If your enterprise customers seem unaware of the dangers to their databases
posed by rogue employees, it might be time to tell them the story of Timothy
Curley.
Employed by American Express as a database administrator; Curley was arrested on
June 24 by the U.S. Secret Service on claims from his former employer
that he and an accomplice stole more than 1,000 customer records in order to
carry out over $1
million in fraudulent activity.
The lesson is obvious. Corporate data stores are extremely valuable. So much
so that even those charged with keeping them safe can be tempted to dip into
the treasure chest. DBAs and similarly privileged users have access to some of
the most concentrated, well-organized and precious collections of data your
customers own.
“I am really surprised we don't hear more about these types of cases,” says
Slavik Markovich, founder and CTO of the
database security vendor Sentrigo, who at the same time says the scarcity of
stories may be understandable—and "frightening"—considering “monitoring
of insiders and privileged users is just in its infancy. It’s really just
started.”
After all, in the case of Curley and his buddy, the cops found crack pipes
and methamphetamine alongside their stash of cloned credit cards. If the
drug-fueled DBA could steal $1 million before being caught, imagine how long
the ones with clear minds are lasting.
In a survey of 400 IT workers conducted earlier this year by Cyber-Ark, 35
percent admitted to accessing corporate information without authorization. More
specifically, in regard to databases 47 percent said that if they moved to
another job they would steal database information to bring with them. And among
all respondents, approximately 75 percent reported that they could circumvent
the controls currently in place to restrict access to internal information.
Cyber-Ark’s data supports estimates from analysts at Forrester Research, who
believe that 70 percent of threats to databases come from within the
enterprise.
“These [internal threats] are often very difficult to detect and block,
largely because of excessive privileges granted to users, users sharing common
log-ins and accounts, and privileged users such as testers, developers and even
DBAs having access to sensitive data,” wrote Noel Yuhanna in a February 2009
report on the state of database security.
Analysts say solution providers have an opportunity to bring all of this
overwhelming evidence to bear on clueless enterprise IT administrators and
line-of-business managers. Now is the time to begin formulating strategies for
implementing controls over the database that include not just the average user,
but also the unchecked super-user, they say.
If you can’t appeal to the customer’s sense for the carrot of security, you
can at least pull out the compliance stick. For example, those organizations
that must comply with PCI DSS standards
could potentially be putting themselves at risk if they are not able to track
privileged user access to databases containing credit card information.
According to VeriSign, which acts as a PCI assessor, more than 70 percent of
organizations that fail their audits are flagged for failing to track and
monitor access to cardholder data.
Regardless of the motivations you try to build awareness, the key is to try,
Markovich says.
“I think the most important thing is awareness,” Markovich says. “The
channel needs to talk with their customers and explain to them that protecting
via firewall or from the outsider is no longer sufficient. You have to be aware
that your database can and—if you don't do anything—will be breached by
privileged users.”
Clearly awareness is a start, but what next?
Yuhanna of Forrester says: “Security professionals should secure databases
starting with strong authentication, authorization and access-control
procedures, and should then use advanced security solutions such as encryption,
auditing, masking and real-time protection.”
