Saturday, April 12, 2008

Data Breach: Are You Next? - Part 1

I thought I'd take some time to have a little talk about the growing trend of data breaches at organizations. There's no lack of these in the news, with the most recent being the loss of over 4 million credit cards by Hannaford. This gained a lot of publicity due to the scale of the breach. Just look at this month alone... there's already been 9 reports of data stolen from companies/organizations. I think it makes this an appropriate time to talk openly about breaches like the one at Hannaford, and what options network professionals have to combat these attacks.

If you're on my blog, you're at least starting in the right direction. Not every issue can be solved with money though, and that's the same with IT security. Security isn't something you implement or buy, security becomes a methodology by which you deploy all systems. The most secure networks can be ridden with applications that can leave holes open that firewalls can't protect against. These type of attacks are becoming the fad of data breaching. Previous hacks involved finding a way to DoS (denial-of-service) attack perimeter security measures, then breaching the systems behind them. The latest wave of attacks are much more intelligent and stealthy. These attacks actually target application vulnerabilities and inject malicious code on systems that are trusted by perimeter application servers. A common form of this is SQL injection. SQL injection allows the attacker to execute raw SQL code against backend database servers. Within a few steps from the initial SQL injection attack, the attacker has access to system level commands deep within the backend database servers. The most hardened perimeter ASA (Cisco Adaptive Security Appliance) won't block these ports, as the traffic is passed via standard web ports.

So what can we do? Is the answer to write more secure applications? That's one important change that can happen, but defenses cannot be left to the applications alone. Looks to part 2 of this series where I'll talk more in details about the logistics of these attacks and how you can defend with little investment in current technology. Part 3 will look at how we secure the environment end-to-send, and use MARS to correlate the massive amount of security data into actionable events. Happy defending...

-Mike

No comments: