Protect Your Databases by Detecting Suspicious Activity

Apr 16, 2020

Some of an organization’s most important computing systems are the databases that store its information assets. They may contain multiple types of data that are extremely valuable to the enterprise. In some cases, a database stores sensitive personal information that must be protected in specific ways to remain compliant with regulatory guidelines. Other systems may hold proprietary information that gives a company its competitive edge. The business consequences associated with the misuse of this information can be quite severe.

The amount of attention that a database attracts from unauthorized entities is directly proportional to the value and sensitivity of the information it contains. Nobody is going to spend much time or energy trying to break into an SQL Server database that contains publicly available information. Even though the information may be organized in a particular way to address some business requirements, the fact that it can be obtained elsewhere minimizes its potential for being misused.

Using a database without proper authorization entails some risk for the perpetrator. The risk can manifest itself in a variety of ways depending on the identity of the culprit, the data that was compromised, and what was done with the information. It can range from a strongly worded memo from management to a substantial fine and potential criminal charges. The severity of the penalty is often commensurate with the damage done by the database intrusion.

Internal Threats to Your Databases

When considering data breaches and unauthorized use of information resources, the focus is usually on keeping outside actors from accessing the systems. This is usually done with a combination of network and system monitoring techniques that attempt to thwart access by unscrupulous groups or individuals. Monitoring of this kind is considered best practice and forms the first line of defense guarding your databases.

Sometimes overlooked is the threat posed by insiders who may have a certain level of authorization but misuse it, either mistakenly or for nefarious purposes. A case in point is the healthcare industry, in which 58% of security incidents in 2018 were caused by insiders. These breaches were perpetrated for several reasons.

  • 48% of insider breaches were financially motivated.
  • 31% were done out of curiosity or for entertainment reasons.
  • 10% of internal data breaches resulted from unsecured data handling procedures that users followed because they were convenient.

Health records are protected by strong security regulations such as HIPAA and their unauthorized use exposes organizations to financial penalties for lack of compliance. The damage done to the individuals whose data was compromised can also be considerable and may impact their lives for years to come.

Another example of insiders using sensitive data inappropriately can be seen in this case of misuse by law enforcement officials in California. Over the last decade, more than 1,000 law enforcement agency workers were found to have misused the state’s California Law Enforcement Telecommunications System (CLETS). In one case, an officer used the database to run criminal background checks on tenants renting apartments from his girlfriend in violation of the department’s usage policies.

Other instances of misuse include officers using information to locate individuals who were later harassed with repeated phone calls to their homes. One officer was caught writing phony tickets to individuals with whom they were involved in past litigation. In many cases, no criminal charges were filed against the officers. The impact of these data breaches included a loss of public confidence in the ability of the department to safeguard sensitive information.

Tightening SQL Server Security

Identifying internal misuse of databases and information assets can be challenging for IT teams. It is not as simple as stopping intruders at the door or network level since they are already inside the organization. The individual misusing data may be authorized to access a particular database for certain reasons and have decided to take advantage of their level of permission. It takes some thinking outside the box for DBAs to discover this type of internal data breach.

IDERA’s SQL Secure can help address the difficulty in stopping internal misuse of SQL Server databases. Using its security analysis and reporting capabilities, DBAs can look at security aspects such as effective rights and database role permissions that may need to be modified to fully protect their systems. The details of logon and configuration services can be displayed, and a security scorecard lists possible issues with your SQL Servers. Built-in and customizable reports can be used for security analysis and compliance evidence.

Understanding the permissions that have been granted to users can identify credentials that need to be modified to conform to security standards. This allows teams to trim the level of permission to minimize the potential of sensitive data being accessed improperly from within the organization. Repeated attempts by certain users to access data for which they are not authorized can point to potential human security weaknesses in the enterprise. Additional scrutiny can be focused on these individuals to prevent the misuse of valuable data resources.
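
The repeated-denial signal described above can be checked with a sliding window over audit records. The following is an added example, not part of the original article and not SQL Secure's code. The record layout, login names, threshold and window are constructed assumptions loosely modelled on SQL Server Audit output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real data). Assumed layout:
# event_time, login, statement, succeeded (1/0), object_name
SAMPLE_AUDIT = """\
2020-04-16T09:00:05,asmith,SELECT,0,dbo.PatientRecords
2020-04-16T09:01:10,bjones,SELECT,1,dbo.Appointments
2020-04-16T09:02:40,asmith,SELECT,0,dbo.PatientRecords
2020-04-16T09:04:15,asmith,SELECT,0,dbo.Billing
2020-04-16T09:30:00,bjones,UPDATE,0,dbo.Billing
2020-04-16T11:45:00,cdoe,SELECT,0,dbo.Payroll
2020-04-16T13:10:00,cdoe,SELECT,0,dbo.Payroll
2020-04-16T15:20:00,cdoe,SELECT,0,dbo.Payroll
2020-04-16T16:00:00,bjones,SELECT,0,dbo.Payroll
"""

def parse_audit(text):
    """Turn the CSV-style export into (time, login, statement, ok, object) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, login, statement, succeeded, obj = line.split(",")
        events.append((datetime.fromisoformat(ts), login, statement,
                       succeeded == "1", obj))
    return events

def flag_repeated_denials(events, threshold=3, window=timedelta(minutes=10)):
    """Return {login: [objects]} for logins with at least `threshold`
    denied attempts inside any `window`-long span."""
    recent = defaultdict(deque)   # login -> denied (time, object) still in window
    flagged = defaultdict(set)
    for ts, login, _statement, ok, obj in sorted(events):
        if ok:
            continue              # only permission denials count toward the signal
        q = recent[login]
        q.append((ts, obj))
        while ts - q[0][0] > window:
            q.popleft()           # drop denials that fell out of the window
        if len(q) >= threshold:
            flagged[login].update(o for _, o in q)
    return {login: sorted(objs) for login, objs in flagged.items()}

if __name__ == "__main__":
    for login, objs in flag_repeated_denials(parse_audit(SAMPLE_AUDIT)).items():
        print(f"review {login}: repeated denied access to {', '.join(objs)}")
```

A single denial is usually a typo or a stale report, so the threshold and window should be tuned against the normal denial rate for each environment before alerting on the result.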