Exploiting security flaws is one of the major tactics used by cybercriminals to attack organizations. Vulnerabilities are an unfortunate fact of life for operating systems, applications, hardware devices and last, but not least, databases. An attack against a database can easily compromise sensitive and confidential user and customer data. A report released Tuesday by cybersecurity firm Imperva Research Labs examines why databases are vulnerable and offers advice on how to better protect your data from falling into the wrong hands.
Based on analysis covering 27,000 on-premises databases around the world, Imperva found that one out of every two databases contains at least one vulnerability. One drawback here is that organizations typically focus on perimeter and endpoint security with the assumption that their databases and data would be protected. But that approach doesn’t work, according to Imperva.
Organizations don’t patch and update their databases as regularly or as frequently as they could. In analyzing databases, Imperva said it found some vulnerabilities that have gone unpatched for more than three years. The large number of Common Vulnerabilities and Exposures (CVEs) found in most databases presents hackers with a tempting and easy target. Criminals can simply use a legitimate search tool like ExploitDB to discover and take advantage of the many flaws.
With so many vulnerabilities to patch, severe ones are often ignored. More than half of the security holes in databases are ranked as High or Critical, according to guidelines from the National Institute of Standards and Technology. These types of flaws allow hackers to steal or corrupt data and take control of networks.
“This report points out one of the most glaring challenges of on-prem, which is implementing security patches for vulnerable databases and other infrastructure,” said Hank Schless, senior manager for security solutions at Lookout.
“Organizations need to rely on their admins to download and install these patches as they’re made available,” Schless added. “While admins may be diligent in doing so, it’s almost inevitable that they’ll miss a couple of resources. In that case, one vulnerable database is just as bad as one hundred. In addition, on-prem services may reach an age where they’re no longer supported. With few exceptions, this means that they will not receive a patch if additional vulnerabilities are discovered after they’re no longer supported.”
To protect your organization’s databases and data from security exploits, Imperva offers three pieces of advice.
- Inventory your databases. You can’t protect your data unless you know where it resides. This means you need to find and catalog every database in your organization, including rogue ones that may have been established outside the scope of your security. Performing this type of inventory should also entail the deployment of tools to look for anomalies in database activity combined with ways to prevent security flaws from being exploited.
- Prioritize patching for critical vulnerabilities and critical data. Ideally, your IT and security staffers would have time to patch every security flaw as soon as it’s discovered. In the real world, however, that may not be feasible due to limited staffing and limited time. Instead, the trick is to prioritize your patching by focusing not only on the most serious flaws but on the most critical or sensitive data. For this, you’ll need to use tools that can identify which databases hold the most confidential customer or user information, such as credit card numbers or passport details.
- Be aware of the risks of digital transformation. Many organizations are going forward with digital transformation projects to move their data to the cloud. However, managing your on-premises security is difficult enough without the added challenge of securing data transferred to the cloud. As you migrate your data, you need to have a clear and consistent strategy on how to protect it whether it’s on-premises, in the cloud, or both.
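One way to turn the second recommendation into a sortable patch queue, as an added example that is not from Imperva's report or the original article: findings are ranked by data sensitivity multiplied by NIST severity band, then by how long they have been open. The scoring weights, sensitivity labels, database names, dates and VULN-* identifiers are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
DATA_RANK = {"public": 1, "internal": 2, "restricted": 3}  # assumed labels

def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to the qualitative rating used by NIST's NVD."""
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if cvss >= floor:
            return name
    return "None"

@dataclass(frozen=True)
class Finding:
    database: str
    vuln_id: str      # placeholder identifiers, not real CVEs
    cvss: float
    published: date

def patch_queue(findings, inventory, today):
    """Order findings by (data sensitivity x severity), then by age unpatched.

    A database missing from the inventory is unclassified, so it is treated
    as 'restricted' until someone catalogs it (an assumption of this example).
    """
    def key(f):
        data = DATA_RANK[inventory.get(f.database, "restricted")]
        score = data * SEVERITY_RANK[severity(f.cvss)]
        age_days = (today - f.published).days
        return (-score, -age_days, f.database, f.vuln_id)
    return sorted(findings, key=key)

# Constructed sample data: "shadow-db" is deliberately absent from the inventory.
INVENTORY = {"crm-cards": "restricted", "wiki": "public", "hr-core": "internal"}
FINDINGS = [
    Finding("wiki", "VULN-A", 9.8, date(2021, 3, 1)),
    Finding("crm-cards", "VULN-B", 7.5, date(2018, 6, 1)),
    Finding("hr-core", "VULN-C", 9.1, date(2020, 1, 15)),
    Finding("shadow-db", "VULN-D", 5.3, date(2019, 9, 9)),
    Finding("crm-cards", "VULN-E", 9.8, date(2021, 8, 1)),
]

if __name__ == "__main__":
    for f in patch_queue(FINDINGS, INVENTORY, date(2021, 9, 14)):
        print(f.database, f.vuln_id, severity(f.cvss), f.published)
```

With this sample, the Critical flaw on the public wiki lands last, behind a Medium flaw on the uncataloged database, because the ranking weighs what the database holds as well as the score.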
Beyond patching critical vulnerabilities, organizations need to implement other measures such as multifactor authentication, according to ThycoticCentrify chief security scientist Joseph Carson.
“Databases can contain sensitive information such as employee data, personal identifiable information, health data, financial details, intellectual property and much more, so it is vital that organizations protect and secure databases with the highest priority,” Carson said. “Patching systems is critical but it is also important to have strong access controls using privileged access security along with detailed auditing and MFA.”