Rogue DBAs: Hidden Inside Security ThreatBy Ericka Chickowski | Print
Analyst and security experts say Timothy Curley, a database administrator accused of $1 million in fraudulent activity, is indicative of insider security threats. Solution providers, they say, need to elevate business awareness about insider threats.
If your enterprise customers seem unaware of the dangers to their databases posed by rogue employees, it might be time to tell them the story of Timothy Curley.
Employed by American Express as a database administrator; Curley was arrested on June 24 by the U.S. Secret Service on claims from his former employer that he and an accomplice stole more than 1,000 customer records in order to carry out over $1 million in fraudulent activity.
The lesson is obvious. Corporate data stores are extremely valuable. So much so that even those charged with keeping them safe can be tempted to dip into the treasure chest. DBAs and similarly privileged users have access to some of the most concentrated, well-organized and precious collections of data your customers own.
"I am really surprised we don't hear more about these types of cases," says Slavik Markovich, founder and CTO of the database security vendor Sentrigo, who at the same time says the scarcity of stories may be understandable—and "frightening"—considering "monitoring of insiders and privileged users is just in its infancy. It’s really just started."
After all, in the case of Curley and his buddy, the cops found crack pipes and methamphetamine alongside their stash of cloned credit cards. If the drug-fueled DBA could steal $1 million before being caught, imagine how long the ones with clear minds are lasting.
In a survey of 400 IT workers conducted earlier this year by Cyber-Ark, 35 percent admitted to accessing corporate information without authorization. More specifically, in regard to databases 47 percent said that if they moved to another job they would steal database information to bring with them. And among all respondents, approximately 75 percent reported that they could circumvent the controls currently in place to restrict access to internal information.
Cyber-Ark’s data supports estimates from analysts at Forrester Research, who believe that 70 percent of threats to databases come from within the enterprise.
"These [internal threats] are often very difficult to detect and block, largely because of excessive privileges granted to users, users sharing common log-ins and accounts, and privileged users such as testers, developers and even DBAs having access to sensitive data," wrote Noel Yuhanna in a February 2009 report on the state of database security.
Analysts say solution providers have an opportunity to bring all of this overwhelming evidence to bear on clueless enterprise IT administrators and line-of-business managers. Now is the time to begin formulating strategies for implementing controls over the database that include not just the average user, but also the unchecked super-user, they say.
If you can’t appeal to the customer’s sense for the carrot of security, you can at least pull out the compliance stick. For example, those organizations that must comply with PCI DSS standards could potentially be putting themselves at risk if they are not able to track privileged user access to databases containing credit card information. According to VeriSign, which acts as a PCI assessor, more than 70 percent of organizations that fail their audits are flagged for failing to track and monitor access to cardholder data.
Regardless of the motivations you try to build awareness, the key is to try, Markovich says.
"I think the most important thing is awareness," Markovich says. "The channel needs to talk with their customers and explain to them that protecting via firewall or from the outsider is no longer sufficient. You have to be aware that your database can and—if you don't do anything—will be breached by privileged users."
Clearly awareness is a start, but what next?
Yuhanna of Forrester says: "Security professionals should secure databases starting with strong authentication, authorization and access-control procedures, and should then use advanced security solutions such as encryption, auditing, masking and real-time protection."