Attacks/Breaches
7/2/2010
09:48 AM
50%
50%

Six Messy Database Breaches So Far In 2010

From a National Guardsman's external hard drive faux pas to a financial services firm's slack practice of password-sharing, this year has already had its share of shocking database exposures

4. Virginia Beach Department of Social Services

Breach Details: In April The Department of Social Services in Virginia Beach, Va., announced it had fired or disciplined at least eight employees and supervisors in the past year for abusing their database privileges to access restricted information about former employees, family members, and clients. In one egregious example, a supervisor made her employees access a Virginia database to find information about her husband's child.

Lessons Learned: Insider threats to database information are very real, as this example clearly illustrates. While all of the employees involved in these incidents had legitimate access to departmental databases, their use of credentials was for purposes way outside the bounds of their job duties. Robust database activity monitoring tools are the only reliable way for organizations to ferret out account abuse cases on this plane.

5. Florida International University

Breach Details: Though details are sketchy about the exact nature of this breach, what is clear is that Florida International University found the "existence of a database containing sensitive information that did not reside in a secure computing environment" during a risk assessment following an unrelated security incident, according to notification letters sent to nearly 20,000 students and faculty. The unsecure database contained personal data, such as student data related to state mastery standards, grade tracking, assignments, and Social Security numbers of both students and faculty.

Lessons Learned: Not only do databases themselves need to be secured, but so, too, do the systems on which they run and the networks that they're attached to. This means practicing diligent patch and configuration management on database servers, segregating critical databases onto the most secure network segments, and employing the rule of least privilege for these critical database environments.

6. Lincoln National Corp.

Breach Details: In January this financial services firm revealed that lax password management practices and frequent credential-sharing for access to the company's client portfolio database potentially exposed the records of 1.2 million customers. Some shared passwords were used for as long as seven years. The security lapse was not uncovered until an anonymous whistleblower sent Financial Industry Regulatory Authority (FINRA) a user name and password combo that gave access to the portfolio.

Lessons Learned: Password-sharing is one of the most common and potentially damaging behaviors to affect enterprise database security postures. Not only do organizations need to develop and enforce password management policies, they also need a way to look for account use patterns that indicate illegitimate sharing.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2184
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

CVE-2014-3619
Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

CVE-2014-8121
Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

CVE-2014-9712
Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

CVE-2015-2157
Published: 2015-03-27
The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.