Lies We Tell Our CEOs About Database Security

South Carolina government executives' response to breach shows how nontech leadership often views security through a distorted lens
Beyond the raw statistics coming out of the South Carolina state government offices around a breach of its tax records that exposed the sensitive details of millions, Gov. Nikki Haley and her nontechnical senior executives have tried to dole out a measure of information about the breach and citizen credit remediation through a series of press conferences this week. A good faith effort, to be sure, security pundits say, but one whose content may also hint at how South Carolina may have gotten in this mess in the first place.

As investigators continue to unravel the clues around the South Carolina breach at the state's Department of Revenue that exposed 3.6 million individual taxpayers' Social Security numbers (SSNs), Haley announced more bad news on Halloween with the revelation that tax files for around 657,000 businesses were also stolen. While many details around how the hack went down are being kept under wraps due to law enforcement constraints, the governor and her staff have commented about the technical aspects of the breach. Some security pros argue that the messages and tone set by these comments hint at a dangerous lack of education about database security and threats.

For example, in one instance the governor justified the state's failure to encrypt taxpayers' SSNs with the comment that most banks don't encrypt them, and that it's too complex to do. In another instance, even though the attack was clearly from an outside hacker, she said that "this is not someone who came in from the Internet."

"She's getting really bad information from the people beneath her or she's speaking from a completely uneducated perspective," says Mike Murray, managing partner for consulting firm MAD Security. "Her version of what database encryption is seemed like it should be in a movie version of what hacking is."

What makes that so dangerous, of course, is that distorted views of security often lead to bad risk decisions. That's because when senior executives of any public or private organizations don't understand industry best practices or what really constitutes a sophisticated attack, they'll probably fail to properly fund protection measures against securing sensitive databases.

So whether it is through mistruths or miscommunications, security executives should try to eradicate the possibility that their CEOs could hold some of the misconceptions put forward in South Carolina this week, Murray warns.

Encryption Is Too Hard To Do
One of the first telling comments to come from Haley earlier this week was that it is "industry standard" that most SSNs are not encrypted in databases.

"A lot of banks don't encrypt," she said. "It's very complicated. It's very cumbersome. There's a lot of numbers involved with it."

According to Mark Bower, a data protection expert and vice president at encryption firm Voltage Security, from his experience he can "categorically state" that the leading banks, payment processors, and enterprises are encrypting personally identifiable information such as SSNs.

"In fact, many data privacy laws require it," he says.

What's more, Haley's encryption-is-too-hard excuse is no longer justifiable, Bower argues.

[Hackers fixate on SQL injections -- CSOs, not so much. See The SQL Injection Disconnection.]

"To suggest that it's too hard isn't taking into account the innovations that have taken place in the last 10 years," he says. "For example, data-centric security technologies like Format-Preserving Encryption, a NIST-recognized mode of AES and Stateless Key Management, make data-level security very simple to implement, deploy, and manage across hundreds of applications and thousands of databases, even in systems which might date back 30 years."

Only Extremely Intelligent, Sophisticated Crooks Could Possibly Breach Our Defenses
In South Carolina and Gov. Haley's defense, the boilerplate response to just about any executive responding to a recent breach is that an incident came at the hands of a mustache-twirling villain of superior intellect. So the superlatives Haley used to describe the suspected international criminal's tactics are hardly surprising.

"This was a sophisticated hacker who came in and creatively got into the system. This was no simple breach," she said. "This is not something that happens on a day-to-day basis; it is something that is very bizarre."

It's hard to say how creative the crooks really were in this case until details are released, but if common industry speculation proves true that this came as a result of an escalated attack following a standard SQL injection attack, that exceptionalism argument hardly holds water with security pros. The question to be asked is even if Haley could justify a lack of encryption to protect citizen details, where were other protections, such as database activity monitoring?

"Maybe lots of people have trouble encrypting Social Security numbers -- I don't really buy that, but maybe they do," Murray says. "But those organizations are doing lots of other things to protect their information."

Haley's staff made it clear that the attackers likely had access to systems for at least a month before detection. The state didn't know about the breach until it was informed by the Secret Service.

"I didn't get the feeling that they actually had a sophisticated database activity monitoring solution in place, which could have prevented this attack," says George Csaba, product manager for FortiDB at Fortinet.

The technology's rule sets could have detected or blocked unusual activity during an initial incursion into the database, before millions of records were stolen, he added. "At the end of the day, even if the hacker came from the outside, they probably used or stole a user ID/password combination in the database, which they were able to utilize to pull that data," Csaba says.

Data Theft Is Inevitable
According to Gov. Haley, "there was not one thing or one person in the Department of Revenue that could have avoided this hack."

Her statement suggests a sense of fatalism that, if it persists in the C-suite, will ensure that breach statistics will continue to grow for years to come, experts say. The problem is that while senior executives should get used to the ideas of attacks continuing ad infinitum, there's nothing inevitable about actually losing data.

"I think she's right: An attack is inevitable; losing 3.8 million Social Security numbers is not," Murray says. "That someone bad is going to keep trying to do something bad to you -- yes, that's absolutely inevitable. That they're going to be very, very successful like they were here, not so much."

According to Murray, he talks with plenty of clients that deal with attacks every day, but that don't deal with actual data loss every day. And that is an important distinction he believes CSOs need to make to their line-of-business executives.

"If we're failing to communicate that up to the highest level of the organization, that's a problem," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.