Every company has data they use to run their business, whether it’s personal data for their employees, customer data, financial details, HR and payroll systems, or web/mobile applications that facilitate their business. No matter what, all companies have critical data.
Knowing that it’s not a matter of “if” an organization will be compromised, but “when”, today’s savvy security leaders are no longer satisfied by just fortifying the network perimeter. Insight is needed at every point in the attack chain, from intrusion to potential data exfiltration. But what they don’t realize, is that they may not be getting a true picture of their database risk.
We spoke to Travis Lee, Director of Product Management at Trustwave to offer guidance on how organizations can take a risk-based approach to database security to better protect their critical data.
Database Threats Organizations Face Today
“Companies will purchase network security, endpoint security, network monitoring, and email gateway solutions to ensure protection,” says Travis, “but the last mile matters when/if an attacker gets in via network credentials, alters a company’s database, downloads data, and exposes it, leading to loss of trust, fines, brand and reputational damage.”
Without focusing on database security, organizations are leaving themselves open to attacks and breaches. This problem is compounded by the fact that most organizations are leveraging the cloud.
Risks and Responsibilities in the Cloud
With companies and different departments increasingly working with multi-cloud environments, cloud-based services, and applications, it’s easy to literally lose sight of how many different databases your organization has. You may also think cloud infrastructure providers are responsible for their own security, which is, according to Travis, a misconception, even when it comes to one of the major cloud platforms (Google, Azure, AWS).
In reality, while the cloud service provider has certain security features, there’s no liability on the part of the cloud provider. Your organization still has the responsibility for ensuring the database is secured.
Not having an accurate and complete inventory
Security leaders can struggle with identifying all the databases their organization are working with and might lack the processes to ensure they’re made aware if and when a department will adopt a new cloud-based service. The marketing team may access a key customer database through a cloud-based email management, the HR team might be migrating away from one payroll system to another, or an application developer may have temporarily copied a production database into a development environment to test their software. Assessing database inventories on a regular basis will help you manage and protect any “rogue” databases.
Once you have a good baseline of your database assets, the next step is to perform regular vulnerability scans to database misconfigurations. Many of the most headline-grabbing breaches of 2019 were due to misconfigurations.
Some databases may not have any security at all or, according to Travis, may have “default passwords or exploitable settings.” If a company is lucky, a security researcher will find and flag one of these misconfigurations so the company can fix it before any real damage is done. However, if an attacker finds it, an organization may not find out until it’s too late.
User rights and permissions
Without full visibility of your database infrastructure, it’s hard to maintain user rights and permissions. That means unauthorized users may have access to your database, whether they’re former employees, contractors, or vendors. Data doesn’t walk off by itself. It takes a compromised, careless or malicious human with elevated access to leak, alter or exfiltrate it. You need to regularly assess the relationships of users and applications and the data objects they have access rights to, so you can limit access to your most sensitive data.
The term "patch gap" refers to the time it takes from when a security patch issued by the manufacturer and when the patch is applied by the user. Databases, like software, require upkeep and constant updating. If you miss a patch or update, you might be missing out on an important fix for a known vulnerability. But with more than 12,000 vulnerabilities discovered in 2019 alone, patching can become an overwhelming security challenge. Companies can reduce their risks by continuously assessing their databases for vulnerabilities and continuously monitoring the assets with unapplied patches for anomalies.
How organizations can reduce database risk
Travis recommends security leaders take an inventory of and classify the databases your organization has based on risk, determine what security measures are needed, leverage permission and access settings, and ensure databases are properly configured, patched and have the right encryption.
As you build a process to tackle database security, remember that visibility is key above all things. You can then prioritize which databases require stricter security measures depending on what sensitive assets they hold. From there, you can build out processes for ensuring no databases are connected to your network without your knowledge.
This is easier said than done and smaller organizations or those with a less mature security posture will have a challenge implementing all these changes. Using a purpose-built database security tool or solution will help you detect, identify, and classify all your different databases so you know the risk associated with each one.
Finding the right tool
A purpose-built database assessment and monitoring solution will help you automate these resource-intensive tasks, such as detecting and identifying your landscape database, and save the time and expense of purchasing and installing costly plug-ins to make a network scanning tool provide you with the necessary database insights. This will help you easily spot your patch gaps and misconfigurations.
Your databases are your last line of defense against cyber-attacks and require a proactive approach to security instead of a reactive one. By taking a risk-based approach to database security, you’ll be able to better protect your company’s data – including your customers’ and employees’ sensitive data.
To learn how Trustwave can help you manage and secure your database on a continuous basis, click here to learn about Trustwave DbProtect, our on-premise and cloud database security platform.