How to protect databases from exfiltration by Super Users
Databases are hacked every minute because of weak security. Yes, most of the leaks you read about on our site occur precisely because basic Internet security rules are disregarded.
In mid-2020, Spyse specialists scanned port 9200 and discovered 436.83 TB of databases exposed to the public Internet. Among the companies whose data was publicly reachable were Amazon, Digital Ocean, Google, Microsoft, ESPN, etc.
If such large companies neglect the security system, then what about the rest of the IT organizations?
Dark forums are teeming with reports of database sales, and buyers are willing to pay exorbitant sums to leak information.
Well, the time has come to put a stop to this chaos. Let's take care of database security right now!
The superuser is not a hero from the Marvel movies at all. Although, no doubt, he is still endowed with a specific power.
So, a superuser is a database administrator who has many privileges:
- killing processes (connections) owned by other users
- changing global system variables
- enabling/disabling logging
- performing updates even when the server has been put into read-only mode via a system variable
- starting/stopping replication on standby servers, etc.
The database creator can choose a trusted person (a superuser) who will be allowed to manage the database alongside them. Such a user will have access to all tables in the database and will be able to grant rights to other users.
But here is the catch: a superuser is an ordinary person who can make mistakes and bad decisions. So let's take a look at some of the most common mistakes database administrators make.
The database is the backbone of any organization. The database often becomes an Achilles' heel, so it is essential to take care of its security during the development phase.
I analyzed the problem of database leaks and collected the top 5 most common mistakes that should never be allowed:
- Don’t encrypt the data
Even if your database is stolen, it will not be worth a cent if the criminal cannot decrypt the data stored in it. Encryption is our best friend!
Any DBMS has a reasonably powerful data encryption mechanism; the main thing is to use it for its intended purpose.
The most common database system, MySQL, has about 14 encryption functions that cybersecurity professionals have known since university days:
- AES_ENCRYPT() - AES encryption
- AES_DECRYPT() - AES decryption
- COMPRESS() - returns the result in binary form
- DES_ENCRYPT() - DES encryption
- DES_DECRYPT() - DES decryption
- ENCODE() - encrypts the string with a simple password (the output ciphertext has the same length as the original plaintext)
- DECODE() - decrypts text processed by the ENCODE() function
- ENCRYPT() - encryption using the Unix crypt() system call
- MD5() - calculates an MD5 sum
- SHA1(), SHA() - calculates a SHA-1 hash (160-bit)
It is enough to call AES_ENCRYPT() or DES_ENCRYPT(), which are considered the most reliable in MySQL, in the corresponding section of the program code.
For example, you can do this:
INSERT INTO t VALUES (1, DES_ENCRYPT('text', 'password'));
Cybercriminals will be frustrated staring at your encrypted database. Oh yes, it's worth it!
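Here is an added example (not code from the original article) of column-level encryption with AES_ENCRYPT() and AES_DECRYPT(), which is the choice that still works on current servers: MySQL 8.0 removed DES_ENCRYPT(), DES_DECRYPT(), ENCODE(), DECODE() and ENCRYPT(). The table, column names and the key passphrase are assumptions for illustration.

```sql
-- Added example (not from the original article): column-level encryption with
-- MySQL's AES_ENCRYPT()/AES_DECRYPT(). Table, column names and the passphrase
-- are assumptions for illustration. DES_ENCRYPT()/ENCODE()/ENCRYPT() are gone
-- in MySQL 8.0, so AES is the supported option.

-- Use CBC with a random IV instead of the default ECB mode, so two rows holding
-- the same plaintext do not produce the same ciphertext.
SET block_encryption_mode = 'aes-256-cbc';

CREATE TABLE customer_secret (
  id        INT PRIMARY KEY,
  iv        BINARY(16)    NOT NULL,   -- per-row initialization vector (not secret)
  card_enc  VARBINARY(64) NOT NULL    -- AES ciphertext; the plaintext is never stored
);

-- The application supplies the key at runtime (here via a session variable);
-- it must not live in the table, in a stored routine or in a config table.
SET @key = UNHEX(SHA2('replace-with-app-managed-key', 256));  -- 32-byte AES-256 key
SET @iv  = RANDOM_BYTES(16);

INSERT INTO customer_secret (id, iv, card_enc)
VALUES (1, @iv, AES_ENCRYPT('4111111111111111', @key, @iv));   -- constructed sample value

-- Reading the column back without the key yields only ciphertext:
SELECT id, HEX(card_enc) FROM customer_secret WHERE id = 1;

-- Authorized decryption uses the same key and the IV stored beside the row:
SELECT id, CAST(AES_DECRYPT(card_enc, @key, iv) AS CHAR) AS card
FROM customer_secret WHERE id = 1;
```

The important design point against a malicious superuser is where the key lives: if it is stored in the database, a superuser simply decrypts alongside the dump. A superuser can also watch statements in flight (SHOW PROCESSLIST, the general log), so the real protection is that decryption happens in the application tier with a key the database server never persists.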
- Don’t identify critical data
First, you need to analyze how important it is to protect a specific piece of information. To decide how to store data, you need to understand the logic and architecture of the database.
Not all data is critical or needs protection, so there is no point in wasting time and resources on it.
- Don’t skimp on the information security audit
Conduct regular data inventories to keep the databases up to date and secure.
Businesses that neglected security audits have already paid for their mistake: their data has been compromised.
- Don’t control access to the database
Limiting permissions and privileges helps prevent cyber-attacks. In addition to basic system permissions, you should observe the following points:
- Restricting access to confidential data to specific users and procedures that may run queries involving confidential information.
- Restricting the use of basic procedures to certain users only.
- Preventing use of and access to databases outside of business hours.
Also, I highly recommend disabling all services and procedures that are not in use.
Moreover, databases should be hosted on a server that is not directly accessible over the Internet, to prevent remote access to corporate information.
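The following is an added example (not code from the original article) that puts the three points above into MySQL grants: an application account that reaches confidential data only through a stored procedure, only from one known host, and only during business hours. All names, addresses and the hours are assumptions.

```sql
-- Added example (not from the original article): application access restricted to
-- a stored procedure, a known client address and business hours. Database, table,
-- user names, the address 10.0.1.20 and the 08:00-18:00 window are assumptions.

CREATE DATABASE IF NOT EXISTS crm;
USE crm;

CREATE TABLE customers (
  id     INT PRIMARY KEY,
  name   VARCHAR(100),
  phone  VARCHAR(30),
  ssn    VARCHAR(11)   -- confidential: must never be returned to the app wholesale
);

-- The procedure owner: a local-only account with read access to the table.
CREATE USER 'crm_owner'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT SELECT ON crm.customers TO 'crm_owner'@'localhost';

-- A definer-rights procedure exposes only the non-confidential columns and
-- refuses to run outside 08:00-18:00 server time.
DELIMITER //
CREATE DEFINER = 'crm_owner'@'localhost' PROCEDURE get_customer_contact(IN p_id INT)
SQL SECURITY DEFINER
BEGIN
  IF HOUR(NOW()) < 8 OR HOUR(NOW()) >= 18 THEN
    SIGNAL SQLSTATE '45000'
      SET MESSAGE_TEXT = 'Customer data is not available outside business hours';
  END IF;
  SELECT id, name, phone FROM customers WHERE id = p_id;   -- ssn deliberately omitted
END //
DELIMITER ;

-- The application account may connect only from the app server's address and
-- holds no table privileges at all: just EXECUTE on this one procedure.
CREATE USER 'crm_app'@'10.0.1.20' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT EXECUTE ON PROCEDURE crm.get_customer_contact TO 'crm_app'@'10.0.1.20';

-- Check: as crm_app, SELECT * FROM crm.customers fails with "SELECT command denied",
-- while CALL crm.get_customer_contact(42) succeeds during business hours.
SHOW GRANTS FOR 'crm_app'@'10.0.1.20';
```

Binding the account to a single host complements the advice not to expose the server to the Internet: even with a leaked password, a connection from anywhere else is rejected before authentication completes. The time check lives in the procedure rather than in the application so that a client bypassing the app cannot skip it.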
- Don’t anonymize non-production databases
The mistake of many companies is that during the development of a project, they make a copy of the original database and start using it in environments with less strict controls, thereby disclosing all confidential information.
You can create a similar version with the same structure but with the confidential data altered by masking and anonymization.
So, you can alter data by mixing, encrypting, character swapping, or word substitution; in other words, whatever your imagination allows. The chosen method of anonymization should make it impossible to obtain the initial data using reverse engineering.
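As an added example (not code from the original article), here is one way to build a development copy with the same structure but irreversibly masked confidential columns. Table and column names and the sample rows are constructed for illustration.

```sql
-- Added example (not from the original article): an anonymized copy of a
-- production table for development. Table/column names and the two sample
-- rows are constructed for illustration.

CREATE TABLE prod_customers (
  id     INT PRIMARY KEY,
  name   VARCHAR(100),
  email  VARCHAR(200),
  phone  VARCHAR(30),
  ssn    VARCHAR(11)
);
INSERT INTO prod_customers VALUES
  (1, 'Ada Example',  'ada@example.com',  '+1-555-0101', '123-45-6789'),
  (2, 'Bob Sample',   'bob@example.org',  '+1-555-0102', '987-65-4321');

-- Same structure as production, no data yet.
CREATE TABLE dev_customers LIKE prod_customers;

-- A random, per-run salt. It is discarded after the copy is built, which is what
-- makes the e-mail tokens one-way: a plain SHA2(email) could be reversed by
-- hashing a dictionary of known addresses.
SET @salt = HEX(RANDOM_BYTES(16));

INSERT INTO dev_customers (id, name, email, phone, ssn)
SELECT
  id,
  CONCAT('Customer ', id),                                        -- synthetic name
  CONCAT(LEFT(SHA2(CONCAT(email, @salt), 256), 12),               -- opaque token,
         '@', SUBSTRING_INDEX(email, '@', -1)),                    -- domain kept
  CONCAT('+1-555-', LPAD(FLOOR(RAND() * 10000), 4, '0')),          -- random number
  '000-00-0000'                                                   -- fixed dummy
FROM prod_customers;

-- Check: no masked row still carries a real e-mail, phone or SSN.
SELECT COUNT(*) AS leaked_rows
FROM dev_customers d JOIN prod_customers p USING (id)
WHERE d.email = p.email OR d.phone = p.phone OR d.ssn = p.ssn;   -- expected 0
```

The salted-hash token keeps the copy useful for development: the same real address always maps to the same token within one run, so joins and uniqueness constraints still behave, yet nobody holding only the dev copy can recover the original values.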
We've covered some of the most common mistakes by database administrators and figured out how to fix them.
Now it's time to answer the main question: how to protect the database from the illegal actions of superusers?
After investigating all the weaknesses of the database architecture, I have compiled a few measures that will help prevent hacking.
This is an essential recommendation that solves most of the problems with data leaks.
You must prevent superusers from granting rights to other users, and also provide administrators with a comfortable working environment. Why is this important?
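The following added example (not code from the original article) shows what this recommendation looks like in MySQL 8.0 grants: an operations role that can run backups, replication and process control without the ability to delegate privileges, plus the queries to check who can still do so. Account names and addresses are assumptions.

```sql
-- Added example (not from the original article): operator accounts that can run
-- the database without being able to hand out privileges. User and role names
-- and the 10.0.2.% network are assumptions; syntax is MySQL 8.0.

-- A DBA role for day-to-day operations: logical backups, replication and
-- connection control, but no GRANT OPTION and no SUPER / ALL PRIVILEGES.
CREATE ROLE 'ops_dba';
GRANT SELECT, LOCK TABLES, SHOW VIEW, EVENT, TRIGGER ON *.* TO 'ops_dba';   -- mysqldump needs
GRANT RELOAD, PROCESS, REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO 'ops_dba';
GRANT BACKUP_ADMIN, CONNECTION_ADMIN, REPLICATION_SLAVE_ADMIN ON *.* TO 'ops_dba';

CREATE USER 'alice'@'10.0.2.%' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT 'ops_dba' TO 'alice'@'10.0.2.%';
SET DEFAULT ROLE 'ops_dba' TO 'alice'@'10.0.2.%';
-- Nothing above carries WITH GRANT OPTION, so alice can administer but not delegate.

-- An older account (assumed to exist) created with ALL PRIVILEGES ... WITH GRANT OPTION
-- keeps its job but loses the right to hand privileges to others:
REVOKE GRANT OPTION ON *.* FROM 'legacy_admin'@'%';

-- Periodic check 1: which accounts can still delegate privileges or hold SUPER?
SELECT user, host, Grant_priv, Super_priv
FROM mysql.user
WHERE Grant_priv = 'Y' OR Super_priv = 'Y';

-- Periodic check 2: which accounts hold dynamic privileges that amount to
-- superuser power, and can they pass them on?
SELECT user, host, priv, with_grant_option
FROM mysql.global_grants
WHERE priv IN ('SYSTEM_USER', 'SYSTEM_VARIABLES_ADMIN', 'ROLE_ADMIN',
               'BACKUP_ADMIN', 'CONNECTION_ADMIN');
```

Run the two check queries from a change-management job and alert on any row that is not on the approved list; a newly appearing Grant_priv = 'Y' or ROLE_ADMIN is exactly the kind of privilege escalation by an insider that this section is about.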
The motives for stealing data are often personal.
A competing company can offer an administrator a sum equal to several months' salary for the desired data, so you need to choose administrators carefully, install CCTV cameras in the office and, if possible, restrict remote access to the database.
Your company must have a trade secret protection regime.
You need to prepare a documentation base that clearly describes what information is a trade secret; who is obliged to protect, transfer and use it, and how; what sanctions apply to those who violate the rules for working with it; etc.
Develop and sign a non-disclosure agreement (NDA) with each employee and contractor: this will help reduce the risk of theft of strategically important information.
A DLP (data loss prevention) system checks all outgoing operations in real time, blocks suspicious actions, and immediately notifies about violations.
It's a truly universal solution to the data leak problem, but the product has one drawback: its high cost. However, the result is worth all the money: every mouse click is monitored and verified!
True, in researching the DLP functions, I discovered that the tool couldn’t be installed on the personal devices of company employees. In other words, working remotely, an employee will be able to transmit information uncontrollably.
Based on this, access control is necessary to ensure security.
One of the simplest but most effective ways to protect valuable information is to delimit access to data and provide information only to the extent that it is necessary for work.
For example, a manager does not need access to the entire database; customer contacts will be enough for full-fledged work.
Now you know that neglect of information security measures leads to severe consequences.
Databases are a tidbit for hackers, so it was vital for me to talk to you about protecting your data online.
It doesn't matter who you are, the owner of a large IT company or the average Internet user: you are responsible for keeping your data safe.
Hope you learned a lot about data protection today! I am glad to be of service to you.
Why do you think some businesses are saving on security audits? In this case, is it possible to remain careless and hope for good luck? Share your opinion in the comments!
Remember safety, friends!