IRVINE, Calif. – The security world winces when it is reminded of the horror story of the TJX Inc. data breach, the largest such incident to date in IT history.
In that breach, whose scale TJX disclosed in March 2007, more than 45.6 million credit card, debit card, social security, driver's license and military identification numbers were stolen from the company's central database, breaking the old data breach record of 40 million records, previously "set" in 2005 by CardSystems Inc.
The breach that hit the parent company of apparel and gifts vendors TJ Maxx and Marshall’s was an unmitigated disaster; shareholder and customer lawsuits have been in court ever since.
Data stolen in the hack later turned up at Wal-Mart stores in Florida, where it was used to enable thieves to fraudulently buy more than $8 million in merchandise. The thieves – six of whom were eventually caught – also used the stolen TJX customer data to create dummy credit cards for purchasing Wal-Mart and Sam’s Club gift cards, and then used those to bilk stores in 50 Florida counties.
Whether intentional or accidental, a database security breach can happen to any company. The negative media exposure can be overwhelming, and in some cases, the resultant drop in stock value is enough to turn companies into takeover targets or force them into bankruptcy.
Laptop theft and run-of-the-mill data breaches are only two of the many ways financial applications, corporate databases and web-facing systems can be compromised. Add laws such as the Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley (SOX), and security and compliance risks become more common and compelling considerations for IT risk management.
The key to effectively managing these risks around structured data, a growing number of storage analysts contend, is securing the database where the data is housed, not just the network through which it is accessed. If you are a network security advocate, consider this: how hard is it, really, to obtain all of those passwords? In addition, network-based monitoring can drop packets under load, leaving gaps in the record of what actually reached the database.
“A good password sniffer can break into an account that uses an easy password in three to five minutes,” Phil Ruggieri, CEO of data security provider Cyber Operations in Pelham, Ala., told attendees at the recent Data Protection Summit here. “And it might take only a few minutes longer to break into one with a more difficult password.
“Either way, passwords are not the answer to solid security of a database or anything else.”
There are a couple of key differences in protecting structured (database) data and unstructured data, Adrian Lane, CEO of IPLocks in San Jose, Calif., told eWEEK.
“I’ve always maintained that within structured data is where all or most of the key intellectual property of a company resides,” Lane said. “Those threats [to structured data, as opposed to unstructured data] are different in a number of ways.
“Most notably, the size and volume of the data – so you’re talking about many, many years of data that gets stored in a very singular location – as opposed to unstructured data, which may [reside] in a file server or multiple file servers across different business divisions of the company. So it [structured data] tends to provide a very rich target, simply because of the quantity of information.”
A database becomes harder to protect than a regular storage system because of the sheer number of people who might use that data, Lane said.
“This might be ad hoc users doing ad hoc business or doing reports; it may be applications that have logic stored within the database – and there are many ways that a hacker can use existing functionality to leak information out, just by using replay attacks on existing functionality from an application,” Lane said.
There also tends to be a lot more generic access within a database, as opposed to specific user accounts, Lane added, which can lead to security issues.
“Let’s say an application server connects to a database,” Lane said. “For performance reasons, it’s actually going to pre-create dozens of different database accounts. In that way, it will round-robin through those connections as it needs them. That way it doesn’t incur the overhead of starting up the connection to the database, validating itself and so forth every time – it simply sends the query across. When it does that it creates a generic user account.”
The "generic account" tends to make user activity less traceable unless the database administrator takes steps to resolve that issue, Lane said.
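The traceability problem Lane describes, worked through as an added example (not the article's or IPLocks' code): a pool of connections all authenticated as one generic login, with the database-side audit trail seeing only that login until the application tags each unit of work with the end user it is acting for, and clears the tag before the connection returns to the pool. It uses an in-memory SQLite database so it runs offline; the login name `app_svc`, the table names and the `session_ctx` temp table are assumptions. The production equivalents of that tag are Oracle's DBMS_SESSION.SET_IDENTIFIER, SQL Server's sp_set_session_context, or a PostgreSQL custom setting read back with current_setting().

```python
"""Pooled generic login vs. end-user audit context (added example, SQLite in memory)."""
import sqlite3
from itertools import cycle

POOL_LOGIN = "app_svc"   # assumed name of the one account every pooled connection uses
SHARED_DB = "file:pool_demo?mode=memory&cache=shared"   # one database shared by the pool


def make_pool(size=3):
    """Open `size` connections as the generic login and give each a private audit context."""
    conns = [sqlite3.connect(SHARED_DB, uri=True) for _ in range(size)]
    conns[0].executescript("""
        CREATE TABLE IF NOT EXISTS accounts(id INTEGER PRIMARY KEY, balance INTEGER);
        CREATE TABLE IF NOT EXISTS audit_log(db_login TEXT, app_user TEXT,
            account_id INTEGER, old_balance INTEGER, new_balance INTEGER);
        INSERT OR IGNORE INTO accounts VALUES (1, 100), (2, 200);
    """)
    for c in conns:
        # TEMP objects are private to one connection, so session_ctx stands in
        # for a per-session variable.  The TEMP trigger is the database-side
        # audit: it can only record what the session tells it.  SQLite has no
        # current_user function, so the login is written in as a literal.
        c.executescript(f"""
            CREATE TEMP TABLE session_ctx(app_user TEXT);
            INSERT INTO session_ctx VALUES (NULL);
            CREATE TEMP TRIGGER audit_balance AFTER UPDATE OF balance ON accounts
            BEGIN
                INSERT INTO audit_log VALUES ('{POOL_LOGIN}',
                    (SELECT app_user FROM session_ctx), NEW.id, OLD.balance, NEW.balance);
            END;
        """)
    return conns


def run_as(conn, app_user, sql, params=()):
    """One unit of work on a pooled connection, tagged with the end user it is done for."""
    with conn:  # commit on success, roll back on error
        conn.execute("UPDATE session_ctx SET app_user = ?", (app_user,))
        conn.execute(sql, params)
        # Clear the tag before the connection goes back to the pool; a stale
        # tag would attribute the next caller's work to this user.
        conn.execute("UPDATE session_ctx SET app_user = NULL")


def demo(set_context):
    """Run three end-user transactions round-robin over the pool; return the audit rows."""
    pool = make_pool()
    work = [("alice", 1, -30), ("bob", 2, -50), ("alice", 1, -10)]  # constructed sample
    for (end_user, acct, delta), conn in zip(work, cycle(pool)):
        run_as(conn, end_user if set_context else None,
               "UPDATE accounts SET balance = balance + ? WHERE id = ?", (delta, acct))
    rows = pool[0].execute(
        "SELECT db_login, app_user, account_id, old_balance, new_balance "
        "FROM audit_log ORDER BY rowid").fetchall()
    for c in pool:
        c.close()  # closing the last connection discards the shared in-memory database
    return rows


if __name__ == "__main__":
    print("without context:", demo(False))  # every row attributed only to app_svc
    print("with context:   ", demo(True))   # rows carry alice / bob
```

Without the context tag, the audit table shows three updates by `app_svc` and nothing else; with it, the same three rows name the end user behind each change, which is what a database monitoring tool needs before it can distinguish normal from abnormal behaviour per user.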
Thus, the database monitoring control market has been recognized as a fast-growing segment of IT by Gartner Group, IDC, Forrester and Enterprise Strategy Group. Companies in the space include IPLocks, Oracle, Embarcadero Technologies, Application Security Inc., Ingrian, Lumigent, Incida, CORE Security, NGS and others.
Reducing the Probability of Breaches
When viewed as part of a strategic effort, appropriately implemented data-security controls can provide compliance with the new federal data storage guidelines and reduce the probability of both inside and outside security breaches, Lane said.
But many companies are balking at investing in these tools, contending that their network security is sufficient. “The lack of controls around databases is fairly startling, as most companies concentrate on keeping the bad guy out as opposed to keeping the data itself secure,” Lane said.
Let's not forget encryption. Database vendors offer row- and column-based encryption capabilities. SQL Server 2008, for example, will feature what Microsoft calls transparent data encryption (TDE), which encrypts an entire database, its data files and its log files without the need for application changes. TDE protects those files, and backups made from them, at rest; it does not hide data from anyone who can log in and query it.
While encryption is an important part of protecting data, it is not without its challenges. Poorly implemented database encryption can slow applications, and the keys themselves must be protected and managed. Still, for all its complexity, some level of database encryption is a key element of security, and often part of complying with various regulations.
“The main thing is that regulations like PCI require (encryption) for certain types of data,” noted Paul Stamp, an analyst with Forrester Research. “Outside of that, you’re mainly worried about DBAs with direct access to the database who have no business actually seeing the data, and when that data gets shipped offsite, say in a backup.”
Lane and IPLocks colleague Bill Madaras offered eight simple steps for determining if your current data security solutions actually will contribute to the growth of your company.
1. Directly monitor your financial databases. Rather than monitor your network where rogue users can gain untraceable access to your data, monitor your financial databases. Make sure your tools can identify, alert on, and help you respond to, unusual activities on a near real-time basis.
2. Assess your databases for, and then harden them against, security weaknesses. Many databases are vulnerable to unauthorized access due to insufficient patch levels or the use of default or weak passwords. These conditions can leave open the door to unauthorized users who bypass application-level controls and directly alter data.
3. Audit your database-user access. All database-access rights must be regularly reviewed and, if need be, revised to ensure user rights are consistent and properly limited. With more self-service applications and increasing direct customer access, the failure to modify, or remove, user accounts as employees and customers change roles creates a large security-infrastructure loophole.
4. Know how users use your database. One of the best defenses against outside attacks and internal fraud is the detection of anomalous activity. Implement database-monitoring tools that distinguish normal and abnormal activities for each user and that can immediately respond to abnormal activities.
5. Ensure data integrity by verifying transaction authenticity. An auditing-generated forensic trail can help verify the authenticity of database transactions.
6. End-of-period adjustments require independent review. Even trusted users can manipulate standard business practices to perpetrate fraud with special, end-of-period adjustments. Check all changes to financial data, whether made by individuals or by applications, in order to identify odd adjustments. Rather than verify adjustments with the accounting software that your financial personnel are used to working with, use independent monitoring and auditing software.
7. Automate controls to reduce annual-audit costs. Manual, annual audits are expensive, cause seasonal spikes in resource requirements, overburden your staff, introduce errors and slow down other operations. Conversely, an automated, continuous monitoring of key database controls helps you identify issues throughout the year, enables quick resolution of issues, and reduces expensive, time-consuming mitigation procedures.
8. Employ encryption to protect data. Regulatory compliance requires that some data in the database be encrypted, and encryption also mitigates the insider threat.
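Steps 1 and 4 above call for monitoring the database itself and distinguishing each login's normal activity from abnormal activity. The following added example (not the article's or IPLocks' code) shows the core of such a control: build a per-login baseline from last week's audit records (statement types, tables touched, working hours, largest result set), then score today's records against it. The audit lines and their `user=... stmt=... table=... rows=...` format are constructed for the example and stand in for whatever a DBMS audit trail or monitoring appliance actually emits; the logins, tables and thresholds are assumptions.

```python
"""Baseline-and-deviation detection over database audit records (added example)."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) stmt=(?P<stmt>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed "last week" baseline: a reporting login, the application's pooled
# login, and a DBA who normally only looks at system statistics.
BASELINE_LINES = [
    "2007-06-04T09:15:00 user=rpt_svc stmt=SELECT table=orders rows=420",
    "2007-06-04T14:02:00 user=rpt_svc stmt=SELECT table=customers rows=500",
    "2007-06-05T10:30:00 user=rpt_svc stmt=SELECT table=orders rows=380",
    "2007-06-04T09:16:00 user=app_svc stmt=UPDATE table=accounts rows=1",
    "2007-06-04T22:40:00 user=app_svc stmt=INSERT table=orders rows=1",
    "2007-06-05T03:12:00 user=app_svc stmt=SELECT table=accounts rows=2",
    "2007-06-05T09:00:00 user=dba_jsmith stmt=SELECT table=sys_stats rows=40",
    "2007-06-05T17:30:00 user=dba_jsmith stmt=SELECT table=sys_stats rows=35",
]

# Constructed "today": one normal report, a night-time bulk pull of card data by
# the reporting login, a DBA reading cardholder data, the pooled login deleting
# audit rows, an account with no history, and one malformed line.
TODAY_LINES = [
    "2007-06-11T10:05:00 user=rpt_svc stmt=SELECT table=orders rows=450",
    "2007-06-11T02:30:00 user=rpt_svc stmt=SELECT table=card_numbers rows=45600",
    "2007-06-11T16:45:00 user=dba_jsmith stmt=SELECT table=card_numbers rows=12",
    "2007-06-11T11:20:00 user=app_svc stmt=DELETE table=audit_log rows=3000",
    "2007-06-11T12:00:00 user=tmp_user stmt=SELECT table=accounts rows=5",
    "garbage line that does not parse",
]


def parse(lines):
    """Parse audit lines into dicts, skipping malformed ones rather than crashing."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "user": d["user"],
            "stmt": d["stmt"].upper(),
            "table": d["table"],
            "rows": int(d["rows"]),
        })
    return events


def build_baseline(events):
    """Per-login profile: statement types, tables, hour range and largest row count seen."""
    base = {}
    for e in events:
        b = base.setdefault(e["user"], {"stmts": set(), "tables": set(),
                                        "min_hour": 23, "max_hour": 0, "max_rows": 0})
        b["stmts"].add(e["stmt"])
        b["tables"].add(e["table"])
        h = e["ts"].hour
        b["min_hour"] = min(b["min_hour"], h)
        b["max_hour"] = max(b["max_hour"], h)
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return base


def detect(baseline, events, bulk_factor=10, hour_slack=1):
    """Return (login, reason, table) for every deviation from the login's baseline."""
    alerts = []
    for e in events:
        u, t = e["user"], e["table"]
        b = baseline.get(u)
        if b is None:
            alerts.append((u, "unknown-account", t))   # login with no history at all
            continue
        if t not in b["tables"]:
            alerts.append((u, "new-table", t))         # e.g. a DBA reading cardholder data
        if e["stmt"] not in b["stmts"]:
            alerts.append((u, "new-stmt", t))          # e.g. a read-only login issuing DELETE
        if e["rows"] > bulk_factor * max(b["max_rows"], 1):
            alerts.append((u, "bulk-rows", t))         # result far larger than ever before
        h = e["ts"].hour
        if h < b["min_hour"] - hour_slack or h > b["max_hour"] + hour_slack:
            alerts.append((u, "off-hours", t))         # outside the login's usual hours
    return alerts


def run_demo():
    baseline = build_baseline(parse(BASELINE_LINES))
    return detect(baseline, parse(TODAY_LINES))


if __name__ == "__main__":
    for login, reason, table in run_demo():
        print(f"ALERT {login}: {reason} on {table}")
```

The normal `rpt_svc` report raises nothing, while the 2:30 a.m. pull of 45,600 rows from a table that login has never touched trips three separate checks; the DBA's small read of `card_numbers` is caught only by the new-table rule, which is exactly the case Stamp describes. A real deployment would learn the baseline over a longer window, key it on the end-user identity carried through pooled connections rather than the generic login alone, and feed alerts into the response process step 1 asks for.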
Additional reporting by Brian Prince.