It’s all about the information.

The information is paramount. It is the reason you are in business, and it is why you are tasked with curating, storing and protecting the information that is your organisation’s greatest asset and a source of continuing business innovation and revenue.

It is information that is at the heart of all protective legislation, it is the information that needs to be served out to the correct people, and it is the loss of information that can lead to business disruption, customer flight, litigation and financial penalties.

Following on from an earlier post of mine, not all data is created equal. Some data is more important and sensitive than the rest. Such data is referred to as Personally Identifiable Information (PII), and many of the current legislative frameworks around the world make the protection of PII an important responsibility for businesses and other organisations that hold this type of information.

Securing your databases using a data-centric approach complements the ‘traditional’ perimeter-based security approach.

An information-centric approach to securing a database concentrates on placing the security controls as close as possible to the data, rather than relying on securing the infrastructure alone.

The administrators have to assume that a breach of perimeter security has already occurred and use data controls, rather than solely machine controls, to secure the assets.

This assumption that a breach has already happened would not be too far wide of the mark. The UK Dept. of Business Information Security Breaches Survey (2014) found that 61% of small firms had suffered a security breach in the previous 12 months, and that 81% of large organisations had also been targeted.

In reality, securing a database server fully requires a blended approach: not only the traditional ‘defence in depth’ system hardening, but also the information-centric approach of securing the information as close as possible to the database.

Why does this data-centric security step need to happen?

  • Insider Threat. Attackers can often be company insiders. There is no point securing only the perimeter when the threat comes from within the organisation.
  • Standardisation. The channels that use the database all need to be secured; however, securing at the database end gives a base level of assurance for developers to work from.
  • Severity. When database breaches happen, they are more serious than any other type, both in the number of records compromised and in the cost to the company of compensation and remediation.
  • Portability. The data in your database is less likely to be relocated than the apps or services that depend upon it. Applying controls at the data level aids security portability.
  • Context. Data breaches can happen where companies have followed best practices and legislation but the leakage has occurred due to other side-channel factors such as business process, product misconfiguration, product flaws or insufficient auditing.

Top Ten Database Threats.

In 2015, the top database threats were:

  1. Excessive & Unused Database Privilege
  2. Privilege Abuse
  3. Input Injection
  4. Malware
  5. Weak Audit Trail
  6. Storage Media Exposure
  7. Exploiting Vulnerable or Misconfigured databases
  8. Unmanaged Sensitive Data
  9. Denial of Service
  10. Limited Security Expertise and Training

Source: http://www.imperva.com/docs/WP_TopTen_Database_Threats.pdf

Fortunately, many of the actions required to secure your database from a breach are within the gift of the database administrators and business users, and many of the controls needed will pay off in terms of both external and internal security, as well as enhancing the organisation’s knowledge of how to manage its data responsibilities.

Create an Information Inventory.

Ensure that all data stores are subject to a security process. Discover all of the official and ‘shadow’ data stores that are used in the organisation and ensure that they conform to a common standard.

Databases should only be configured with the services that are needed, to keep the attack surface as small as possible, and all out-of-the-box settings should be checked.

Identify Personal Information.

Identify all instances of Personally Identifiable Information (PII) in the database and ensure that additional controls (for example, encryption, masking or anonymisation) are applied to these fields, especially where they are used elsewhere for machine learning or reporting purposes.

Only the users that need access to the unmasked sensitive data should be able to see it. Selective encryption of PII fields can ensure this is the case.
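One way to give reporting and analytics users a copy of the data with the PII fields masked while privileged roles still see the clear values. This is an added example, not code from the original post; the sample rows, the role names and the keyed pseudonym scheme (HMAC so that the masked customer identifier stays consistent for joins without revealing the real id) are assumptions for illustration.

```python
import hashlib
import hmac

# Placeholder key for the example only; in practice it lives outside the
# reporting database so the pseudonyms cannot be reversed from that copy.
PSEUDONYM_KEY = b"placeholder-key-held-outside-reporting-db"

# Constructed sample rows, not taken from any real system.
SAMPLE_ROWS = [
    {"customer_id": 1001, "name": "Ada Lovelace",
     "email": "ada@example.com", "phone": "+44 20 7946 0123", "spend": 120.5},
    {"customer_id": 1002, "name": "Miles O'Brien",
     "email": "miles@example.com", "phone": "+44 20 7946 0987", "spend": 42.0},
]

# Assumed roles permitted to see unmasked PII.
ROLES_ALLOWED_CLEAR = {"dpo", "fraud_analyst"}


def pseudonym(value) -> str:
    """Keyed, deterministic pseudonym: stable for joins, not reversible."""
    mac = hmac.new(PSEUDONYM_KEY, str(value).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character and the domain, e.g. a***@example.com."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last four digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return "***" + digits[-4:]


def report_view(rows, role: str):
    """Return rows for the given role: clear for privileged roles, masked otherwise.
    Non-PII columns such as spend are left untouched for analytics."""
    if role in ROLES_ALLOWED_CLEAR:
        return [dict(r) for r in rows]
    masked_rows = []
    for r in rows:
        masked = dict(r)
        masked["customer_id"] = pseudonym(r["customer_id"])
        masked["name"] = "REDACTED"
        masked["email"] = mask_email(r["email"])
        masked["phone"] = mask_phone(r["phone"])
        masked_rows.append(masked)
    return masked_rows
```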

Maintain and Review Database Privileges.

Constantly maintain and review database privileges. Create a notification system from the business so that company joiners, movers and leavers are reported to the administrators. Identify applications or stored procedures that are executed with elevated privileges. Ensure that the data is not compromised by other programs, such as Excel, being able to connect, access all records and expose the information.

Service desk privilege requests should be verified and authorised independently, to ensure that the correct permissions are applied to the correct accounts.

Prevent Input Injection.

SQL injection attacks can be prevented by always validating input parameters. Applications which access the database should use parameterised queries, so that user input cannot alter the structure of the query. Big Data systems should be secured against attackers being able to inject or amend malicious commands in distributed query routines.
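The two points above, input validation and parameterised queries, shown side by side against an in-memory SQLite table. This is an added example, not code from the original post; the table, the sample rows and the allowed-character pattern for a name are assumptions for illustration. The unsafe lookup fails on a perfectly legitimate name containing an apostrophe, which is the same mechanism that lets hostile input rewrite the statement.

```python
import re
import sqlite3

# Constructed sample data for the example; not from any real system.
SAMPLE_ROWS = [
    (1, "Ada Lovelace", "ada@example.com"),
    (2, "Miles O'Brien", "miles@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory customers table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_customer_unsafe(conn: sqlite3.Connection, name: str):
    """Vulnerable: the caller's text is spliced into the SQL string, so a quote
    character becomes part of the statement rather than part of the value."""
    sql = f"SELECT id, name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


# Assumed allow-list for a customer name: letters, space, dot, apostrophe, hyphen.
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z .'-]{0,79}")


def find_customer_safe(conn: sqlite3.Connection, name: str):
    """Hardened: validate the parameter against an allow-list, then bind it so
    the driver passes it to the database strictly as data."""
    if not NAME_PATTERN.fullmatch(name):
        raise ValueError("name contains characters outside the allowed set")
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def unsafe_lookup_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True if the string-built query fails to parse for this input."""
    try:
        find_customer_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False
```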

Keep up with Database Patching.

Although it is never a good time to patch live, critical business systems, it is essential to apply critical software updates to protect against known vulnerabilities. Administrators should work closely with the business to ensure that a proactive patching regime is in place.

Ensure Separation of Duties.

Setting up an effective auditing regime will involve separating out the duties of administrators and auditors, to ensure that the controls guarding against internal and external threats are enforced. Many of the current legislative requirements, like PCI DSS, add rigour to the auditing and monitoring of suspicious activity.

Auditing should provide an end-to-end view of database access, making visible the effective permissions used to retrieve data from the database and through to its destination. This will require some planning around the information required and how it will be retrieved and presented to the auditor.

Enable Backup Security.

Set up a system of encrypted backups and ensure that these are stored correctly. Set up Transparent Data Encryption (TDE) on databases to ensure that data at rest is always safe from theft or unauthorised tampering.

Monitor Server Performance.

Although there are many vectors for a Denial of Service (DoS) attack, they all centre on exhausting server resources to make the server unavailable for querying. Use the server management tools to baseline the server load before any unusual activity occurs, so that a deviation can be identified quickly.

Regularly identify the longest-running queries to see if there are optimisations that could improve the response capacity of the database before that capacity is needed.

Instigate a regular patching and malware detection regime on servers and client devices to ensure that keystroke loggers or Trojans are not present.

Security Education Programme.

All members of the business process chains need to be security aware to ensure that information is not inadvertently revealed.

Business users should be made aware of the behaviours that can compromise data security. These can include:

  • Password renewal and strength.
  • Preventing password sharing.
  • Processes to prevent the unauthorised publication of data.
  • Due diligence checks that should be carried out on new employees or third-party data recipients.
  • Policies governing the use of smartphones and personal data storage devices.
  • Data protection legislation and responsibilities.
  • Awareness of how social engineering attacks like spear-phishing can lead to data loss.

Summary.

Over 30% of data breaches are related to ‘human factor’ reasons. Secure your data at the database source, and then take time to ensure that employees are fully aware of their security obligations and the legislative requirements that they must adhere to.

Investing time in security education and awareness could be the best investment you make this financial year.