Secerno - Award Winning Database Security - Visus IT
© Visus IT Ltd 2005

Protecting Against Attack

An organisation’s Achilles heel now is the quality of its applications – and the trustworthiness of those people who use them. Vulnerabilities in vendors’ database technology are rarely to blame. Instead, the biggest IT problems are application weaknesses, and the false sense of security created by user authentication and data encryption.

When your database answers any question that an application or trusted user asks of it, how can you ensure that you protect against compromised software and malicious individuals? In short, how do you prevent today’s criminals from gaining access to your data?

By understanding the true intent of database interactions – at the same level as the database itself – it is now simple to protect your data from attack.

The key to protecting against abuse is to ask the McEnroe question – “you cannot be serious” to every request of the database – and to allow ONLY acceptable behaviour.

10 steps to preventing data breaches

  1. Protect against external attacks. The most common form of external attack is the subversion of applications that connect to databases. Typically, this is achieved through targeted SQL injection, which exploits weaknesses in an application to make it send your database statements it would never issue in normal operation.
  2. Know who is doing what in your company. Make sure that the software implemented to protect your databases can track who is accessing what data, and when. Use this information to enforce conformance to what is normal.
  3. Review users’ permissions. Over time, many users and systems have extra access rights granted to them. In many situations these permissions are not reviewed in an effective manner. Implement a least-privilege access scheme by comparing the levels of access actually used to those that have been granted.
  4. Comply with legislation. Create efficient logging and monitoring environments demonstrating audit compliance.
  5. Tighten application development processes. Each new feature expands the vulnerability surface of your systems. Remove access to the database from features that are no longer necessary.
  6. Never install your database straight out-of-the-box. Default installations can result in an excessively open RDBMS. Many RDBMS platforms provide a large number of default usernames and passwords. Audit the configuration and usage of databases by intelligently logging interactions with the database.
  7. Regularly test systems. Use reputable external security penetration test experts. Expect them to find issues, but remediate as soon as possible. Ensure all lessons learned from the tests become standard policy.
  8. Ensure you can trust the people you employ. Vet potential employees thoroughly and ensure that all staff are both aware of, and actively enforcing, security policy throughout the organisation.
  9. Ensure your systems are fully up-to-date. Vulnerabilities are being discovered and fixed by software vendors all the time, yet operational systems can remain unpatched and vulnerable for many months. If you can’t patch immediately, ensure you have an effective database IPS in place to protect the exposed vulnerability.
  10. Segregate duties of high privilege personnel. Ensure that operations requiring human intervention with administrator authority always have two people involved. If this process cannot be achieved, then employ technology to provide a tamper-proof audit trail of all administrative activities.
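The following Python example, added here and not part of the original page or of Secerno's product, illustrates step 1 and the page's central idea of allowing only acceptable behaviour. It shows the same lookup built three ways against a constructed in-memory SQLite table: by string concatenation (where attacker-controlled input becomes part of the statement), by parameter binding (where it can only ever be data), and behind a simple statement-shape allowlist that asks the "you cannot be serious" question of every statement before the database sees it. The table, rows, the `ShapeGuard` class and the `statement_shape` normalisation are assumptions made for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the page): three customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, account_no TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "GB-0001"), (2, "bob", "GB-0002"), (3, "carol", "GB-0003")],
    )
    return conn


def vulnerable_lookup(conn, name):
    """Builds the statement by concatenation: the input becomes part of the SQL."""
    sql = "SELECT id, name, account_no FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name):
    """Binds the value as a parameter: the driver treats it only as data."""
    sql = "SELECT id, name, account_no FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Normalisation used by the hypothetical allowlist guard: string and numeric
# literals are replaced by '?', whitespace is collapsed and case is folded, so
# two statements that differ only in their data values have the same shape.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_NUMBER_LITERAL = re.compile(r"\b\d+\b")


def statement_shape(sql):
    shape = _STRING_LITERAL.sub("?", sql)
    shape = _NUMBER_LITERAL.sub("?", shape)
    return " ".join(shape.split()).upper()


class ShapeGuard:
    """Hypothetical gate in front of the database: only statements whose shape
    was seen during normal application behaviour are allowed through."""

    def __init__(self, conn, allowed_statements):
        self.conn = conn
        self.allowed = {statement_shape(s) for s in allowed_statements}
        self.rejected = []  # shapes that were refused, for the audit trail

    def execute(self, sql, params=()):
        shape = statement_shape(sql)
        if shape not in self.allowed:
            self.rejected.append(shape)
            raise PermissionError("statement shape not in allowlist: " + shape)
        return self.conn.execute(sql, params).fetchall()


def demo():
    """Runs the three lookups and returns what each one let through."""
    conn = make_db()
    honest = "bob"
    tampered = "x' OR '1'='1"  # constructed hostile input of the kind step 1 describes

    # Concatenation: the extra condition turns a one-row lookup into a table dump.
    leaked = vulnerable_lookup(conn, tampered)

    # Parameter binding: the same text is compared as a literal name and matches nothing.
    bound = safe_lookup(conn, tampered)

    # Shape allowlist: learned from one normal statement, it accepts the honest
    # lookup and refuses the tampered one because its shape has changed.
    guard = ShapeGuard(conn, ["SELECT id, name, account_no FROM customers WHERE name = 'alice'"])
    allowed = guard.execute(
        "SELECT id, name, account_no FROM customers WHERE name = '" + honest + "'"
    )
    try:
        guard.execute(
            "SELECT id, name, account_no FROM customers WHERE name = '" + tampered + "'"
        )
        blocked = False
    except PermissionError:
        blocked = True

    return {
        "leaked_rows": len(leaked),
        "bound_rows": len(bound),
        "allowed_rows": len(allowed),
        "blocked": blocked,
        "rejected_shapes": list(guard.rejected),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Parameter binding is the fix that belongs in the application; the shape allowlist is the compensating control the page argues for when you cannot trust every application or user, and the `rejected` list is the kind of record steps 2 and 4 ask for. A real product would parse the SQL rather than rely on regular expressions, but the principle is the same: the data values may vary, the statement's intent may not.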
