
The Importance of Data Audits

Risky Business: The Importance of Data Audits for Content Security
Sue Marquette Poremba. EContent. Wilton: Oct 2008. Vol. 31, Iss. 8; pg. 32, 5 pgs

Abstract (Summary)
Database security is a serious issue that affects every business or organization, and most IT security personnel state one of the most effective means of database security is good database auditing. There are four key categories to database auditing: server security, database connections, table access control, and restricting database access. The federal government and some industries have begun to realize the severity of database breaches and have begun to institute data privacy regulations. Companies are expected to follow these regulations and are regularly audited to make sure they are properly securing their databases. Despite the regulations and governance councils, companies are slow to respond to the need for better database auditing. Not every data breach is caused by criminal intent, but for every accidental breach, there is a disgruntled employee who is looking for revenge or a crime ring eager to make a few thousand dollars selling the information on the black market.

In early July, a Texas man was arrested for allegedly filing more than 160 false tax returns using the Social Security numbers of University of California-Irvine graduate students. The Social Security numbers were reportedly stolen while the man worked for the Student Resources Department of United HealthCare Services, Inc.

In June, a California man was sentenced to nearly 5 years in prison after he was found guilty of hacking into the protected computer system of his former employer, Council of Community Clinics, multiple times, disabling the backup system and deleting files. (He was angry after receiving a negative performance review.) His actions destroyed personal medical records of patients, putting their lives at risk.

This spring, online mortgage loan marketplace Lending Tree, LLC sent a letter to its customers to inform them of a possible data breach caused by former employees providing passwords and access to personal information to other mortgage lenders.

Even members of the Supreme Court aren't safe from identity theft: Justice Stephen Breyer's personal information was made public when someone in an investment firm used peer-to-peer networking and inadvertently provided a gateway to a database. The breach wasn't discovered for 6 months.

Troubling as they are, these stories are just a few of what seems like a never-ending list of companies experiencing data breaches, which can lead to the theft of information ranging from a customer's Social Security number to a corporation's secret designs for a new product.

A 2007 study of 494 IT security personnel conducted by the Computer Security Institute found that, while the numbers are slowly decreasing, 46% of the respondents said their company experienced a security incident in the past year. Fraud caused, in part, by the loss of customer and proprietary data is the number one reason for financial loss within companies (overtaking computer viruses for the first time).

Database security is a serious issue that affects every business or organization, and most IT security personnel state that one of the most effective means of database security is good database auditing. Too often, however, data is left vulnerable, partly because companies are more concerned with protecting the network from the outside and invest in technologies such as firewalls to prevent attacks. What gets overlooked is that information in a database is more likely to be taken by a current or former employee, often using credentials they were legitimately issued, than by malware coming in from outside.

"Essentially, we are guarding the front door, while the bad guys are walking in the back door," says Rick Kam of ID Experts.

THE DATA TRAIL

In order to ascertain risk, companies must track data usage, which is commonly referred to as database auditing. There are four key categories to database auditing: server security, database connections, table access control, and restricting database access.

Server security limits who can reach the database server at all. Database connections means knowing which accounts and applications connect to a database, and how and when they do so. Table access control dictates what an account may do once connected: which tables it may read and which it may modify. Restricting database access refers to protecting the database from outside sources, such as malware or attackers manipulating queries against an internet-facing database.

Perhaps the biggest breakdown in database auditing is the lack of governance over user accounts. Too often, when an employee leaves a company or even transfers from one department to another, the person's account isn't closed or changed.

In fact, user access is the number one IT security concern among healthcare workers, according to a study taken at the Healthcare Information and Management Systems Society (HIMSS) 2008 Annual Conference and Exhibition by Courion Corp. Of the 136 people questioned, 64% cited access as their main security issue, while 60% were concerned about passwords being shared between personnel and 52% admitted that orphaned accounts were not properly disabled.

While providing doctors, nurses, and other caretakers easy access to the data they need improves patient care, Kurt Johnson, vice president of corporate development at Courion, adds, "It also opens a whole new concern in the organization to exactly who has access to this information."

There are three phases to a database audit, according to Robert Grapes, chief technologist with Cloakware's data center. "There's the upfront work, the tactical things to be done day-by-day, and the post-forensic or the real audit of what happened on the system," he explains.

The upfront phase involves password issues and who has access to accounts. "While a lot has been done to address password management from an engineering standpoint, we're finding that very little has been done to correct password issues for human administrators who need access to the database," Grapes continues.

Up front, then, the task is to establish exactly who has access to each database and to audit that list regularly, so that every account with access is known and accounted for.

Automated software handles the daily tactical work. This can include closing a person's access to the network or changing the fields an employee may access when job duties change. The software also dictates when passwords must be changed.

After applications have been run and the database logs have been recorded for the day, the audit itself occurs. Software, such as Grapes' Cloakware, can be used to record every time data was manipulated or a password changed. This record should then be verified on a regular basis to make sure the people working with the database were authorized to do what the log shows they did.
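The two checks described above, reconciling who holds an account against who should (the orphaned-account problem raised in THE DATA TRAIL) and verifying a day's log against what each account was authorized to do, can be scripted. The following is an added example and is not code from the article, Cloakware or Courion; the HR roster, account list, role policy and log lines are all constructed for it, and the key=value log format is hypothetical.

```python
"""Reconcile database accounts with the HR roster and review a day's audit log.

Added example, not code from the article, Cloakware or Courion. The roster,
account list, role policy and log lines are constructed for the example and
the key=value log format is hypothetical. The review produces the findings a
daily check of the kind described above should surface: accounts left enabled
after their owner left, activity by such accounts, access outside a role's
allow-list, writes by read-only roles, and one account used from several hosts
(a sign of a shared password).
"""
import re
from collections import defaultdict

# Constructed HR roster: what HR says today.
HR_ROSTER = {
    "asmith": {"status": "active", "dept": "billing"},
    "jdoe": {"status": "terminated", "dept": "records"},
    "rlee": {"status": "active", "dept": "records"},
    "mchan": {"status": "active", "dept": "it"},
}

# Constructed DBMS account list: what the database actually has.
DB_ACCOUNTS = {
    "asmith": {"enabled": True, "role": "billing_ro"},
    "jdoe": {"enabled": True, "role": "records_rw"},  # left the company, never disabled
    "rlee": {"enabled": True, "role": "records_rw"},
    "mchan": {"enabled": True, "role": "dba"},
    "svc_etl": {"enabled": True, "role": "dba"},  # service account with no HR owner
}

# Hypothetical role policy: tables a role may touch and whether it may write.
ROLE_POLICY = {
    "billing_ro": {"tables": {"invoices", "customers"}, "write": False},
    "records_rw": {"tables": {"patients", "visits"}, "write": True},
    "dba": {"tables": {"*"}, "write": True},
}
WRITE_ACTIONS = {"INSERT", "UPDATE", "DELETE", "DROP"}

# Constructed audit log for one day, in a hypothetical key=value format.
AUDIT_LOG = """\
2008-06-12T08:02:11 user=asmith src=10.1.4.20 action=SELECT table=invoices rows=40
2008-06-12T08:15:43 user=asmith src=10.1.4.20 action=SELECT table=patients rows=300
2008-06-12T09:10:05 user=jdoe src=203.0.113.9 action=SELECT table=patients rows=5000
2008-06-12T09:12:30 user=rlee src=10.1.7.3 action=UPDATE table=visits rows=1
2008-06-12T11:40:00 user=rlee src=10.1.7.88 action=SELECT table=visits rows=12
2008-06-12T13:05:17 user=asmith src=10.1.4.20 action=DELETE table=invoices rows=2
2008-06-12T14:22:09 user=svc_etl src=10.1.9.1 action=SELECT table=patients rows=100000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>[A-Z]+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def orphaned_accounts(roster, accounts):
    """Enabled database accounts with no active owner in the HR roster."""
    return sorted(
        user for user, acct in accounts.items()
        if acct["enabled"] and roster.get(user, {}).get("status") != "active"
    )


def review(roster, accounts, policy, log_text):
    """Return (kind, user, detail) findings for the account list and the log."""
    findings = []
    orphans = set(orphaned_accounts(roster, accounts))
    for user in sorted(orphans):
        findings.append(("orphaned_account", user, "enabled but no active owner"))

    hosts = defaultdict(set)  # user -> source addresses seen today
    for ev in parse_log(log_text):
        user, table, action = ev["user"], ev["table"], ev["action"]
        hosts[user].add(ev["src"])
        if user in orphans:
            findings.append(("orphan_activity", user, f"{action} on {table} at {ev['ts']}"))
        acct = accounts.get(user)
        role = policy.get(acct["role"]) if acct else None
        if role is None:
            findings.append(("unknown_account", user, f"{action} on {table}"))
            continue
        if "*" not in role["tables"] and table not in role["tables"]:
            findings.append(("table_out_of_scope", user, f"{action} on {table}"))
        if action in WRITE_ACTIONS and not role["write"]:
            findings.append(("write_by_readonly_role", user, f"{action} on {table}"))

    for user, srcs in sorted(hosts.items()):
        if len(srcs) > 1:
            findings.append(("multi_host_use", user, f"seen from {sorted(srcs)}"))
    return findings


if __name__ == "__main__":
    for finding in review(HR_ROSTER, DB_ACCOUNTS, ROLE_POLICY, AUDIT_LOG):
        print(*finding, sep="  ")
```

On the constructed data the review flags jdoe and svc_etl as orphaned (one terminated, one with no owner at all), jdoe's and svc_etl's reads of the patients table as orphan activity, asmith's read of patients as out of scope for the billing role and asmith's DELETE as a write by a read-only role, and rlee's use from two hosts as a possible shared password. The reconciliation step is the part most organizations skip: without an authoritative roster to compare against, a log review cannot tell an orphaned account's activity from anyone else's.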

Unfortunately, financial issues often drive database auditing best practices. It costs money to manage thousands of passwords, Grapes says, yet password management is the best way to protect data.

"Automating the process can improve the security profile," he says. Software, for example, can produce new passwords but not release the new code until the user is ready to log in.

However, if the funds don't exist for automated auditing software, there is a relatively low-tech way to protect database information: make sure that no single person holds sole control of the database, so that privileged actions can be reviewed by someone other than the person who performed them. Too often, companies assign all control to one person, and there are no checks and balances in place.

"In San Francisco recently, a guy was able to lock out an entire system," Grapes says, "and that scenario is not uncommon. One person has all the privileges, like the fox protecting the hen house, and in this case, the fox is able to set up new accounts. Financial institutions are worried about this."

PRIVACY PLEASE

The federal government and some industries have begun to realize the severity of database breaches and have begun to institute data privacy regulations. They include best practice requirements and industry guidelines regarding usage of and access to customer data. Financial institutions are currently regulated by the Gramm-Leach-Bliley Act (GLBA), which requires the protection of nonpublic personal data while in storage and mandates a variety of access and security controls. The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants who accept credit cards follow certain standards of security protection for consumers. The Sarbanes-Oxley Act of 2002 is a congressional response to the Enron and similar accounting scandals and establishes new and enhanced standards for publicly held companies. Perhaps the best-known privacy effort is the Health Insurance Portability and Accountability Act (HIPAA), which is meant to further protect patient information as more medical records are shared via electronic means.

In addition, the IBM Data Governance Council was formed to create best practices around risk assessment and data governance. The IBM Data Governance Council is an industry group comprising about 50 members representing financial companies such as American Express, Deutsche Bank, Citibank, MasterCard, and others.

Companies are expected to follow these regulations and are regularly audited to make sure they are properly securing their databases.

"IT security is a strategic part of the company, but business people haven't recognized that yet," explains Steve Adler, chairman of the IBM Data Governance Council. "We think that the current methods used for calculating risk need to be automated and a normal part of business."

He says that every individual in an organization needs to be aware of the security risks, which is not usually the case. "There are many people who work in the IT department who are unaware of the security strategy," he says. "There needs to be more operational awareness."

Despite the regulations and governance councils, companies are slow to respond to the need for better database auditing. For example, the PCI DSS had a June 30th deadline requiring that web application security testing be upgraded from a best practice to mandatory compliance, yet IT security firms helping with this transition say that only a handful of firms were prepared to meet the requirement, despite being notified of this requirement in 2006.

Rick Kam blames the inefficient database auditing on the natural disconnect between what the executive teams think they are doing for security and what's really happening in the IT and privacy offices.

"There's a tendency to compartmentalize functions," Kam says, "and this has provided easy opportunities to steal information."

THINK LIKE A THIEF

One thing Kam recommends is for organizations to think like a bad guy when protecting data. "We think very differently from crooks," he says. "We think, 'how would a rational person break into the system,' and we invest heavily to protect where we think the vulnerabilities lie. The problem is, the crooks don't view it the same way and will find other ways to access the information they want."

What the company can do instead, Kam says, is bring in a person who can look at database security from a different perspective, such as an auditor hired to investigate fraud risks.

Good training is another vital step toward database auditing. Too often, Kam explains, a person may detect potential fraud early on, such as improper access to certain information, but then not know what steps to take to stop the breach.

Kam has three tips for putting a database-auditing plan into action:

1. Do an information security assessment.

2. Have an up-to-date incident response plan. "Most companies have information security plans and disaster recovery plans, but when they have to respond to lost or stolen information, they scramble like crazy," Kam says.

3. Have an insurance policy to cover the risk. "You have insurance policies to cover employee accidents or other financial loss," he adds. And with nearly half of all companies experiencing a database violation or theft of information, it makes sense to be prepared to cover the costs involved.

Of course, contrary to popular belief, data theft has been around as long as there has been data to steal, and criminals still use low-tech methods, such as stealing mail with personal checks inside or recording credit card information during a restaurant transaction. Computers and the internet have simply provided the bad guys with access to more information stored in one place.

SEPARATE, NOT EQUAL

For that reason, Yuval Ben-Itzhak, CTO of Finjan, Inc., says it is important to segment the data. Many users may share access to a single database, but each application, and each person using it, should connect with a specific credential that reaches only the information that job needs.

"The majority of data breaches happen because most applications provide access to all the information in the database," he says. "But once you segment the data, even if it is compromised, the hacker will have limited access to the information."

Encryption is another important and often overlooked tool, he says. Good encryption tools will make information from a violated database useless to a cyber criminal.

Ben-Itzhak suggests companies be creative when it comes to the way they create their databases too. "There's no reason to have all customer data or medical records in one place that's easy to access," he says. Providing different avenues to access the data will better protect it.

He also disagrees with those who say that the costs of better database auditing prohibit companies from making changes. Instead, he says, these practices should be included as the database is being built, that companies need to plan for better security from the get-go. "You don't need to buy other products," he says. "It's a design issue. The developers aren't educated in how to provide security; their job is to provide functionality. And in ignoring security in the design, it becomes a playground for hackers."
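The segmentation Ben-Itzhak describes, and the "table access control" category from THE DATA TRAIL, come down to the same design decision: each application connects with its own credential and can reach only the columns it needs. The following is an added example, not code from the article, Finjan or any database vendor. It uses SQLite's authorizer hook (sqlite3.Connection.set_authorizer in the Python standard library) as a stand-in for the per-application roles, GRANTs and views a server DBMS would use; the customers table, the two applications and their allow-lists are constructed for the example.

```python
"""Per-application, column-level segmentation of one shared table.

Added example, not code from the article, Finjan or any database vendor. Each
application gets its own connection whose authorizer callback is consulted
when a statement is compiled, so an application can read only the columns its
job needs and can change nothing. The customers table, the two applications
and their allow-lists are constructed for the example.
"""
import sqlite3

# Shared in-memory database; the admin connection returned by build_database()
# must stay open or the database disappears.
DB_URI = "file:segmentation_demo?mode=memory&cache=shared"

# Hypothetical per-application allow-list: table -> columns the app may read.
# Neither application is allowed to read ssn.
APP_POLICY = {
    "billing": {"customers": {"id", "name", "card_last4"}},
    "support": {"customers": {"id", "name", "email"}},
}

# Constructed records.
CUSTOMERS = [
    (1, "Ann Rivera", "ann@example.com", "000-00-0001", "4242"),
    (2, "Bo Larsen", "bo@example.com", "000-00-0002", "1881"),
]


def build_database():
    """Create and populate the table; returns the admin connection (keep it open)."""
    admin = sqlite3.connect(DB_URI, uri=True)
    admin.execute("DROP TABLE IF EXISTS customers")
    admin.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, ssn TEXT, card_last4 TEXT)"
    )
    admin.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    admin.commit()
    return admin


def make_authorizer(app):
    """Authorizer callback enforcing APP_POLICY[app]; default is deny."""
    policy = APP_POLICY[app]

    def authorize(action, arg1, arg2, dbname, source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK  # compiling a SELECT / calling a built-in function
        if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column ('' or None for COUNT(*))
            allowed = policy.get(arg1)
            if allowed is not None and (not arg2 or arg2 in allowed):
                return sqlite3.SQLITE_OK
            return sqlite3.SQLITE_DENY  # out-of-scope table or column: statement fails
        return sqlite3.SQLITE_DENY  # INSERT/UPDATE/DELETE/DDL/PRAGMA: never allowed

    return authorize


def open_for_app(app):
    """Open the application's own connection with its policy attached."""
    conn = sqlite3.connect(DB_URI, uri=True)
    conn.set_authorizer(make_authorizer(app))
    return conn


def run(conn, sql, params=()):
    """Execute sql; returns the rows, or 'denied: ...' when the policy blocks it."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError as exc:  # SQLite reports 'not authorized'
        return f"denied: {exc}"


if __name__ == "__main__":
    admin = build_database()
    billing, support = open_for_app("billing"), open_for_app("support")
    print(run(billing, "SELECT name, card_last4 FROM customers"))  # rows
    print(run(support, "SELECT name, email FROM customers"))  # rows
    print(run(billing, "SELECT * FROM customers"))  # denied: * expands to ssn
    print(run(support, "SELECT name FROM customers WHERE ssn = ?", ("000-00-0001",)))  # denied
    print(run(billing, "UPDATE customers SET card_last4 = '0000'"))  # denied
```

Two details matter for the segmentation to hold. First, the check runs when the statement is compiled, so a hidden column is blocked whether it appears in the select list or only in a WHERE clause; filtering on ssn is as much a read as returning it. Second, the policy is attached to the application's own connection rather than toggled on a shared one, so a statement cached for one application can never run under another's policy. Returning SQLITE_IGNORE instead of SQLITE_DENY for a read would silently substitute NULL for the column; failing loudly is preferable, since a denied statement is something the daily log review should see.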

He also recommends frequently checking the information that is in the database. If a customer's information hasn't changed within a specified period of time, it should be considered outdated and removed. "You can't focus on just one element of database auditing," he adds, "or you will end up with a weak link in your security efforts."

COMMUNICATING THE RISK

Customers understand the risks involved when it comes to database breaches, and reports of a breach affect their relationship with the company. According to a study conducted by the Ponemon Institute and issued by ID Experts, nearly one-third of consumers notified of a security breach terminate their relationship with the company.

"We found that most people do care about security breach notifications and are concerned," says Larry Ponemon, founder of the Ponemon Institute. "And their concerns are identity theft, financial losses, and the inconveniences that the breaches cause."

Not every data breach is caused by criminal intent, but for every accidental breach, there is a disgruntled employee who is looking for revenge or a crime ring eager to make a few thousand dollars selling the information on the black market. Smart companies realize their reputations and their financial growth depend on ongoing database security.
