Data breaches continue to make headlines, and they are not just about stolen credit card information anymore. Data breaches are now targeting different industries and different types of information. What’s going on, and what can organizations do to protect their corporate data?
Oracle Magazine sat down with Vipin Samar, vice president of Oracle Database security, to talk about the latest data breaches, how data breach threats are evolving, and how to work with the wide variety of data that needs protection in the enterprise.
Oracle Magazine: Data breaches continue to make news, but they also seem to be changing. What patterns do you see in recent company data breaches?
“All data is not equal. Organizations should start by classifying their database data and assigning priorities to it.” –Vipin Samar, Vice President of Oracle Database Security
Samar: The last 12 to 18 months have seen data breaches grow in size, number, and scope. Whether attacks are against retail, telecom, financial services, or entertainment, tens of millions of users are getting breached directly or indirectly. And the attackers are no longer going after just credit card information. Attackers are after the PII—the personally identifiable information—including name, address, e-mail, and so on. And now more than ever before, attackers are going after the IP of the company under attack—which can include e-mail messages, for example, as it did recently with a media company.
Oracle Magazine: Who and where are the attackers, and what are their strategies?
Samar: The attackers are different types of people with different motivations: they may be curious insiders, criminals, “hacktivists,” or even nation-states. But just as the attackers are diverse, the attack vectors—how the attackers attempt to break in—are many and varied. There is no one way to attack information technology. Looking at the common data breach themes over the last 18 months, however, a key strategy of many recent successful attacks has been to get inside the company network not by brute force, but through the use of social engineering, a phishing attack, or some malware to gain access to the company network or endpoints as an authorized user. And once an attacker is inside the network, the company assets are only as safe as the remaining IT security.
Encryption is an important level of defense for digital assets in general and databases in particular. But there’s one big challenge with encryption: how do you manage and protect the encryption keys?
“Oracle Key Vault manages your encryption keys, wallets, and credentials, all in one single centralized location. It allows those credentials to be shared—safely—across trusted servers,” says Vipin Samar, vice president of Oracle Database security.
Learn more about Oracle Key Vault at bit.ly/orclkeyvault.
Once an attacker has become an insider, that attacker can map the network; read unencrypted, or clear, network traffic; mine the operating system for passwords stored in clear text; and finally get to database targets.
Oracle Magazine: Why are databases the target of attacks?
Samar: Businesses and public sector organizations store much of their customer, partner, employee, and citizen data in databases. And a lot of that data is quite sensitive, ranging from names and addresses to transaction, credit card, supply chain, and customer relationship information. Databases organize this information very well, not only for applications, but also for attackers—if they can get in. Databases store a company’s IP crown jewels, and hence they have become the target of attacks.
When network and endpoint security are breached and the attackers are inside the company gates, they can try different techniques to get at databases. They can attack a database from the network or the operating system, attempt to steal database passwords, or try to bypass database security controls in improperly configured databases. Attacks can also come from the web, through SQL injection attacks that exploit application design flaws.
Oracle Magazine: Organizations may have dozens to thousands of databases. How can they develop a comprehensive—and practical—database security strategy for so many databases?
Samar: All data is not equal. Organizations should start by classifying their database data and assigning priorities to it. Then they should assign security controls proportional to the value of the data.
Oracle ACE Director and PL/SQL evangelist Steven Feuerstein explores when to use and not to use dynamic SQL in his column for this issue: “Dynamically Dangerous Code.” As part of that journey, Feuerstein looks at how to protect your company’s data by protecting against SQL injection.
In this issue’s “On More-Secure Applications,” database evangelist and Oracle Magazine technology advisor Tom Kyte addresses a question about how to maximize security in database application design. Kyte’s answer features multiple security design priorities (including least privilege, multiple schemas, and bind variables), pointers to several Oracle Database security references, and a discussion of different levels of defense available for Oracle Database.
Lowest-priority data includes internal information portal content, internal organization directories, test/development system data, and other nonsensitive content. Attackers often target this information because the host database systems are rarely secured or monitored. Attackers can use these systems to understand more about your security infrastructure, and they can use that understanding to launch subsequent attacks. For this level of data, focus on making sure the latest security patches have been applied, the databases are properly configured, and privileged user database auditing is in place. I call this bronze-level security.
The next data priority level includes corporate internal information, such as order tracking and transaction data. For this level of data, confirm that you have bronze-level security, and then secure your data with encryption on production databases and on the network. And because sensitive production data ends up on unsecured test and development systems, mask the data on those unsecured systems. I call this silver-level security.
The next data priority level includes information that has specific regulatory requirements, such as PII, credit card, or health information. For this level of sensitive data, confirm that you have silver- and bronze-level security and then focus on restricting access. For example, you can redact sensitive fields for call centers, restrict privileged users from accessing sensitive data, and monitor SQL traffic for unauthorized use. I call this gold-level security.
The last and highest data priority level includes the corporate IP crown jewels—quarterly report information, M&A plans, source code, and so on. For this level of data, confirm that you have gold-, silver-, and bronze-level security and then focus on command and control by controlling database operations, analyzing and revoking unused privileges, blocking unauthorized SQL traffic, and auditing comprehensively.
This platinum-level security minimizes database attack vectors and helps secure your databases from attacks—whether they are coming from operating systems, internal privileged users, or even SQL injection.
Database data is assigned four different priority levels and prescribed four levels of data protection.
Photography by Marc Wilnauer, Unsplash