Although IT teams are beginning to develop advanced strategies to combat emerging cybersecurity threats, it may be wise to shift focus back to the database level and ensure fundamental protections are in place.
"Data security, application security and database security are like pieces of a puzzle – different yet still dependent on one another to reach true completion," explained Dark Reading contributing editor Ericka Chickowski in a recent report. "In order to limit the scope of attacks, developers and database administrators need to acknowledge their roles in the process and work together to ensure that Web applications aren't exposing sensitive databases."
This may sound like an obvious component of a well-thought-out data protection strategy, but companies are still finding it difficult to put policy into practice. Surprisingly enough, a number of significant data breaches in the past year have been the result of hackers discovering treasure troves of sensitive information with simple Google searches.
According to technology journalist Robert Lemos, Groupon subsidiary Sosasta inadvertently placed a database file of 300,000 on publicly accessible servers. By the time the company had been notified, hackers were well on their way to sorting through and exploiting the sensitive customer data. In August, both Yale University and Purdue University suffered similar scandals, compromising the records of approximately 50,000 students in the process.
"Inadvertent misconfigurations by insiders are a common way for data to be placed online, awaiting an opportunistic attacker to find them," Lemos explained in a recent column. "In its 2011 Data Breach Investigation Report, Verizon found that 83 percent of breaches were the result of opportunistic attackers, not specific targeted attacks."
Part of the problem, according to Chickowski, is the continued disconnect between data security teams and individual database administrators. While it may require a bit of humility on both sides, welcoming DBAs into the fold and providing them with both education and accountability can go a long way. By acknowledging the shared responsibility of both sides, and the big-picture implications of organizational security, IT managers may be able to establish common ground to work from.
But before these potentially difficult conversations take place, security officers must make sure adequate technical defenses are already well-established.
IT teams can begin by improving their data segmentation strategies, according to Chickowski. This process of identifying and isolating high-value information should be a part of any organization's risk management, as it allows security administrators to customize and prioritize their data protection mechanisms.
"Medium to large organizations are not segmenting enough," Verizon Business principal Chris Novak told the Dark Reading columnist. "In these organizations, they've got databases spread over offices, campuses and complexes around the globe. And the problem is that if they're not segmenting, then a risk in one place becomes a risk everywhere."
The next step will be to focus on how this data is formatted. A surprising number of companies are still storing their passwords in plain text. While this is understandable for young businesses and those in high-growth modes, according to Chickowski, it could prove a fatal mistake. If and when data is exposed, having hashed and encrypted the passwords beforehand may limit the resulting fallout of the incident.
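To make the plain-text-versus-hashed distinction concrete, here is an added example (not code from the article or from Trend Micro) that takes a constructed two-user credential table stored the risky way and rewrites it as salted PBKDF2-HMAC-SHA256 records, then verifies logins against those records; the iteration count, record format and sample users are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example: a per-user random salt and a deliberately
# slow work factor, so a leaked table cannot be reversed cheaply or via lookup tables.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed sample of the risky layout the article describes: passwords stored as-is.
PLAINTEXT_STORE: Dict[str, str] = {"alice": "correct horse battery", "bob": "hunter2"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    Storing the algorithm and iteration count alongside the digest is what lets a site
    later migrate to a stronger work factor without locking existing users out.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per record: identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or unrecognised record layout
    if algo != "pbkdf2_sha256":
        return False  # refuse anything but the algorithm this verifier implements
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)  # constant-time, no early exit on mismatch


def build_hashed_store(plaintext_store: Dict[str, str]) -> Dict[str, str]:
    """One-off migration: replace every plain-text password with a salted PBKDF2 record."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


if __name__ == "__main__":
    hashed = build_hashed_store(PLAINTEXT_STORE)
    for user, record in hashed.items():
        print(user, record[:60] + "...", verify_password(PLAINTEXT_STORE[user], record))
```

If the hashed table leaks, an attacker holds only salts and slow-to-compute digests, whereas the plain-text table hands over every password directly.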
But even as more organizations recognize the merits of database encryption, few employ best practices. Storing encryption keys on a separate server and using up-to-date algorithms are essential, according to Chickowski, but lack of adherence to these rules may be creating a false sense of data security within a number of companies.
Data Security News from SimplySecurity.com by Trend Micro