Addressing the Changing Nature of IT Threats:
Improving Database Security to Manage Risk

By Ted Julian

November 26, 2007

Cyber attacks are no longer the work of bored teens defacing Web sites. The bad guys, including those on the inside, have valuable data in their sights. Enterprises large and small face the same considerations in protecting critical, sensitive and personally identifiable information.

In the face of the growing threat of attack, organizations must make securing critical data from theft, misuse and abuse a priority. To protect agency data and meet regulatory requirements, security best practices must be extended to the database, so that both government and private sector organizations can build those practices into an all-around security strategy that keeps pace with the changing nature of attacks.

Attacks are shifting from the network to the database

In the past, people hacked into networks to "prove they could." It was a case of wanting to establish notoriety and garnering attention to demonstrate vulnerabilities in corporate Web sites and company networks. While those attacks were malicious, the motivation more recently has become financial. With data being at a premium today, attackers are now after that data in order to sell it -- and that information resides in the database.

The Privacy Rights Clearinghouse reports that during the period from January 2005 to September 2007, more than 160 million records containing sensitive information, including credit card numbers, Social Security numbers, bank account numbers and driver's license numbers, were stolen from organizations within the U.S. The actual total could be much higher: this number represents only reported breaches, and in many cases the total number of compromised records remains undetermined.

Industry analysts estimate that each stolen record costs an organization between $150 and $300 in remediation expense, bringing the total cost to U.S. organizations to tens of billions of dollars. In addition, the individuals affected spend, on average, more than $800 and significant time to clear their names. The net result is incalculable in terms of forensics, remediation, public relations and, perhaps most importantly, constituent confidence. In fact, in the wake of some of the recent high-profile and high-volume attacks, some experts predict that individual attacks could cost upwards of $1 billion when all is said and done.

Approximately one third of the reported breaches were the result of a direct attack on the database. Another third can be associated with the loss or theft of personal computers or backup storage devices. The cause of the final third is unidentifiable, but when a breach affects tens or hundreds of thousands of records, one must assume that the attack was targeted at a database or storage medium.

Organizations require a security strategy that focuses on both external and internal threats to mitigate database risk. Historically, organizations focused their efforts on perimeter security and external attacks. They invested in firewalls, antivirus software and secure router configurations. Despite these investments, inappropriate user activity from inside the organization remains largely unaddressed and is becoming an increasing challenge. Forrester Research estimates that nearly 80 percent of all database attacks are internal and Gartner estimates that more than 95 percent of intrusions that result in significant financial loss are perpetrated by insiders. As a result, organizations must implement best practices that manage internal as well as external risks and secure the infrastructure where the data resides.

Evaluating current database systems

Today, organizations are protecting personally identifiable information (PII), confidential information and other proprietary data at the database level. A key component of any database security effort is the prevention of insider attacks. Threats from the inside are difficult to identify and resolve because the activity comes from accounts that already hold legitimate access. Often, insider attacks are premeditated and deliberate, but organizations must also recognize that occasionally insiders inadvertently access and even unintentionally distribute sensitive information.

The recent Presidential Report on Combating Identity Theft states that, "Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the agency experiencing the breach and carry financial costs for everyone involved. While 'perfect security' does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it."

The report makes recommendations for data security in the public sector. Among these recommendations are:

  • Decrease the unnecessary use of personally identifiable information, such as Social Security, bank account and credit card numbers
  • Limit access to PII data
  • Establish agency-wide "best practices" for managing data
  • Monitor compliance with existing data security guidelines

A critical first step in addressing database security best practices is the evaluation of the existing database security profile. To determine current status, the following questions should be considered:

  • Do you have a satisfactory database vulnerability profile? Are you currently able to discover, assess, prioritize and harden your existing systems to help prevent unauthorized or malicious behavior?
  • Who are your insiders, and can you characterize them?
  • Would you pass a privileged user audit? Can you benchmark your progress against existing compliance standards and requirements?
  • Can you monitor database access and behavior?
  • Are your monitoring systems and audit trail tamper-resistant?


If you can't provide a positive response to all of these questions, it's a fair bet that improvements in your database security strategy are necessary.

Five steps to improved data security

To meet today's threats, organizations need to align their efforts with the appropriate IT controls and regulations. By implementing these controls, organizations can identify and correct security vulnerabilities before an incident occurs. In practice, this means that IT and security alignment must be built on a proactive approach at the database level.

Begin by implementing a database vulnerability assessment to determine risk level. Prepare reports that identify risk exposure and plan for remediation. Deploy database monitoring and auditing facilities that not only monitor database activity, but also identify and alert in real-time, as attacks or malicious insider activity occur. Solutions that employ security policy templates simplify this process. In addition, the following steps are recommended:

  1. Implement a distinct database vulnerability assessment, or extend existing vulnerability management programs to the database. Today's attacks demand extending best practices to include databases. This step includes the ongoing process of discovery, assessment, hardening, activity monitoring and reporting.
  2. Utilize robust database access controls and policies. Adopt regulations and policies that deter or prevent unauthorized data access, and map them to specific guidelines, including PII protections, HIPAA, DISA STIG and NIST 800-53.
  3. Extend configuration control to the database. These principles enhance a defense-in-depth approach and proactively identify unauthorized database alterations, reconfigurations and access control violations.
  4. Establish segregation of duties and strict control policies. Comprehensive role-based access controls restrict access and help prevent unauthorized modification, loss and disclosure.
  5. Protect the integrity of your systems and data against insider threats. To be effective, strong security policies must be enforced with strong monitoring technologies. Monitor the activities of external and internal users (including administrators) to provide real-time alerts on violations or other suspicious activity.
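As an added illustration of steps 3 through 5 (this is example code written for this page, not code from the article or from Application Security, Inc.), the following Python script shows the mechanics in miniature: a configuration baseline for the schema with drift detection, a segregation-of-duties policy that says which roles may touch PII tables and how, and alerting run over a handful of constructed audit events. The table names, roles, threshold and audit events are all assumptions made for the illustration; a real deployment would read its audit trail from the database's own logging facility.

```python
"""Added illustration of steps 3 to 5: configuration control, segregation of
duties and activity monitoring for a database holding PII. All names, roles,
thresholds and events below are constructed for the example."""
import hashlib
import sqlite3
from dataclasses import dataclass

# Tables assumed to hold personally identifiable information.
PII_TABLES = {"customers", "payment_cards"}

# Segregation of duties: what each role may do to a PII table. Administrators
# may change structure and privileges but never read or write PII rows.
ALLOWED_ON_PII = {
    "app_service": {"SELECT", "INSERT", "UPDATE"},
    "billing_analyst": {"SELECT"},
    "dba": {"ALTER", "CREATE", "DROP", "GRANT"},
}

BULK_READ_THRESHOLD = 1000  # rows returned by one statement that we treat as an export


@dataclass
class AuditEvent:
    """One record from the database's activity audit trail (constructed)."""
    user: str
    role: str
    statement: str  # SQL verb: SELECT, INSERT, UPDATE, ALTER, GRANT, ...
    table: str
    rows: int       # rows affected or returned


def evaluate(event):
    """Return alert messages for one audit event; an empty list means no violation."""
    alerts = []
    if event.table in PII_TABLES:
        # Unknown roles get an empty set, so anything they do to PII is flagged.
        if event.statement not in ALLOWED_ON_PII.get(event.role, set()):
            alerts.append(
                f"policy violation: {event.user} ({event.role}) ran "
                f"{event.statement} on PII table {event.table}"
            )
        if event.statement == "SELECT" and event.rows >= BULK_READ_THRESHOLD:
            alerts.append(
                f"bulk read: {event.user} pulled {event.rows} rows from {event.table}"
            )
    if event.statement == "GRANT":
        # Privilege changes are always surfaced for review, whoever makes them.
        alerts.append(f"privilege change by {event.user} on {event.table}: verify change ticket")
    return alerts


def monitor(events):
    """Run every event through the policy and return all alerts, in order."""
    return [alert for event in events for alert in evaluate(event)]


def schema_fingerprint(conn):
    """Hash of every object definition in sqlite_master: the configuration baseline."""
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master WHERE sql IS NOT NULL ORDER BY type, name"
    ).fetchall()
    digest = hashlib.sha256()
    for row in rows:
        digest.update(repr(row).encode())
    return digest.hexdigest()


def schema_drifted(baseline, conn):
    """True when the live schema no longer matches the approved baseline."""
    return schema_fingerprint(conn) != baseline


# Constructed audit events: one normal read, an administrator exporting card
# data, an analyst writing where only reads were granted, and an approved ALTER.
SAMPLE_EVENTS = [
    AuditEvent("svc_web", "app_service", "SELECT", "customers", 1),
    AuditEvent("jdoe", "dba", "SELECT", "payment_cards", 25000),
    AuditEvent("amiller", "billing_analyst", "UPDATE", "customers", 3),
    AuditEvent("jdoe", "dba", "ALTER", "customers", 0),
]


def drift_demo():
    """Baseline an in-memory schema, apply an unapproved ALTER, re-check."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, ssn TEXT)")
    baseline = schema_fingerprint(conn)
    before = schema_drifted(baseline, conn)
    conn.execute("ALTER TABLE customers ADD COLUMN notes TEXT")
    after = schema_drifted(baseline, conn)
    conn.close()
    return before, after


if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS):
        print("ALERT:", alert)
    print("schema drift before/after unapproved ALTER:", drift_demo())
```

Running the script prints three alerts (the administrator's read of card data is flagged twice, once for the role violation and once as a bulk read, and the analyst's write once) and reports no drift against the baseline until the ALTER is applied. The design point is that the administrator's ALTER is permitted by the access policy but still surfaces through configuration control, which is why the article treats steps 3 and 4 as complementary rather than redundant.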

Ted Julian is vice president of marketing and strategy at Application Security, Inc. He can be contacted at: tjulian@appsecinc.com


Read More at GSN