Business growth demands multi-level leadership development strategies
— By Karen White
Businesses establish a presence online so that they can communicate with their customers using the many web based applications like Web apps, forums, blogs and social media pages. The online interaction between businesses and customers has raised the quality of customer service and increased revenues. However, the same business and customer online interface features that brings these advantages also heighten the risk of database security breaches. The frequency of web launched attacks is increasing with regularity, so it is critical that all sized companies address database protection without reducing the ability to maintain web-based business systems. It is a fine line that businesses must walk to maintain online openness while reducing vulnerabilities as much as possible.
The 2012 Verizon Data Breach Investigations Report (DBIR) published this year contained some fascinating, though disturbing, information. Typical major database hackers are young activists trying to make a political or social statement by interrupting business operations. Hackers are defined as people using stolen credentials to gain access to a computer system or who get into a computer system by figuring out access codes or passwords and then steal records. Verizon’s research indicated the hackers committing the largest thefts are normally not doing it for personal gain. However, data breaches are also carried out by cybercriminal gangs, individuals testing their computer savvy or hoping for financial spoils, and even foreign governments. Verizon DBIR reviewed 855 breaches reported by officials in the U.S., Australia, the UK and Dutch countries. The hackers managed to steal 100 million records out of 174 million. They tend to get into the larger databases, steal as many records as possible in a short period of time, and then get out. However, smaller businesses are not exempt. In the case of hackers getting into small business systems, large scale, automated attacks are typical in which records are stolen over a long period of time.
One of the most recent trends is the growth in malnets. Malnets are server-side infrastructures built and maintained by criminals and are largely used to infect personal computers and botnets. The sophistication of the cybercriminals is growing each year, making it imperative for businesses to utilize outside experts who track criminal trends and develop current security measures.
Coming in Through the Backdoor
Thieves breach databases in three main ways by accessing web applications, remote access services, and backdoors. A backdoor is computerized access to a program that allows the user to bypass security systems. They were intended for use by programmers troubleshooting software, but the backdoors were soon opened by cybercriminals and hackers. The commonalities among the three methods of database access is the fact the intruders did not find the process difficult, the large majority involved servers, most took weeks to discover, and outside auditors or other third party persons discovered the breaches.
System vulnerabilities are due to the fast evolving nature of applications today, making it difficult and/or expensive to maintain state-of-the-art security. In addition, database systems now consist of layers of applications, user systems and networked programs. Unfortunately, small to medium sized businesses are trying to operate these sophisticated systems with limited resources that do not include adequate budgets for computer security. There are also misconceptions about security and web based applications. Business owners may mistakenly believe that their applications are providing the necessary database security when they are actually creating the access to the database.
Business owners may mistakenly believe that their applications are providing the necessary database security when they are actually creating the access to the database.
A common approach to instituting security used by budget restricted businesses has been piecemeal and involves identifying vulnerabilities and securing them before theft occurs, followed by security measures added in response to attempted or actual intrusions into the computer system. Another approach is to secure the data at each step of collection, access, use, sharing, archiving and destruction. This approach is best suited for businesses managing different databases, in which the steps are not in sync. Companies managing virtual data centers or cloud database deployments are likely to use this approach to provide multi-layer security.
Naturally, it is ideal to build a security system that can address the application and the database with equal vigor. Security experts have developed several approaches to protecting both, and the most cost effective choices depend on the size of the business and the complexity of the databases. In some cases, it may be possible to install web app firewalls along with security monitoring of the databases. However, this is not a practical approach when there are hundreds or thousands of web apps already installed. For companies that installed legacy applications, it may be the only truly effective security approach.
Point-of-Sale Systems a Security Hotspot
Small businesses using Point-of-Sale (POS) applications are particularly vulnerable to hackers. Restaurants, hotels and retailers are common targets because of the ease of getting into the systems. A New Hampshire indictment revealed that Romanian hackers had been stealing credit and debit card data from unsecured Subway restaurant POS systems since 2008. The hackers are estimated to have stolen over $10 million from more than 80,000 customers at 150 different franchises plus other small businesses. The criminals found access into the POS system via a back door on systems running remote desktop access software. The retailers were not using two-factor authentication on the applications running the remote POS access, as recommended by security experts.
Surprisingly, businesses are still using administrative passwords that are easy to guess. Administrative passwords used by system managers needs to be strong and periodically updated also. Implementing firewalls, maintaining updated antivirus and security software, and making sure that POS systems are only POS systems and cannot be used as web browsers will also help keep hackers and cyber thieves out. Any business using POS systems needs to verify their applications comply with the PCI Security Council Standards.
Though hackers and thieves are busy looking for ways into databases, simple measures can go a long way towards protecting systems. The one thing a business cannot afford to do is ignore the security system because there are plenty of people who are ready to pay it the wrong kind of attention.