A report was published in the United States last week highlighting the source and cause of over 900 data breaches over the last six years, compromising 900 million sensitive records (see link below).
The Report's findings bring out some telling statistics, showing that databases themselves, and key users with privileged access to those databases, were one of the main sources of data breaches taking place within US organisations:
- the majority of data breaches came from servers where the main databases were held (98%)
- 48% of data breaches occurred because of Privileged User misuse on the databases by trusted individuals
- the event logs within servers and databases are not being monitored and mined for evidence of data breaches: 86% of victims had evidence of the breach sitting in the log files of their databases, but no one had taken the time to look for it, and
- user accounts were not being audited, and the activity of Privileged Users was not being monitored, so that management could be alerted to and informed of any potential data breaches being perpetrated within the organisation
The foundation of any organisation's data, the database itself, has long been ignored as a source of crucial information on potential data breaches taking place within an organisation. The misconception has been that databases are highly secure and safe from potentially damaging manipulation or data theft, kept safe by the security policies and processes constructed around them. However, the Report has proved that data breaches are occurring at the database level of an organisation because the audit information lying on the database itself is not being monitored and mined.
The technology exists to get this information for you; it is just a matter of knowing how to find what you are looking for. The Report makes the following recommendations specifically around databases, which organisations should be addressing to avoid the ultimate impact of data breaches – Brand, Reputation, Fines, Legal Action, Shareholder Value, Client Confidence:
1) Restrict and monitor Privileged User activity
2) Watch out for minor policy violations
3) Implement measures to thwart stolen credentials
4) Monitor and filter egress network traffic
5) Change your approach to event monitoring and log analysis, and
6) Share incident information
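As an illustration of recommendations 1, 3 and 5 above (restricting and monitoring Privileged User activity, thwarting stolen credentials, and actually mining the audit trail that 86% of victims already had), here is a small detection pass over database audit records. This is an added example, not code from the post or from the Report: the record format, the account and table names, the business-hours window and the data classification are all constructed assumptions, and the format is deliberately generic rather than any particular vendor's audit trail.

```python
"""Detection pass over database audit records (added example, constructed data).

Assumed record format, one record per line:
    timestamp|user|role|action|object|status
The accounts, roles, tables and times below are made up for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: a DBA reading card data in and out of hours,
# after-hours schema changes, and a reporting account logging in after a burst
# of failures and then reading the same sensitive table.
SAMPLE_AUDIT_LOG = """\
2010-07-19T09:05:12|app_svc|APP|SELECT|ORDERS|SUCCESS
2010-07-19T09:07:44|dba_jsmith|DBA|SELECT|CUSTOMER_CARDS|SUCCESS
2010-07-19T23:41:03|dba_jsmith|DBA|SELECT|CUSTOMER_CARDS|SUCCESS
2010-07-19T23:42:10|dba_jsmith|DBA|CREATE TABLE|TMP_EXPORT|SUCCESS
2010-07-19T23:43:55|dba_jsmith|DBA|GRANT|TMP_EXPORT|SUCCESS
2010-07-20T02:10:01|report_ro|REPORT|LOGON||FAILURE
2010-07-20T02:10:05|report_ro|REPORT|LOGON||FAILURE
2010-07-20T02:10:09|report_ro|REPORT|LOGON||FAILURE
2010-07-20T02:10:13|report_ro|REPORT|LOGON||FAILURE
2010-07-20T02:10:20|report_ro|REPORT|LOGON||SUCCESS
2010-07-20T02:11:02|report_ro|REPORT|SELECT|CUSTOMER_CARDS|SUCCESS
"""

# Assumed policy inputs: a data classification, the privileged roles, the
# business-hours window and how many failed logons count as suspicious.
SENSITIVE_OBJECTS = {"CUSTOMER_CARDS", "PAYROLL"}
PRIVILEGED_ROLES = {"DBA", "SYSDBA"}
BUSINESS_HOURS = range(8, 19)          # 08:00 to 18:59
STRUCTURAL_ACTIONS = {"CREATE TABLE", "DROP TABLE", "GRANT", "ALTER USER"}
FAILED_LOGON_THRESHOLD = 3


def parse_audit_line(line):
    """Split one pipe-delimited record into a dict with a parsed timestamp."""
    ts, user, role, action, obj, status = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "object": obj, "status": status}


def parse_audit_log(text):
    """Parse a whole audit trail, skipping blank lines."""
    return [parse_audit_line(l) for l in text.splitlines() if l.strip()]


def detect(records):
    """Return a list of alerts; each alert is {'kind', 'user', 'ts'}.

    Records must be in time order for the logon-failure rule to work.
    """
    alerts = []
    failures = defaultdict(int)   # consecutive failed logons per account

    def alert(kind, r):
        alerts.append({"kind": kind, "user": r["user"], "ts": r["ts"].isoformat()})

    for r in records:
        privileged = r["role"] in PRIVILEGED_ROLES
        after_hours = r["ts"].hour not in BUSINESS_HOURS
        sensitive_read = r["action"] == "SELECT" and r["object"] in SENSITIVE_OBJECTS

        # Rule 1: a privileged account reading classified data is always
        # worth a look, whatever the time of day (recommendation 1).
        if privileged and sensitive_read:
            alert("PRIV_SENSITIVE_READ", r)
        # Rule 2: any account reading classified data outside business hours.
        if after_hours and sensitive_read:
            alert("AFTER_HOURS_SENSITIVE_READ", r)
        # Rule 3: privileged structural or grant changes out of hours.
        if privileged and after_hours and r["action"] in STRUCTURAL_ACTIONS:
            alert("PRIV_AFTER_HOURS_CHANGE", r)
        # Rule 4: a successful logon right after a burst of failures is a
        # classic stolen- or guessed-credential signal (recommendation 3).
        if r["action"] == "LOGON":
            if r["status"] == "FAILURE":
                failures[r["user"]] += 1
            else:
                if failures[r["user"]] >= FAILED_LOGON_THRESHOLD:
                    alert("LOGON_AFTER_FAILURES", r)
                failures[r["user"]] = 0
    return alerts


def summarize_by_user(alerts):
    """Count alerts per account, the view a manager would want reported."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(parse_audit_log(SAMPLE_AUDIT_LOG))
    for a in found:
        print(f"{a['ts']}  {a['user']:<12} {a['kind']}")
    print("per user:", summarize_by_user(found))
```

Run against the constructed trail, the pass raises seven alerts, five against the DBA account and two against the reporting account, all from records that were sitting in the log the whole time. The rules are deliberately simple threshold checks; the point is that none of them need anything beyond the audit trail the database already writes, plus a data classification and a list of which roles count as privileged.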
The full Report is contained in the weblink below. Take time to read it and let me know if you are seeing the same thing happening in the UK?
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
Great post Lindsay, this is a very telling study. My own experience of data security, performing audits and also evidence from other work with clients certainly has similar characteristics. I often see data held outside the database. This is crazy when you (** the royal Oracle software license owning you**) spend a lot of money on database software, licenses and implementation but then leave data outside the database, effectively outside the security cordon!
Thanks Lindsay
Thanks for blogging the report. In terms of “Take time to read it and let me know if you are seeing the same thing happening in the UK?” I would offer that we do mention demographic origin of cases on pages 9 & 10 – and half were outside of North America, with a significant representation in Western Europe.
This, of course, is *not* represented in the USSS data set (significantly), so interpret where we break out the statistics and findings appropriately.