
Database security - how is your database breached?


Johannesburg, 19 Jul 2017

With POPI looming and possibly even compliance with GDPR, organisations need to have adequate measures in place to protect sensitive data in their custody. However, you need to know how data is breached in order to implement appropriate security measures.

This article explains the various methods that are used to gain unauthorised access to your databases and what solution is required to protect against this.

Encryption

Data, whether in database files or in common document formats, is by default stored unencrypted. Documents can easily be stolen or copied, and text can be extracted from database files without even opening the database.

Encryption is the most effective solution to protect data from theft, whether the data is in local database files, documents, internal file backups and/or offsite backups.

Privileged user accounts

System administrators and database administrators are by default the all-powerful users of any system. This means they have unfettered access to any and all data, including highly sensitive data. Their job function does not require them to have access to sensitive data or personal information at all, so that access needs to be blocked. A database firewall (DBF) or a file firewall is a necessary component to enforce segregation of duties and block unauthorised access.

It is important that these users are also monitored and their activity recorded by a third party, such as a security administrator using a privileged user monitoring tool.

Segregation of duties is also an absolute necessity for these roles to eliminate any conflict of interests.

Administrative users pose a massive insider threat risk, and therefore the inherent risk associated with these accounts needs to be removed as a priority.

Use and abuse monitoring

Even if users have legitimate access to sensitive data, they still need to be monitored in order to identify any unusual activity, such as accessing systems out-of-hours, or querying unusually large quantities of data, as this could indicate possible data theft.

There are also many other ways to connect to a database without having to go through the application interface, and this type of connectivity should also be monitored and blocked.

All login attempts should be audited, including unsuccessful attempts, as these could indicate password guessing, brute-force or denial-of-service (DoS) attempts.

Use and abuse monitoring should also detect unauthorised backups, extracts and dumps, as well as unauthorised DDL, DCL and database structure changes.

A database activity monitoring (DAM) product is the solution for the above.
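The rules described in this section (out-of-hours access, unusually large result sets, repeated failed logins, connections that bypass the application tier, and unauthorised dumps or DDL) can be expressed as simple detection logic over an audit trail. The following is an added example written for this article, not code from the article or from any DAM product it refers to; the audit line format, thresholds and account names are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real logs): "timestamp user source event [key=value ...]"
SAMPLE_AUDIT = """\
2017-07-19T09:02:11 agent01 app-srv LOGIN_OK
2017-07-19T09:02:15 agent01 app-srv SELECT rows=12 table=customers
2017-07-19T10:15:00 svc_report app-srv SELECT rows=50000 table=orders
2017-07-19T11:00:01 unknown 203.0.113.9 LOGIN_FAIL
2017-07-19T11:00:02 unknown 203.0.113.9 LOGIN_FAIL
2017-07-19T11:00:03 unknown 203.0.113.9 LOGIN_FAIL
2017-07-19T11:00:04 unknown 203.0.113.9 LOGIN_FAIL
2017-07-19T11:00:05 unknown 203.0.113.9 LOGIN_FAIL
2017-07-19T14:09:55 dba02 jump-host LOGIN_OK
2017-07-19T14:10:00 dba02 jump-host DROP table=audit_tmp
2017-07-19T23:41:03 agent07 10.0.5.23 LOGIN_OK
2017-07-19T23:41:20 agent07 10.0.5.23 SELECT rows=250000 table=customers
2017-07-19T23:45:00 agent07 10.0.5.23 DUMP table=customers
"""

DDL_DCL_EVENTS = {"CREATE", "ALTER", "DROP", "GRANT", "REVOKE"}
EXTRACT_EVENTS = {"DUMP", "BACKUP", "EXPORT"}


def parse_line(line):
    """Parse one assumed-format audit line into a record dict."""
    ts, user, source, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "source": source,
            "event": event, "rows": int(fields.get("rows", 0)),
            "table": fields.get("table")}


def detect_abuse(log_text, business_hours=(7, 19), max_rows=100_000,
                 fail_threshold=5, fail_window=timedelta(seconds=60),
                 trusted_sources=frozenset({"app-srv"}),
                 service_accounts=frozenset({"svc_report"})):
    """Return a list of (rule, user, timestamp) alerts for the audit text."""
    alerts = []
    recent_fails = defaultdict(list)   # source -> timestamps of recent failed logins

    def alert(rule, rec):
        alerts.append((rule, rec["user"], rec["ts"].isoformat()))

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)

        if rec["event"] == "LOGIN_FAIL":
            window = recent_fails[rec["source"]]
            window.append(rec["ts"])
            window[:] = [t for t in window if rec["ts"] - t <= fail_window]
            if len(window) == fail_threshold:      # fire once when the threshold is reached
                alert("brute_force", rec)
            continue

        # Successful login that did not come through the application tier
        if rec["event"] == "LOGIN_OK" and rec["source"] not in trusted_sources:
            alert("direct_connection", rec)

        hour = rec["ts"].hour
        if rec["user"] not in service_accounts and not (business_hours[0] <= hour < business_hours[1]):
            alert("out_of_hours", rec)

        if rec["rows"] > max_rows:
            alert("large_extract", rec)
        if rec["event"] in EXTRACT_EVENTS:
            alert("unauthorised_extract", rec)
        if rec["event"] in DDL_DCL_EVENTS:
            alert("schema_change", rec)
    return alerts


def summarise(alerts):
    """Count alerts per rule, for a quick triage view."""
    return Counter(rule for rule, _, _ in alerts)


if __name__ == "__main__":
    found = detect_abuse(SAMPLE_AUDIT)
    for a in found:
        print(a)
    print(summarise(found))
```

Each rule fires on one record, so a single out-of-hours session produces one alert per event; a production tool would correlate these into one session-level incident. The failed-login rule is evaluated per source address within a sliding window, which is what distinguishes a brute-force attempt from a user mistyping a password once.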

Securing legitimate access to sensitive data

Access to personal information is often a requirement for certain job functions within an organisation such as call centre agents and other administrative type roles. It is very easy for users in these positions to simply write down on paper the sensitive information shown on their screen, and this will go completely undetected. Such information should be appropriately redacted or masked, so the information is of insufficient value if written down, but enough to enable the user to perform their job. Tokenisation is also an effective method to secure and manage access to sensitive data.

SQL injection

This is a very common and easy method of gaining unauthorised access to a database: attacker-supplied input is incorporated into a query so that it executes over the application's own legitimate database connection, piggybacking on that trusted session. Web applications are the entry point for most SQL injection attempts, so having a Web application firewall (WAF) is vital to prevent attacks of this type.
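To make the mechanism concrete, here is an added example (not code from this article or from any product it names) that puts a query built by string concatenation next to its parameterised form, using an in-memory SQLite table with constructed rows. The `looks_like_injection` check at the end is a crude signature of the kind a WAF rule applies to request parameters; it is an assumption for illustration and a heuristic only, while parameterised queries are the actual fix.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed in-memory table with fictional users; no real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "agent"), ("carol", "agent")])
    return conn


def lookup_vulnerable(conn, username):
    # Deliberately unsafe: the caller's input becomes part of the SQL text, so a quote
    # character in the input changes the structure of the statement.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Parameterised: the input is bound as a value and cannot alter the query structure,
    # so the same input simply matches no row.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Crude WAF-style signature (assumption for illustration): a quote followed by OR/AND,
# a UNION SELECT, a comment marker, or a chained DROP.
INJECTION_HINTS = re.compile(r"(?i)('\s*(or|and)\s+['\d]|\bunion\s+select\b|--|;\s*drop\b)")


def looks_like_injection(value):
    """True when the parameter value carries a common injection pattern."""
    return bool(INJECTION_HINTS.search(value))


if __name__ == "__main__":
    db = build_demo_db()
    tautology = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tautology))   # every row comes back
    print("safe:      ", lookup_safe(db, tautology))         # no row matches
    print("flagged:   ", looks_like_injection(tautology))
```

The vulnerable function returns every user for the tautology input because the quote in the input closes the literal and the remainder becomes part of the WHERE clause; the safe function returns nothing because the whole string is compared as a value. Note that the signature check does not flag a legitimate name such as `O'Brien`, but a determined attacker can evade simple signatures, which is why the WAF is a control in front of the fix rather than a replacement for it.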

Hackers

Do you trust your DBA or sys admin? Privileged accounts are targeted by hackers for the simple reason that these are the most powerful accounts. You may trust your employees in these privileged positions, but trust is not going to protect your data if these accounts are breached. You need to secure your sensitive data from privileged accounts. This is done using a DBF.

Excessive user rights

Users should only have sufficient access privileges to perform their job function. Any access rights over and above this should be revoked. There are many ways to log into a database without using the actual application, and when doing so, excessive privileges can easily be identified and exploited. Databases should be scanned regularly and a user rights management for databases (URMD) tool is necessary for this task.

Static data masking

A very common practice in organisations is to copy production databases into test and UAT environments. This exposes sensitive data in an environment that is usually totally unsecured. The solution to this is to use data masking tools that can mask the sensitive data by turning the 'real' data into 'realistic' data and thereby removing any value it may have.
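The three techniques mentioned in this section and in "Securing legitimate access to sensitive data" above (redacting what a screen shows, tokenising a value so the application never holds the real one, and statically masking a copy for test environments so the data stays realistic) are illustrated in the added example below. It is written for this article and is not code from the article or from any masking product; the replacement name pool, the key, the column names and the sample rows are all constructed, and the rows describe fictional people.

```python
import hashlib
import hmac

# Constructed replacement names and a constructed key. A real deployment would keep the
# key in a secrets store and draw from a much larger, locale-appropriate name pool.
FAKE_NAMES = ["Thabo Nkosi", "Lerato Dlamini", "Sipho Mokoena",
              "Anele Botha", "Zanele Naidoo", "Pieter van Wyk"]
MASK_KEY = b"constructed-demo-key-not-for-production"


def redact_display(value, keep_last=4, mask_char="*"):
    """Dynamic masking for a screen: show only the last few characters."""
    s = str(value)
    if len(s) <= keep_last:
        return mask_char * len(s)
    return mask_char * (len(s) - keep_last) + s[-keep_last:]


class TokenVault:
    """Tokenisation: the application stores and shows the token; only the vault can map it back."""

    def __init__(self, key):
        self._key = key
        self._store = {}    # token -> original value (a separately secured store in practice)

    def tokenise(self, value):
        token = hmac.new(self._key, str(value).encode(), hashlib.sha256).hexdigest()[:16]
        self._store[token] = str(value)
        return token

    def detokenise(self, token):
        return self._store[token]


def _keyed_hash(value, key):
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()


def mask_digits(value, key):
    """Replace every digit with a keyed pseudo-random digit, keeping length and separators.
    Mapping hex nibbles to decimal is slightly biased, which is acceptable for masking."""
    h = _keyed_hash(value, key)
    out, i = [], 0
    for ch in str(value):
        if ch.isdigit():
            out.append(str(int(h[i % len(h)], 16) % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_name(value, key):
    """Pick a replacement name by keyed hash so the same real name always maps to the same fake one."""
    idx = int(_keyed_hash(value, key)[:8], 16) % len(FAKE_NAMES)
    return FAKE_NAMES[idx]


def mask_static(rows, key=MASK_KEY):
    """Produce a copy of the rows with realistic but fake personal data for test/UAT use."""
    masked = []
    for row in rows:
        name = mask_name(row["name"], key)
        parts = name.lower().split()
        masked.append({
            "id": row["id"],                      # surrogate key kept so joins still work
            "name": name,
            "email": f"{parts[0]}.{parts[-1]}@example.com",
            "phone": mask_digits(row["phone"], key),
            "id_number": mask_digits(row["id_number"], key),
        })
    return masked


# Constructed sample production rows (fictional people, constructed identifiers)
SAMPLE_ROWS = [
    {"id": 1, "name": "Jane Doe", "phone": "+27 82 555 0101", "id_number": "8001015009087"},
    {"id": 2, "name": "John Roe", "phone": "+27 83 555 0199", "id_number": "9202205012084"},
    {"id": 3, "name": "Jane Doe", "phone": "+27 82 555 0101", "id_number": "8001015009087"},
]

if __name__ == "__main__":
    print(redact_display(SAMPLE_ROWS[0]["id_number"]))
    vault = TokenVault(MASK_KEY)
    t = vault.tokenise(SAMPLE_ROWS[0]["id_number"])
    print(t, "->", vault.detokenise(t))
    for r in mask_static(SAMPLE_ROWS):
        print(r)
```

The keyed, deterministic replacement is the design point worth noticing: rows 1 and 3 describe the same person and receive the same fake name and numbers, so test data keeps its referential consistency without carrying the real values, and the key never leaves the masking host. Note that `mask_digits` preserves format but not check digits, so a masked ID number will generally fail a checksum; that is acceptable for a test copy and is in fact a useful marker that the data is not real.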

Environment hardening

Most software ships with security weaknesses and insecure defaults that need to be hardened or patched after installation. The same applies after upgrades, as a new version will probably introduce new weaknesses or undo some of the previous version's hardened state.

New administrators may also be unaware of the existing hardening and could inadvertently reopen some known loopholes. It is therefore imperative that environments with sensitive data are assessed on a regular basis for weaknesses. This can be accomplished by CIS benchmarking or vulnerability assessment software.

Patch management

Software security bugs and weaknesses are commonly known in the hacking underworld long before a software company releases a patch for them. After all, it was hackers who discovered and exploited these weaknesses in the first place. With this in mind, you can understand how crucial prompt and efficient software patch management is. As there are many components in a system, it is advisable to make use of patch management software to keep all environments up to date and secured.

A WAF can greatly reduce the threats created by poor patch management by offering dynamic or virtual patching.

Unknown data and databases

You cannot protect something that you are unaware you have. In other words, an organisation won't be able to adequately protect the data in its custody without having an inventory of its data. But not all data is sensitive and requires protection, so you need to classify it in order to identify what needs protection and how to go about doing so.

If an organisation does not find and protect sensitive data, you can be assured a hacker will find it on your behalf and exploit it. Regular data scans of the entire environment need to be carried out using a sensitive data discovery and classification tool.
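Discovery and classification of this kind works by sampling the values in each column and testing them against patterns for the data types the organisation cares about. The added example below (written for this article; not the code of any discovery product it mentions) classifies columns in constructed tables as South African ID numbers, payment card numbers or e-mail addresses. The ID-number test uses the publicly documented 13-digit layout (YYMMDD date of birth, then sequence, citizenship and checksum digits) with a Luhn checksum; the card test uses the same checksum over 13 to 19 digits; all sample values are constructed and the table and column names are assumptions.

```python
import re


def luhn_ok(digits):
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_sa_id(value):
    """13 digits, plausible YYMMDD prefix, valid Luhn check digit."""
    s = re.sub(r"\s", "", str(value))
    if not re.fullmatch(r"\d{13}", s):
        return False
    month, day = int(s[2:4]), int(s[4:6])
    return 1 <= month <= 12 and 1 <= day <= 31 and luhn_ok(s)


def is_card(value):
    """13 to 19 digits (spaces/dashes allowed) with a valid Luhn check, and not an ID number."""
    s = re.sub(r"[\s-]", "", str(value))
    return bool(re.fullmatch(r"\d{13,19}", s)) and luhn_ok(s) and not is_sa_id(s)


EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def is_email(value):
    return bool(EMAIL_RE.match(str(value).strip()))


# Ordered by priority: the first classifier that reaches the threshold wins.
CLASSIFIERS = [("sa_id", is_sa_id), ("card", is_card), ("email", is_email)]


def classify_column(values, threshold=0.5):
    """Classify a column from its sampled values; None when no pattern dominates."""
    samples = [str(v) for v in values if v not in (None, "")]
    if not samples:
        return None
    for label, test in CLASSIFIERS:
        hits = sum(1 for v in samples if test(v))
        if hits / len(samples) >= threshold:
            return {"class": label, "ratio": round(hits / len(samples), 2)}
    return None


def discover(tables, threshold=0.5):
    """Scan every column of every table and return the sensitive ones keyed as table.column."""
    findings = {}
    for table, rows in tables.items():
        if not rows:
            continue
        for column in rows[0]:
            result = classify_column([row.get(column) for row in rows], threshold)
            if result:
                findings[f"{table}.{column}"] = result
    return findings


# Constructed tables with constructed values; the third ID number has a deliberately bad checksum
# and the well-known test card number is used for the card column.
SAMPLE_TABLES = {
    "customers": [
        {"id": "1", "email": "a@example.com", "id_number": "8001015009087", "card": "4111 1111 1111 1111"},
        {"id": "2", "email": "b@example.org", "id_number": "9202205012084", "card": "4111-1111-1111-1111"},
        {"id": "3", "email": "c@example.net", "id_number": "8001015009088", "card": ""},
    ],
    "orders": [
        {"id": "10", "sku": "ABC-123", "qty": "2"},
        {"id": "11", "sku": "XYZ-999", "qty": "1"},
    ],
}

if __name__ == "__main__":
    for name, info in discover(SAMPLE_TABLES).items():
        print(f"{name}: {info['class']} ({info['ratio']:.0%} of sampled values)")
```

The checksum is what keeps the false-positive rate down: a column of order numbers or timestamps can easily be 13 digits long, but only about one in ten random 13-digit values passes Luhn, and requiring a plausible date prefix removes most of the rest. In the sample, the ID column still classifies correctly even though one of its three values is corrupt, which is why the scan works on a match ratio rather than requiring every value to pass.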

For more information on this article, please watch our YouTube video below:

https://www.youtube.com/watch?v=0TvkRIUI4Vk&t=411s
