Think your company's information is safe? Well, have you secured your databases?
If you're running a business, chances are you're also privy to some highly sensitive data. It could be about your customers, your employees, your entire business, but any company that has both clients and a staff has vital information that should not get into the wrong hands.
Over the last few days, months, years, decades, data breaches have happened. This should cause alarm for all those who want to be sure their vital information is protected by those with whom they share it. But what does that protection entail? Most companies and individuals alike believe that this means properly securing the network with essential precautions like encryption. That, however, is only half the story.
Josh Shaul, director of product management at online security firm Trustwave, wants to remind everyone that while encryption is necessary for making sure one's data is secure, databases are in great need of protection, too. And database protection goes well beyond mere encryption. These databases are what companies use to hold customer accounts, employee information, even private bank information. "The real issue is that folks want their databases to be secure," he said. "But they haven't taken the steps to secure them." Shaul will be presenting his findings about database security at next month's RSA conference.
Most businesses, he says, focus on securing their networks, and assume databases come pre-loaded with necessary safeguards. They don't. He provides the analogy of a bank, which is patrolled at its borders to ensure the right people gain entry. But there's also a vault inside that holds the money.
"The way people treat their databases today," he said, "it's like a pile of cash on the floor."
Accessing these databases is easier than you might think. For example, someone can gain database access by getting an employee's password (which can be done many ways, be it a phishing campaign or by just fooling the employee), or by using what is known as SQL injection, an attack hackers use to specifically target databases.
According to Shaul, the only skills either of these techniques require are "a little Google and a little cut and paste." From there, hackers can gain entry into these databases, and sometimes a company may not even know what's been breached. "Often companies don't have enough visibility [into the databases] because of lack of monitoring," he said.
Shaul works for a computer security company, so he has a dog in this fight, but he's also right. Just ask Target, Neiman Marcus, and any number of other businesses-cum-hack-targets over the past few months. Shaul's message is that businesses should be extra cautious about securing their databases, because historically most have not. This makes sense, since that's where most of the information sits. Yes, encryption is good, but it's necessary to go beyond that.
His prescriptions include having a general risk assessment on all your databases. From there, make sure to enforce restricted permissions so that people can only access information they genuinely need. And, following that, always have a response plan. It turns out most companies don't.
This sounds like common sense, but I guess it's not. Shaul claims numerous clients of his rely on default settings and don't critically examine their database security. This is when mistakes happen.
And while mistakes are bound to happen, it's best to avoid them -- especially when so much is at stake.
[illustration by Brad Jonas for Pando]