2011: Year of the Database Hack?

Each year in the security landscape can be characterized by some major themes. Back in 2009 it was the theft of major payment card data stores, while 2010 shined a light on Stuxnet and the advanced persistent threat. But 2011 may be the year of the database hack, with attackers having absconded with dozens of large information stores throughout the year.

And why wouldn’t hackers – or cybercriminals – want this information in a neat, tidy package wherever available? After all, while this may not lead to an immediate financial windfall, the information that can be gleaned from databases is a gold mine of personal details that can be employed in subsequent scams, hacks, and general malfeasance.

“All of the data we really care about, nowadays, is stored in databases”, said Phil Neray, IBM’s VP of Data Security Strategy. He then cited comments by Purdue professor Eugene Spafford, who previously told Infosecurity that the recent large database hacks should come as no surprise, because all of the data that criminals need is centralized in one place.

Neray said IT security pros now face a new challenge when reflecting on these hacking incidents: protecting databases that are beyond traditional perimeter defenses, such as firewalls and anti-virus. This challenge is two-fold, because databases are vulnerable to both external and internal misuse.

A perfect example is a hacker exploiting a web application vulnerability, which typically would not be picked up by a firewall. “You need to be monitoring what’s going on with your database, so you can find abnormal activity”, Neray asserted. He added that technology can be used to discover and perhaps block these suspicious events.

The IBM VP also had one small surprise in store when he spoke with Infosecurity recently. Neray said that, contrary to widespread belief in IT security circles, small and medium-sized enterprises (SMEs) that outsource databases to the cloud can actually be setting themselves up for a letdown by decreasing their security posture.

“Often the security at a cloud provider is less than what [an organization] would provide itself”, he said, adding that the company outsourcing its database is still liable for that data from both legal and compliance perspectives. “You need to make sure that the cloud provider has the right controls in place”, Neray affirmed.

Another challenge SMEs face is their limited resources, the IBM executive noted. This is especially true on the personnel side, as he cited Forrester research demonstrating that less than 5% of database administrators’ time is spent on security.

At an SME, “the person in charge of security is often the same person in charge of the network, and may be in fact in charge of the database system”, Neray observed. He said that, historically, the database administrator’s primary focus was performance optimization and availability, and not security. In cases where there are separate roles for each function, SMEs often get caught up in a game of supposition when the database administrator assumes that the network or security manager has considered the database’s security needs.

Getting organizations to focus on proactive – rather than reactive – security is one of the goals IBM has set for the future, Neray said. Rather than the traditional review of logs every six months or quarterly, as can typically be the case, he believes automated tools that continuously monitor for suspicious or unauthorized activity are necessary. The ‘automated’ portion of this equation is especially important to SMEs that already face the challenge of staff constraints.

“From a people point of view, you actually help your situation when you put into place automated security tools”, Neray continued. “Instead of looking at every single event, you will only be notified on an exception basis by putting in place rules for notification. By using automated technology, you are actually reducing the burden on your limited people resources.”

Neray said he has come across many C-level executives who are now putting security near the top of the agenda as a strategic issue. In the not-too-distant past, such concerns typically came about only after a compliance issue emerged, or an organization suffered a security incident, he recalled.

“Now we are seeing the more forward-thinking executives who say: ‘We need to be more proactive about security’ ”, he shared. “It’s much less expensive to prevent a breach than having to deal with the cleanup after.”
