InformationWeek Feature
News
9/20/2007 04:30 PM

Rolling Review Wrap-up: Database Extrusion Prevention

Today's attackers are gunning for fortune, not fame, and they know the big score lies at the end of a SQL query. We tested five offerings that can provide protection.

When a web server attack exposed Second Life customer data last September, Linden Lab invalidated all user passwords and announced that one lowly SQL injection flaw had enabled attackers to run arbitrary SQL commands on a back-end database. The company admitted that 650,000 names along with contact information, encrypted passwords, and payment data had been compromised.

Fast forward to May, when University of Missouri employees probably wished they were in some alternate universe. IT staff noticed abnormal application behavior on May 3 and the next day discovered a mother lode of errors. One vulnerability was in a Web page used to check the status of help desk issues, and by exploiting a SQL injection flaw, an attacker was able to retrieve names and Social Security numbers the old-fashioned way--one record at a time, using tens of thousands of Web requests.

By the time IT realized what was happening, sensitive data on 22,396 people was long gone.

YOUR MONEY AND YOUR DATA

It's no coincidence that over the past year an increasing number of security breaches have been the result of database compromises, rather than pilfered laptops. Steal a PC from a car and you might get nothing but some hardware and an MP3 collection. Infiltrate a database of customer information and the possibilities are endless. And this trend will only continue as more companies deploy data-rich online services needing database back ends.


In the case of Second Life, attackers mined personal information on thousands of users who might have ended up the focus of highly targeted phishing scams. For the University of Missouri, affected employees must worry about identity theft because of one insecure Web application and an old database still left in service.

Sure, it would be ideal if secure programming techniques were always followed when developing Web applications. But let's face it, basing your data security strategy on developers producing bulletproof apps is like going to a shootout with one round in your magazine.

A better idea? Had Linden Lab and UM deployed database extrusion prevention systems at the time of the compromises, these breaches could likely have been prevented. The offerings we reviewed in our DBEP Rolling Review can keep abnormally large numbers of records from being returned, as in the Linden Lab compromise, and block the SQL injection attacks seen in the UM hack. Note the difference between the two cases: Second Life was the volume problem, while the UM attacker pulled one record per request across tens of thousands of requests, so a per-query row-count threshold alone would not have tripped. What matters there is recognizing and blocking the injected statement itself, and noticing that one Web page is suddenly issuing far more queries than it ever has.

In the arsenal of IT defenses, DBEP systems have a slight advantage over standard data leakage protection products, which sit at the network perimeter or run as endpoint agents, in that they can be placed directly in front of your databases. They see the query and the result set before an attacker can obfuscate, transform, or encrypt the data to evade detection. A DLP product that only watches the network can be sidestepped if the attacker gains enough control over the data to reshape it before it is shuttled out.
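To make concrete what a policy sitting in front of the database can and cannot catch, here is an added example; it is not code from the article or from any of the reviewed products. It models a help-desk status page like the one in the UM story with a throwaway SQLite table, shows the string-built query beside its parameterized fix, and then runs the raw SQL through a hypothetical `ExtrusionPolicy` that enforces three controls in the spirit of the DBEP products: the statement must match a known query shape (literals stripped), the result set must stay under a row limit, and one source may not issue more than a set number of queries. The table name, data, thresholds, and class and function names are all assumptions made for the demonstration.

```python
import re
import sqlite3
from collections import defaultdict

# Constructed sample data standing in for a help-desk back end. Nothing
# here comes from the breaches described in the article.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER, owner TEXT, ssn TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?, ?)",
        [(i, f"user{i}", f"000-00-{i:04d}", "open" if i % 2 else "closed")
         for i in range(1, 201)],
    )
    return conn

# Vulnerable pattern: the ticket id is pasted into the SQL string, so a
# value such as "1 OR 1=1" rewrites the WHERE clause.
def lookup_vulnerable(conn, ticket_id):
    sql = f"SELECT id, owner, status FROM tickets WHERE id = {ticket_id}"
    return conn.execute(sql).fetchall()

# Hardened pattern: a bound parameter is always data, never SQL.
def lookup_safe(conn, ticket_id):
    return conn.execute(
        "SELECT id, owner, status FROM tickets WHERE id = ?", (ticket_id,)
    ).fetchall()

# Quoted strings (with '' escapes) and numeric literals.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")

def normalize(sql):
    """Replace literals with '?' and collapse whitespace so statements can
    be compared by shape rather than by the values they carry."""
    return re.sub(r"\s+", " ", _LITERAL.sub("?", sql)).strip().lower()

class ExtrusionPolicy:
    """Hypothetical in-line policy: inspects the SQL before execution and
    the result set before it leaves the database tier."""

    def __init__(self, allowed_shapes, max_rows, max_queries_per_source):
        self.allowed = {normalize(s) for s in allowed_shapes}
        self.max_rows = max_rows
        self.max_queries = max_queries_per_source
        self.seen = defaultdict(int)  # queries observed per source

    def check_query(self, sql, source):
        self.seen[source] += 1
        if self.seen[source] > self.max_queries:
            return False, "rate: too many queries from source"
        if normalize(sql) not in self.allowed:
            return False, "shape: statement does not match any known query"
        return True, "ok"

    def check_result(self, rows):
        if len(rows) > self.max_rows:
            return False, f"volume: {len(rows)} rows exceeds limit of {self.max_rows}"
        return True, "ok"

def guarded_lookup(conn, policy, sql, source):
    """Run the application's (possibly injected) SQL through the policy.
    Returns (allowed, reason, rows)."""
    ok, why = policy.check_query(sql, source)
    if not ok:
        return False, why, []
    rows = conn.execute(sql).fetchall()
    ok, why = policy.check_result(rows)
    if not ok:
        return False, why, []
    return True, why, rows

def status_page_sql(ticket_id):
    # The same string building the vulnerable page does; the policy sits behind it.
    return f"SELECT id, owner, status FROM tickets WHERE id = {ticket_id}"

def demo():
    conn = build_db()
    policy = ExtrusionPolicy(
        allowed_shapes=[
            "SELECT id, owner, status FROM tickets WHERE id = 0",
            "SELECT id, owner, status FROM tickets WHERE status = ''",
        ],
        max_rows=5,
        max_queries_per_source=50,
    )
    src = "10.0.0.5"  # constructed client address
    results = {
        "injected_unguarded": len(lookup_vulnerable(conn, "1 OR 1=1")),
        "injected_parameterized": len(lookup_safe(conn, "1 OR 1=1")),
        "normal": guarded_lookup(conn, policy, status_page_sql("7"), src),
        "tautology": guarded_lookup(conn, policy, status_page_sql("1 OR 1=1"), src),
        "union": guarded_lookup(conn, policy,
                                status_page_sql("1 UNION SELECT id, owner, ssn FROM tickets"), src),
        "bulk": guarded_lookup(conn, policy,
                               "SELECT id, owner, status FROM tickets WHERE status = 'open'", src),
    }
    # One record per request, many requests: each query is legitimate in
    # shape and size, so only the per-source counter catches the scrape.
    last = None
    for i in range(1, 60):
        last = guarded_lookup(conn, policy, status_page_sql(str(i)), "10.0.0.9")
    results["scrape"] = last
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The shape check is the control that stops both the tautology and the UNION variant of the UM-style attack; the row limit is what the Second Life case needed; and the per-source counter is the only one of the three that sees a one-record-at-a-time scrape. Real products learn the allowed shapes from observed traffic rather than taking a hand-written list, and they would key the rate check on the application account or connection as well as the source address.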

Enterprises worried about exposure through attacks against Web servers with database back ends, the database servers themselves, or via misuse by authorized users have protection options--we were generally pleased with the products we reviewed, with only a couple of exceptions. These products aren't one-size-fits-all, but any of the five could have prevented a good number of the breaches that are currently making news.
