
Risk

10/1/2009
05:09 PM
Databases' Most Serious Vulnerability: Authorized Users

New Dark Reading report outlines threats posed to databases by end users -- and how to protect your data

[Excerpted from "Protecting Your Databases From Careless End Users," a new report published today in Dark Reading's Database Security Tech Center.]

In all of their frenzy to protect sensitive data from hackers and thieves, many organizations overlook the most likely threat to their databases: authorized users.

While today's headlines might be full of compromises and SQL injection attacks, most database leaks are still caused by end users who have legitimate access to the data, experts say. Yet, according to "Protecting Your Databases From Careless End Users," a new report published today by Dark Reading, many enterprises still don't do enough to protect data from accidental leaks or insider theft.

"It sometimes amazes me how little concern companies have for their production data," says James Koopmann, owner of the database consultancy Pine Horse. "They allow nearly anyone to plug in shareware, freeware, and demo tools to access sensitive production data -- without any concern for how it might be retrieving, caching, or altering data."

According to the report, there are five common factors that lead to the compromise of database information: ignorance, poor password management, rampant account sharing, unfettered access to data, and excessive portability of data.

Many database leaks are caused by users who don't know any better, experts say. According to CompTIA's Seventh Annual Trends in Information Security report, which was published earlier this year, only 45 percent of organizations surveyed offer security training to non-IT staff. Of those that did, 85 percent saw a reduction in major security breaches. Experts say that many users who work with databases simply don't understand the sensitivity -- or the value -- of the data they work with, and therefore become casual in their security practices.

Poor password management is another common issue. Either IT departments allow database users to set easy-to-guess passwords, or they make the passwords so complicated that the user ends up writing them down and sticking them to the computer screen.

"We have to strike a balance between ease of remembering for database users versus how complicated we make the passwords to protect against outsiders," says George Jucan, CEO of Open Data Systems, a database consulting firm.

In many database environments, account sharing is a common practice, which creates another set of security issues. "In many organizations, the credentialed or privileged accounts are shared and widely known," says Phil Neray, vice president of security strategy for Guardium, a database security tool vendor.

While some users take advantage of their co-workers' credentials, others gain access to data via highly privileged application server credentials. In either case, data compromises can occur without leaving a clear trail to the perpetrator.

Unfettered access to data is another common problem in many database environments, experts say. In many cases, employees are given access to more information than they need to do their jobs.

"Most of the databases today provide role-based access control to databases, and few companies actually take advantage of this," Jucan says. "If somebody doesn't even see that certain data exists in the database, they will not be tempted to print it and leave it on the printer."

In addition to role-based access controls, enterprises should look into data masking technology, database experts say. Such technology limits the user's exposure to highly sensitive and highly regulated data sets -- such as Social Security numbers -- without limiting the user's ability to do their work.

Finally, enterprises should take a closer look at technologies and practices for protecting data as it becomes increasingly portable, experts say. One of the biggest dangers companies face today is the ability of authorized users to simply download large chunks of information from the database onto spreadsheets, laptops, or portable storage devices.
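As an added illustration of the role-based access control and data masking the experts recommend (example code written for this page, not from the report or the vendors quoted), the PostgreSQL script below assumes a hypothetical customer table, a support_staff group role and a login role carol; the weak "everyone can read the table" setting is shown commented out beside the corrected one.

```sql
-- Added example, not from the Dark Reading report. PostgreSQL syntax assumed;
-- table, column and role names are constructed for illustration.

-- Base table holding a highly regulated column (Social Security number).
CREATE TABLE customer (
    customer_id  integer PRIMARY KEY,
    full_name    text NOT NULL,
    ssn          text NOT NULL,          -- constructed sample format 'NNN-NN-NNNN'
    email        text
);

-- Constructed sample rows.
INSERT INTO customer VALUES
    (1, 'Alice Example', '123-45-6789', 'alice@example.com'),
    (2, 'Bob Example',   '987-65-4321', 'bob@example.com');

-- Weak setting the article warns about: unfettered access for every account.
-- GRANT SELECT ON customer TO PUBLIC;   -- do not do this

-- Corrected setting: one group role for support staff, who need names and
-- e-mail addresses but never the raw SSN, and an individual login per person
-- (no shared credentials, so activity can be traced to a user).
CREATE ROLE support_staff NOLOGIN;
CREATE ROLE carol LOGIN PASSWORD 'placeholder-change-me' IN ROLE support_staff;

-- Data masking: a view that exposes only the last four digits of the SSN.
-- PostgreSQL views run with the view owner's privileges, so the role can read
-- the masked columns without holding any privilege on the base table.
CREATE VIEW customer_masked AS
SELECT customer_id,
       full_name,
       '***-**-' || right(ssn, 4) AS ssn_masked,
       email
FROM customer;

-- Least privilege: the group sees the masked view only; the base table stays
-- closed to everyone but its owner.
REVOKE ALL ON customer FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO support_staff;
GRANT SELECT ON customer_masked TO support_staff;

-- Verification, run while connected as carol:
SET ROLE carol;
SELECT customer_id, full_name, ssn_masked FROM customer_masked;
SELECT ssn FROM customer;
RESET ROLE;
```

Connected as carol, the query against customer_masked succeeds and shows only the masked value, while the direct query against customer is rejected with a permission error; if somebody cannot see the raw column at all, as Jucan puts it, they cannot print it and leave it on the printer.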

These practices make it easier for thieves to gain access to the data via common PC hacking methods -- or to physically steal it from the user. Tools such as database activity monitoring, data leak prevention, and encryption all can help protect portable data, experts say.

To download the full text of the new Dark Reading report, click here.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
