
Database security is critical, but often developers are not prepared for potential attacks. Find an article on a web-based database that has been attacked or exploited, summarize what happened, and include the URL.

Solution

Guardian jobs database attack demonstrates difficulties of database security

The Guardian's jobs site is one of the most popular job sites in Britain, with more than ten million unique users. Managed by third-party job board software supplier Madgex, the cracked database contained names, e-mail addresses, covering letters and CVs.

Widespread exposure

Every year we share more of ourselves online. Each time we do any of these things, we place our data and our faith in commercial databases - Oracle, Microsoft SQL Server, IBM DB2, Sybase, MySQL - and the overarching security measures taken by the businesses that own these databases.

The Guardian breach has alerted IT and security managers to the need to protect their user data and to consider data security from every angle. Most have already spent time, money and valuable resources securing their network perimeters with firewalls and anti-virus software, and even protecting their laptops with hard disc encryption and DLP solutions. It is a necessary step, but one which can also be guilty of generating a false sense of security.

SQL vulnerability

So how was The Guardian's data accessed? Well, all fingers point to an SQL injection vulnerability, a method currently in favour with hackers and data thieves. SQL injection attacks exploit vulnerabilities at the web application layer to access sensitive data in back-end databases. These web-based attacks pass undetected through firewalls and other perimeter defences, including intrusion detection and intrusion prevention systems, then hijack the application server to gain access to underlying database records.
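To make the application-layer weakness described above concrete, here is an added example (not from the article, the Guardian, or Madgex) that builds a constructed in-memory "candidates" table with the same kinds of fields the article lists, then contrasts a query assembled by string concatenation with one that passes the value as a bound parameter. The table layout, the e-mail addresses and the probe value are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small in-memory table standing in for a
    job-board database (e-mail address plus CV text). Not a real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidates (id INTEGER PRIMARY KEY, email TEXT, cv TEXT)"
    )
    conn.executemany(
        "INSERT INTO candidates (email, cv) VALUES (?, ?)",
        [
            ("alice@example.invalid", "Alice - 5 years Java"),
            ("bob@example.invalid", "Bob - database administrator"),
            ("carol@example.invalid", "Carol - network engineer"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the statement by concatenation, so the input becomes part of the
    SQL grammar: a quote inside the value ends the string literal early and
    whatever follows is executed as SQL."""
    sql = "SELECT email, cv FROM candidates WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Sends the value separately from the statement; the driver can only ever
    compare it as data, so the same input simply matches no row."""
    sql = "SELECT email, cv FROM candidates WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Classic tautology value, used here only to show the contrast between
    # the two query styles on identical input.
    probe = "x' OR '1'='1"
    print(len(lookup_vulnerable(conn, probe)))     # 3: every row is returned
    print(len(lookup_parameterized(conn, probe)))  # 0: treated as a literal address
```

The point for a reviewer is that the perimeter devices the article mentions never see a difference: both functions issue ordinary SELECT statements over the same connection. The defence lives in the application code, and a code-review or static-analysis check for string-built SQL is the cheapest place to catch it.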

Yet databases remain vulnerable. Which prompts the question: just how many organisations are still open to this type of attack? And how many organisations do not understand that they are at risk?

Continuous monitoring

Until recently, identifying unauthorised or suspicious access to databases was impractical and complex. Logging all activity in the database itself significantly degrades system performance, while at the same time generating massive amounts of transaction records, which creates a "needle in the haystack" problem since all of the monitoring data must then be analysed and filtered to identify anomalous activity, typically using home-grown scripts.
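The "home-grown script" the article alludes to usually boils down to two checks: does a statement return far more rows than the account normally does, and does its text still look like the application's own parameterised queries? The following added example (my own, not the article's or any product's) runs those two checks over constructed audit-log lines in a simple key=value shape; the log format, account name, addresses and timestamps are all invented for the demonstration and do not describe any real DBMS.

```python
import re
import statistics
from collections import defaultdict

# Constructed audit-log lines (invented key=value layout, not any real DBMS's
# format). The first four show the application's normal prepared statements;
# the last two show the shape of a statement that has had input spliced in.
SAMPLE_LOG = """\
2009-10-23T10:14:05 user=webapp src=10.0.0.12 rows=1 sql="SELECT email, cv FROM candidates WHERE id = ?"
2009-10-23T10:14:09 user=webapp src=10.0.0.12 rows=1 sql="SELECT email, cv FROM candidates WHERE id = ?"
2009-10-23T10:15:30 user=webapp src=10.0.0.12 rows=1 sql="SELECT email, cv FROM candidates WHERE id = ?"
2009-10-23T10:16:02 user=webapp src=10.0.0.12 rows=1 sql="UPDATE candidates SET cv = ? WHERE id = ?"
2009-10-23T23:41:17 user=webapp src=10.0.0.12 rows=500000 sql="SELECT email, cv FROM candidates WHERE id = '' OR '1'='1'"
2009-10-23T23:42:50 user=webapp src=10.0.0.12 rows=500000 sql="SELECT email, cv FROM candidates WHERE id = '' UNION SELECT name, email FROM users --"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) sql="(?P<sql>.*)"$'
)

# Text features that never appear in a statement built from bound parameters.
SUSPICIOUS_SQL = re.compile(r"""(?ix)
    \bor\s+'[^']*'\s*=\s*'[^']*'    # tautology such as OR '1'='1'
  | \bunion\b\s+(all\s+)?select\b   # UNION-based data extraction
  | --\s*$ | /\*                    # comment markers that discard the rest of a statement
""")


def parse(log_text):
    """Turn each well-formed log line into a dict; skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["rows"] = int(event["rows"])
            events.append(event)
    return events


def find_anomalies(events, spike_factor=10):
    """Baseline = median rows returned per account. Alert on a statement that
    returns spike_factor times more than that, or whose text carries a marker
    of spliced-in input. Returns (timestamp, user, [reasons]) tuples."""
    rows_by_user = defaultdict(list)
    for e in events:
        rows_by_user[e["user"]].append(e["rows"])
    baseline = {u: statistics.median(r) for u, r in rows_by_user.items()}

    alerts = []
    for e in events:
        reasons = []
        if e["rows"] > spike_factor * max(baseline[e["user"]], 1):
            reasons.append(f"rows={e['rows']} vs baseline {baseline[e['user']]:.0f}")
        if SUSPICIOUS_SQL.search(e["sql"]):
            reasons.append("statement shape not consistent with a parameterised query")
        if reasons:
            alerts.append((e["ts"], e["user"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in find_anomalies(parse(SAMPLE_LOG)):
        print(ts, user, "; ".join(reasons))
```

Two design choices matter in practice. The row-count baseline is computed per account, because a reporting user legitimately pulls thousands of rows while a web application account that normally fetches one record at a time should never return half a million; and the text check is applied to the statement as logged, so it catches the result of the injection regardless of which parameter was abused. Both are cheap enough to run on a sample of the audit stream rather than on every transaction, which is the performance trade-off the article describes.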

Big responsibility

But why access The Guardian's job site at all? The answer is the first rule of hacking: because somebody discovered that they could. It may be argued that the theft of names, e-mail addresses, CVs and cover letters is relatively unimportant, almost unthreatening. The definition of sensitive data has broadened. Dates of birth, addresses, personal histories, details of daily lives - all this data is useful to a fraudster, and may be the first steps towards more complete identity theft.

A deliberate attack that resulted in the theft of half a million personal records from a very high-profile organisation is not to be sniffed at. Any enterprise that holds any personal data needs to take every step to safeguard it. But it is not an easy job - just ask The Guardian.

URL: http://www.computerweekly.com/opinion/Guardian-jobs-database-attack-demonstrates-difficulties-of-database-security

