There is much being spent on IT, but it is not being used to secure databases. This is ironic, as most of the data stolen by hackers resides in the database, said Craig Moir, MD of MyDBA, speaking at ITWeb Security Summit 2015, in Midrand, yesterday.
Moir said there are only two types of organisations – those that have been hacked and those that will be hacked. Businesses that think they will never be hacked are naïve, because it will happen, he added.
Companies are not aware of their entire database and the type of data found within them, which leaves them vulnerable, he noted.
Moir listed six steps to protect data and secure an organisation's database:
1. Discover sensitive data
All companies need an inventory of their data. Identify all databases within an organisation. Identify all sensitive data within each database and scan regularly.
Non-production environments are typically completely unsecured. Any copy of a database in an unsecured environment completely nullifies all security efforts and expenses of keeping the initial database secure.
Secure root and system administration accounts – data is only as secure as the root and system administration accounts. Hackers target privileged accounts first. Weak passwords account for 31% of intrusions.
2. Find and remediate database vulnerabilities
Almost by default, software installations are vulnerable. Harden the environment by addressing known vulnerabilities. Assess the environment regularly and assess again after every upgrade or patch. The importance of database patch management is hugely underestimated. Hackers automate scanning for targets that are susceptible to publicly known vulnerabilities. Out-of-support software versions pose significant risk.
3. Understand who has access to private information
Manage user access rights across applications and databases. Enforce the "principle of least privilege" rule, and also enforce segregation of duties. Companies should also segregate and delegate administration duties.
4. Protect data from unauthorised access
Enforce segregation of duties at database access level. Block unauthorised data access; this will prevent breaches due to hacker privilege escalation.
5. Monitor and alert on privileged user activity
Understand who has access to private information. Discover and map user access rights; remove excess rights and privileges, while also reviewing and approving or rejecting individual user rights.
6. Develop and implement a data privacy protection policy
Develop audit policies and audit reporting. Have a separate and secure audit repository and audit all database access activity.
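Step 1's "identify all sensitive data within each database and scan regularly" can be sketched as a small column scanner. This is an added example, not code from the talk; it assumes SQLite and constructed sample tables, and the two patterns (e-mail addresses, Luhn-valid card numbers) are illustrative only.

```python
import re
import sqlite3

# Constructed patterns for two data types; a real inventory would cover more.
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[a-zA-Z]{2,}$")
CARD = re.compile(r"^\d(?:[ -]?\d){12,18}$")  # 13-19 digits, optional separators

def luhn_ok(value):
    """Luhn checksum: filters out digit strings that cannot be card numbers."""
    digits = [int(c) for c in value if c.isdigit()][::-1]
    total = sum(digits[0::2])
    total += sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

def classify(value):
    """Return the sensitive-data kind of one cell value, or None."""
    v = value.strip() if isinstance(value, str) else ""
    if EMAIL.match(v):
        return "email"
    return "payment_card" if CARD.match(v) and luhn_ok(v) else None

def quote(name):  # escape an SQL identifier so odd names cannot break the query
    return '"' + name.replace('"', '""') + '"'

def scan(conn, sample=200):
    """Return {(table, column): {kind: hits}} for columns that hold sensitive data."""
    findings = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({quote(table)})")]
        for col in cols:
            rows = conn.execute(f"SELECT {quote(col)} FROM {quote(table)} LIMIT ?", (sample,))
            for (value,) in rows:
                kind = classify(value)
                if kind:
                    hits = findings.setdefault((table, col), {})
                    hits[kind] = hits.get(kind, 0) + 1
    return findings

def demo():  # constructed in-memory database, for illustration only
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, contact TEXT, notes TEXT);
        CREATE TABLE orders (id INTEGER, pay_ref TEXT, sku TEXT);
        INSERT INTO customers VALUES (1,'alice@example.com','prefers phone'), (2,'bob@example.org','n/a');
        INSERT INTO orders VALUES (1,'4111 1111 1111 1111','SKU-1001'), (2,'1234567890123456','SKU-1002');
    """)
    return scan(conn)
```

Run on a schedule against every database in the inventory, non-production copies included, the findings map shows which columns need the access controls and auditing described in the later steps.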