Risk

10/1/2009
05:09 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Databases' Most Serious Vulnerability: Authorized Users

New Dark Reading report outlines threats posed to databases by end users -- and how to protect your data

[Excerpted from "Protecting Your Databases From Careless End Users," a new report published today in Dark Reading's Database Security Tech Center.]

In all of their frenzy to protect sensitive data from hackers and thieves, many organizations overlook the most likely threat to their databases: authorized users.

While today's headlines might be full of compromises and SQL injection attacks, most database leaks are still caused by end users who have legitimate access to the data, experts say. Yet, according to "Protecting Your Databases From Careless End Users," a new report published today by Dark Reading, many enterprises still don't do enough to protect data from accidental leaks or insider theft.

"It sometimes amazes me how little concern companies have for their production data," says James Koopmann, owner of the database consultancy Pine Horse. "They allow nearly anyone to plug in shareware, freeware, and demo tools to access sensitive production data -- without any concern for how it might be retrieving, caching, or altering data."

According to the report, there are five common factors that lead to the compromise of database information: ignorance, poor password management, rampant account sharing, unfettered access to data, and excessive portability of data.

Many database leaks are caused by users who don't know any better, experts say. According to CompTIA's Seventh Annual Trends in Information Security report, which was published earlier this year, only 45 percent of organizations surveyed offer security training to non-IT staff. Of those that did, 85 percent saw a reduction in major security breaches. Experts say that many users who work with databases simply don't understand the sensitivity -- or the value -- of the data they work with, and therefore become casual in their security practices.

Poor password management is another common issue. Either IT departments allow database users to set easy-to-guess passwords, or they make the passwords so complicated that the user ends up writing them down and sticking them to the computer screen.

"We have to strike a balance between ease of remembering for database users versus how complicated we make the passwords to protect against outsiders," says George Jucan, CEO of Open Data Systems, a database consulting firm.

In many database environments, account sharing is a common practice, which creates another set of security issues. "In many organizations, the credentialed or privileged accounts are shared and widely known," says Phil Neray, vice president of security strategy for Guardium, a database security tool vendor.

While some users take advantage of their co-workers' credentials, others gain access to data via highly privileged application server credentials. In either case, data compromises can occur without leaving a clear trail to the perpetrator.

Unfettered access to data is another common problem in many database environments, experts say. In many cases, employees are given access to more information than they need to do their jobs.

"Most of the databases today provide role-based access control to databases, and few companies actually take advantage of this," Jucan says. "If somebody doesn't even see that certain data exists in the database, they will not be tempted to print it and leave it on the printer."

In addition to role-based access controls, enterprises should look into data masking technology, database experts say. Such technology limits the user's exposure to highly-sensitive and highly regulated data sets -- such as Social Security numbers -- without limiting the user's ability to do their work. Finally, enterprises should take a closer look at technologies and practices for protecting data as it becomes increasingly portable, experts say. One of the biggest dangers companies face today is the ability of authorized users to simply download large chunks of information from the database onto spreadsheets, laptops, or portable storage devices.

These practices make it easier for thieves to gain access to the data via common PC hacking methods -- or to physically steal it from the user. Tools such as database activity monitoring, data leak prevention, and encryption all can help protect portable data, experts say.

To download the full text of the new Dark Reading report, click here.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.