By Randy Reiter, CEO, SQL Power Tools
In 2018 there were 1,200+ data breaches in the United States with over 446.5 million records stolen. According to IBM, the average cost of a US data breach in 2018 was $7.9 million, with fines dwarfing the initial costs. As an example, Uber paid a $148 million settlement in 2018 for concealing a 2016 data breach. Is your organization's confidential database data secure from hackers and rogue insiders? There is a high probability that it is not, because of Zero Day Attacks and Rogue Insiders.
What is a Zero Day Attack?
A Zero Day Attack is the time between when a security vulnerability in software is identified and when the organization using that software applies the patch issued by the vendor to close the security threat. How quickly do organizations apply security patches to an application server, browser, CRM, email, medical, military, payroll, reservation, web server, web application or other production software? Semi-annually, quarterly, monthly, weekly or daily? Depending on the nature of the security patch, the software to be upgraded, and the time needed for regression testing and deployment to production environments, a software vulnerability can be present in an organization for days, weeks or months. Meanwhile, hackers are aware of the zero-day vulnerability as soon as the issue or its fix has been publicly announced, and they will attempt to exploit it immediately.
How do Hackers use a Zero Day Vulnerability?
Hackers use the software vulnerability to gain access to the inside of an organization's security perimeter. Once the security perimeter has been breached, confidential database data is a prime target for hackers and rogue insiders. Confidential database data includes credit card, tax ID, medical, social media, corporate, manufacturing, law enforcement, defense, homeland security, and public utility data. This data is almost always stored in Cassandra, DB2, Informix, MongoDB, MariaDB, MySQL, Oracle, PostgreSQL, SAP Hana, SQL Server, and Sybase databases. Once inside the security perimeter, commonly installed database utilities can be used to query database data.
How to Protect Confidential Database Data from Hackers or Rogue Insiders?
Security software that monitors real-time database query activity and learns what the normal query activity looks like can detect data theft within a few seconds. Applying Advanced SQL Behavioral Analysis to the known query activity allows rogue queries to be detected immediately. This type of security software can be run inexpensively from a network tap or proxy server, so there is no impact on production servers.
Consider the following SQL query of customer information:
SELECT NAME, ADDRESS, PHONE_NO, SOCIAL_SECURITY_NO, CREDIT_CARD_NO FROM CUSTOMERS
It would be a very rare application that queried the entire CUSTOMERS table containing tens of millions of customers, yet most security software would be unaware that this query differs from any other database query.
Advanced SQL Behavioral Analysis of the query activity can go even further and learn, for each unique SQL query sent to a database, the maximum amount of data that query has returned and the IP addresses it has been submitted from. This type of data protection can detect never-before-observed query activity, queries sent from a never-observed IP address, and queries sending more data to an IP address than that query has ever sent before. This allows real-time detection of hackers and rogue insiders attempting to steal confidential database data. Once detected, the security team can be notified within a few seconds so that a data breach is prevented.
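The following is an added illustration of the three checks described above (unknown query, unknown source IP for a known query, and more rows returned than the query has ever returned), written for this article and not taken from the Database Cyber Security Guard product or any other vendor code. It assumes that a tap or proxy can supply, per statement, the client IP, the SQL text and the number of rows returned; the baseline events, table and column names are constructed sample data. Literal values are normalized so that "WHERE CUST_ID = 1001" and "WHERE CUST_ID = 1002" are treated as one query pattern, which is what makes the learned baseline small enough to be useful.

```python
import re
from dataclasses import dataclass, field

# Constructed baseline traffic (hypothetical): (client_ip, sql_text, rows_returned).
# In practice these events come from the network tap or proxy during a learning period.
BASELINE_EVENTS = [
    ("10.0.1.20", "SELECT NAME, PHONE_NO FROM CUSTOMERS WHERE CUST_ID = 1001", 1),
    ("10.0.1.20", "SELECT NAME, PHONE_NO FROM CUSTOMERS WHERE CUST_ID = 1002", 1),
    ("10.0.1.21", "SELECT NAME, PHONE_NO FROM CUSTOMERS WHERE CUST_ID = 1003", 1),
    ("10.0.1.30", "SELECT ORDER_ID, TOTAL FROM ORDERS WHERE CUST_ID = 1001", 12),
    ("10.0.1.30", "SELECT ORDER_ID, TOTAL FROM ORDERS WHERE CUST_ID = 1002", 40),
]


def fingerprint(sql):
    """Normalize a statement so queries differing only in literal values share one fingerprint."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)       # replace string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)       # replace numeric literals
    s = re.sub(r"\s+", " ", s).strip().upper()     # collapse whitespace, ignore case
    return s


@dataclass
class QueryProfile:
    """What has been observed for one query pattern during learning."""
    source_ips: set = field(default_factory=set)
    max_rows: int = 0


class SqlBehaviorMonitor:
    def __init__(self):
        self.profiles = {}   # fingerprint -> QueryProfile

    def learn(self, src_ip, sql, rows):
        """Learning mode: record the source IP and the largest result seen for this pattern."""
        p = self.profiles.setdefault(fingerprint(sql), QueryProfile())
        p.source_ips.add(src_ip)
        p.max_rows = max(p.max_rows, rows)

    def check(self, src_ip, sql, rows):
        """Detection mode: return a list of alert reasons, empty if the event fits the baseline.

        The event is deliberately not added to the baseline here; an operator should
        review an alert before the new behaviour is accepted as normal.
        """
        p = self.profiles.get(fingerprint(sql))
        if p is None:
            return ["never-before-observed query"]
        alerts = []
        if src_ip not in p.source_ips:
            alerts.append(f"query submitted from never-observed IP {src_ip}")
        if rows > p.max_rows:
            alerts.append(f"returned {rows} rows, previous maximum {p.max_rows}")
        return alerts


def build_monitor(events=BASELINE_EVENTS):
    """Train a monitor on a sequence of (ip, sql, rows) events and return it."""
    m = SqlBehaviorMonitor()
    for ip, sql, rows in events:
        m.learn(ip, sql, rows)
    return m


if __name__ == "__main__":
    monitor = build_monitor()
    # The article's full-table export, now coming from a host that never ran it before.
    suspect = ("10.0.1.99",
               "SELECT NAME, ADDRESS, PHONE_NO, SOCIAL_SECURITY_NO, CREDIT_CARD_NO FROM CUSTOMERS",
               25_000_000)
    for reason in monitor.check(*suspect):
        print("ALERT:", reason)
```

Each alert reason maps to one of the three behaviours the article describes; a real deployment would key the profile on the database and user as well, and would feed alerts to the security team rather than printing them.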
Data breaches will continue until organizations protect confidential database data from hackers and rogue insiders who are already inside the security perimeter, using Advanced SQL Behavioral Analysis of the real-time database query and SQL activity. This will allow the protection of private and public sector confidential data.
About the Author
Randy Reiter is the CEO of SQL Power Tools. He is the architect of the Database Cyber Security Guard product, a database data breach detection and prevention product for Informix, Microsoft SQL Server, MySQL, Oracle, and Sybase databases. He has worked extensively over the past 25 years with real-time network sniffing and database security. Randy can be reached online at firstname.lastname@example.org or at www.sqlpower.com/cyber-attacks.