Powered By InformationWeek Business Technology Network
 
Welcome Guest. | Log In| Register | Membership Benefits
  • Email this page E-mail this page
  • |  Print Print this page
  • |   Bookmark and Share

Databases' Most Serious Vulnerability: Authorized Users

New Dark Reading report outlines threats posed to databases by end users -- and how to protect your data

Oct 01, 2009 | 05:09 PM

By Ericka Chickowski
DarkReading

[Excerpted from "Protecting Your Databases From Careless End Users," a new report published today in Dark Reading's Database Security Tech Center.]

In all of their frenzy to protect sensitive data from hackers and thieves, many organizations overlook the most likely threat to their databases: authorized users.

While today's headlines might be full of compromises and SQL injection attacks, most database leaks are still caused by end users who have legitimate access to the data, experts say. Yet, according to "Protecting Your Databases From Careless End Users," a new report published today by Dark Reading, many enterprises still don't do enough to protect data from accidental leaks or insider theft.

"It sometimes amazes me how little concern companies have for their production data," says James Koopmann, owner of the database consultancy Pine Horse. "They allow nearly anyone to plug in shareware, freeware, and demo tools to access sensitive production data -- without any concern for how it might be retrieving, caching, or altering data."

According to the report, there are five common factors that lead to the compromise of database information: ignorance, poor password management, rampant account sharing, unfettered access to data, and excessive portability of data.

Many database leaks are caused by users who don't know any better, experts say. According to CompTIA's Seventh Annual Trends in Information Security report, which was published earlier this year, only 45 percent of organizations surveyed offer security training to non-IT staff. Of those that did, 85 percent saw a reduction in major security breaches. Experts say that many users who work with databases simply don't understand the sensitivity -- or the value -- of the data they work with, and therefore become casual in their security practices.

Poor password management is another common issue. Either IT departments allow database users to set easy-to-guess passwords, or they make the passwords so complicated that the user ends up writing them down and sticking them to the computer screen.

"We have to strike a balance between ease of remembering for database users versus how complicated we make the passwords to protect against outsiders," says George Jucan, CEO of Open Data Systems, a database consulting firm.

In many database environments, account sharing is a common practice, which creates another set of security issues. "In many organizations, the credentialed or privileged accounts are shared and widely known," says Phil Neray, vice president of security strategy for Guardium, a database security tool vendor.

While some users take advantage of their co-workers' credentials, others gain access to data via highly privileged application server credentials. In either case, data compromises can occur without leaving a clear trail to the perpetrator.

Unfettered access to data is another common problem in many database environments, experts say. In many cases, employees are given access to more information than they need to do their jobs.

"Most of the databases today provide role-based access control to databases, and few companies actually take advantage of this," Jucan says. "If somebody doesn't even see that certain data exists in the database, they will not be tempted to print it and leave it on the printer."

In addition to role-based access controls, enterprises should look into data masking technology, database experts say. Such technology limits the user's exposure to highly-sensitive and highly regulated data sets -- such as Social Security numbers -- without limiting the user's ability to do their work. Finally, enterprises should take a closer look at technologies and practices for protecting data as it becomes increasingly portable, experts say. One of the biggest dangers companies face today is the ability of authorized users to simply download large chunks of information from the database onto spreadsheets, laptops, or portable storage devices.

These practices make it easier for thieves to gain access to the data via common PC hacking methods -- or to physically steal it from the user. Tools such as database activity monitoring, data leak prevention, and encryption all can help protect portable data, experts say.

To download the full text of the new Dark Reading report, click here.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.


Subscribe to RSS



Database Security Reports

report Database Activity Monitoring: Emerging Technology Keeps Tabs on Assets
You can read about the consequences of not protecting critical data in the daily headlines. In response, security-conscious organizations are tackling the complexities involved in effectively monitoring their databases for potential leaks and compromises. Fortunately, an emerging class of software is stepping up to help. Here’s what enterprises need to know about selecting, deploying, and managing DAM technology.

report SQL Injection: A Major Threat to Data Security
Of all the attacks taking place on Web sites across the Internet today, SQL injection is the most popular for cybercriminals trying to hack their way into corporate data stores. But for such a pervasive threat, there is still little understanding within the development and database communities about what constitutes a SQL injection vulnerability, how attacks against a SQL injection bug work, and how to mitigate the risk. We examine how these exploits work and what you can do to stop them.

report Protecting Your Databases From Careless End Users
While much attention is paid to outside attackers' efforts to crack enterprise databases, IT organizations often overlook an even greater threat: end users. Ignorance and disregard of company security policies may lead employees to expose their organizations' databases to compromise, often without even knowing that they’re doing so. In this report, we offer advice on how to educate users on database security, and some common-sense recommendations on how to limit the damage.

report A Database Administrator's Guide to Security
While most security pros have become painfully aware of the threats posed to their organizations' databases, many of those who create and maintain the databases still don't fully understand the danger.  This "security primer" is designed to open the eyes of the DBA to the risks posed by poor database security – and to current "best practices" that can help prevent those risks from becoming reality.

report Why Your Databases Are Vulnerable To Attack - And What You Can Do About It
Most of an enterprise’s most sensitive and valuable information resides in databases. Yet, in many organizations, database security is often neglected, misunderstood, or even ignored. In this report, we discover why databases have become one of the most popular targets for hackers - and how everyday mistakes in database administration contribute to these attacks. We also offer some advice on what your organization can do to protect your most critical data - and to stop hackers in their tracks.

Related Content

HOWTO Secure and Audit Oracle 10g and 11g
Read the "Hardening Your Database" chapter from the 454-page book "HOWTO Secure and Audit Oracle 10g and 11g" and learn how to navigate the many security options within Oracle (authored by database security expert and Guardium CTO, Ron Ben Natan, Ph.D.)

HOWTO Monitor Database Activity
Read the "Database Activity Monitoring (DAM)" chapter from "HOWTO Secure and Audit Oracle 10g and 11g" (CRC Press, 2009) and learn how to leverage DAM to prevent cyberattacks, monitor privileged users and track access to sensitive data.

8 Steps to Holistic Database Security
Get the 8 essential best practices for a holistic approach to both safeguarding databases and achieving compliance with key regulations such as SOX, PCI-DSS, NIST 800-53 and data protection laws.

Essential Steps to Implementing Database Security and Auditing
Learn best practices and specific tips for effectively securing Oracle, SQL Server, DB2, MySQL and Sybase environments, including tracking security vulnerabilities, the anatomy of buffer overflow vulnerabilities and database auditing.

Databases at Risk: Current State of Database Security (ESG Research)
This recently published ESG report analyzes the current state of database security -- concluding it depends upon too many manual processes -- and also offers concrete steps to improve database security across the enterprise.