Read all about it

Editorial Type: Opinion     Date: 07-2014    Views: 2263   





Joshua Shaul, Director of Product Management at Trustwave, explains why you need to know that your database is not exposed.

A continuing series of data breaches is producing international headlines with little sign of abating, in turn revealing an eye-opening reality: no matter the size or type of business, if it has valuable information, it is on the criminals' radar. No surprise, then, that those businesses need to get ahead of criminals and implement a multi-layer security strategy that protects not only their networks and applications, but also their data.

A common misconception among businesses is that if their networks and applications are protected, so are their databases. An attacker's objective is to access data handled by a business. That data is most likely stored on a database and therefore it requires its own protection. Failing to protect a database is like putting your valuables in a safe but leaving the safe door wide open and unlocked, which of course you would be unlikely to do.

We have investigated thousands of data breaches during the past few years and in the course of that work we have gained a unique insight into the techniques cybercriminals employ to penetrate business defences and steal valuable data. Those techniques include launching phishing and watering hole attacks to deliver zero-day exploits, extracting passwords directly from employees and using old standby weapons like SQL injection. Once an attacker has established a network entry point, all perimeter defences are defeated. Only internal security controls remain and if you aren't protecting your databases, it's game over.

We frequently see exposed databases while performing penetration tests on networks and applications. Penetration tests help businesses to identify and fix weaknesses in their security, before it's too late. Typically, when ethical hackers perform these kinds of tests they find a chink in the armour protecting the network perimeter and gain internal access. From there, we find that most businesses have left the door to their databases wide open. They relied so much on their perimeter security that they never learned how to secure their databases, potentially providing criminals with full access to their private information.

Businesses should think more like criminals and develop defences around all aspects of their infrastructure that contain valuable data, especially their databases. A rigorous approach to database and application security, complemented by adequate security at the network perimeter, creates a layered defence posture where the closer an attacker gets to the target, the more difficult it becomes to progress without detection.

The security measures required to protect databases should include the following:

• Create a database security plan that outlines the process of database protection with responsibilities clearly assigned to specific stakeholders
• Perform a risk assessment and locate all databases that contain sensitive data and identify vulnerabilities, including misconfigured security settings
• Deploy protection for web applications that sit in front of databases such as Web Application Firewalls and employ secure coding practices
• Install technology that limits access privileges to networks, applications and databases so that only those who actually need access get it. Regularly review
• Finally, databases must be constantly monitored for attacks, abuse and misuse. When a problem is identified a well-rehearsed incident response plan must be ready to deploy immediately and ultimately reviewed for its effectiveness.

Some businesses may struggle to allocate the resources and even skills required from among the in-house team. This cannot be allowed to impede the effective deployment and management of such a security plan. It may be worth considering the use of a third-party team of experts who can augment existing staff and will inevitably introduce a new and updated perspective. Ensuring that the most effective security tools are installed and running properly is the only way to prevent a data compromise and it can be the difference between a foiled attack and producing the next headline.
