“We’re entering a new world in which data may be more important than software.”- Tim O’Reilly, Founder, O’Reilly Media

Current State of Database Security

The goal of most of system breaches is to obtain data stored on the systems.  Databases are high-profile targets for hackers because they often contain valuable and sensitive information.  Cybercriminals can profit from retrieving and then using or selling data. Data like financial records, corporate records, personal user data, and governmental records can bring a windfall to the cybercriminals.

There are numerous reports and whitepapers available on the internet that indicate an increasing chance the data we watch over will be compromised. According to the Identity Theft Resource Center (ITRC, 2019), that the number of breaches reported was down by 23% in 2018 but the number of Personally Identifiable Information (PII) records exposed was up by 128% [Table 1].  These numbers give us an idea of a trend but do not truly show the state of breaches.  The ITRC report is based on reported breaches and reported number of exposed records.  Not all reported breaches contain exposed record counts and not everyone reports a breach.

Table 1: ITRC Reported Breaches and Reported Records Exposed Statistics

According to statistics in Symantec’s 2018 Internet Security Threat Report, the number of attacks against small and large organizations was fairly balanced.  Companies with 250 or less employees had the same percentage of email malware received as companies with more than 2500 employees.  Phishing rate by organization size was also similar with 1 in 3,111 for organizations with less than 250 employees and 1 in 3,019 for organizations with 2500 or more employees (Symantec, 2018). Attacks are not only coming from the outside.  Malicious insider activity accounted for nearly 36% of the records compromised in 2018.  Additionally, 30 of 51 data breaches that involved Intellectual Property stemmed from inside the organization (Vijayan, 2018). These statistics do not include employee or individuals with insider access that mishandled assets.

Securing the data is not just a morality or business decision, governments are taking a tougher stance on how companies maintain and protect data.  In 2018, the General Data Protection Regulation (GDPR) was put into effect.   The purpose to impose uniform data security laws on all EU members.  In the United States, the number of individual states that have implemented data security laws has doubled since 2016. (National Conference of State Legislatures, 2019)

It is important that organizations recognize that the security of data should be a concern of everyone in the organization.. There are three keys to a good security posture in an organization: training, communication and cooperation.  For many organizations the first step down this path often starts with self-evaluation of an organization’s attitude towards security and then evaluation of system risk to vulnerabilities. .

Why are Organizations Failing?

The attitude of organization’s management can really have a tremendous impact on the security of the data.  One of the major issues is that organizations often have complacent attitudes about security.

• No one is interested in our data.

Many organizations believe that hackers will not be attacking their systems because they are either too small, not in an industry that hackers care about, or they do not store data hackers would want.  If you look at the reports from the last few years from ITRC, Verizon, and Symantec they all show similar information.  Cyberattacks conducted against small to medium-size businesses are nearly as frequent and often more frequent than those against large businesses.

• A complex password is good enough.

We would hope at this point that all organizations would have at least policies set that force the usage of complex passwords.  Yet that is not enough. Complex passwords can be circumvented.  Often it is through a mix of social engineering and complex malware attacks that hackers can gain the password to a system.  This can become devastating when the same password is used across multiple systems. A breach on one system places data on other systems at risk as well.

• We do not need database security assessments or tests.

If you do not conduct assessments and penetration tests you can not understand where improvements can be made.  Self-evaluations are a good start.  There are many free tools and documented processes to help you evaluate your database security. In addition to self-evaluations, having third-party assessments are invaluable.  Having an extra set of eyes and tests ran will often find areas that need improvement that you might not have considered or have just accepted as a standard.

• Once and done user creation.

Organization staff often have access to the most sensitive data depending on their company role. You can not just create a user, set their privileges, roles and then just forgot about them. Data security needs to include policies and procedures that consider employees leaving a company, changing roles within the company or not actively using a system for an extended period of time.  In this manner you reduce the effects of social engineering and the use of stolen user login information by cyber criminals.

• We patch our systems so we are not vulnerable.

Patching is only a small part of a good security posture.  There are tools and known best practices that can help  organizations protect their systems and reduce risk of data breaches.  There are tools that can help organizations judge benchmark their systems against these best practices.

Security Evaluation

Just as there is no way to have a 100% secure system, there is no way to have 100% data security.  If data security were simple the everyone would do it.  Data security is truly a stepwise progression.  The rest of this paper will provide you a springboard from which you can create your own pathway to a more secure database system.

Identifying Stakeholders

Ideally, the pursuit of data security should be done as part of an overall data governance effort.  If that is the case, then the data stakeholders have probably been identified.  When you are considering the security of the data, you need to involve others.  It would be difficult even within a small organization for one single individual to be able to have all the knowledge needed to secure everything appropriately.  A deep understanding of data location, data governance policies, and data usage is needed.  You can define a data stakeholder as an individual or group that could affect or be affected by data under discussion.

Groups often include:

• Those who interact with the data.
• Those who create or provide data.
• Those who set or enforce the rules and requirements for data.
• Those who provide the applications or tools that provide access to the data.
• Those who control the technology used to store or access the data.

Perhaps the following short list of possible data security stakeholders will help you in generating your own list.

Table 2: Possible data security stakeholders

Getting Expert Help

The purpose of putting together a list of stakeholders is so that they can provide you their expert help.  The expert help is to assist in developing data protection requirements and making sure everyone understands data protection concerns. Here are some basic questions and areas to investigate that you can use as a springboard.

• What data needs protected?
  • Personally Identifiable Information (PII)
  • Supplier data
  • Intellectual property
  • Financial data
• Where is the data located?
  • Live data
  • Archived data
  • Data backups
  • Non-production environments
• Who should be able to access the data?
  • Are there specific roles defined for the users?
  • How roles assigned?
  • What happens when they change roles or leave the organization?
• What regulations govern our industry?
• What data protection laws pertain to our organization?

These should give you a good foundation for creating your own questions.  In researching for resources on data security policies and data governance I found some other resources that might be helpful,

• Review some sample data security polices from Sophos. https://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-example-data-security-policies-na.pdf
• Check out the great example of a data security policy from Bravua Technologies. https://www.bravuratechnologies.com/bravurasite/?page_id=1043

The requirements and decisions made by this group of stakeholders will give the organization a firm foundation.

References:

ITRC. (2019). End-of-Year Data Breach Report [White paper].  Retrieved February 2, 2019, from ITRC https://www.idtheftcenter.org/2018-end-of-year-data-breach-report/

NCSL. (2019). Data Security Laws | Private Sector. Retrieved February 8, 2019, from http://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx

Sheridan, K. (2019). Exposed Consumer Data Skyrocketed 126% in 2018. Retrieved February 8, 2019, from https://www.darkreading.com/attacks-breaches/exposed-consumer-data-skyrocketed-126–in-2018/d/d-id/1333790

Sophos. (2018). SamSam: The [Almost] Six Million Dollar Ransomware [White paper].

Retrieved February 1, 2019, from https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf?la=en

Symantec. (2018). 2018 Internet Security Threat Report. Retrieved February 5, 2019, from https://www.symantec.com/security-center/threat-report

Vijayan, J. (2018). 2018 on Track to Be One of the Worst Ever for Data Breaches. Retrieved January 10, 2019, from https://www.darkreading.com/vulnerabilities—threats/2018-on-track-to-be-one-of-the-worst-ever-for-data-breaches/d/d-id/1333252

Waratek. (2018). Oracle: Apply Out-of-Band Patch for Database Flaw ASAP. Retrieved January 25, 2018, from https://www.waratek.com/oracle-database-server-flaw/