Database Security Discussion Lacking at RSA Conference

Tuesday, March 01, 2011

Alexander Rothacker



Earlier this month I got to attend the RSA conference for the first time. I won an all-access pass to the show thanks to the folks at Infosec Island (thanks guys!) and had the opportunity to attend some thought-provoking sessions.

My biggest takeaways from the RSA Conference: As someone working in data security, I was shocked and disappointed at how little the data security experts actually discussed database security. The playing field still seems undefined. 

The discussions focused on tagging and fingerprinting data so that the data can be tracked, relying on database vendors for logging to protect sensitive information and even relying on the vendors for the security of sensitive data. While logging is better than nothing, it's definitely not a replacement for Database Activity Monitoring (DAM).

DAM allows for proper configurations, the ability to monitor for malicious activity at a granular level, and if done right can also log privileged user activity. In addition, why would you trust your database vendor to protect your databases if their main product is riddled with security vulnerabilities that they are unable to remediate in a timely manner?

Nobody talked about how to properly harden your database configuration or how to do regular vulnerability assessments. Everybody is patching their OS, but databases still only get patched once or twice a year – and in some cases never. Some organizations are running database management systems (DBMS) that have been out of support for several years. 

In this scenario, patches are no longer being produced by the vendors. These unpatched vulnerabilities are the way to attack an organization's crown jewels – the databases holding critical information. Once a patch is released, the details on it are public information and it's easy enough for a hacker to reverse engineer the patch and compromise the database.

This industry needs to wake up. Organizations need to get the DBAs, IT Managers, and CISOs involved in a positive way. They need to work together with the security teams and start improving database security. And there remains a need for education on the best practices for securing sensitive information. The database is nearly always the target of hacks. According to Verizon Business (PDF), the database server accounted for 92% of all compromised records.

Additional Takeaways from RSA

On Monday, I attended a leadership development track for security professionals. I took away some informative tips on how to be a security champion in your organization and how to initiate much-needed attitude changes.

Redefining ROI when it comes to the lack of security investments, by highlighting the ‘Risk of Incarceration’ is a good first step.  Most CISOs don’t have an MBA and traditional management background; instead they typically have some kind of background in IT, as a DBA or similar role. Getting out of their technology comfort zone is hard and it requires effort and practice.

This track also provided a role play for ‘what happens when you get breached’ – which was one of the most disappointing parts of the session. The key takeaways were: Duck, Hide and Run. The session recommended that organizations get lawyers involved, don’t disclose anything, keep the breach quiet as long as possible, and even suggested that law enforcement will stay quiet if you work with them.

I don't believe in these methods. Breach disclosures warn other organizations and allow them to take precautions to ensure that they are not taken down by the same schemes. If done properly, notification can help organizations earn back their customers' trust.

Later during the conference, Brian Krebs hosted a session titled, “Up-to-the-Minute Hacking Threats”. The session provided some great insight from Wade Baker of Verizon Business and Jeremiah Grossman of WhiteHat Security.

One of their main topics was how data gets stolen – by breaking through the perimeter layers using SQL Injection, escalating privileges and then cleaning out the database. It happens time and time again.
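To make the DAM argument from earlier concrete, and to show what "granular" monitoring of the SQL injection, privilege escalation, bulk extraction chain described here looks like in practice, below is an added illustration (not code from the post or from any DAM product): a small rule set applied to constructed database audit records. The user names, tables and statements are all invented sample data.

```python
import re
from collections import Counter

# Constructed sample audit records (user, client address, statement).
# These are invented for the example; they are not real log data.
SAMPLE_AUDIT = [
    ("app_user", "10.0.1.20", "SELECT name FROM customers WHERE id = 4711"),
    ("app_user", "10.0.1.20",
     "SELECT name FROM customers WHERE id = 0 OR 1=1 UNION SELECT card_number FROM cards"),
    ("app_user", "10.0.1.20", "GRANT DBA TO app_user"),
    ("app_user", "10.0.1.20", "SELECT * FROM cards"),
    ("dba_jane", "10.0.9.5", "ALTER TABLE cards ADD COLUMN note VARCHAR(200)"),
    ("reporting", "10.0.2.7", "SELECT count(*) FROM cards"),
]

# Hypothetical policy: which tables hold sensitive data and who is privileged.
SENSITIVE_TABLES = {"cards", "customers"}
PRIVILEGED_USERS = {"dba_jane"}

# Rule 1: injection indicators (tautology, UNION-based extraction).
SQLI_PATTERNS = [
    re.compile(r"\bOR\s+1\s*=\s*1\b", re.I),
    re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
]
# Rule 2: privilege changes, the escalation step of the chain.
PRIV_CHANGE = re.compile(r"^\s*(GRANT|REVOKE|CREATE\s+USER|ALTER\s+USER)\b", re.I)
# Rule 3: whole-table reads of a sensitive table with no WHERE clause.
BULK_READ = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+(\w+)\s*;?\s*$", re.I)


def evaluate(record):
    """Return the list of alert names raised for one audit record."""
    user, _client, stmt = record
    alerts = []
    if any(p.search(stmt) for p in SQLI_PATTERNS):
        alerts.append("sqli_pattern")
    if PRIV_CHANGE.match(stmt):
        alerts.append("privilege_change")
    m = BULK_READ.match(stmt)
    if m and m.group(1).lower() in SENSITIVE_TABLES:
        alerts.append("bulk_read_sensitive")
    # Rule 4: every statement by a privileged account is recorded, not just
    # the suspicious ones, so DBA activity has an independent audit trail.
    if user in PRIVILEGED_USERS:
        alerts.append("privileged_user_activity")
    return alerts


def summarize(records):
    """Count alerts by type across a batch of audit records."""
    return Counter(a for r in records for a in evaluate(r))
```

Plain vendor logging would record all six statements identically; the rules above separate the routine reads from the three steps of the attack chain and keep a distinct trail for the DBA's schema change.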

What puzzles me is that most organizations are protecting the endpoint and the desktops, but not the database. Why don’t they protect the database? It seems incredibly obvious, but it’s clearly not happening as often as it should be.

Hopefully next year’s RSA Conference provides more education on database security – after all, that’s where sensitive information spends 99% of its lifecycle.
