To suggest that it's too hard isn't taking into account the innovations that have taken place in the last 10 years," he says. "For example, data-centric security technologies like Format-Preserving Encryption, a NIST-recognized mode of AES and Stateless Key Management, make data-level security very simple to implement, deploy, and manage across hundreds of applications and thousands of databases, even in systems which might date back 30 years."

Only Extremely Intelligent, Sophisticated Crooks Could Possibly Breach Our Defenses
In South Carolina and Gov. Haley's defense, the boilerplate response from just about any executive responding to a recent breach is that the incident came at the hands of a mustache-twirling villain of superior intellect. So the superlatives Haley used to describe the suspected international criminal's tactics are hardly surprising.

"This was a sophisticated hacker who came in and creatively got into the system. This was no simple breach," she said. "This is not something that happens on a day-to-day basis; it is something that is very bizarre."

It's hard to say how creative the crooks really were in this case until details are released, but if common industry speculation proves true that this came as the result of an escalated attack following a standard SQL injection attack, that exceptionalism argument hardly holds water with security pros. The question to ask is this: even if Haley could justify a lack of encryption to protect citizen details, where were the other protections, such as database activity monitoring?

"Maybe lots of people have trouble encrypting Social Security numbers -- I don't really buy that, but maybe they do," Murray says. "But those organizations are doing lots of other things to protect their information."

Haley's staff made it clear that the attackers likely had access to systems for at least a month before detection. The state didn't know about the breach until it was informed by the Secret Service.

"I didn't get the feeling that they actually had a sophisticated database activity monitoring solution in place, which could have prevented this attack," says George Csaba, product manager for FortiDB at Fortinet.

The technology's rule sets could have detected or blocked unusual activity during an initial incursion into the database, before millions of records were stolen, he added. "At the end of the day, even if the hacker came from the outside, they probably used or stole a user ID/password combination in the database, which they were able to utilize to pull that data," Csaba says.
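As an added illustration of the kind of rule set Csaba describes (this is not code from the article or from Fortinet's FortiDB), the following runs three simple rules over constructed database audit records; the account, host, table and column names and the thresholds are assumptions. The incursion it models is the one the article suggests: a valid user ID/password used from an unfamiliar host to pull the whole taxpayer table.

```python
import re

# Constructed audit records, not real data:
# (timestamp, db_user, client_host, statement, rows_returned)
AUDIT_LOG = [
    ("2012-08-27T09:01", "tax_app", "10.1.1.20", "SELECT name, address FROM taxpayer WHERE id = ?", 1),
    ("2012-08-27T09:02", "tax_app", "10.1.1.20", "SELECT ssn FROM taxpayer WHERE id = ?", 1),
    ("2012-08-27T09:05", "tax_app", "10.1.1.21", "SELECT name, address FROM taxpayer WHERE id = ?", 1),
    # the incursion: a valid application account used from an unknown host to dump the table
    ("2012-08-27T23:40", "tax_app", "203.0.113.7", "SELECT ssn, name FROM taxpayer", 3600000),
    # a legitimate nightly batch job that also reads the whole table, but no sensitive columns
    ("2012-08-28T00:10", "batch_svc", "10.1.1.30", "SELECT id, status FROM taxpayer", 3600000),
]

# Baseline the monitor is configured with (hypothetical; a real DAM product learns or is
# told these from history): which hosts each account connects from, how many rows an
# account legitimately returns per statement, and which columns are sensitive.
KNOWN_HOSTS = {"tax_app": {"10.1.1.20", "10.1.1.21"}, "batch_svc": {"10.1.1.30"}}
ROW_LIMIT = {"tax_app": 100}      # the interactive app looks up one taxpayer at a time
SENSITIVE_COLUMNS = {"ssn"}
SENSITIVE_ROW_LIMIT = 10          # no account should bulk-read SSNs

def selected_columns(stmt):
    """Column names in the select list of a simple SELECT, lower-cased; empty if not a SELECT."""
    m = re.match(r"\s*select\s+(.*?)\s+from\s", stmt, re.I | re.S)
    return {c.strip().lower() for c in m.group(1).split(",")} if m else set()

def evaluate(record):
    """Return the names of the rules this audit record violates, in rule order."""
    _ts, user, host, stmt, rows = record
    alerts = []
    if host not in KNOWN_HOSTS.get(user, set()):
        alerts.append("unknown_host")            # stolen credentials used from elsewhere
    if rows > ROW_LIMIT.get(user, float("inf")):
        alerts.append("bulk_read")               # far more rows than this account ever needs
    if rows > SENSITIVE_ROW_LIMIT and selected_columns(stmt) & SENSITIVE_COLUMNS:
        alerts.append("sensitive_bulk_read")     # SSNs leaving in bulk, whatever the account
    return alerts

def run(log):
    """Apply the rule set to every record; returns (timestamp, user, alerts) for hits only."""
    hits = []
    for record in log:
        alerts = evaluate(record)
        if alerts:
            hits.append((record[0], record[1], alerts))
    return hits

if __name__ == "__main__":
    for ts, user, alerts in run(AUDIT_LOG):
        print(ts, user, ", ".join(alerts))
```

Only the late-night dump from the unfamiliar host trips the rules; the nightly batch job that reads the same number of rows passes because it comes from its usual host and touches no sensitive column.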

Data Theft Is Inevitable
According to Gov. Haley, "there was not one thing or one person in the Department of Revenue that could have avoided this hack."

Her statement suggests a sense of fatalism that, if it persists in the C-suite, will ensure that breach statistics will continue to grow for years to come, experts say. The problem is that while senior executives should get used to the ideas of attacks continuing ad infinitum, there's nothing inevitable about actually losing data.

"I think she's right: An attack is inevitable; losing 3.8 million Social Security numbers is not," Murray says. "That someone bad is going to keep trying to do something bad to you -- yes, that's absolutely inevitable. That they're going to be very, very successful like they were here, not so much."

Murray says he talks with plenty of clients that deal with attacks every day but don't deal with actual data loss every day. That is an important distinction he believes CSOs need to make clear to their line-of-business executives.

"If we're failing to communicate that up to the highest level of the organization, that's a problem," he says.

Comments
hurleyia,
User Rank: Apprentice
11/1/2012 | 1:21:43 PM
re: Lies We Tell Our CEOs About Database Security
One of the scariest realizations from this article is that it is not only true for databases. The same models for securing databases are the foundations for securing Big Data and cloud. Distributed file systems are being looked at like distributed databases/tables.
