22 February 2016

DoD databases: A prime target for cyberattacks

John Edwards and Eve Keiser, February 18, 2016
Cyberattacks are on the rise, and networked military resources are on the front line of what may someday escalate into an all-out cyberwar.
Databases, storing tactical and various other types of sensitive information, are widely used across the Department of Defense. Yet a growing number of defense technology industry observers, including Oracle CEO Mark Hurd, believe that DoD is misapplying its security resources, prioritizing overall network protection over what has become the prime target of most attackers.
At a recent defense conference, Hurd produced a chart from Oracle’s database division showing that databases are, at 52 percent, the IT layer most vulnerable to attack. The network layer, on the other hand, is the target of only 34 percent of attacks. Databases are far more vulnerable to attack than networks, but only 15 percent of IT layer security resources are allocated to database protection while 67 percent are directed toward network security. Applications and middleware are the least vulnerable IT layers at 11 percent and four percent, respectively. Applications, however, are allocated 15 percent of IT security resources and middleware receives three percent.

Protecting vulnerable targets
Mark Savage, security principal director for Accenture Federal Services, noted that DoD’s security allocations make more sense when viewed from a wide-angle perspective. “Budgets are spent on network, end-point systems and application security because they have to be compromised to reach a database,” he said. “If a database has been compromised, you can be sure that the network services, application brokering the database, and/or insider system with communication access to the database server was hacked first.”

Still, databases generally hold the most sensitive organizational data, which make tempting targets for attackers. “There are multiple tactics cyber criminals use to access this data, whether directly with SQL injections that take advantage of application code vulnerabilities, or simple phishing emails that trick recipients into downloading malware onto their laptops that in turn steal privileged user credentials that attackers then use to penetrate databases and access sensitive data,” said Vipin Samar, Oracle’s vice president of database security.

Once on the network, cyber criminals can directly access data on backups, in nonproduction environments, or access data at third-party data centers where production data is often copied. “Therefore, we must have defense in in-depth layers of security that prevent an attacker from successfully accessing the data,” Samar said. “There is no one security control that can prevent all of the different methods of attack.”

“Passwords and credentials are the main threat access that we’re dealing with now inside the ecosystem,” said retired RDML Michael Brown, a former Navy warfare cryptologist, now vice president and general manager of RSA Global Public Sector. “Part of what I believe to be good practice is to move to multifactor authentication, with two-factor authentication being a good start.”

Database vendors are beginning to understand the need for improved access security, Savage said. “Some databases support the configuration of fine-grained identity models for table/field level authorizations or the use of various access credentials, such as passwords, one-time tokens, digital certifications, biometrics and combinations of credentials.”

According to Samar, inadequate predeployment testing can expose databases to configuration drift related attacks. “Configuration drift occurs over time due to changes and updates to data center software and hardware,” he said. “Inconsistency in patches and databases creates cracks and seams in the database environment that cyber criminals can exploit by, for example, guessing default passwords or hacking unpatched databases.”

Database administrators and other IT leaders need to carefully track all database-related assets and components, Samar said. “This will provide insight into what assets are live, and which require relevant patches and security controls around sensitive data,” he said. “Then, in order to prevent configuration drift and to lock down databases, organizations should use ‘gold’ configurations that consistently take into account appropriate security precautions such as updating default passwords, database comparisons and change history functions.”

Nir Carmel, product director at IBM Security, said timely patching is critical. “Close to 70 percent of breaches target known vulnerabilities, where a patch or a fix would have been able to secure that database,” he explained. “Hackers not only know how to exploit vulnerabilities, but they can exploit unknown vulnerabilities to compromise data sources — known as zero-day attacks.”

Even if the vulnerabilities cannot be patched immediately, it is important to monitor the affected repository — or repositories — for potential attempts at exploiting the vulnerability, he added.

Stopping Leaks

Data leaks also pose a major threat to DoD databases. “We are seeing an increase in the number of worldwide data breaches and an increase in the number of records lost per incident, as well as more and more sensitive data types being exposed,” Samar said.

Yet all data is not equal. “Organizations should start by classifying their database data and assigning priorities to it,” Samar said. Then they should assign layers of security controls proportional to the value of the data.

“This includes preventive measures such as encryption, masking and privileged user controls, as well as detective measures that include database firewalls to monitor and block potential SQL injection attacks and auditing of databases and systems in order to alert and report on suspicious activity,” Samar said. “Database activity monitoring and auditing are key security controls that help find the source of data leaks, as well as record and secure audit trails for proof, follow-up and compliance purposes.”

Separation of duties is another important part of securing sensitive data. “Administrator roles and data access should be defined differently from end-user access,” Carmel said. He noted that massive organizations, such as DoD, have an almost endless number of developers, data scientists and various other types of individuals possessing some level of access to different types of sensitive data.

“You must be able to keep track of all the different roles, via entitlement reporting, and then monitor and control access to sensitive data accordingly. It is also important to watch the watchers — the administrators — just in case their credentials end up being compromised,” he added.

Database and IT security leaders should also be aware of the threat of stolen database backups. “Database backups can be complex, as they usually require additional database or IT personnel to have access rights to implement the administrative tasks,” Carmel said. “Backups should be encrypted to ensure that data cannot be easily stolen and access to backup data should be monitored to avoid unauthorized operations.”

Savage noted that the guidance offered by database vendors and security experts is failing to help organizations keep pace with a growing mountain of rapidly evolving threats. He doesn’t see this situation improving any time soon, meaning that database administrators and IT leaders will have to place even more emphasis on database security, using both best practices and the strongest available security technologies to protect their resources.

“Historically, structured data sources — such as databases — have been viewed as an environment difficult to attack due to proximity from external threats and are complex to comprehend even if reached,” Savage said. “That’s no longer the case, as threats have become more sophisticated.”

No comments: