Information Security News: Is your DBA a spy? Don't fall victim to internal security threats

[InfoSec News <alerts () infosecnews org>]

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9004474

By Bert Latamore 
October 27, 2006 
Computerworld

Probably 80% of the threats to corporate data come from outside the 
company walls, but organizations should have those pretty well under 
control today," says Jerald Murphy, senior vice president and director 
of research operations at The Robert Frances Group.

"The 20% of risk that comes from inside the organization -- people doing 
illegitimate things with data they have legitimate access to -- is much 
less well contained," Murphy says. "Consequently, this is one of the 
greatest sources of data security vulnerability -- and one of the 
hardest to defend against -- that organizations face today."

A DBA makes a perfect industrial spy. He has unfettered access to data 
of all kinds, and he spends his days working with and on that data. He 
can easily copy corporate secrets or employee and client personal 
information for nefarious purposes.

However, security violations don't have to be purposeful. An employee 
with legitimate access to sensitive data could download that information 
to a laptop and take it home or on a business trip to work on, or he 
could inadvertently put it into a presentation or business e-mail 
attachment and send it to a legitimate business contact outside the 
company.

Detecting such activities is difficult. At least when an outside 
malefactor exploits a flaw in enterprise defenses, IT usually knows 
something illicit is happening. Employees can steal or accidentally lose 
sensitive data, or, perhaps worse, change it, and no one may know. 
Fortunately, Murphy says, software is available which can help guard 
data from internal threats.

Murphy suggests a four-step program to combat internal security risks:


1. Screen employees for sensitive positions like DBAs to ensure they are 
   honest.

The rigor of those background checks will depend on the degree of risk. 
Also, companies need to create specific policies to protect secrets and 
educate employees in the methods and reasons behind security and of the 
penalties for violations. And employees need periodic reminders and 
refreshers.


2. Pay attention to what DBAs are doing.

This means reviewing log files for suspicious activities. "If a DBA is 
doing a lot of seeks at 11 p.m., for instance, I have to wonder what he 
is doing." Applications from companies like Guardium can monitor 
activity automatically and identify suspicious patterns for manager 
review.


3. Encrypt the data in the database (encryption at rest) as well as when 
   it is sent over the Internet (encryption in motion).

While organizations commonly use virtual private networks (VPN), Secure 
Socket Layer (SSL) and other encryption technologies to protect their 
data on the Internet, many databases themselves remain unencrypted. 
Encryption adds a layer of protection, making it difficult for 
unauthorized individuals to read the data should they succeed at gaining 
access to it.

The leading database engines (Oracle, DB2, etc.) have built-in 
encryption capabilities. Murphy, however, recommends using third-party 
encryption utilities from vendors such as Protegrity or Ingrian Networks 
for two reasons.

First, if the encryption is done by the database engine, the DBA has 
access to the key, and if the DBA is stealing the data, this will not 
stop him.

Second, the keys will be stored in the database, and if they become 
corrupted, data recovery will be difficult. Third-party encryption 
removes the keys from the DBA's purview, allowing the separation of 
responsibilities between database management and security. These 
third-party solutions keep the keys outside the database and have 
sophisticated key management, making recovery simpler should the keys 
become corrupted.


4. Attack information leakage.

"Organizations focus on restricting access to the corporate network from 
exploitations coming in," says Murphy. "They need to pay attention to 
what is going out as well."

Extrusion solutions intercept sensitive data on its way out of the 
corporate network and either prevent it from crossing the corporate 
boundaries or notify a designated individual, such as the corporate 
security officer, of what is being sent to whom by whom. Vontu focuses 
on e-mail, including attachments; Fidelis Security Systems encompasses 
all files. "This is the opposite of a firewall, and it is important for 
catching the mistakes of well-meaning employees that are behind 80% of 
corporate data security breaches."

"Best practice is to look at the total life cycle of the data -- who 
creates it, where it is stored, who uses it and how it is used," says 
Murphy. "The reality is there is no silver bullet for data protection. 
It is one thing to expect IT professionals to adhere to good data 
protection and quite another to try to get every end-user to line up 
behind security policy.

-=-

Bert Latamore is a journalist with 10 years' experience in daily 
newspapers and 25 in the computer industry. He has written for several 
computer industry and consumer publications. He lives in Linden, Va., 
with his wife, two parrots and a cat.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org