Database Primer - Data meets Infosec

Back to Databases...but with a twist of my favorite hobby: cyber security!



Data is the lifeblood of a business, ranging from proprietary data and financial reports to research & development, future plans, and acquisition strategies. Improper database security measures lead to a higher likelihood of data breaches. If data of this kind is leaked, other businesses can leverage it to gain an advantage in the market. Additionally, civil fines and forfeitures may be levied on a business that is found negligent in its security posture when that negligence leads to the leakage of PII, HIPAA-protected records, or other protected data. It may be said that security procedures are a cost center rather than revenue generation. However, it is vital that a business keeps a strong emphasis on cyber security measures to protect its bottom line.

There is no one-size-fits-all solution for security in a database and network environment. Instead, a proper security doctrine should be built on multi-layered (defense-in-depth) methods. Access rights should be kept within the principle of least privilege. Authentication and authorization should be clearly defined and regularly audited to ensure that role creep or unused accounts cannot be leveraged in a privilege escalation attack. Networks should be segmented and isolated through both inner and outer firewalls, with DMZs used wherever appropriate. Hardware and software, including firewalls and routers, should be patched frequently. Data within the network needs to be encrypted with robust encryption standards, both at rest and in transit, following the guidelines set by NIST.

Depending on whether you use a private, public, or hybrid cloud, the responsibility for security may fall on the provider rather than on the owner of the data. Therefore it is imperative to thoroughly research the cloud product’s security options and its historical record of data breaches.

Big data is valuable metadata on customer trends and preferences that can directly inform current and future business maneuvers. However, if that data is leaked, your competitors can use the same information to gain a competitive advantage over your business in the market. Therefore all big data stored within databases should be carefully protected from unauthorized access. As with cloud-based hosting, the storage and security of big data is typically not handled locally and is instead outsourced to larger vendors.

To adapt to these changes, organizations need to decide what data will be stored on premises, which company will collect the appropriate big data, and what data will be stored with a cloud provider. They should research the provider’s service offerings and contractual obligations. They should also look at the service provider’s history regarding data leaks and how it handled them. Lastly, cost should be taken into consideration, both for the rollout of the services and for the potential damages of a data leak.

Businesses, governments, and users should recognize that cybercrime is neither becoming less frequent nor less impactful. Cybercrime has been steadily increasing in frequency, efficacy, and monetary losses (U.S. Government Accountability Office, 2023). These attacks range from ransomware and insider threats to SQL injections, among many other vulnerabilities and exploits. A famous example of how dire a cyberattack can become is the NotPetya ransomware attack, which brought several businesses down across the world in a matter of days, including the global shipping company Maersk, which only just avoided having to completely rebuild its databases (Cybersecurity & Infrastructure Security Agency, 2018). This single attack demonstrates how even the largest, most profitable companies can be dealt a near-catastrophic loss from cybercrime.

Though not as flashy, and by no means a new phenomenon, SQL injection remains one of the more commonly used exploits against databases today (Cybersecurity & Infrastructure Security Agency, 2023). The means of protecting against SQL injection are not profound; they are often overlooked entirely, and that neglect contributes yearly to a large sum of cybercrime losses and lost business profitability. One of the most frequently identified exploited CVEs in 2023, CVE-2021-20016, is rectified by patching the SSLVPN software of the SonicWall SMA100 as well as enabling MFA (SonicWall, 2021). These tactics are not complicated or profound, but their very simplicity is often overlooked, which is why SQL injection is continually reported as a top exploit year after year.
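The defense the paragraph refers to is easy to show in code. The following is an added example (not from the original post and not tied to any product named above) that builds a constructed in-memory SQLite table and looks up a user two ways: once by concatenating the input into the SQL string, and once with a parameterized query. The table, usernames, and roles are all made up for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny users table standing in for a real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Builds the statement by string concatenation, so whatever the caller
    # supplies becomes part of the SQL syntax rather than staying a value.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Parameterized query: the driver passes the value separately from the
    # statement text, so the input can never alter the query's structure.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # A classic tautology string used here purely as a regression test input:
    # the safe function treats it as a literal username and matches nothing.
    probe = "' OR '1'='1"
    print("concatenated:", find_user_vulnerable(conn, probe))  # every row
    print("parameterized:", find_user_safe(conn, probe))       # []
```

The point for an auditor is that the fix is mechanical: every query that embeds user-controlled text should be written in the parameterized form, and a code review or a grep for string-built SQL is a cheap way to find the ones that are not.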

To prevent potential breaches, it is vital to routinely audit your data environment. This includes internal and external penetration testing, routine audits of RBAC configurations, and review of network logs. Reviewing these logs and running penetration tests can be both time consuming and costly. Consideration should be given to automation tools, heuristics-based learning software, and AI to reduce the time, friction, and cost of performing these tasks.
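Two of the audit checks mentioned above (unused accounts, and role creep beyond least privilege) can be automated over a role export. The following added example is not from the original post; it runs over a constructed account inventory and a constructed per-department baseline of expected roles, both invented for the demonstration, and reports dormant accounts, accounts holding roles outside their department's baseline, and disabled accounts that still carry role assignments.

```python
from datetime import date, timedelta

# Constructed sample inventory, shaped like an export from a directory or a
# database role table. Names, departments, and dates are made up.
ACCOUNTS = [
    {"user": "alice", "dept": "finance", "roles": {"fin_read", "fin_write"},
     "last_login": date(2024, 5, 30), "enabled": True},
    {"user": "bob", "dept": "engineering", "roles": {"db_read", "db_admin", "fin_read"},
     "last_login": date(2024, 1, 4), "enabled": True},
    {"user": "svc_reports", "dept": "it", "roles": {"db_read"},
     "last_login": date(2023, 9, 1), "enabled": True},
    {"user": "carol", "dept": "hr", "roles": {"hr_read"},
     "last_login": date(2024, 5, 28), "enabled": False},
]

# Assumed baseline: the roles each department is expected to hold. Anything
# beyond this is a least-privilege exception that needs a justification.
EXPECTED_ROLES = {
    "finance": {"fin_read", "fin_write"},
    "engineering": {"db_read", "db_admin"},
    "it": {"db_read", "db_admin"},
    "hr": {"hr_read", "hr_write"},
}

# Constructed run date so the example is reproducible offline.
AUDIT_DATE = date(2024, 6, 1)


def audit_accounts(accounts, expected_roles, today, dormant_days=90):
    """Return (user, finding, detail) tuples for the accounts that need review."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            # A disabled account that still holds roles regains them instantly
            # if it is ever re-enabled; roles should be stripped on disable.
            if acct["roles"]:
                findings.append((user, "disabled_with_roles",
                                 ", ".join(sorted(acct["roles"]))))
            continue
        if acct["last_login"] < cutoff:
            findings.append((user, "dormant", f"last login {acct['last_login']}"))
        # Role creep: roles held beyond the department baseline.
        extra = acct["roles"] - expected_roles.get(acct["dept"], set())
        if extra:
            findings.append((user, "role_creep", ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for user, finding, detail in audit_accounts(ACCOUNTS, EXPECTED_ROLES, AUDIT_DATE):
        print(f"{user:12} {finding:20} {detail}")
```

Running this against a real export would only change the two inputs; the 90-day dormancy window and the department baseline are the parameters an organization tunes to its own policy.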

Security audits ensure that security measures are both in place and effective. Without regular audits, you may have blind spots: unnoticed vulnerabilities and flaws in the design of the security system. These can range from improper RBAC controls and outdated software to improper employee practices. Audits do not need to be painful, nor do they need to get anyone in trouble; instead they should be about course-correcting and improvement. Further, the more you prepare and the more emphasis you place on proper security measures, the easier and quicker a security audit will be.

As companies move towards technologies such as cloud architecture, big data collection and utilization, and virtualization, they should keep security in mind. When the database is moved to a virtualized cloud environment, is that data encrypted? Are authentication and authorization controls being maintained and monitored? Are there heuristic-learning-based intrusion detection and prevention systems? Who manages the software updates and patch cycles? Can you request penetration tests on the database environment to ensure security compliance is met? Though the data may be in a new, shiny environment, the risks are still roughly the same, even if the risk has been transferred onto a different entity.

References

Cybersecurity & Infrastructure Security Agency. (2018, February 15). Petya Ransomware. Retrieved from CISA: https://www.cisa.gov/news-events/alerts/2017/07/01/petya-ransomware

Cybersecurity & Infrastructure Security Agency. (2023, August 03). 2022 Top Routinely Exploited Vulnerabilities. Retrieved from CISA: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a

SonicWall. (2021, February 3). Vulnerability List. Retrieved from SonicWall: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001

U.S. Government Accountability Office. (2023, June 20). Cybercrime: Reporting Mechanisms Vary, and Agencies Face Challenges in Developing Metrics. Retrieved from U.S. Government Accountability Office: https://www.gao.gov/products/gao-23-106080
