This post’s purpose is to draw attention to how easily sensitive data stored in databases can be compromised. We recently came across a short video clip, well worth watching, that proves the point: it demonstrates 500,000 identities being stolen in just a few minutes using regular office software.
The video caught our attention because something similar happened to a client of ours last year. It involved a disgruntled employee who was about to leave the organization and wanted something valuable to take with him. Much as in the video, he managed to obtain administrative credentials, used them to access the customer database, and then emailed its entire contents to a non-company address. Nobody knew about it until an investigation took place months later and computer forensics uncovered what had been done.
Databases are now among the most frequently compromised corporate assets, for two simple reasons: they usually contain valuable information, and they are surprisingly easy for unauthorized people to access. Why? Because many remain poorly configured, sloppily managed and improperly secured.
Companies are starting to put more money into physical and IT security but are still leaving their databases largely uninspected. To make matters worse, convincing management or the board to invest in taking better care of databases is often a tough sell, especially when nothing like the incident above has yet happened. It sometimes takes a breach before proper attention is paid.
If this is a concern in your organization, there are steps you can take to better ensure databases are protected and adequately managed:
- Minimize the number of people with administrative network privileges.
- Design databases for the long-term, not for one specific application today.
- Maintain the database; don’t allow it to get messy. Clean-up is never easy.
- Configure the database properly to optimize performance – slow database response drives users crazy.
- Make sure unpatched or non-secure applications aren’t inadvertently connected to a production database.
- Avoid emergency situations by having simple database health checks performed periodically.
One final suggestion: Don’t relegate this to being an IT responsibility. Those days are long gone. Caring for one of the company’s most valuable assets warrants executive oversight and accountability. Without it, incidents like the one depicted above will continue to happen with regularity.