4 Critical Steps To Address Database Vulnerabilities


IBM Corporation
Thought Leadership Article

4 Critical Steps to Address Database Vulnerabilities Before You Experience a Devastating Breach

Understanding and assessing your vulnerability is key to taking a proactive approach

December 2014

Four Steps to Improving Data Security Before You Experience a Devastating Breach

A data breach can be devastating. The average cost of a data breach is now $3.5 million, according to the latest Cost of Data Breach Study by the Ponemon Institute, which surveyed IT and security professionals at 314 companies across the world. The average cost paid for every lost or stolen record containing sensitive and confidential information is $145.[1]

The research also reveals that the impact on reputation and the loss of customer loyalty do the most damage to the bottom line—with spiraling costs continuing to affect the business long after a breach has taken place. As noted by the report: “In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers.”[2]

None of this will surprise IT leaders, CIOs, security professionals or compliance managers. What may be surprising, however, is the fact that, despite worldwide attention focused on data breaches, many organizations are still not taking a proactive approach in addressing data security and, unfortunately, remain unaware of just how vulnerable they may be.

A recent survey by Forrester of 200 security decision makers in the U.S., United Kingdom and Germany revealed several critical gaps that are making organizations increasingly vulnerable to data breaches.[3] These include:

- Firms mistakenly equate compliance with security. As noted by the report: “Compliance is the bare minimum, and not a substitute for robust security strategy. Compliance standards take time to change, whereas threats and technology are constantly evolving. As a result, it’s not unusual to see compliant companies still getting breached.”
- Companies struggle with data security and are not mature in measuring the success of data security initiatives. With the transition from network- and device-centric security to data-centric security, Forrester says organizations must undergo a significant cultural shift in order to make their data security practices more mature.
- For many companies, a data breach is only the wake-up call—and a costly one. Following a breach, 45% of companies implemented new security controls and policies. But for many, this was too late: 35% said the breach caused a lot of disruption, and 18% said layoffs followed a data breach. More often than not, companies are taking action as issues crop up and are just “hoping for the best.”

Given the potentially disastrous consequences of a breach, it is important for IT and security leaders to be aware that there are simple and extremely cost-efficient steps that any organization can take immediately to improve protection and reduce risks.

How can your organization reduce risk by taking a proactive approach to data security? Here are four key steps to take:

Step No. 1: Understand where—and why—you may be vulnerable.

It is important to recognize that data is the key target for security breaches, and database servers are the primary source of breached data. Database servers contain your most valuable information, and the information that is likely to be of most value to hackers, cybercriminals and anyone else who would do harm to your business.

Among the information contained in database servers are financial records, customer information, credit card and other account records, patient records and personally identifiable information. According to one survey, 96% of all breached records were in database servers, and 98% of the records breached within larger organizations were in database servers.[4]

While the same survey notes that 97% of breaches were avoidable through simple or intermediate controls, the unfortunate reality is that many organizations don’t have the basic controls in place to even identify which databases and database servers are most at risk.

The challenges are exacerbated by explosive growth of data and the spread/sprawl of databases across an organization. Many database administrators are simply not focused on security, meaning patches are not applied consistently and companies are unable to enforce consistent controls and reporting on systems from a variety of vendors across multiple releases.

The best way to start getting your databases under control is to start small, by identifying and addressing the challenges within your highest risk databases. How do you go about doing that? Start with Step No. 2, which is

Step No. 2: Conduct a vulnerability assessment.

You can use simple-to-use and inexpensive tools to assess the vulnerability of all the databases within your organization, and then take remedial steps to address those areas where you are most at risk. What can these tools enable you to do? Among the key functions and features to look for are the ability to:

- Provide the flexibility to address multiple database platforms: This ensures that your organization can not only address databases such as IBM DB2, Oracle and Microsoft SQL Server, but it also enables you to look for vulnerabilities in newer technologies that are common in big data analytics, such as NoSQL.
- Utilize automated tests on all databases to protect against every kind of vulnerability problem that is known to exist. This alleviates already-strained security and IT resources and ensures that tests are conducted consistently.
- Run those automated tests in minutes, without any complex or intrusive installations. This eliminates cumbersome installation and configuration processes that can reduce the willingness of administrators to use such a tool.
- Have the tests kept up to date and refreshed constantly, using industry-accepted best practices, so that data protection is an ongoing part of your business strategy and you are able to adjust to new types of threats on an ongoing basis.

Organizations can get started on this type of assessment quickly and without a significant impact on the IT budget. In fact, at the end of this paper there is a link to a free vulnerability assessment that uses best practices and automated processes to determine where your organization may be vulnerable and what you can do about it.

Step No. 3: Address your vulnerabilities, measure your improvements and replicate your successes across the entire organization.

Knowing where you are vulnerable is, of course, critical. It provides a baseline of where you stand. But you also need the tools to help you identify your challenges, fix your problems and measure your progress. Basically, you want to be able to see a “before” and “after” view. So, as part of the vulnerability assessment, look for a solution that can also:

- Give you a prioritized report of where you stand with every database instance.
- Provide recommendations on how to fix each problem.
- Deliver graphical representations of improvements over time, with the ability to see what has changed.
- Include a comprehensive list of entitlements, with links to a compliance workflow and database activity monitoring system to track how changes are enforced.

Once you’ve been able to identify and remediate problems in your most vulnerable databases, you can “socialize” the process and benefits throughout the organization. This way, you can get business and technology leaders in other departments to address their own vulnerabilities, rather than waiting for a breach to inform them.

Step No. 4: Implement a proactive strategy to protect your data.

Data protection is not a one-shot deal: It’s an ongoing business strategy. In industries such as financial services, the safety of data and account information is being used as a competitive differentiator. In other industries, such as retail, high-visibility data leaks have inflicted severe financial repercussions on several firms and are forcing companies to publicly address their security capabilities.

As noted by Forrester: “Good data security and control is more than just doing what is needed to stop bad things from happening. Realize there are real business opportunities for proactive data security. Identify how the business wants to use data, what data is required, and how to source this data.”[5]

A key step in developing a protection strategy is to harden your databases once you’ve verified that existing systems have been remediated. This means developing systems and processes to manage these key areas:

- Privileges: Manage unnecessarily loose user access permissions, while establishing checks for object creation and usage rights, privilege grants to DBAs and users, and system-level rights.
- Authentication: Verify password policies and default vendor accounts, ensuring that there are no empty passwords, remote login parameters, etc.
- Configuration: Find known configuration weaknesses. Check platform-specific variables such as maximum failed logins for DBA profiles.
- Version: Verify appropriate version numbers and patch levels.

In addition to hardening your databases, you will also want to ensure that you can deliver these key capabilities to strengthen data security:

- Real-time data activity monitoring to inspect data usage patterns and enforce security policies.
- E-discovery preparedness, with the ability to scan infrastructures for sensitive data/repositories.
- Data masking and encryption to limit the use of sensitive data in the event that it is lost or stolen.

The benefits of doing all of these things will stretch beyond security. They will also help to ensure regulatory compliance and give you much more control of your data so that you can use it more strategically across your business. A sound and proactive approach to data management can be a foundation for big data analytics that can lead to business innovation, better customer service and improved profitability.

Getting Started

Getting your databases and sensitive data secured is a business necessity. No organization wants to deal with the ramifications of a major breach. As noted by Forrester: “It will not be long before we see data security and privacy emerge as a business differentiator. Companies that are proactive in their efforts will have a competitive edge in this digital and data-driven economy.”[6]

The best way to get started is to conduct a vulnerability assessment to understand where you are vulnerable and what you can do to fix your challenges. This can be both simple and inexpensive, with a free 30-day vulnerability assessment from IBM. The IBM InfoSphere Guardium Vulnerability Assessment Evaluation Edition provides the key features and benefits described in this paper, including:

- Sensitive Data finder to crawl your databases.
- Database vulnerability scanning, which scans your databases running vulnerability tests.
- Vulnerability Reporting, which organizes test results and provides actionable recommendations.
- Entitlement Management, which tells you who has access to what.
- Configuration Audit System, which monitors changes at the operating system level that can expose your organization to attack.

Beyond the vulnerability assessment, IBM offers a wide range of capabilities to ensure that your proactive approach to data security addresses your long-term needs. These include InfoSphere Discovery, an e-discovery solution that can scan infrastructures for sensitive data/repositories; InfoSphere Guardium Data Activity Monitor, which can monitor database activity; InfoSphere Optim Data Privacy, which can mask data; and InfoSphere Guardium Data Encryption.

Are you ready to take the first step in improving data protection and security? Start by downloading the free InfoSphere Guardium Vulnerability Assessment.

Why IBM?

InfoSphere Guardium is part of the IBM Security Systems Framework and IBM InfoSphere Information Integration and Governance (IIG), a core component of IBM Watson Foundations, the IBM big data and analytics platform.

InfoSphere IIG provides market-leading functionality to handle the challenges of big data. It supports optimal scalability and performance for massive data volumes, agile and right-sized integration and governance for the increasing velocity of data, and support and protection for a wide variety of data types and big data systems. InfoSphere IIG helps make big data and analytics projects successful by giving business users the confidence to act on insight.

For More Information

To learn more about IBM InfoSphere Guardium for Applications, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/software/data/guardium

Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs, in the most cost-effective and strategic way possible. We’ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing

Copyright IBM Corporation 2014

IBM Corporation
Software Group
Route 100
Somers, NY 10589

Produced in the United States of America
December 2014

IBM, the IBM logo, ibm.com, BigFix and Fixlet are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

References

1. “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014
2. “Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis,” Ponemon Institute, May 5, 2014
3. “Implement a Proactive Strategy for Data Security,” Forrester Consulting, Sept. 2014
4. “2012 Data Breach Investigations Report,” Verizon RISK Team, 2012
5. Ibid, footnote No. 3
6. Ibid, footnote No. 3
