How to avoid data breaches: fix the basics

The vast majority of data breaches are caused by a lack of security-focused database setup and configuration. The words “unsecured”, “publicly available”, and “cloud” are peppered throughout press reports.

Here is a common scenario: a developer needs to get a new app up ASAP. He builds a test environment in his favorite cloud and launches a prototype as a proof of concept. He deploys his favorite database using whatever is readily available, and he uses the default setup because it’s not in production and he just needs something quick and dirty. The prototype is a huge hit and management want it "yesterday", so additional features are quickly added and the "app" is moved into production. Security testing and vulnerability scans are skipped in the roll-out to live operation. Never going back to harden the underlying database environment or to plug the holes and gaps in the system is often the root cause of later security incidents.


Of course, there are other scenarios that leave databases exposed and subject to theft. But almost all of them are the result of overlooked or missed steps caused by human error. Many of these issues can be traced back to:

  • Old and under-maintained software.

  • Misconfigured (or simply missing) database security settings - most databases are not secure "out of the box".

  • Basic care and maintenance of the database being ignored.

  • Front-door access (the database's network listener) left wide open.

  • Vulnerabilities that are identified but never addressed.


No-one sets out to mismanage their databases, but these issues are significantly amplified by:

  • Underqualified and under-trained staff being responsible for maintaining the database and network infrastructure. More and more tooling, automation, and push-button deployments are becoming the new normal. This leads to poor setups that miss even the most basic security steps (like resetting the default password). The industry is moving towards empowering developers, but database setup, security, and performance are not normally a top priority for application developers.

  • Overworked staff spread too thin to keep things even remotely up to date. Some studies suggest that 80% of companies are running one or more outdated or buggy releases. Companies now run hundreds or thousands of databases in their data centers, and it is easy to miss a few when dealing with them at that scale.


Although it's easy to be wise after the event, most data breaches are preventable. Attackers exploit known weaknesses and common errors, and share information about them in their own forums. The best way to avoid becoming the victim of a data breach is to ensure that you have the basics covered.

It's also not unusual for organisations to have identified weaknesses with a vulnerability scanner and then fail to remediate them. The main reason is that the reports produced by most vulnerability scanners, although a comprehensive listing of every vulnerability found, overwhelm their users with information. This causes the following challenges:

  • Prioritisation: In a huge list of findings it can be difficult to separate the "wheat from the chaff". It's important to be able to home in on the most important vulnerabilities and get those remediated first.

  • Assigning responsibility: Different segments of the network and different assets may be managed by multiple teams. Vulnerabilities need to be categorised by team so that everyone knows which vulnerabilities they are responsible for.

  • Verification of remediation: For many organisations, methods of verifying that a vulnerability has actually been fixed are immature. Often the only method available is to run another scan and then "eyeball" the results to check that the vulnerabilities from the previous scan have disappeared. Unsurprisingly, this activity is seldom performed effectively.

  • Identifying poor development / deployment practice: As we outlined above, many data breaches are facilitated by poor development and deployment practice. Most vulnerability scanning tools show a snapshot of the security configuration at a single point in time. To spot poor practice, it is helpful to be able to identify trends in the recurrence of vulnerabilities, such as the same finding reappearing on specific subnets, platforms or services.
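The last three challenges (ownership, verifying remediation, spotting recurrence) lend themselves to automation rather than eyeballing two reports. The following added example, not part of the original article, diffs two constructed scan snapshots to show what was fixed, what is still open and what is new, groups the open findings by owning team in severity order, and counts how many distinct hosts per /24 subnet carry the same finding. The record layout (host, plugin, severity, team) and all values are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample scan snapshots (not real findings): one record per
# (host, plugin) pair, with a CVSS-style severity and the owning team.
# The "plugin" is the scanner's check name; the layout is assumed here.
PREVIOUS_SCAN = [
    {"host": "10.0.1.10", "plugin": "db-default-creds", "severity": 9.8, "team": "data"},
    {"host": "10.0.1.11", "plugin": "db-open-to-internet", "severity": 9.1, "team": "data"},
    {"host": "10.0.2.20", "plugin": "outdated-db-release", "severity": 7.5, "team": "platform"},
    {"host": "10.0.2.21", "plugin": "weak-tls-config", "severity": 5.3, "team": "platform"},
]
CURRENT_SCAN = [
    {"host": "10.0.1.11", "plugin": "db-open-to-internet", "severity": 9.1, "team": "data"},
    {"host": "10.0.1.12", "plugin": "db-default-creds", "severity": 9.8, "team": "data"},
    {"host": "10.0.2.21", "plugin": "weak-tls-config", "severity": 5.3, "team": "platform"},
]


def finding_key(f):
    """A finding is identified by where it is and what check raised it."""
    return (f["host"], f["plugin"])


def verify_remediation(previous, current):
    """Return (fixed, still_open, new) as sets of (host, plugin) keys.
    'fixed' is only what disappeared between scans; a finding that moved to a
    freshly deployed host shows up under 'new', not as remediated."""
    prev = {finding_key(f) for f in previous}
    cur = {finding_key(f) for f in current}
    return prev - cur, prev & cur, cur - prev


def prioritised_by_team(findings):
    """Group open findings by owning team, highest severity first, so each
    team gets a short list it is responsible for."""
    by_team = defaultdict(list)
    for f in findings:
        by_team[f["team"]].append(f)
    return {team: sorted(fs, key=lambda f: -f["severity"]) for team, fs in by_team.items()}


def recurrences(history):
    """Count distinct hosts per (/24 subnet, plugin) across all scans. The same
    finding on several hosts in one subnet points at a repeated deployment
    practice (e.g. an image or template) rather than a one-off mistake."""
    hosts = defaultdict(set)
    for scan in history:
        for f in scan:
            subnet = ".".join(f["host"].split(".")[:3]) + ".0/24"
            hosts[(subnet, f["plugin"])].add(f["host"])
    return {k: len(v) for k, v in hosts.items()}


if __name__ == "__main__":
    fixed, still_open, new = verify_remediation(PREVIOUS_SCAN, CURRENT_SCAN)
    print("fixed:", sorted(fixed), "\nstill open:", sorted(still_open), "\nnew:", sorted(new))
    print("per team:", {t: [f["plugin"] for f in fs] for t, fs in prioritised_by_team(CURRENT_SCAN).items()})
    print("recurrence:", recurrences([PREVIOUS_SCAN, CURRENT_SCAN]))
```

In the sample data the default-credentials finding disappears from one host and reappears on a new one in the same subnet, which a plain "did it go away" check would report as remediated; the recurrence count shows it is a repeat.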


To avoid a data breach in your organisation, we recommend this three-step approach:

  1. Focus on the basics

  2. Regularly scan for vulnerabilities

  3. Establish a robust process for tracking remediation