5 ways to avoid compromised database credentials
- By Steve Hunt
- Jun 09, 2016
The term “insider threat” is widely misunderstood. More often than not, the “insiders” are actually malicious outsiders who have penetrated an organization’s perimeter defenses and are using stolen, yet legitimate, credentials to mine valuable data. An outside attacker with legitimate credentials is now an insider with all of the privileges assigned to that stolen login.
These insider threats have become an enormous risk to enterprises, governments and the military; the 2016 IBM Cyber Security Intelligence Index found that 60 percent of all attacks originated from insiders.
Given that an enterprise’s most important information resides in databases, IT managers are increasingly focused on protecting databases and their infrastructures with specifically designed security measures, rather than relying on porous perimeter security. But once an attacker has stolen database credentials, most organizations still lack the necessary security tools to identify when the attacker has begun using these credentials to access the organization’s information systems.
Following these top five best practices will help enterprises identify and protect databases from bad actors attempting to use stolen database credentials to appear as legitimate insiders.
1. Continuously discover the entire database infrastructure.
Extensive analysis suggests many enterprises possess far more active databases than they believe they have. It is vital, for purposes of both security and compliance, to understand the entire scope of the database environment. Often when previously unknown databases are discovered, they have default credentials enabled, making them easy for an attacker to exploit. Agencies should invest in automated database discovery to continuously identify all databases that are active on their networks.
2. Implement privileged session management.
In environments where there is the possibility of credentials being compromised, a privileged session manager acts as a credential proxy to connect users to systems without exposing privileged credentials to individual users or their endpoints. The privileged session manager monitors and records the session activity to ensure policies are followed and to maintain forensic data.
3. Enforce least-privilege access.
It's more secure to assign users a minimal set of permissions and grant additional access as needed, as opposed to granting comprehensive permissions and tightening them over time. As employees advance and change job responsibilities, they tend to accumulate a variety of user privileges, many of which are no longer required for their present position. If these high-privilege individuals are in IT and have retained access to privileged accounts, then they become a high security risk. Losing just one set of credentials could potentially expose numerous sensitive systems. Enterprises must be vigilant in tracking which users and applications have access to what databases and reclaiming credentials when the user’s job function no longer requires them.
4. Enforce strong passwords.
Lacking proper education and policy enforcement, users will commonly select weak passwords as a matter of convenience. Passwords consisting of few characters with no numbers or any special characters are highly vulnerable to brute-force credential theft via freely available hacking tools. But it’s not enough to simply enforce strong passwords. Enterprises need to make credential management easy for employees. A single sign-on solution with multifactor authentication is recommended as a further step for improving users’ passwords.
5. Implement advanced compromised credential identification.
An automated, machine learning-based security appliance can significantly reduce security operations resources required to accurately identify compromised credentials. Authorized users tend to use databases in a highly predictable way, usually accessing the same tables and from the same endpoint. When intruders gain control of legitimate credentials, their operations will differ significantly from the legitimate users’ baseline activity. By analyzing all of the data flows being exchanged in the infrastructure, an operational model of the stable data flows can be automatically created. Behavioral analysis can compare credential activities against that baseline to identify any credential abuse -- a clear indication of an insider threat.
Today hackers are gaining access to the credentials of what should be the most secure organizations. Although the implementation of best practices will substantially improve security in this area, automation is also required to rapidly and reliably detect credential theft and address the insider threat. With more security awareness, in combination with the best practices above, organizations can immediately identify malicious attackers abusing database credentials and stop today’s most destructive attacks.
Steve Hunt is president and COO of DB Networks.