The latest data breach figures reported by HMRC show that a total of 1,993 security breaches occurred between October 29, 2007 and the end of April 2008.
Despite the Government’s public statements of committing to tightening security measures after the highly public loss of 25 million records by the HMRC, it doesn’t seem that a comprehensive data-centric security plan has been put in place. Security breach figures within the HMRC have actually increased following the disc loss, jumping from eight to ten breaches a day!
Despite the fact that no links have been made officially to any data theft in this case, its unknown if the ‘lost’ data has been used maliciously. That said, data loss can be a catalyst to data theft, and it’s not limited to simply government entities and consumers – large global enterprises are the most often breached data centers. Just because lost or stolen data hasn’t been used yet doesn’t mean that it won’t be when the dust settles.
With any sensitive personal data being of paramount value to criminal groups, organizations and government agencies have to realize that what attackers are going for is the data – and that data almost always resides in the database. Criminals are more organised than they were previously, and they’re developing more sophisticated methods of attacking databases. An organisation that is known for having poor data security controls can become an easy target.
There are a few easy steps organizations can take that will put them on the path toward shoring up their data security measures:
1. Discovery of data – too many organizations don’t even know where their database applications reside within their overall network. The discovery process is integral for determining where data sits, and often, unknown databases turn up.
2. Assessing - assess the overall environment, checking default IDs and PW’s so that you can create an overarching view of your organization or agency’s database assets, what’s been deployed/what hasn’t to secure data already.
3. Prioritisation – prioritising your data security needs is key so that you can simply get started. For example, you can begin by securing a core group/cluster of databases, and then extend protections later.
4. Fix – where there have been unprotected databases, fix it. Deploy a vulnerability assessment solution that can scan multiple database applications with automated processes built in to scan for known vulnerabilities across the database environment.
5. Monitor – while you are deploying patches and fixes, which are time-consuming to any IT organisation, monitor your networks during the ‘patch-gap’ period so that you can track privileged activity and potential insider misuse.
Data security needs to be a top priority for all organisations. Protecting data where it lives, in the database, and realistically assessing the organisations’ challenges are two steps in the right direction. Just because an organization or agency hasn’t been breached per se, it doesn’t mean they aren’t vulnerable, or that they aren’t in the process of having data taken out from under their noses…
Written by George Fyffe, Director, EMEA Operations at Application Security, Inc. (www.appsecinc.com) which provides database security solutions for the enterprise. Its products proactively secure databases and delivers up-to-date database protection that minimizes risk for companies.