Deadbolts for databases

As if federal security managers didn’t have enough trouble sleeping, now they have to worry about the health and well-being of their databases. For years, agencies reasoned that if they kept intruders outside the firewalls by buttoning up their networks, everything inside remained safe. But a series of high-profile database breaches in the last couple of years have shown the danger of this reasoning.

Last year, up to 40 million credit card records maintained by CardSystems Solutions were exposed to hackers. Reminding federal officials that such attacks are not limited to financial services firms, the Defense Department reported in April that an intruder infiltrated one of its servers and riffled through the confidential health insurance records of more than 14,000 people.

Why the interest in hacking databases? That’s “where the gold is,” said Ted Julian, vice president of strategy and marketing for Application Security Inc. (AppSecInc), a database security tools vendor. “Why bother with other parts of the infrastructure if in the database you can get it all?”

But experts worry that the security features that come standard with database management systems (DBMS) don’t do enough to protect against today’s data thieves.

“The basic database measures are not good enough,” said Noel Yuhanna, lead database analyst at Forrester Research. “You need advanced security to protect your private data. [Database management systems] are not sophisticated or intelligent enough.”

For many organizations, the answer is third-party tools that work directly with a DBMS to provide custom vulnerability assessment, intrusion detection and prevention, data monitoring, and auditing capabilities.

Hackers aren’t the only reason federal agencies want tighter database security. Insiders with valid authorization can also succumb to the temptation to sell private information.

“Pretty consistently over the last eight years, data theft has shown itself to be an insider problem,” said Adrian Lane, chief technology officer at IPLocks, a security tool provider. “It’s insider threats that are really driving security purchases nowadays.”

Adding to concerns are security holes inadvertently opened by third-party contractors and suppliers. To facilitate closer business collaboration, agencies routinely use virtual private networks to connect employees at private companies to agency contacts. But vulnerabilities in partner networks can unintentionally provide a hidden door for cyberthieves to enter federal systems.

Regulations add to database worries
On top of security worries, managers also grapple with mountains of regulations, ranging from those mandated by the Federal Information Security Management Act (FISMA) to health care privacy laws, notably the Health Insurance Portability and Accountability Act (HIPAA). The regulations require auditing of best practices and regular reports about database activity.

According to a 2005 survey of federal chief information security officers by systems integrator Intelligent Decisions, federal security officers spent 23 percent more time than the previous year on compliance reporting for FISMA.

Add-on security tools address both DBMS security shortcomings and compliance burdens. Although the native controls of a DBMS can keep unauthorized people away from sensitive information, they do little to control what happens once someone gains entry. An untrustworthy insider or the recipient of a stolen password could easily copy all the personal financial files held in an accounting database without raising concerns. A third-party intrusion-detection tool comparing the activity against agency best practices could alert security officers to the anomalous act. Add-on auditing software would also record the relevant times, dates and computers used in the activity.

Other advantages of add-on tools include separation of administrative and auditing duties, a requirement spelled out in FISMA rules. Under those regulations, the system that audits the changes being made to the database can’t be managed by the same people who have privileged access to the database. The intent is to prevent a database administrator from covering up intrusions.

“If you are using the native auditing functions of a DBMS, all of the information gets stored in the database itself, and anybody with privileged access to that database can then go in and change it,” said Phil Neray, vice president of Guardium, another tool vendor.

Finally, instead of learning and managing a number of discrete tools from each of the systems within a large agency, a single third-party management console can direct and audit a mix of databases from IBM, Microsoft, MySQL, Oracle, Sybase and others.

The opportunity to obtain all of these capabilities within a single suite of products was a prime selling point for Dennis Heretick, chief information security officer for the Justice Department, when he purchased security software from AppSecInc.

“Our philosophy is one of building security into the operational process and building our validation testing into the implementation process,” he said. “Tools such as AppDetective allow you to look for vulnerabilities in the [database] application and then verify that we have corrected them. And then the feedback to oversight folks is a copy of the results so they can see our progress in reducing vulnerabilities.”

Because of the range of tool choices, managers need to understand the role of each module to match the right technologies with their organization’s needs.

Start with vulnerability assessments
Vulnerability assessment tools create a baseline portrait of the database and surrounding IT infrastructure to help monitoring software spot atypical activity and provide a point of comparison for application directories and files. The assessments also can expose existing vulnerabilities, such as overly broad access privileges, outdated user accounts and easily cracked passwords.

They provide an inventory of databases, sometimes highlighting ones set up unilaterally by individual departments without the knowledge of IT managers. Once it completes an assessment, the tool should be able to create a graphical representation of the database environment, so managers have an easy way to see all the database servers and the people who access them.

Experts say the first consideration when shopping for an assessment tool is platform support. Since large agencies typically run database management systems from a range of vendors, the tools must support not only current implementations but any that might be added in the future. Also, because each DBMS offering has particular vulnerabilities, such as the Oracle Voyager or SQL Slammer worms, prospective vendors should be able to demonstrate timely updates for identifying new vulnerabilities.

Intrusion detection spots the infiltrator
Systems that detect and prevent intrusions provide ongoing monitoring of database activities to alert managers when unauthorized accesses or unusual usage patterns arise. For example, if a service representative with valid database access privileges suddenly starts viewing many more records a day than normal, the system may send an e-mail alert to a security officer.

Most systems can also be set to take preventive action automatically, such as blocking transactions, in addition to passively sending alerts. However, Yuhanna said many managers still aren’t comfortable with the proactive approach because they fear false alarms. “The maturity level [of the tools] is still evolving,” he said. As they evolve for database protection in the next couple of years, more organizations will use automated responses, he said.
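The "many more records a day than normal" case above is the simplest form of the behavioural detection these tools perform. The following is an added illustration of that check, not code from any product named in this article: it builds a per-user daily baseline from a week of constructed audit lines, then flags a later day whose volume is far above that user's own norm. The log format, user names, dates and row counts are all constructed for the example.

```python
"""Baseline-versus-current volume check for a user's record access.

Added illustration, not code from any product the article names. The log
format, user names, dates and row counts below are all constructed.
Each line: <date> <user> <statement type> <table> rows=<rows returned>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit lines: a week of normal activity for two users,
# then one day on which jsmith pulls far more records than usual.
SAMPLE_LOG = """\
2006-05-01 jsmith SELECT customers rows=140
2006-05-02 jsmith SELECT customers rows=155
2006-05-03 jsmith SELECT customers rows=132
2006-05-04 jsmith SELECT customers rows=148
2006-05-05 jsmith SELECT customers rows=151
2006-05-08 jsmith SELECT customers rows=2900
2006-05-01 rchen SELECT customers rows=80
2006-05-02 rchen SELECT customers rows=95
2006-05-03 rchen SELECT customers rows=88
2006-05-04 rchen SELECT customers rows=91
2006-05-05 rchen SELECT customers rows=84
2006-05-08 rchen SELECT customers rows=97
"""

# The days used to build each user's "normal" daily volume (constructed).
BASELINE_DATES = {"2006-05-01", "2006-05-02", "2006-05-03", "2006-05-04", "2006-05-05"}


def parse_lines(text):
    """Yield (date, user, statement, table, rows) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].startswith("rows="):
            continue
        try:
            rows = int(parts[4][len("rows="):])
        except ValueError:
            continue
        yield parts[0], parts[1], parts[2], parts[3], rows


def daily_totals(text):
    """Return {user: {date: rows viewed that day}} for SELECT statements only."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, user, statement, _table, rows in parse_lines(text):
        if statement == "SELECT":
            totals[user][date] += rows
    return totals


def flag_anomalies(text, baseline_dates=BASELINE_DATES, sigma=3.0, min_ratio=3.0):
    """Alert on days where a user's volume is far above that user's own baseline.

    Two thresholds must both be exceeded: a z-score above `sigma` (statistical
    surprise) and a volume more than `min_ratio` times the baseline mean
    (material size). The second keeps a very flat baseline from raising an
    alert on a small blip, which is the false-alarm problem managers cite.
    """
    alerts = []
    for user, per_day in daily_totals(text).items():
        base = [per_day[d] for d in sorted(baseline_dates) if d in per_day]
        if len(base) < 3:
            continue  # not enough history to say what "normal" is for this user
        mu, sd = mean(base), pstdev(base)
        for date in sorted(per_day):
            if date in baseline_dates:
                continue
            rows = per_day[date]
            if sd == 0:
                z = float("inf") if rows != mu else 0.0
            else:
                z = (rows - mu) / sd
            if z > sigma and rows > min_ratio * mu:
                alerts.append({"user": user, "date": date, "rows": rows,
                               "baseline_mean": round(mu, 1), "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for a in flag_anomalies(SAMPLE_LOG):
        print(f"ALERT {a['user']} on {a['date']}: {a['rows']} rows "
              f"(baseline mean {a['baseline_mean']}, z={a['z']})")
```

On the constructed data only jsmith's 2,900-row day is reported; rchen's 97 rows on the same day sits within that user's normal range. A production tool would key the baseline on more than raw row counts (tables touched, time of day, client address), but the shape of the decision is the same: compare each user against their own history, and require the deviation to be both statistically and materially large before paging anyone.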

Monitoring and audit tools complete the suite
The Database Security Technical Implementation Guide (STIG), a compendium of security advice for DOD released by the Defense Information Systems Agency late last year, recommends regular database monitoring to catch unauthorized modifications to records and signs of Trojan horse software or other malicious code. In addition, monitoring tools should screen for unauthorized activities such as illegal scripts that siphon information out of the database.

Monitoring tools should provide a drill-down capability so that managers can analyze detailed activity in each database. For example, a manager could see when someone at a computer with a particular IP address is inserting a table into a database and decide whether security policies are being followed.

Such tools should also create graphical displays of security metrics and track security strategies to demonstrate improvements to FISMA and other auditors.

For regulatory compliance, auditing tools should keep records of changes to database entries. According to STIG, such tools should at a minimum trace the creation, alteration and deletion of database accounts and objects, as well as related storage issues. The guidelines also stipulate keeping a close watch on actions by database administrators, including when they start up, shut down, back up, archive and collect performance statistics about databases.

Because of the large amount of information auditing tools collect, they should offer reporting and data analysis tools that let organizations easily write queries to address specific auditing questions.

“Many vendors will say they do auditing, but all they do is store these huge log files that are essentially successive text entries, so poring through those files looking for a pattern is not anywhere near the same thing as a database query” tool, Neray said.

He added that auditors now routinely ask database administrators and IT managers to produce new types of reports, including rundowns of all privileged-user activities.

“Government organizations especially can’t afford to hire people to generate these additional reports, so automated report generation is one of the key functions that these solutions provide,” Neray said.

Automated reporting can track everyone who accessed sensitive tables in the database or who accessed Social Security numbers. The auditing system can create the reports and distribute them electronically to the appropriate oversight officials.

Finally, Lane said, auditing tools should be able to call out the use of “select statements,” which are instructions to the database that allow people with privileged access to view the actual content within database records. Misuse of this capability can expose sensitive information to untrustworthy parties.

“Organizations don’t mind if the database administrators are altering a table or performing some sort of work order, but they shouldn’t actually be looking at the contents of the data within the table,” Lane said. “So keeping a record of all the select statements that are issued by [database administrators] is a very important activity.”
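The STIG items listed earlier (creation, alteration and deletion of accounts and objects, administrator start-up and shut-down actions) and Lane's point about select statements issued by administrators can be served by one classifier over the audit trail. The following is an added illustration, not code from any vendor in this article: it parses constructed audit records, sorts each statement into an audit class, produces the privileged-user rundown auditors ask for, and rates a DBA's SELECT as high severity when it reads a table holding personal data. The record format, account names, table names and SQL are constructed, and the statement patterns are deliberately simplified rather than a full SQL parser.

```python
"""Classify database audit records and single out privileged SELECTs.

Added illustration; the log format, account names, table names and SQL are
all constructed, and the statement patterns are simplified, not a vendor's
parser. Each record: <timestamp>|<db account>|<client ip>|<statement>
"""
import re
from collections import Counter

# Constructed: accounts with DBA-level privilege, and tables that hold
# personal data (Social Security numbers, salaries).
DBA_ACCOUNTS = {"dba_ops", "sys"}
SENSITIVE_TABLES = {"employees", "payroll"}

SAMPLE_AUDIT = """\
2006-05-08 09:12:01|dba_ops|10.1.2.30|ALTER TABLE payroll ADD COLUMN cost_center VARCHAR(8)
2006-05-08 09:15:44|dba_ops|10.1.2.30|SELECT ssn, salary FROM payroll WHERE dept = 'HR'
2006-05-08 09:20:10|dba_ops|10.1.2.30|CREATE USER temp_contractor IDENTIFIED BY placeholder
2006-05-08 10:02:19|hr_app|10.1.5.12|SELECT name FROM employees WHERE id = 42
2006-05-08 10:30:00|dba_ops|10.1.2.30|DROP TABLE scratch_import
2006-05-08 11:00:00|sys|10.1.2.31|SHUTDOWN IMMEDIATE
2006-05-08 11:05:00|dba_ops|10.1.2.30|SELECT COUNT(*) FROM scratch_log
"""

# Statement classes an audit tool is expected to trace.
ACCOUNT_RE = re.compile(r"^\s*(CREATE|ALTER|DROP)\s+USER\b", re.I)
OBJECT_RE = re.compile(r"^\s*(CREATE|ALTER|DROP)\s+(TABLE|VIEW|INDEX|PROCEDURE)\b", re.I)
ADMIN_RE = re.compile(r"^\s*(STARTUP|SHUTDOWN|BACKUP|ARCHIVE)\b", re.I)
SELECT_RE = re.compile(r"^\s*SELECT\b", re.I)
TABLE_REF_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)


def classify(sql):
    """Map a statement to one audit class; order matters (CREATE USER before CREATE TABLE)."""
    if ACCOUNT_RE.match(sql):
        return "account_change"
    if OBJECT_RE.match(sql):
        return "object_change"
    if ADMIN_RE.match(sql):
        return "admin_operation"
    if SELECT_RE.match(sql):
        return "select"
    return "other"


def referenced_tables(sql):
    """Table names after FROM/JOIN, lower-cased (simplified: no schemas or aliases)."""
    return {name.lower() for name in TABLE_REF_RE.findall(sql)}


def parse_audit(text):
    """Turn pipe-delimited records into dicts; malformed records are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, user, ip, sql = parts
        events.append({"ts": ts, "user": user, "ip": ip, "sql": sql,
                       "kind": classify(sql), "tables": referenced_tables(sql)})
    return events


def count_by_kind(text):
    """Summary counts an auditor can read at a glance."""
    return dict(Counter(e["kind"] for e in parse_audit(text)))


def privileged_activity(text):
    """Everything done by DBA accounts: the 'all privileged-user activities' rundown."""
    return [e for e in parse_audit(text) if e["user"] in DBA_ACCOUNTS]


def dba_select_findings(text):
    """SELECTs issued by DBA accounts; reads of sensitive tables are rated high."""
    findings = []
    for e in privileged_activity(text):
        if e["kind"] != "select":
            continue
        hit = sorted(e["tables"] & SENSITIVE_TABLES)
        findings.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                         "severity": "high" if hit else "low", "sensitive_tables": hit})
    return findings


if __name__ == "__main__":
    print(count_by_kind(SAMPLE_AUDIT))
    for f in dba_select_findings(SAMPLE_AUDIT):
        print(f["severity"].upper(), f["ts"], f["user"], f["ip"], f["sensitive_tables"])
```

The schema change, the user creation, the dropped table and the shutdown all appear in the privileged-user rundown without being rated as findings, which matches Lane's distinction: administrators doing work orders is expected. The one record that reads `ssn` and `salary` from `payroll` is what the report should surface. Because the classifier runs over a copy of the audit trail rather than querying the database's own audit tables, it also fits the separation-of-duties requirement discussed earlier.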

Product choices grow
The market for database security tools is expanding and will likely only get bigger. “Threat management solutions are delving deeper into the application layers,” such as databases, said Charles Kolodgy, research director for secure content and threat management products for technology researcher IDC. “As network security has gotten better, attackers are targeting applications at a much greater rate.”

Typical commercial products include AppDetective, a vulnerability scanner, and AppRadar, an intrusion-detection and event-monitoring system from Application Security. The technologies are available via resellers, the General Services Administration schedule and other governmentwide contracts.

AppDetective costs $900 per database per yearly subscription. AppRadar costs a one-time fee of $10,000 for its management console and $2,000 annually for each activity sensor, which can monitor dozens of databases.

Guardium sells SQL Guard, a dedicated PC and software package for database assessments, security policy enforcement and audits. The company said a typical entry-level installation costs about $50,000, which can rise to more than $1 million for large organizations with hundreds of databases and especially high levels of data throughput. The company distributes its products through resellers on GSA contracts.

IPLocks offers assessment, monitoring and auditing software for a variety of database platforms, including Oracle, IBM and Microsoft. For implementations at small agencies, the fee starts at $28,000. The company currently doesn’t sell via standing government contracts.

— Alan Joch

Database vendors step up efforts
As third-party tool vendors expand their offerings to improve database security, some companies that make database management systems are introducing their own solutions for heightened protection.

In May, Oracle introduced Database Vault, software that allows managers to separate data into realms. Within each realm, the access is controlled. This allows human resources information and financial information to reside in the same database because it only allows users to access selected portions of the total information storehouse.

The software makes it possible to use several measures to limit an individual’s access to specific records, such as the user’s IP address, authentication codes or even the time of day.

“If you are dealing with sensitive information and it’s after 6 o’clock at night, there’s really no reason why you should be touching that data,” said Greg Gardner, vice president of Oracle’s Government and Homeland Security Solutions business unit.

The software currently supports only Linux and the latest version of the Oracle database. It costs $20,000 per computer processor and $400 per named user.
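The realm model described above combines several independent conditions (who is asking, from where, at what hour, and with what authentication) into one decision, and it refuses a database administrator who is not a member of the realm just as it refuses anyone else. The following is an added illustration of that control model in generic form; it is not Oracle's Database Vault code or its configuration syntax, and the realm names, tables, roles, networks and working hours are all constructed.

```python
"""Realm-style access decision combining role, client address, time of day
and a second authentication factor.

Added illustration of the control model the passage describes, not Oracle's
Database Vault code or configuration. Realm names, tables, roles, networks
and hours are all constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Realm:
    name: str
    tables: frozenset           # objects the realm protects
    allowed_roles: frozenset    # application roles that may touch them
    allowed_networks: tuple     # ipaddress networks clients may come from
    hours: tuple                # (start_hour, end_hour), end exclusive


# Constructed realms: HR and finance data share one database but never
# share an access rule.
REALMS = (
    Realm("hr", frozenset({"employees", "payroll"}), frozenset({"hr_analyst"}),
          (ipaddress.ip_network("10.1.5.0/24"),), (8, 18)),
    Realm("finance", frozenset({"ledger", "invoices"}), frozenset({"accountant"}),
          (ipaddress.ip_network("10.1.7.0/24"),), (8, 18)),
)


def realm_for(table):
    """Find the realm that owns a table; None if it is unprotected."""
    for realm in REALMS:
        if table in realm.tables:
            return realm
    return None


def authorize(table, role, client_ip, when, second_factor_ok):
    """Return (allowed, reason). Every check must pass; the first failure is reported.

    Role membership is the only thing that grants access: a DBA role that is
    not listed in the realm is refused like any other, which is what keeps HR
    and finance data apart inside one database.
    """
    realm = realm_for(table)
    if realm is None:
        return False, f"{table} is not assigned to any realm (default deny)"
    if role not in realm.allowed_roles:
        return False, f"role {role} is not permitted in realm {realm.name}"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in realm.allowed_networks):
        return False, f"client {client_ip} is outside the networks allowed for realm {realm.name}"
    start, end = realm.hours
    if not start <= when.hour < end:
        return False, f"outside permitted hours {start:02d}:00-{end:02d}:00"
    if not second_factor_ok:
        return False, "second authentication factor not presented"
    return True, f"allowed in realm {realm.name}"


if __name__ == "__main__":
    daytime = datetime(2006, 5, 8, 10, 0)
    evening = datetime(2006, 5, 8, 19, 30)
    print(authorize("payroll", "hr_analyst", "10.1.5.12", daytime, True))
    print(authorize("payroll", "hr_analyst", "10.1.5.12", evening, True))
    print(authorize("payroll", "dba", "10.1.2.30", daytime, True))
```

Run as written, the first request is allowed, the second fails the hour check (the "after 6 o'clock" case Gardner describes), and the third is refused because the DBA role is not a member of the HR realm. The default-deny branch for tables outside any realm matters in practice: a new table that nobody has assigned should not silently become readable by everyone.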

— Alan Joch
