http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9004474

By Bert Latamore
October 27, 2006
Computerworld

"Probably 80% of the threats to corporate data come from outside the company walls, but organizations should have those pretty well under control today," says Jerald Murphy, senior vice president and director of research operations at The Robert Frances Group.

"The 20% of risk that comes from inside the organization -- people doing illegitimate things with data they have legitimate access to -- is much less well contained," Murphy says. "Consequently, this is one of the greatest sources of data security vulnerability -- and one of the hardest to defend against -- that organizations face today."

A DBA makes a perfect industrial spy. He has unfettered access to data of all kinds, and he spends his days working with and on that data. He can easily copy corporate secrets or employee and client personal information for nefarious purposes.

However, security violations don't have to be purposeful. An employee with legitimate access to sensitive data could download that information to a laptop and take it home or on a business trip to work on, or he could inadvertently put it into a presentation or business e-mail attachment and send it to a legitimate business contact outside the company.

Detecting such activities is difficult. At least when an outside malefactor exploits a flaw in enterprise defenses, IT usually knows something illicit is happening. Employees can steal or accidentally lose sensitive data, or, perhaps worse, change it, and no one may know.

Fortunately, Murphy says, software is available which can help guard data from internal threats. Murphy suggests a four-step program to combat internal security risks:

1. Screen employees for sensitive positions like DBAs to ensure they are honest. The rigor of those background checks will depend on the degree of risk. Also, companies need to create specific policies to protect secrets and educate employees in the methods and reasons behind security and of the penalties for violations. And employees need periodic reminders and refreshers.

2. Pay attention to what DBAs are doing. This means reviewing log files for suspicious activities. "If a DBA is doing a lot of seeks at 11 p.m., for instance, I have to wonder what he is doing." Applications from companies like Guardium can monitor activity automatically and identify suspicious patterns for manager review.

3. Encrypt the data in the database (encryption at rest) as well as when it is sent over the Internet (encryption in motion). While organizations commonly use virtual private networks (VPN), Secure Socket Layer (SSL) and other encryption technologies to protect their data on the Internet, many databases themselves remain unencrypted. Encryption adds a layer of protection, making it difficult for unauthorized individuals to read the data should they succeed at gaining access to it.

The leading database engines (Oracle, DB2, etc.) have built-in encryption capabilities. Murphy, however, recommends using third-party encryption utilities from vendors such as Protegrity or Ingrian Networks for two reasons. First, if the encryption is done by the database engine, the DBA has access to the key, and if the DBA is stealing the data, this will not stop him. Second, the keys will be stored in the database, and if they become corrupted, data recovery will be difficult. Third-party encryption removes the keys from the DBA's purview, allowing the separation of responsibilities between database management and security. These third-party solutions keep the keys outside the database and have sophisticated key management, making recovery simpler should the keys become corrupted.

4. Attack information leakage. "Organizations focus on restricting access to the corporate network from exploitations coming in," says Murphy. "They need to pay attention to what is going out as well." Extrusion solutions intercept sensitive data on its way out of the corporate network and either prevent it from crossing the corporate boundaries or notify a designated individual, such as the corporate security officer, of what is being sent to whom by whom. Vontu focuses on e-mail, including attachments; Fidelis Security Systems encompasses all files. "This is the opposite of a firewall, and it is important for catching the mistakes of well-meaning employees that are behind 80% of corporate data security breaches."

"Best practice is to look at the total life cycle of the data -- who creates it, where it is stored, who uses it and how it is used," says Murphy. "The reality is there is no silver bullet for data protection. It is one thing to expect IT professionals to adhere to good data protection and quite another to try to get every end-user to line up behind security policy."

-=-

Bert Latamore is a journalist with 10 years' experience in daily newspapers and 25 in the computer industry. He has written for several computer industry and consumer publications. He lives in Linden, Va., with his wife, two parrots and a cat.
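The kind of log review Murphy describes in step 2 (a DBA "doing a lot of seeks at 11 p.m.") can be expressed as a small detection rule. The script below is an added illustration, not code from the article or from any of the vendors it names; the audit-log line format, the `dba_` account prefix, the business-hours window and the row-count threshold are all assumptions, and the log lines are constructed sample data. It parses the log, sums rows read by privileged accounts per off-hours hour, and reports the buckets that exceed the threshold for a manager to review.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the article); the line format is an assumption.
SAMPLE_LOG = """\
2006-10-26 09:12:03 user=dba_alice action=SELECT table=orders rows=120
2006-10-26 09:15:44 user=app_billing action=SELECT table=orders rows=3400
2006-10-26 14:02:10 user=dba_alice action=UPDATE table=indexes rows=1
2006-10-26 23:04:51 user=dba_bob action=SELECT table=customers rows=48000
2006-10-26 23:06:13 user=dba_bob action=SELECT table=employees rows=9100
2006-10-26 23:09:30 user=dba_bob action=SELECT table=card_tokens rows=22000
2006-10-27 02:30:00 user=app_batch action=SELECT table=orders rows=250000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

PRIVILEGED_PREFIXES = ("dba_",)   # assumption: DBA accounts share a naming prefix
BUSINESS_HOURS = range(7, 20)     # assumption: 07:00-19:59 local time is normal working time
READ_ACTIONS = {"SELECT"}         # only reads count as "seeks" here
OFF_HOURS_ROW_THRESHOLD = 10000   # assumption: rows per hour that warrants a look


def parse_log(text):
    """Turn audit log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": d["user"],
            "action": d["action"],
            "table": d["table"],
            "rows": int(d["rows"]),
        })
    return events


def is_privileged(user):
    return user.startswith(PRIVILEGED_PREFIXES)


def find_off_hours_reads(events, threshold=OFF_HOURS_ROW_THRESHOLD):
    """Sum rows read by privileged users per off-hours hour; return buckets over threshold."""
    totals = defaultdict(int)
    tables = defaultdict(set)
    for e in events:
        if not is_privileged(e["user"]) or e["action"] not in READ_ACTIONS:
            continue
        if e["ts"].hour in BUSINESS_HOURS:
            continue
        key = (e["user"], e["ts"].strftime("%Y-%m-%d %H:00"))
        totals[key] += e["rows"]
        tables[key].add(e["table"])
    return [
        {"user": u, "hour": h, "rows": totals[(u, h)], "tables": sorted(tables[(u, h)])}
        for (u, h) in sorted(totals)
        if totals[(u, h)] >= threshold
    ]


if __name__ == "__main__":
    for alert in find_off_hours_reads(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only `dba_bob` is reported: three late-night reads of customer, employee and card-token tables add up to 79,100 rows in one hour. The daytime DBA activity and the `app_batch` service account's 02:30 bulk read are deliberately left alone, which shows the rule's limit as well as its use: a narrowly scoped rule like this is a starting point for the manager review the article describes, not a replacement for baselining every account's normal behaviour.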