Different Forms of Attack

By Lisa Vaas  |  Posted 2005-12-29

Attacks generally come in three forms, Pescatore said. The obvious ones are when data gets put on backup tapes and the tapes get lost. The solution for that one is easy: encrypt the data before it's put on backup tapes, or send it over an encrypted network.
Encryption of stored data protects both against lost tapes getting into the wrong hands and against external attackers who break in and steal the entire database.
Still, even encryption hypervigilance won't protect enterprises from malicious users who obtain credentials of an authorized user. Credit card companies are ahead of the industry with their abilities to flag anomalies, detecting unusual buying patterns. But enterprise ability to flag anomalous usage has flagged, for good reason. In a nutshell, the problem is that enterprises need a good baseline to know what normal is, Pescatore said.

"You can do some simple things, like why is that clerk doing retrieval of a thousand records when normally he retrieves one at a time?" Pescatore said.

What really messes up the technology is the fact that user behavior is simply too unpredictable, Pescatore said. "In many environments, sometimes a clerk retrieves one record, and sometimes a thousand. The anomaly stuff is hard to make work inside enterprises," he said. "Think of security on a PC: You'll notice there's no behavioral intrusion detection; because user behavior varies so much, it's been pretty hard to do."

Thus, protection from all three levels of attack—internal, external, and lost or stolen backups—won't necessarily fit into one form of security solution, Pescatore said. "That's sort of like the advertised end goal: This is nirvana, basically. We'll get to this place where only authorized users can get to only the information they're authorized to see."

Will we get there? Pescatore thinks we will, but that we're only now at the start of getting the technology right.

Indeed, analyst firms are coming up with their own names for the new breed of full-stack protection technologies vendors are moving toward. Gartner is referring to the coming technologies as application delivery controllers, while Yankee is calling the new breed application availability platforms.

These new-breed security products focus on security as a subset of reliability. "It's an essential component of companies continuing to make money," Jaquith pointed out.
Thus, beyond firewalling the data layer and the Web layer, availability players are also looking at adding load balancing, SSL acceleration, routing, content caching and other means to speed applications up.

What should customers be asking if they consider purchasing products that vendors are selling as solutions to cover the entire stack and provide availability features? Jaquith advises asking if the product can protect an entire application. That includes all the layers of, for example, commerce applications with database back ends and Web front ends, along with Web interfaces to partners.

Another thing to determine is what a given vendor can promise regarding availability. You don't want to just keep out hackers, Jaquith said—you also want the application to stay up so as to assure customers the performance guarantees they require.

Finally, look at where vendors are heading as the market shifts. Niche players will assure potential customers that they specialize in one aspect of protection, such as database firewalling, but some, if not most, customers would prefer to go with a full-service player with a broad base of customers that will be around awhile, Jaquith advised.

Jaquith had one last piece of advice: ask why sensitive data is being kept in the first place. "It's really hard to have security problems about data you're not storing," he said. "Do you need to keep credit card numbers on file? Addresses? Phone numbers? E-mails? If you don't have it, you don't have a problem. That's a simple formulation, but if you turn the clock back seven to eight years, there was secure electronic transactions by credit card companies that would have kept all data centralized with the credit card folks. Sites that use it, they'd associate it with a transaction record of sorts. They wouldn't need to keep that data kicking around on e-commerce servers."
Perhaps, Jaquith said, it's time to dust that idea off once again, so that instead of securing a thousand bunkers, we're only securing one.

Editor's Note: This story was updated to correct the misattribution of a quote from Andrew Jaquith.

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
