To Parse or To Protect: The Database Paradox
Well-managed databases form the backbone of your organization. Storing and protecting the data that flows through your tech stack and informs key decisions is one of the most important jobs in cybersecurity. Malicious actors know precisely how important both your structured and unstructured data is to you, and they are more than willing to exploit this.
Many companies overlook the five major threats facing their database. This, fundamentally, constitutes irresponsible data handling: organizations may be willing to collect and benefit from customer data as they please, but fall at the first hurdle in protecting that data. Failure to uphold the integrity of customer data places not just the company in harm’s way – but also the hundreds or thousands of affected individuals.
Here are the five biggest threats to your database today.
The Privilege Death Spiral
One of the most common database misconfigurations is granting excessive privileges by accident. When employees hold access permissions beyond what their day-to-day role requires, the organization has traded away the first leg of the CIA triad (confidentiality, integrity and availability) in pursuit of the third. Availability is the paradox at the heart of your organization's databases: data only has real value if the organization can share it and act on it, yet the more freely data is shared, the greater the exposure. The principle of least privilege is how you find the balance: each account gets exactly the access its job needs, and that access is reviewed whenever the job changes.
Excessive privilege is one of the defining problems of cybersecurity today, and it was made worse by the Great Resignation, the wave of people who left their roles seeking change after the pandemic. Many organizations handle a role change by simply copying the departing employee's access privileges over to the replacement. It is the fastest and easiest method, and a shockingly poor practice: the incoming employee may lack the experience and skill set to protect the data they now preside over, and in many cases will not have the same scope of responsibilities, leaving a large residue of over-privileged access. Just as common is the account that is never disabled at all, so the departed employee's credentials keep working long after the person has gone.
A culture of over-privilege turns every employee into a ticking time bomb. In 2022 the Lapsus$ extortion group openly advertised payment to insiders at large technology companies, Microsoft among them, in exchange for credentials and initial access. If you don't pay attention to privilege mistakes, attackers certainly will.
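The review that the privilege-copying habit above skips is a mechanical one: compare what each database principal actually holds against what their current role permits, and revoke the difference. The following script is an added example, not code from the original article. The grant rows are constructed to resemble the output of PostgreSQL's information_schema.role_table_grants, and the role policy, the principals and the HR feed mapping people to roles are all hypothetical.

```python
"""Least-privilege audit for database grants (added example).

Compares the (table, privilege) pairs a principal holds against the maximum
set their current role allows, flags the excess, and flags principals that
hold grants but no longer have a role at all (departed employees).
"""
from collections import defaultdict

# Role policy (assumed): the maximum set of (table, privilege) pairs each
# job role should hold. Anything beyond this is excess privilege.
ROLE_POLICY = {
    "support_analyst": {("customers", "SELECT"), ("tickets", "SELECT"),
                        ("tickets", "UPDATE")},
    "billing_dba":     {("customers", "SELECT"), ("customers", "UPDATE"),
                        ("invoices", "SELECT"), ("invoices", "INSERT"),
                        ("invoices", "UPDATE"), ("invoices", "DELETE")},
}

# Constructed grant rows: (grantee, table_name, privilege_type), the shape of
# SELECT grantee, table_name, privilege_type FROM information_schema.role_table_grants
GRANTS = [
    ("alice", "customers", "SELECT"), ("alice", "customers", "UPDATE"),
    ("alice", "invoices", "SELECT"),  ("alice", "invoices", "INSERT"),
    ("alice", "invoices", "UPDATE"),  ("alice", "invoices", "DELETE"),
    ("bob",   "customers", "SELECT"), ("bob",   "customers", "UPDATE"),
    ("bob",   "invoices", "SELECT"),  ("bob",   "invoices", "INSERT"),
    ("bob",   "invoices", "UPDATE"),  ("bob",   "invoices", "DELETE"),
    ("bob",   "tickets", "SELECT"),   ("bob",   "tickets", "UPDATE"),
    ("carol", "tickets", "SELECT"),
]

# Current role of each principal (assumed HR/identity feed). Bob inherited
# alice's billing grants when he took over her desk, but his job is support.
# Carol has left the company and no longer appears in the feed.
CURRENT_ROLE = {"alice": "billing_dba", "bob": "support_analyst"}


def audit_grants(grants, current_role, policy):
    """Return (excess, orphaned).

    excess maps grantee -> sorted list of (table, privilege) pairs that go
    beyond the grantee's role; orphaned is the sorted list of grantees that
    hold grants but have no current role.
    """
    held = defaultdict(set)
    for grantee, table, priv in grants:
        held[grantee].add((table, priv))
    excess, orphaned = {}, []
    for grantee, privs in held.items():
        role = current_role.get(grantee)
        if role is None:
            orphaned.append(grantee)
            continue
        extra = privs - policy[role]
        if extra:
            excess[grantee] = sorted(extra)
    return excess, sorted(orphaned)


def revoke_statements(excess):
    """Render REVOKE statements (PostgreSQL syntax) for the excess grants.
    The names come from the catalog and the policy, not from user input;
    quote identifiers before running this against a real cluster."""
    return [f"REVOKE {priv} ON {table} FROM {grantee};"
            for grantee, pairs in sorted(excess.items())
            for table, priv in pairs]


if __name__ == "__main__":
    excess, orphaned = audit_grants(GRANTS, CURRENT_ROLE, ROLE_POLICY)
    for stmt in revoke_statements(excess):
        print(stmt)
    print("grants held by principals with no current role:", orphaned)
```

Run on a schedule against the real catalog and the real identity feed, the same diff catches both halves of the problem the section describes: grants that were copied wholesale on a role change, and accounts that outlived their owner.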
It goes without saying that databases make attractive targets. Theft of personally identifiable information (PII) is one of the many ways cybercriminals make money, and the underground market for data is thriving. LinkedIn's 2021 incident saw profile data scraped from over 90% of its user base; one collection of that data was put on sale for $7,000 worth of Bitcoin.
With the goal of gleaning profit from widespread breaches, attackers have a few techniques that are worth their weight in gold. SQL injection is the classic attack against traditional relational databases. It abuses a user's legitimate ability to interact with, and retrieve information from, an underlying database. When an app asks a user for input such as a username, that input is used to build a query that returns the relevant records to the end user. If the application splices the input straight into the query text, an attacker can supply SQL syntax instead of a name. A vulnerable application will simply run the resulting statement, which can return every user's information to the attacker, or alter and delete it.
Don't make the mistake of thinking that only traditional databases are vulnerable to this. NoSQL and big-data platforms that build queries in other languages from user-supplied input are susceptible to the same fundamental flaw: untrusted data being parsed as part of the query.
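The two preceding paragraphs describe the injection in prose; the block below shows the vulnerable lookup beside its parameterised fix and runs two classic payloads through each. It is an added example, not code from the original article. It uses Python's built-in sqlite3 module with an in-memory database and constructed user rows so it runs offline; the users table and its columns are hypothetical.

```python
"""SQL injection: string-built query beside its parameterised fix (added example)."""
import sqlite3

SEED_USERS = [  # constructed sample data
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build the in-memory database the example runs against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The bug the article describes: user input is spliced into the SQL text,
    so the database parses attacker-supplied syntax as part of the statement."""
    sql = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: the statement is compiled with a placeholder and the input is
    bound as a value. The payload is compared against the column, never parsed."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Tautology payload: closes the string literal and appends OR '1'='1'.
# Vulnerable query becomes: ... WHERE username = 'nobody' OR '1'='1'
TAUTOLOGY = "nobody' OR '1'='1"

# UNION payload: pulls a different table (here the schema catalog) into the
# result set, with a trailing comment to swallow the application's closing quote.
# Vulnerable query becomes: ... WHERE username = 'x' UNION SELECT 0, name, sql
#                           FROM sqlite_master -- '
UNION_SCHEMA = "x' UNION SELECT 0, name, sql FROM sqlite_master -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, TAUTOLOGY))   # every row
    print("vulnerable, union    :", lookup_vulnerable(db, UNION_SCHEMA))  # schema leaks
    print("safe, tautology      :", lookup_safe(db, TAUTOLOGY))         # []
    print("safe, union          :", lookup_safe(db, UNION_SCHEMA))      # []
```

The parameterised version needs no escaping logic of its own, which is why it is the preferred fix over input sanitisation: the driver sends the value separately from the statement, so there is no string for the attacker to break out of. The same principle applies to the NoSQL case: pass user input as data to the query API, never interpolate it into a query document or filter expression.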
IBM's Cost of a Data Breach Report found that, in 2022, over 30% of data breach incidents were caused by human negligence. This is no surprise, as human error has a long history of causing major disruption, and it played a central role in the infamous 2017 Equifax breach. In the spring of 2017, Equifax was notified by the US Department of Homeland Security about a serious flaw in Apache Struts (CVE-2017-5638), the open-source web framework underpinning the company's mission-critical apps. The IT team failed to apply the fix. They also overlooked a misconfigured traffic-inspection device, whose digital certificate had expired ten months earlier, so the encrypted traffic carrying the attack was never inspected. Together, these oversights allowed an attacker to access Equifax's systems and freely pull financial information from mid-May until the end of July.
Your Own Backups
In the world of database security, it's tempting to set up an automated backup solution and then simply forget about it. The result is a full copy of your most sensitive data sitting completely unprotected. Every control applied to the primary database must also apply to its backups: encryption with keys held outside the backup store, access limited to the accounts that actually perform restores, integrity checks and periodic test restores, and at least one copy that a compromised production credential cannot alter or delete. This matters most when you rely on cloud-based backups, where a single mis-set bucket policy can expose the whole dataset.
The Patching Process
As the Equifax breach shows, the unfortunate reality for database security is that patches always lag vulnerability discovery. In that gap, attackers have free rein to break in and steal vital data. Worse, the widespread reliance on open source packages, whose vulnerabilities are disclosed publicly alongside the fix, lets attackers build easy-to-use exploits that resonate across entire industries. Compounding the struggle are the high workloads and unending backlogs faced by security teams, and the difficulty of finding a maintenance window for an important system. Where a patch cannot be applied promptly, compensating controls (network restriction, web application firewall rules, extra monitoring) should cover the gap, and the decision to defer should be recorded rather than forgotten.
How to Defend Your Database
Though this list appears sprawling and unmanageable, the key component of database security is visibility. You need to know where data is stored and who is accessing it; your attacker needs to stay in the dark, and you need to be able to see them even once they have gained access.
Given the sheer scale of modern databases, and the sprawl of most tech stacks, automated discovery and classification are the way forward. A good security tool will discover every data store, classify what it holds, and rank its risk, so that you are never protecting an inventory you don't know about. Once the data itself is inventoried, your time is freed up to address who is accessing it. Privileges need to be trimmed continuously, starting with high-privilege accounts. Automation helps here too: once you have established what normal behavior looks like for each account (which clients connect, how much data they pull, at what hours), abnormal and malicious actions stand out. Finally, encryption protects data in the event of intrusion, but only if the keys are managed separately from the database itself; encryption whose keys sit beside the data protects against a stolen disk, not a stolen credential.
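The "establish normal, then flag abnormal" step above is worth seeing in working code. The block below is an added example, not code from the original article: it learns a per-account baseline from a constructed database audit log (the line format, timestamp, user, client IP, statement type and rows returned, is hypothetical) and then scores a later day's sessions against it. Row volume is judged with a median and median absolute deviation rather than a mean and standard deviation, so a single huge exfiltration session cannot inflate its own baseline.

```python
"""Baseline-and-flag detection over database audit log lines (added example)."""
import statistics
from collections import defaultdict

# Constructed baseline log, one normal working day: ts user client_ip stmt rows
BASELINE_LOG = """\
2024-03-04T09:01:12 alice 10.0.5.21 SELECT 42
2024-03-04T09:15:40 alice 10.0.5.21 SELECT 37
2024-03-04T10:02:03 alice 10.0.5.21 SELECT 55
2024-03-04T11:40:19 alice 10.0.5.21 SELECT 40
2024-03-04T15:22:51 alice 10.0.5.21 SELECT 48
2024-03-04T09:05:00 bob 10.0.5.30 SELECT 120
2024-03-04T09:45:10 bob 10.0.5.30 SELECT 110
2024-03-04T10:10:33 bob 10.0.5.30 UPDATE 1
2024-03-04T13:00:07 bob 10.0.5.30 SELECT 130
2024-03-04T16:31:44 bob 10.0.5.30 SELECT 125
"""

# Constructed log for the day under review. alice's account pulls the whole
# table from an outside address; bob appears from a new host; dave is unknown.
NEW_LOG = """\
2024-03-05T09:03:21 alice 10.0.5.21 SELECT 44
2024-03-05T23:47:03 alice 203.0.113.9 SELECT 184000
2024-03-05T09:12:55 bob 10.0.5.30 SELECT 118
2024-03-05T14:20:09 bob 10.0.5.31 SELECT 122
2024-03-05T10:00:00 dave 10.0.5.40 SELECT 9
"""


def parse(log_text):
    """Split the whitespace-separated log format into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, ip, stmt, rows = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "stmt": stmt, "rows": int(rows)})
    return events


def build_baseline(events):
    """Per user: the set of client IPs seen, and a robust centre (median) and
    spread (median absolute deviation) of rows returned per statement."""
    rows_by_user, ips_by_user = defaultdict(list), defaultdict(set)
    for e in events:
        rows_by_user[e["user"]].append(e["rows"])
        ips_by_user[e["user"]].add(e["ip"])
    baseline = {}
    for user, rows in rows_by_user.items():
        med = statistics.median(rows)
        mad = statistics.median(abs(r - med) for r in rows)
        # Floor the spread at 1 row so a perfectly uniform history cannot make
        # every later deviation look infinite.
        baseline[user] = {"ips": ips_by_user[user], "median": med, "mad": max(mad, 1.0)}
    return baseline


def detect(events, baseline, k=10.0):
    """Return [(event, reasons)] for events that depart from the baseline.
    k is the number of MADs above the median at which row volume is flagged."""
    alerts = []
    for e in events:
        reasons = []
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("no_baseline_for_user")
        else:
            if e["ip"] not in b["ips"]:
                reasons.append("new_client_ip")
            if e["rows"] > b["median"] + k * b["mad"]:
                reasons.append("row_volume")
        if reasons:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for event, reasons in detect(parse(NEW_LOG), base):
        print(event["ts"], event["user"], event["ip"], event["rows"], reasons)
```

Three of the five reviewed sessions are flagged, each for a different reason, and the two that look like the baseline pass silently. In production the baseline would be rebuilt from a rolling window and keyed by statement type as well as user, and the alert for a new client address would be tuned by network, but the shape of the logic is the same.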
These layers all interlink, acting like chainmail: each requires the strength of the other, to produce flexible yet tough protection for a dynamic, future-facing business.