Updated: News Analysis: Database security breaches have been coming fast and furious as the year draws to a close. What are companies still doing wrong, and what questions should they ask vendors who are
Database security breaches have been coming fast and furious as the year draws to a close.
Last week, role-playing game company White Wolf Publishing Inc. reported that it was the victim of attempted extortion
after international hackers exploited a software flaw and threatened to post stolen user data including user names, e-mail addresses and encrypted passwords.
Rather than pay the money, the company closed up shop and went to work with the FBI to track down the criminals.
Swiping passwords from a game company is one thing. Far more embarrassing was a database breach revealed by Guidance Software Inc.,
maker of anti-hacker software.
Guidance last week sent a letter to customers warning that its databases were breached in November.
Some 3,800 credit card numbers stored in an unencrypted database might have been exposed, along with card verification value (CVV) numbers and the names, addresses and telephone numbers of clients.
The clients, ironically, were network security professionals and law enforcement officials.
According to the Washington Post,
one customer, the computer-forensics investigative firm Kessler International, received the Guidance letter at the same time it also received an American Express bill containing some $20,000 in unauthorized purchases of pay-per-click Google advertising.
What are such companies (including security firms, which one would think would have better defenses and internal security policies) still doing wrong when it comes to securing the database?
It's not that businesses are oblivious to the need to secure the database.
That might have been the case a few years back, when security was focused on the perimeter, where Web servers resided.
But companies nowadays are focused on keeping auditors happy. Keeping auditors happy means that money has been spent on securing at the data level.
That's reflected in the robust growth rate of database security product vendors.
Andrew Jaquith, an analyst with Yankee Group, said that the majority of such vendors are growing at rates of about 100 percent.
These are tools that are database-specific. As such, they specialize in database-specific intrusion detection, and they likewise seek out database holes.
For example, Oracle databases are famous for having the default user name Scott, password Tiger.
Such tools look through the database for such unchanged default accounts or for null passwords for administrative users.
They'll also trace anomalous database user activity, flagging users who try to grab more information than is typical for their access levels and usage patterns.
Would having such a database-specific device have stopped the recent breaches?
It's hard to say. As is typical with security breaches that become public, little detail has been provided on either breach.
But Shlomo Kramer, CEO of data center security company Imperva, theorized in an interview with eWEEK that the Guidance attack likely came from an insider.
"Think of an analyst, someone with legitimate access to the database for legitimate use of data, looking up ZIP codes of customers, and then abusing these privileges to go beyond business usage to steal credit cards [and other] customer information," he said.
Would such an internal attack, one that happens within the normal parameters of business access to data, have been picked up by a database-specific firewall device?
Such internal attacks do underscore the need for a layer of protection that understands access privileges and normal usage patterns, a capability that vendors such as Imperva are touting.
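The two checks described above, scanning for unchanged default accounts and null administrative passwords, and baselining each user's normal access so that an "analyst who looks up ZIP codes" is flagged when he starts pulling card numbers in bulk, are sketched here as an added example. It is not code from the article or from any vendor named in it. The account table, the key=value audit-log format and the usernames are constructed for the demonstration (only scott/tiger comes from the article; system/manager and sys/change_on_install are other well-known historical Oracle defaults), and a real tool would compare password hashes rather than plaintext and read the database's own audit trail.

```python
import re
import statistics
from collections import defaultdict

# Well-known default Oracle account/password pairs. scott/tiger is the one the
# article mentions; the other two are historical Oracle defaults.
DEFAULT_CREDENTIALS = {
    "scott": "tiger",
    "system": "manager",
    "sys": "change_on_install",
}

# Constructed sample account table. Plaintext passwords are used only to keep
# the example self-contained; a real scanner compares stored hashes against
# hashes of the known defaults.
SAMPLE_ACCOUNTS = [
    {"user": "scott", "password": "tiger", "admin": False},
    {"user": "system", "password": "Xk3!v9qLm", "admin": True},
    {"user": "dbadmin", "password": None, "admin": True},
    {"user": "analyst1", "password": "s0meP@ss", "admin": False},
]


def find_weak_accounts(accounts):
    """Return (user, reason) pairs for unchanged defaults and null admin passwords."""
    findings = []
    for acct in accounts:
        user, pw = acct["user"], acct["password"]
        if pw is None and acct["admin"]:
            findings.append((user, "null password on administrative account"))
        elif user.lower() in DEFAULT_CREDENTIALS and pw == DEFAULT_CREDENTIALS[user.lower()]:
            findings.append((user, "unchanged default credential"))
    return findings


# Constructed audit records in a simple key=value format (not a real Oracle
# audit format). Day one is the training window; day two contains the insider
# pulling 3,800 card records after hours.
SAMPLE_AUDIT_LOG = """\
2005-12-01 09:00:00 user=analyst1 table=customers cols=zip rows=150
2005-12-01 09:10:00 user=analyst1 table=customers cols=zip rows=120
2005-12-01 09:20:00 user=analyst1 table=customers cols=zip,city rows=180
2005-12-01 09:30:00 user=analyst1 table=customers cols=zip rows=140
2005-12-01 09:00:00 user=billing1 table=customers cols=card_number,cvv rows=20
2005-12-01 09:15:00 user=billing1 table=customers cols=card_number rows=25
2005-12-02 22:41:00 user=analyst1 table=customers cols=zip rows=130
2005-12-02 22:45:00 user=analyst1 table=customers cols=name,card_number,cvv rows=3800
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) table=(?P<table>\S+) "
    r"cols=(?P<cols>\S+) rows=(?P<rows>\d+)$"
)


def parse_audit_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m["ts"], "user": m["user"], "table": m["table"],
            "cols": set(m["cols"].split(",")), "rows": int(m["rows"]),
        })
    return events


def build_baseline(events):
    """Per-user median row count and set of columns seen in the training window."""
    rows, cols = defaultdict(list), defaultdict(set)
    for e in events:
        rows[e["user"]].append(e["rows"])
        cols[e["user"]] |= e["cols"]
    return {u: {"median_rows": statistics.median(rows[u]), "cols": cols[u]} for u in rows}


def detect_anomalies(events, baseline, row_factor=5):
    """Flag queries that exceed row_factor x the user's typical row count or
    touch columns the user has never accessed before."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e["ts"], e["user"], "no baseline for user"))
            continue
        reasons = []
        if e["rows"] > row_factor * b["median_rows"]:
            reasons.append(f"rows {e['rows']} > {row_factor}x typical {b['median_rows']:g}")
        new_cols = e["cols"] - b["cols"]
        if new_cols:
            reasons.append("new columns " + ",".join(sorted(new_cols)))
        if reasons:
            alerts.append((e["ts"], e["user"], "; ".join(reasons)))
    return alerts


def run_demo():
    """Run both checks over the constructed data; returns (weak_accounts, alerts)."""
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    training = [e for e in events if e["ts"].startswith("2005-12-01")]
    evaluation = [e for e in events if not e["ts"].startswith("2005-12-01")]
    alerts = detect_anomalies(evaluation, build_baseline(training))
    return find_weak_accounts(SAMPLE_ACCOUNTS), alerts


if __name__ == "__main__":
    weak, alerts = run_demo()
    for user, reason in weak:
        print(f"WEAK ACCOUNT {user}: {reason}")
    for ts, user, reason in alerts:
        print(f"ALERT {ts} {user}: {reason}")
```

The column-set check is what catches the scenario Kramer describes: the 3,800-row query is flagged both because it is far above analyst1's usual volume and because card_number and cvv are columns that account had never touched, while billing1 pulling card numbers in small batches stays within its own baseline. A real deployment would also weight time of day and tune row_factor per role rather than use one constant.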
Other vendors would like companies to believe that if they want to protect their databases and networks from both internal and external attacks, they need to purchase solutions that protect the entire stack.
They protect the database from external attack, go beyond that to assess vulnerabilities in the database or application, perform auditing in order to determine abnormal access, and protect at the perimeter as well.
Such a scenario involves a firewall in front of the Web application and a data security gateway that sits in front of databases, protecting them from internal attacks.
Together, they're managed from a single framework that provides end-to-end transactional security.
A defined policy spans the Web tier and the databases tier to provide a unified picture of security in the data center.
We're seeing such products come out of vendors such as F5 Networks Inc., Radware, Citrix/NetScaler and, in the future, Cisco Systems Inc.
What's wrong with the picture? John Pescatore, an analyst with Gartner, says that there's just no one-size-fits-all solution to all of the problems faced by the aforementioned breached companies.
Different forms of attack.