Security concerns today touch virtually every department across the modern business. Many of these concerns centre around the rise of hacking, a threat which has continued to outpace other means of attack by a large margin, and which has grown proportionally alongside today's lucrative information black market. From RAM scrapers to crypto-malware, hacking has spread even more quickly as a wave of copycat innovators join the ranks. This trend has made enterprises, and in particular their relational databases, more vulnerable than ever to an attack. And yet, an examination of how typical organisations invest in security reveals that the database is not a priority. This approach is no longer tenable. It's time for business to secure data where it matters most.
A recent report found that databases are the second most frequently targeted asset in attacks carried out by people inside an organisation, trailing only desktop computers themselves. IT decision-makers in the Independent Oracle Users Group (IOUG) concur, with 58 percent saying that the database represents the greatest security vulnerability. Indeed, the database is becoming an increasingly popular target for hackers carrying out SQL injection attacks, in which attacker-supplied input is embedded as SQL commands within an application's queries in order to retrieve and modify information held in the database. As databases have become increasingly accessible via the network and directly through web applications, they have become more vulnerable to SQL injection attacks than ever before. These types of attacks have seen entire tables of employee and customer records compromised, and have sometimes involved corporate spies posing as employees and inserting themselves into HR databases.
It is surprising, then, that businesses don't prioritise investment in protecting their databases. According to the IOUG survey, the largest proportion of companies (65 percent) invest most heavily in simple network security measures, followed by servers (57 percent) and, finally, the database (56 percent).
What's more, SQL injection attacks are challenging to manage because they are simple for hackers to execute but difficult to prevent. An organisation would have to go through its entire application code base and replace all of its existing vulnerable SQL code in order to fully protect itself. It is perhaps in light of this difficulty that only 38 percent of organisations have taken steps to prevent SQL injection attacks.
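The "vulnerable SQL code" referred to above is almost always a query assembled by pasting user input into the SQL text. The following example is added here to illustrate the point; it is not code from the article or from Oracle. It uses Python's built-in sqlite3 module and a constructed three-row HR table, and places a query built by string concatenation beside the parameterised form that an organisation would replace it with.

```python
import sqlite3

# Constructed sample data for this illustration only (not from the article).
EMPLOYEES = [
    ("alice", "Engineering", "AB123456C"),
    ("bob", "Finance", "CD234567D"),
    ("carol", "HR", "EF345678E"),
]


def build_db():
    """Create an in-memory database holding a small, constructed HR table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (username TEXT, department TEXT, national_id TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def lookup_vulnerable(conn, username):
    """The query is built by concatenation, so the caller's input becomes part
    of the SQL text itself and a quote character in it changes the query's meaning."""
    query = (
        "SELECT username, department FROM employees WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, username):
    """The SQL text and the value travel separately; the driver binds the value,
    so the input is only ever treated as data and never as SQL."""
    query = "SELECT username, department FROM employees WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both variants against the same input and return (vulnerable_rows, safe_rows)."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterised(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate lookup behaves identically in both versions.
    print(compare("alice"))
    # A value containing a quote: the concatenated version returns every row in
    # the table, while the parameterised version finds no user with that literal name.
    print(compare("' OR '1'='1"))
```

The two functions differ by a single line, which is why the fix is conceptually trivial yet expensive in practice: every concatenated query across a code base must be found and rewritten, and a database firewall (discussed next) is the compensating control while that work is under way.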
That said, security strategies do exist that can support database administrators in protecting this most valuable asset. For example, database firewalls that allow database administrators to monitor and block malicious SQL can help to drastically mitigate these types of attacks.
A more proactive approach to data security is also required. All too often, much of the information targeted by attackers is lying around relatively unprotected in test and development environments. For example, developers testing applications in non-production environments typically have access to the same sensitive data used in production: personally identifiable data, financial information, social security numbers and payment cards. If organisations secure applications but leave the databases unguarded, they risk succumbing to application bypass attacks. According to the IOUG study, 71 percent of organisations have no controls in place to prevent such attacks. To help prevent them, application and database security must go hand-in-hand.
As part of this more proactive approach to data security, database administrators should map out where sensitive data exists across the organisation and in all environments; this is no small task in itself when one considers that companies are implementing increasingly large and complex IT systems. In fact, 39 percent of respondents to the IOUG survey admit they could not name all the databases in their organisation that house sensitive and regulated data.
Once a data mapping exercise has been conducted, encryption becomes a crucial line of defence in protecting the valuable information held within the database. It is therefore concerning that only 18 percent of organisations encrypt data at rest in all their databases, and that 51 percent don't even have measures in place to prevent accidental harm to databases or critical applications. Database administrators and security professionals must make encryption a priority if they wish to effectively protect the most vulnerable elements of their IT systems.
Finally, it is crucial for businesses to monitor databases for anomalies that could indicate suspicious activity. This proactive approach is fundamental to spotting and neutralising threats before they have a significant impact on company data. That said, while 48 percent of businesses do have tools to monitor anomalies, only 32 percent do so on a regular, automated basis. Ongoing supervision is critical to database security, and database administrators should make sure they make use of the technologies they have in place to do this regularly.
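Automated anomaly monitoring of the kind described here need not be elaborate to be useful. The example below is added to illustrate it and is not code from the article or from any Oracle product. It assumes a simplified audit log format (ISO timestamp, database user, statement type, rows touched), constructed here for the illustration, and applies two rules that a database administrator might start with: a per-user volume baseline and a business-hours window. Both thresholds are assumptions to be tuned against real activity.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed audit log lines for this illustration (not real data):
# ISO timestamp | database user | statement type | rows returned or affected
AUDIT_LOG = """\
2024-03-04T09:12:01 app_user SELECT 12
2024-03-04T09:13:44 app_user SELECT 8
2024-03-04T10:02:10 app_user UPDATE 1
2024-03-04T11:45:09 app_user SELECT 15
2024-03-04T14:20:33 app_user SELECT 9
2024-03-04T23:41:57 app_user SELECT 48000
2024-03-04T10:30:00 dba_jane SELECT 200
2024-03-04T10:31:12 dba_jane SELECT 180
2024-03-05T02:15:30 dba_jane SELECT 190
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 treated as normal; an assumed window
VOLUME_FACTOR = 20             # more than 20x the user's own median counts as bulk
MIN_HISTORY = 3                # statements needed before a volume baseline is trusted


def parse_log(text):
    """Turn the simplified log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rows = line.split()
        events.append(
            {"ts": datetime.fromisoformat(ts), "user": user,
             "action": action, "rows": int(rows)}
        )
    return events


def detect_anomalies(events):
    """Return (event, reason) pairs for two conditions:
    1. bulk access: a statement touching far more rows than that user's median so far
    2. off-hours access: any statement outside BUSINESS_HOURS
    The baseline is built per user, in time order, from that user's earlier statements."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user_events in by_user.values():
        user_events.sort(key=lambda e: e["ts"])
        history = []
        for e in user_events:
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append((e, "off-hours access"))
            if len(history) >= MIN_HISTORY:
                baseline = statistics.median(history)
                if e["rows"] > VOLUME_FACTOR * max(baseline, 1):
                    findings.append(
                        (e, f"bulk access: {e['rows']} rows vs median {baseline:g}")
                    )
            history.append(e["rows"])
    return findings


def summarise(text):
    """Flatten findings to (timestamp, user, reason) tuples for reporting or alerting."""
    return [
        (e["ts"].isoformat(), e["user"], reason)
        for e, reason in detect_anomalies(parse_log(text))
    ]


if __name__ == "__main__":
    for ts, user, reason in summarise(AUDIT_LOG):
        print(f"{ts} {user}: {reason}")
```

On the constructed log the late-night 48,000-row statement by app_user trips both rules, while dba_jane's habitually large queries are not flagged for volume, only her 02:15 session is reported for timing. That distinction is the point of a per-user baseline: the same row count is normal for one account and alarming for another, and a fixed global threshold would get one of them wrong.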
Building a database security strategy is the first step for a company in ensuring security has been addressed inside out. Even if an organisation's perimeter is breached, by placing security controls around sensitive data, detecting and preventing SQL injection attacks, monitoring database activity, encrypting data at rest and in transit, redacting sensitive application data, and masking non-production databases, organisations can reduce the risk of data exfiltration. While striving to eliminate breaches entirely is an impossible task, organisations can and should stop the exfiltration of sensitive information via the database.
Contributed by Alan Hartwell, vice president security & identity solutions, EMEA, Oracle