The Problem
Databases are a key component in information storage for almost every modern business, from the medical industry to the financial industry to national security, and because they also are part of the underlying structure for many applications, they are a popular target for malicious attacks. A long list of highly publicized data breaches over the past several years highlights the growing threat to database security in general and illustrates the rise of this type of attack. Even the nation's largest and most powerful companies are vulnerable. Well-known examples include the CardSystems security breach, where hackers stole 263,000 customer credit card numbers and exposed 40 million more, and the TJ Maxx incident in 2005, where 45.7 million credit card numbers reportedly were revealed. Attackers can exploit vulnerabilities in unprotected databases to create malicious files and libraries, to access database administrator-level privileges, to obtain sensitive data, and to cause disruptions in service.
Most companies utilize databases heavily, but few have the specialized security knowledge necessary to effectively assess their security levels and prevent threats from materializing. Traditional security solutions, such as perimeter and intrusion-detection systems (IDS), are insufficient, as they show attacks only after they have occurred. At this point, data may already be lost. Intrusion-prevention systems (IPS) often fail because attacks against the database can be cleverly obfuscated. Database encryption, another common approach that protects data at rest, still may not be effective against privileged users or hackers who hijack application servers to reach back-end databases (such as in SQL injection attacks). Without specific database protection, any security system lacks the important element of layered security that further shields confidential data.
Budgetary restraints may prevent organizations from hiring a full-time database security specialist. Many companies turn to network administrators, who may have a limited understanding of the database platform, to secure their entire solution. Hackers and security vulnerabilities always will threaten IT systems, so it's essential that database administrators have the right information and a solid strategy to properly secure their databases and to protect their most important data.
www.fishnetsecurity.com
management systems. FishNet Security personnel first gather information to identify weaknesses; next, they utilize the results to test for known issues and to discover any vulnerabilities present; and finally, they provide a vulnerability analysis, which consists of the detailed findings and recommendations needed to secure a company's database.
Finally, FishNet Security analyzes the data collected, aggregating and correlating all data to create a deliverable with pertinent information about discovered vulnerabilities. Within this report, direct feedback and recommendations are provided based on testing data, professional experience, analysis, and input from client technical staff. FishNet Security's reports explain findings from a causality perspective, focusing on the underlying causal flaws that create database weaknesses and add unnecessary risk. Each finding's technical impact and the steps required for remediation are explained.
Conclusion
By providing a comprehensive, three-phase assessment conducted by leading experts in database security, FishNet Security offers its clients a cost-effective approach to protecting their confidentiality. A Database Security Assessment from FishNet Security helps companies meet regulatory compliance requirements; helps prevent unauthorized activities by potential hackers, privileged insiders, and end-users of enterprise applications such as Oracle or EDS; and helps avoid exposure of critical information that can cause costly legal issues, identity theft, fraud, disruptions in sales and service, loss of business opportunities, and damage to a company's reputation.