No One-Stop Shopping to Stop Database Pilferages

By Lisa Vaas  |  Posted 2005-12-29

No One-Stop Shopping to Stop Database Pilferages

Database security breaches have been coming fast and furious as the year draws to a close.

Last week, role-playing game company White Wolf Publishing Inc. reported that it was the victim of attempted extortion after international hackers exploited a software flaw and threatened to post stolen user data including user names, e-mail addresses and encrypted passwords.

Rather than pay the money, the company closed up shop and went to work with the FBI to trace down the criminals.

Swiping passwords from a game company is one thing. Far more embarrassing was a database breach revealed by Guidance Software Inc., maker of anti-hacker software.

Guidance last week sent a letter to customers warning that its databases were breached in November.

Some 3,800 credit card numbers stored on an unencrypted database might have been exposed, along with card value verification numbers and the names, addresses and telephone numbers of clients.

The clients, ironically, were network security professionals and law enforcement officials.

According to the Washington Post, one customer, the computer-forensics investigative firm Kessler International, received the Guidance letter at the same time it also received an American Express bill containing some $20,000 in unauthorized purchases of pay-per-click Google advertising.

What are such companies—including security firms, which one would think would have better defenses and internal security policies—still doing wrong when it comes to securing the database?

Its not that businesses are oblivious to the need to secure the database.

That might have been the case a few years back, when security was focused on the perimeter, where Web servers resided.

But companies nowadays are focused on keeping auditors happy. Keeping auditors happy means that money has been spent on securing at the data level.

Thats reflected in the robust growth rate of database security product vendors.

Andrew Jaquith, an analyst with Yankee Group, said that the majority of such vendors are growing at rates of about 100 percent.

These are tools that are database-specific. As such, they specialize in database-specific intrusion detection, and they likewise seek out database holes.

For example, Oracle databases are famous for having the default user name Scott, password Tiger.

Such tools look through the database for such unchanged default accounts or for null passwords for administrative users.

Theyll also trace anomalous database user activity as users try to grab more information than is typical for their access levels and usage patterns.

Would having such a database-specific device have stopped the recent breaches?

Its hard to say. As is typical with security breaches that become public, little detail has been provided on either breach.

But Shlomo Kramer, CEO of data center security company Imperva, theorized in an interview with eWEEK that the Guidance attack likely came from an insider.

"Think of an analyst, someone with legitimate access to the database for legitimate use of data, looking up ZIP codes of customers, and then abusing these privileges to go beyond business usage to steal credit cards [and other] customer information," he said.

Would such an internal attack—one that happens within the normal parameters of business access to data—have been picked up by a database-specific firewall device?

Such internal attacks do underscore the need for a layer of protection that understands access privileges and normal usage patterns—a capability that vendors such as Imperva are touting.

Other vendors would like companies to believe that if they want to protect their databases and networks from both internal and external attacks, they need to purchase solutions that protect the entire stack.

They protect the database from external attack, go beyond that to assess vulnerabilities in the database or application, perform auditing in order to determine abnormal access, and protect at the perimeter as well.

Such a scenario involves a firewall in front of the Web application and a data security gateway that sits in front of databases, protecting them from internal attacks.

Together, theyre managed from a single framework that provides end to end transactional security.

A defined policy spans the Web tier and the databases tier to provide a unified picture of security in the data center.

Were seeing such products come out of vendors such as F5 Networks Inc., Radware, Citrix/NetScaler and, in the future, Cisco Systems Inc.

Whats wrong with the picture? John Pescatore, an analyst with Gartner, says that theres just no one-size-fits-all solution to all of the problems faced by the aforementioned breached companies.

Next Page: Different forms of attack.

Different Forms of Attack

Attacks generally come in three forms, Pescatore said.

The obvious ones are when data gets put on backup tapes and the tapes get lost. The solution for that one is easy: encrypt the data before its put on backup tapes, or send it over an encrypted network.

Encryption of stored data protects both against lost tapes getting into the wrong hands or external attackers who break in and steal the entire database.

Still, even encryption hypervigilance wont protect enterprises from malicious users who obtain credentials of an authorized user.

Credit card companies are ahead of the industry with their abilities to flag anomalies, detecting unusual buying patterns. But enterprise ability to flag anomalous usage has flagged, for good reason.

In a nutshell, the problem is that enterprises need a good baseline to know what normal is, Pescatore said.

"You can do some simple things, like why is that clerk doing retrieval of a thousand records when normally he retrieves one at a time?" Pescatore said.

What really messes up the technology is the fact that user behavior is simply too unpredictable, Pescatore said.

"In many environments, sometimes a clerk retrieves one record, and sometimes a thousand. The anomaly stuff is hard to make work inside enterprises," he said.

"Think of security on a PC: Youll notice theres no behavioral intrusion detection; because user behavior varies so much, its been pretty hard to do."

Thus, protection from all three levels of attack—internal, external, and lost or stolen backups—wont necessarily fit into one form of security solution, Pescatore said.

"Thats sort of like the advertised end goal: This is nirvana, basically. Well get to this place where only authorized users can get to only the information theyre authorized to see."

Will we get there? Pescatore thinks we will, but that were only now at the start of getting the technology right.

Indeed, analyst firms are coming up for their own names for the new breed of full stack protection technologies vendors are moving toward.

Gartner is referring to the coming technologies as application delivery controllers, while Yankee is calling the new breed application availability platforms.

These new-breed security products focus on security as a subset of reliability.

"Its an essential component of companies continuing to make money," Jaquith pointed out.

Thus, beyond firewalling the data layer and the Web layer, availability players are also looking at adding load balancing, SSL acceleration, routing, content caching and other means to speed applications up.

What should customers be asking if they consider purchasing products that vendors are selling as solutions to cover the entire stack and provide availability features?

Jaquith advises asking if the product can protect an entire application.

That includes all the layers of, for example, commerce applications with database back ends and Web front ends, along with Web interfaces to partners.

Another thing to determine is what a given vendor can promise regarding availability.

You dont want to just keep out hackers, Jaquith said—you also want the application to stay up so as to assure customers the performance guarantees they require.

Finally, look at where vendors are heading as the market shifts.

Niche players will assure potential customers that they specialize in one aspect of protection, such as database firewalling, but some, if not most, customers would prefer to go with a full-service player with a broad base of customers that will be around awhile, Jaquith advised.

Jaquith had one last piece of advice: ask why sensitive data is being kept in the first place.

"Its really hard to have security problems about data youre not storing," he said. "Do you need to keep credit card numbers on file? Addresses? Phone numbers? E-mails? If you dont have it, you dont have a problem. Thats a simple formulation, but if you turn the clock back seven to eight years, there was secure electronic transactions by credit card companies that would have kept all data centralized with the credit card folks. Sites that use it, theyd associate it with a transaction record of sorts. They wouldnt need to keep that data kicking around on e-commerce servers."

Perhaps, Jaquith said, its time to dust that idea off once again, so that instead of securing a thousand bunkers, were only securing one.

Editors Note: This story was updated to correct the misattribution of a quote from Andrew Jaquith.

Check out eWEEK.coms for the latest database news, reviews and analysis.

Rocket Fuel