Attacks/Breaches
7/2/2010
09:48 AM

Six Messy Database Breaches So Far In 2010

From a National Guardsman's external hard drive faux pas to a financial services firm's slack practice of password-sharing, this year has already had its share of shocking database exposures

Whether through insecure Web applications, poor password management, or a lack of database policies and monitoring, the average database today is at risk of exposure through a host of threat vectors that many organizations are not even aware of, let alone addressing. Already in 2010, the number of database breaches caused by such mistakes is mounting.

Most of the disturbing database breaches on this year's list could have been avoided. The affected organizations had to learn the hard way, through public embarrassment and expensive incident response procedures. But the missteps that led to them provide a cautionary tale for other organizations.

"Security needs to be addressed by appropriate policies and systems, but perhaps more importantly a cultural commitment and buy-in by employees to achieving security," Daniel Mayo and Graham Titterington, principal analysts for Ovum, wrote recently about database security.

Garnering that cultural commitment starts with awareness. Here are six of the more eye-popping database-related breaches so far this year -- and some lessons learned from each:

1. Arkansas Army National Guard

Breach Details: An Arkansas soldier caused the Arkansas Army National Guard a lot of embarrassment earlier this year when he brought home an external hard drive containing a copy of the Guard's entire personnel database with the personal information of more than 32,000 current and former Guardsmen. For about two months the Guard couldn't track the hard drive down and had to notify personnel of the loss as a result of the potential breach. The drive was eventually recovered and the information destroyed, but the entire event left the organization with egg on its face.

Lessons Learned: Strike one in this case was that the data was completely unencrypted. But strikes two and three were the fact that the soldier in question was able to copy the database in the first place and take it off-site.

Database security experts repeatedly warn organizations to take measures to prevent wholesale copying of database files, whether by innocent but negligent insiders or by malicious insiders looking to steal data. Database activity monitoring tools can help monitor for and prevent such activities.
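As an added illustration of the monitoring the paragraph above recommends (this is example code written for this page, not a product's or the Guard's own tooling), the following Python rule scans constructed database audit-log lines and flags any session whose cumulative reads from a sensitive table reach a bulk-extraction threshold. The log-line format, table names and threshold are assumptions chosen for the example; a real DAM product would feed its own audit stream into an equivalent rule.

```python
"""Added example: a minimal database-activity-monitoring rule that detects
wholesale reads of sensitive tables in an audit log. Log format, table
names and thresholds are assumptions for illustration."""

import re
from collections import defaultdict

# Assumed audit-log line layout (constructed for this example):
#   <timestamp> user=<name> session=<id> table=<name> op=<verb> rows=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"table=(?P<table>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)

# Tables whose bulk export should never happen from an ordinary session.
SENSITIVE_TABLES = {"personnel", "patients"}

# Rows read per session before we call it a bulk copy; tune per table size.
BULK_ROW_THRESHOLD = 10_000

# Constructed sample log: two small application reads, one full-table dump
# by an individual user, a read of a non-sensitive table, a moderate DBA
# read, and a malformed line the parser must skip rather than crash on.
SAMPLE_LOG = """\
2010-03-01T08:00:01Z user=hr_app session=101 table=personnel op=SELECT rows=1
2010-03-01T08:00:05Z user=hr_app session=101 table=personnel op=SELECT rows=1
2010-03-01T22:14:10Z user=jdoe session=207 table=personnel op=SELECT rows=32000
2010-03-01T22:15:40Z user=jdoe session=207 table=audit_log op=SELECT rows=5
2010-03-02T09:30:00Z user=dba session=300 table=patients op=SELECT rows=250
malformed line that the parser should skip
"""


def parse_line(line):
    """Return a dict for a well-formed audit line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    return rec


def find_bulk_reads(log_text, threshold=BULK_ROW_THRESHOLD,
                    sensitive=SENSITIVE_TABLES):
    """Aggregate SELECT row counts per (user, session, table) and return the
    combinations that reach the threshold, in the order they first appeared."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["op"] != "SELECT" or rec["table"] not in sensitive:
            continue
        totals[(rec["user"], rec["session"], rec["table"])] += rec["rows"]
    return [
        {"user": u, "session": s, "table": t, "rows": n}
        for (u, s, t), n in totals.items()
        if n >= threshold
    ]


if __name__ == "__main__":
    for alert in find_bulk_reads(SAMPLE_LOG):
        print("BULK READ:", alert)
```

Summing per session rather than per statement is the point: a copy of an entire personnel table can be taken with one statement or with many paged queries, and only the session total reveals the second pattern.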

2. University of Louisville

Breach Details: A staff doctor who set up a Web application that tapped into a University of Louisville database of dialysis patients put hundreds of patient records at risk by failing to use password protection to prevent unauthorized access to the application. The records were openly available online for close to a year-and-a-half until someone outside of the organization sent an e-mail cluing the university in on the privacy breach.

Lessons Learned: Web applications are the Achilles' heel of database security, and organizations have to work hard to bring DBAs, developers, and business stakeholders together to develop Web app security policies, particularly around access management issues that can cause breaches such as this.

3. WellPoint

Breach Details: A business logic flaw in a Web application that was tied to a database of individual insurance customers of health giant WellPoint allowed unauthorized users to potentially access any of 470,000 customer records. The vulnerability was discovered by a WellPoint customer who found that a simple URL manipulation could give her access to other customers' personal data. It turned out that an outsourced vendor tasked with updating the application had introduced the flaw last fall.

Lessons Learned: Insecure Web app code is frequently the submerged iceberg just waiting to sink an organization's database security. Before rolling out new or updated applications to live environments, organizations should run application testing that not only scans for common code vulnerabilities, but also business logic flaws such as this one.
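The University of Louisville and WellPoint cases above share one root cause: a record lookup that trusts the identifier in the URL and never asks who the caller is or whether the record belongs to them. The following Python is an added example written for this page (not code from either organization or their vendors) that shows that lookup in its vulnerable form beside a hardened one. The SQLite table, session store and `id` query parameter are constructed assumptions; the queries are parameterized in both versions so that the only difference between them is the missing authentication and ownership check.

```python
"""Added example: a customer-record lookup with the authorization flaw
behind the two breaches above, and the corrected version. Data, sessions
and URL shape are constructed for illustration."""

import sqlite3
from urllib.parse import parse_qs, urlparse


class Unauthorized(Exception):
    """No valid session: the caller has not logged in."""


class Forbidden(Exception):
    """Valid session, but the record is not the caller's (or does not exist)."""


def build_db():
    """In-memory stand-in for the customer database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customer_record "
        "(id INTEGER PRIMARY KEY, owner TEXT NOT NULL, ssn_last4 TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO customer_record VALUES (?, ?, ?)",
        [(1001, "alice", "1234"), (1002, "bob", "9876")],
    )
    return db


DB = build_db()

# Constructed session store: session token -> authenticated username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def record_id_from_url(url):
    """Pull the integer `id` query parameter from a request URL, or None."""
    raw = parse_qs(urlparse(url).query).get("id", [None])[0]
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def vulnerable_lookup(url):
    """The breach pattern: whoever names a record id in the URL gets it.
    No login is required and the caller's identity is never compared with
    the record's owner, so changing 1001 to 1002 reads another customer."""
    rid = record_id_from_url(url)
    return DB.execute(
        "SELECT id, owner, ssn_last4 FROM customer_record WHERE id = ?", (rid,)
    ).fetchone()


def hardened_lookup(url, session_token):
    """Require a session, then scope the query to the caller's own records.
    A missing record and another customer's record both produce the same
    Forbidden result, so the response does not reveal which ids exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Unauthorized("login required")
    rid = record_id_from_url(url)
    row = DB.execute(
        "SELECT id, owner, ssn_last4 FROM customer_record "
        "WHERE id = ? AND owner = ?",
        (rid, user),
    ).fetchone()
    if row is None:
        raise Forbidden("no such record for this user")
    return row


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup("https://portal.example/policy?id=1002"))
    print("hardened:  ", hardened_lookup("https://portal.example/policy?id=1001", "tok-alice"))
```

Putting the ownership condition into the SQL itself, rather than fetching the row and checking afterwards, is the habit worth adopting: every read path then fails closed by construction, and a scanner that only looks for injection will still not catch a handler that forgot to do it, which is why the article calls for business-logic testing on top of code scanning.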

1 of 2