In our first article, we looked at some of the basics of securing databases, examined several examples of major data breaches, and reviewed best practices companies use to prevent hackers from accessing sensitive information. In this article, we are going to look at some advanced database security issues and recommend steps you can take to address them.
With the explosion of big data and cloud computing in recent years, database security is more critical than ever. Sites like Facebook use massive, unstructured databases managing millions of data points to handle their enormous user base of more than one billion. Clearly, these types of computing environments provide security challenges.
Advanced Database Security Considerations
According to Imperva, a California-based cyber-security company, there are several major security threats to organizational databases. They include:
Excessive privileges or unused privileges
Abuse of privileges
Input injection (formerly SQL injection)
Poor audit trails
Exposure of critical storage media
Vulnerable and misconfigured databases
Insecure sensitive data
Distributed denial of service attacks (DDoS)
Low levels of security education and knowledge of proper procedures
Tackling Big Data Database Security
These challenges are magnified in advanced databases. Although similarities exist between traditional data security and big data security, the differences include:
The amount of data collected and analyzed in big data applications. The sheer variety and volume of big data increase exponentially the challenge of maintaining security. Data repositories are sprinkled across the enterprise, and every source has its own permission levels and security detail. Research, governance, compliance and other data may be in different data sets. The data transfer rates and workflows might be different for each data source. Each of these variables presents another potential attack point for hackers.
The technology used for both unstructured and structured big data. One of the major challenges of securing modern databases is that database tools such as Hadoop never had much security baked into them in the first place. By their very nature, they create vulnerabilities that are less prevalent in traditional databases.
How big data is stored. Picture a single database server environment in comparison to the distributed environment found in big data applications. By design, these databases can spread out across a number of data environments and server clusters in multiple locations. The distributed infrastructure increases the potential for attacks.
Recommended Security Controls
To meet these challenges, the SANS Institute, an organization focused on security research and education, has developed a list of recommended security controls that increase cyber-defense for advanced database configurations. They include:
Account monitoring. Eliminate any inactive accounts, require users to implement strong passwords, and establish maximums for failed login attempts. Close control of database access brings down the chance of a hacker doing damage from the inside.
Application security. Implement secure editions of open source software such as Apache Accumulo.
Inventory of devices. Monitor every hardware device on your network so that any unauthorized device can be quickly located and blocked from gaining access.
Inventory of software. Similar to device inventory, every application that accesses the network must be authorized. Block installation or execution of unauthorized and unapproved software.
Procedures and tools. Rather than building security guidelines from scratch each time you add an application or new piece of software, develop checklists, benchmarks, and guidelines that apply to every application. Two things that can help you get started are the Center for Internet Security Benchmarks Program and the NIST National Checklist Program.
Vulnerability assessment. On an ongoing basis, assess and evaluate new information and knowledge to identify potential vulnerabilities in your database, and implement procedures to minimize damage. Remember that hackers are on constant attack and are always trying to take advantage of new knowledge in the marketplace.
Protect browsers and email. Browsers and email software are popular access vectors for hackers to try to reach your system. Maintaining solid email and browser security minimizes the attacks on your database through these channels.
High-Profile Data Breaches
As powerful as modern technology is, sometimes it is hard to believe that computers that process millions of points of data on a daily basis can be crippled so easily. Yet, data breaches on a massive scale are regular items in the news. Here are some examples:
Ashley Madison. A group of actors dubbed “The Impact Team” announced they would release Ashley Madison customer information if it did not shut down operations. A site that facilitated extramarital affairs, Ashley Madison’s owners apparently did not believe they were vulnerable and took no action against the threat. However, The Impact Team made good on its promise, and in July 2015, released more than 37 million customer records, including names and passwords. The result was devastating and ongoing, as many customers continue to deal with the fallout of their names being released.
Internal Revenue Service. Hackers compromised the computer systems of the Internal Revenue Service and manipulated tax records for more than 300,000 taxpayers. Using stolen credentials, they garnered millions of dollars in bogus refunds. They were only discovered when the IRS noticed an inordinate number of requests for all the tax returns.
CareFirst/BlueCross BlueShield. Health records are some of the most personal pieces of data stored in corporate databases. Yet, the health industry continues to experience significant data breaches. In May 2015, CareFirst determined that hackers have gained access to more than one million members’ names, email addresses and birth dates. One good note: The thieves did not get to their employment information, social security numbers or financial data because the passwords were encrypted.
Kaspersky Lab. Is it possible for a security vendor to experience a significant cyber attack? The answer is yes because, in June 2015, Moscow-based security company Kaspersky Lab was infiltrated by hackers. They were able to compromise data on the company’s products that deal with fraud prevention and secure networks.
Harvard University. A July 2015 compromise of the security systems at Harvard University was the latest in a string of other breaches at institutes of higher learning across the nation. Although experts are not sure what data the hackers gained, the news of the infiltration was similar to other attacks at institutions, such as a Penn State University breach in the spring. That strike affected the records of more than 18,000 people.
Working With Cloud Providers to Ensure Security
If you are working with cloud vendors, is your data safe? Database security for enterprise computing and the cloud are much the same as non-cloud databases — data breaches have been happening at an alarming pace in both environments. However, placing data in the cloud means it is not on the same site as your organization, which adds another dimension of risk.
One of the sales points cloud providers extol is that they have specialists who are experts in their fields and so have advanced knowledge that your organization may not possess. While that may have validity, it may not be true in all cases.
In addition, using many people means more of the human element, always a greater risk to data security than any other factor. Even though cloud computing presents an idyllic world of data being secured somewhere “up there,” in truth, it is located in a data center much like the one at your site.
You should be asking cloud providers question such as:
Where is our data stored?
Who manages it?
Is it always stored in the same place, or is it moved around to different countries?
Do any outside personnel have access to my information?
Do you encrypt my data, and if so, how do you do it?
Other than your firm, what other organizations have green-light permission levels to the encryption key?
Database security for both traditional bases and the high-speed, high-volume distributed databases of big data and cloud computing are similar. However, the significant size, speed and complexity of databases managing huge amounts of information mean they are also open to a bigger attack surface, more points of vulnerability and increased physical environment concerns.
Effective Security Implementation
The best practices, strategies and tactics for effective security implementation remain the same for both environments: Keep track of hardware devices on the system, closely monitor all applications on the network, come up with solid guidelines and benchmarks that you apply to every program, consistently evaluate potential vulnerabilities in your system and come up with a plan of remediation, and constantly encourage end users and company personnel to maintain good security habits.
This wraps up the second article in our two-part database security series. In the first article, we looked at basic database security procedures that can be implemented by database administrators, especially those who may be new to the position. We recommended straightforward procedures like strengthening network security, limiting access to the server, cutting out unneeded applications, applying patches immediately, encrypting sensitive data and documenting baseline configurations.
In this article, we looked at the bigger picture of advanced database security by examining today’s world of cloud computing, big data, and unstructured databases. We discovered that, while the scope and size of these environments differ greatly from a localized, traditional database, the security concerns are the same. Implement these ideas, and you will have taken major steps toward preventing a critical data breach at your organization.