Thursday, June 14, 2012

Even C-Student Hackers Will Succeed When Obvious Security Vulnerabilities Are Overlooked

About 2 months ago, the public got wind of what is thus far one of the largest US data breaches in 2012, and possibly the worst ever suffered by the state of Utah. The state’s Department of Technology Services had some 800,000 personal records (and 280,000 Social Security numbers) compromised in an attack that is believed to have originated somewhere in Eastern Europe.

With all the talk of sophisticated hacks and advanced persistent threats (APTs) these days, it would be perfectly natural to assume that this breach was planned and executed by a crack team of highly skilled cyber-criminals. Though it’s not clear exactly how adept the perpetrators were, that detail is largely irrelevant when you consider that the breach succeeded because of gaping security holes created by a few very easily avoided security management missteps. In other words, someone who snoozed their way through Hacking 101 could probably have found their way to the organization’s sensitive data.

For starters, servers configured to house some of those highly sensitive records went through an upgrade process outside of the department’s firewall. Furthermore, the passwords that were part of the default configuration were never even changed!

What would have greatly helped avoid such a debacle is a security program that includes (and enforces) processes to consistently check for known security weaknesses and mitigate the risks throughout any upgrade or change to systems and endpoint configurations. This can be exceptionally challenging in larger organizations, whose IT environments routinely undergo major change, but without such processes familiar vulnerabilities are bound to resurface.

Put simply, vulnerability assessment is an indispensable component of any organization’s security program. There are literally thousands of known vulnerabilities inherent to servers, databases and the like, and many of these (weak or default passwords, for example) are obvious and easily remediated. However, given the sheer number of possible exploits, automating the process of database and server hardening is critical, and it should be done on a regular basis.

From a strategic perspective, an organization’s approach to security needs to be multi-layered; this is the only way to really dial down the risk of a data breach. In the case of Utah’s Department of Technology Services, the database server might have been adequately protected had it been placed behind a firewall, but in the event that perimeter security falls short, those hundreds of thousands of sensitive records would still be secure if the server were vulnerability-hardened, and the database hardened and fully protected by a dedicated database security solution.

McAfee offers powerful vulnerability assessment capabilities that can be leveraged across an organization’s many endpoints, and even has a dedicated database research team that is constantly testing the major database management systems for possible security weaknesses that the bad guys out there might try to exploit. McAfee Vulnerability Manager for Databases also automates this process, makes it highly efficient to manage through the ePolicy Orchestrator console, and generates actionable reports on what to fix to keep critical, sensitive information secure. Organizations can also build a last line of defense for their sensitive databases with McAfee’s database security solution, which protects against threats across all vectors in real time.

By Sean Roth