Databases have become increasingly sophisticated over the last decades. The relational database is the most common. This technology allows data to be viewed in dynamic ways based on the user’s or administrator’s needs. The most common language used to communicate with databases is Structured Query Language (SQL). SQL allows users to pass queries to database servers in real time. This flexibility causes a major vulnerability when it isn’t securely implemented. Don’t confuse the language SQL with Microsoft’s database product SQL Server, though, like most databases, SQL Server uses Structured Query Language.
Early database systems connected the end user directly to the data through applications. In a private network, physical security was usually all that was needed to protect the data. Now, to improve the performance and security of databases, companies chose one of these models:
NoSQL is a relatively new concept. As noted above, most commercial relational database management systems (Oracle, Microsoft SQL Server, MySQL, PostGres, and so forth) use SQL. A NoSQL database is not a relational database and does not use SQL. These databases are less common than relational databases but often used where scaling is important. Here are some key differences:
|Feature||NoSQL Database||SQL Database|
|Data storage||Stores everything in a single |
nested document, often in XML
|Individual records are stored as |
rows in tables (table-based)
|Benefits||Can handle large volumes of |
structured, semi-structured, and
|Widely supported and easy to |
configure for structured data
|Typical scaling model||Horizontal (add more servers)||Vertical (upgrade the server)|
|Popular vendors/ implementations||MongoDB, CouchDB||Oracle, Microsoft, MySQL|
|Susceptible to SQL injection attacks?||No, but susceptible to similar |
Some organizations store extremely large amounts of data, often many terabytes. This “big data” normally cannot fit on a single server, so instead it is stored on a storage area network (SAN). A SAN is a separate network that is set up to appear as a server to the main organizational network. For example, multiple servers and network storage devices might be configured as a mini-network that has one purpose: to store several terabytes of data. It is connected to the main network so users can access the data in the SAN without being concerned about the complexities involved there. SANs usually have redundant servers, and they are connected via high-speed fiber optic connections or iSCSI running on copper.
One of the issues with big data is that it can reach a size where it becomes difficult to search, store, share, back up and manage it.
File systems are another way to store unstructured data and control how it is retrieved. Without a file system, information placed in a storage medium would be one large body of data with no way to tell where one piece of information stops and the next begins. Separating the data into pieces and giving each piece a name enables the information to be easily isolated and identified.
File systems can be used on many different kinds of media, such as SSDs, magnetic tapes and optical discs. File system types depend on the operating system used; for example, Linux uses file systems such as ext family, xfs and jfs; Windows OS uses fat, fat32 and ntfs; and MacOS uses apfs and hfs+.
To protect data effectively, you need to know exactly what types of data you have. Data discovery technology will scan your data repositories and report on the findings. Then you can organize the data into categories using a data classification process. Data discovery engine usually uses regular expressions for its searches, which is a very flexible thing but quite complicate in creation.
Using data discovery and classification technology helps you control user access to critical data and avoid storing it in unsecure locations, thus reducing the risk of improper data exposure and data loss. All critical or sensitive data should be clearly labeled with a digital signature that denotes its classification, so you can protect it in accordance with its value to the organization. Third-party tools, such as Netwrix Data Classification, can make data discovery and classification easier and more accurate.
As data is created, modified, stored or transmitted, the classification can be updated. However, controls should be in place to prevent users from falsifying the classification level. For example, only privileged users should be able to downgrade the classification of data.
Of course, data classification alone is not sufficient; you need to create a policy that specifies access types, conditions for data access based on classification, who has access to data, what constitutes correct usage of data, and so on. Don’t forget that all policy violations should have clear consequences.
You also need to apply appropriate access controls to your data. Access controls should restrict access to information based on the principle of least privilege: Users have to get only those privileges that are essential to perform their intended function. This helps to ensure that only appropriate personnel can access data. Access controls can be physical, technical or administrative, as explained below.
Administrative access controls are procedures and policies that all employees must follow. A security policy can list actions that are deemed acceptable, the level of risk the company is willing to undertake, the penalties in case of a violation, etc. The policy is normally compiled by an expert who understands the business’s objectives and applicable compliance regulations.
Supervisory structure is an important part of administrative controls. Almost all organizations make managers responsible for the activities of their staff; if an employee violates an administrative control, the supervisor will get held accountable as well.
Personnel education and awareness
Training should be provided to make users aware of the company’s data usage policies and emphasize that the company takes security seriously and will actively enforce the policy. In addition, users should be periodically reeducated and tested to reinforce and validate their comprehension. Security measures are in place to limit what users can do but those tools aren’t perfect. If users open every attachment in every e-mail, chances are high that some zero-day attack or other exploit not listed in your antivirus database will compromise a machine. Therefore, users need to be educated about their responsibilities and best practices for proper computer usage.
Employee termination procedure
Ensuring that each departing employee retains no access to your IT infrastructure is critical to protecting your systems and data. You need to work with HR to develop an effective user termination procedure that protects your organization legally and technologically from former employees. Follow these user termination best practices in order to achieve that goal.
In most cases, users should not be allowed to copy or store sensitive data locally. Instead, they should be forced to manipulate the data remotely. The cache of both systems, the client and server, should be thoroughly cleaned after a user logs off or a session times out, or else encrypted RAM drives should be used. Sensitive data should ideally never be stored on a portable system of any kind. All systems should require a login of some kind, and should have conditions set to lock the system if questionable usage occurs.
User permissions should be granted in strict accordance with the principle of least privileges. Here are the basic file permissions in Microsoft operating systems:
Folders have the same permissions, plus one more — list folder contents, which enables the user to see what is in the folder but not to read the files.
Access control lists
An access control list (ACL) is a list of who can access what resource and at what level. It can be an internal part of an operating system or application. For example, a custom application might have an ACL that lists which users have what permissions in that system.
ACLs can be based on whitelists or blacklists. A whitelist is a list of items that are allowed, such as a list of websites that users are allowed to visit using company computers, or a list of third-party software that is authorized to be installed on company computers. Blacklists are lists of things that are prohibited, such as specific websites that employees are not permitted to visit or software that is forbidden to be installed on client computers.
In the file management process, whitelist ACLs are used more commonly, and they are configured at the file system level. For example in Microsoft Windows, you can configure NTFS permissions and create NTFS access control lists from them. You can find more information about how to properly configure NTFS permissions in this list of NTFS permissions management best practices. Remember that access controls should be implemented in every application that has role base access control (RBAC); examples include Active Directory groups and delegation.
Security devices and methods
Certain devices and systems help you further restrict access to data. Here is the list of the most commonly implemented ones:
Physical security is often overlooked in discussions about data security. Having a poor policy on physical security could lead to a full compromise of your data or even network. Each workstation should be locked down so that it cannot be removed from the area. Also, a lock should be placed so that the case cannot be opened up, exposing the internals of the system; otherwise, hard drives or other sensitive components that store data could be removed and compromised. It’s also good practice to implement a BIOS password to prevent attackers from booting into other operating systems using removable media. Mobile devices, such as smartphones, tablets, laptops, USB flash drives, iPods, and Bluetooth devices require special attention, as explore below.
With laptops, the biggest concerns are loss and theft, either of which can enable malicious parties to access the data on the hard drive. Full-disk encryption should be used on every laptop within an organization. Also, using public wi-fi hotspots is never a good idea unless a secure communication channel such as a VPN or SSH is used. Account credentials can be easily hijacked through wireless attacks and can lead to compromise of an organization’s network.
Mobile device security
Mobile devices can carry viruses or other malware into an organization’s network and extract sensitive data from your servers. Because of these threats, mobile devices need to be controlled very strictly. Devices that are allowed to connect should be scanned for viruses, and removable devices should be encrypted. It is great to use NAC for that purpose.
It is important to focus in on the data, not the form factor of the device it resides on. Smartphones often contain sensitive information, yet less security protection is applied to them than to laptops that contain the same information. All mobile devices that can access sensitive data should require the same-length passwords and have the same access controls and protection software.
Another big data leakage instrument is a smartphone with a camera that can take high-resolution photos and videos and record good-quality sound. It is very hard to protect your documents from insiders with these mobile devices or detect a person taking a photo of a monitor or whiteboard with sensitive data, but you should have a policy that disallows camera use in the building.
Network segmentation involves segregating the network into logical or functional units called zones. Each zone can be assigned different data classification rules, set to an appropriate level of security and monitored accordingly. Segmentation limits the potential damage of a compromise to a single zone. Essentially, it divides one target into many, leaving attackers with two choices: treat each segment as a separate network, or compromise one and attempt to jump the divide. Neither choice is appealing. Treating each segment as a separate network creates a great deal of additional work, since the attacker must compromise each segment individually; this approach also dramatically increases the attacker’s exposure to being discovered. Attempting to jump from a compromised zone to other zones is difficult because, if the segments are designed well, then the network traffic between them can be restricted. There are always exceptions that must be allowed through, such as communication with domain servers for centralized account management, but this limited traffic is easier to characterize.
Monitoring all critical facilities in your company by video cameras with motion sensors and night vision is essential for spotting unauthorized people trying to steal your data via direct access to your file servers, archives or backups, as well as spotting people taking photos of sensitive data in restricted areas.
Locking and recycling
Your workspace area and any equipment should be secure before being left unattended. For example, check doors, desk drawers and windows, and don’t leave papers on your desk. All hard copies of sensitive data should be locked up, and then be completely destroyed when they are no longer needed. Also, never share or duplicate access keys, ID cards, lock codes, and so on.
Before discarding or recycling a disk drive, completely erase all information from it and ensure the data is no longer recoverable. Old hard disks and other IT devices that contained critical information should be physically destroyed; assign a specific IT engineer to personally control this process.
Another security measure is to log all database and file server activities. Login activity has to be maintained for at least one year for security audits. Any account that exceeds the maximum number of failed login attempts should automatically be reported to the information security administrator for investigation. Being able to spot changes to sensitive information and associated permissions is critical. Using historical information to understand what data is sensitive, how it is being used, who is using it, and where it is going gives you the ability to build effective and accurate policies the first time and anticipate how changes in your environment might impact security. This process can also help you identify previously unknown risks. There are third-party tools that simplify change management and auditing of user activity, such as Netwrix Auditor.
Encryption is one of the most fundamental data security best practices, yet it is often overlooked. All critical business data should be encrypted while at rest or in transit, whether via portable devices or over the network. Portable systems should use encrypted disk solutions if they will hold important data of any kind.
For desktop systems that store critical or proprietary information, encrypting the hard drives will help avoid the loss of critical information even if there is a breach and computers or hard drives are missing. For example, the most basic way to encrypt data on your Windows systems is Encrypting File System (EFS) technology. If you use EFS to protect data, unauthorized users cannot view a file’s content even if they have full access to the device. When an authorized user opens an encrypted file, EFS decrypts the file in the background and provides an unencrypted copy to the application. Authorized users can view or modify the file, and EFS saves changes transparently as encrypted data. If unauthorized users try to do the same, they receive an “Access denied” error.
Another encryption technology from Microsoft is BitLocker. BitLocker complements EFS by providing an additional layer of protection for data stored on Windows devices. BitLocker protects devices that are lost or stolen against data theft or exposure, and it offers secure data disposal when you decommission a device.
In addition to software-based encryption, hardware-based encryption can be applied. Within the advanced configuration settings on some BIOS configuration menus, you can choose to enable or disable a Trusted Platform Module (TPM). A TPM is a chip that can store cryptographic keys, passwords or certificates. A TPM can be used to assist with hash key generation and to protect smartphones and devices other than PCs as well. It can also be used to generate values used with whole disk encryption, such as BitLocker described above. A TPM chip may be installed on the motherboard.
Critical business assets should be duplicated to provide redundancy and serve as backups. At the most basic level, fault tolerance for a server means a data backup. Backups are simply the periodic archiving of the data so that if there is a server failure you can retrieve the data. From a security point of view, there are three primary backup types with which we are concerned:
Full backup is the best backup strategy but it has drawbacks. Consider a scenario where you do a full backup at 1 a.m. each morning. You are concerned about the possibility of a server crash before the next full backup, so you want to do a backup every two hours as well. Which type of backup should you choose? Let’s consider each option and what would happen if the system crashes at 5:10 a.m. If you do a full backup every two hours beginning at 1 a.m., then when the system crashes at 5:10 a.m., you simply need to restore the 5:00 a.m. full backup. However, running a full backup every two hours is very time consuming and resource intensive, and it will have a significant negative impact on server performance.
In this scenario, you do a full backup at 1 a.m. and then perform a differential every two hours thereafter. When the system crashes at 5:10 a.m., you have to restore the full backup from 1 a.m. and the differential backup from 5 a.m. This takes just one more step than restoring the full backup. Keep in mind, however, that the differential backups are going to get larger each time you do them and thus more time consuming and resource intensive. Although they won’t have as much impact as the full backups, they will still slow down your network.
In this scenario, you do a full backup at 1 a.m. and then an incremental backup every two hours. When the system crashes at 5:10 a.m., you need to restore the last full backup done at 1 a.m. and then each incremental backup since then — and they must be restored in order. This is much more complex task, but each incremental backup is small and does not take much time or resources to create.
There is no single correct choice of what backup to use. The proper choice depends on your organization’s needs. Whatever backup strategy you choose, you must periodically test it. The only effective way to test your backup strategy is to restore the backup data to a test machine. One of the top best practices is to store your backups in geographically different places to prevent disasters such as acts of nature or accidents (e.g., hurricanes, fires or hard-disk failures) from destroying the business’s IT core. Backups should be performed incrementally across multiple disks and servers, and on different time schedules (daily, weekly and monthly). Preferably, these incremental backups should save a base copy and each modification should reflect only the changes to the base copy, or a closely matching previous version. This allows for proper versioning and can help to serve as a form of data control.
RAID is a fundamental tool for fault tolerance that helps protect against data destruction and system downtime. RAID is a redundant array of independent disks. RAID allows your servers to have more than one hard drive so that if the main hard drive fails, the system keeps functioning. The primary RAID levels are described here:
RAID does a fantastic job of protecting data on systems (which you then protect further with regular backups), but sometimes you need to grow beyond single systems. Connecting multiple computers to work together as a single server is known as clustering. Clustered systems utilize parallel processing, which improves performance and availability, and add redundancy (but also add costs).
High availability can also be obtained through load balancing. This allows you to split the workload across multiple computers. Those computers are often servers answering HTTP requests (often called a server farm), which may or may not be in the same geographic location. If you split locations, this is called a mirror site, and the mirrored copy can add geographic redundancy (allowing requests to be answered quicker) and help prevent downtime.
Any place where sensitive data could reside, even temporarily, should be adequately secured based on the type of information that system could potentially have access to. This would include all external systems that could get internal network access via remote connection with significant privileges, since a network is only as secure as the weakest link. However, usability must still be a consideration, and a suitable balance between functionality and security must be determined.
The first step to securing your systems is making sure the operating system’s configuration is as secure as possible. Out of the box, most operating systems come with unneeded services running that serve only to give an attacker additional avenues of compromise. The only programs and listening services that should be enabled are those that are essential for your employees to do their jobs. If something doesn’t have a business purpose, it should be disabled. It may also be beneficial to create a secure baseline image OS that is used for the typical employee. If anyone needs additional functionality, those services or programs will be enabled on a case-by-case basis. Windows and Linux operating systems will each have their unique hardening configurations.
Windows is by far the most popular operating system used by consumers and businesses alike. But because of this, it is also the most targeted operating system, with new vulnerabilities announced almost weekly. There are a number of different Windows versions used throughout different organizations, so some of the configurations mentioned here may not translate to all of them. Here are some things that should be done to enhance security:
You can find more Windows hardening best practices in this Windows Server hardening checklist.
The Linux operating system has become more popular in recent years. Even though some claim that it’s more secure than Windows, some things still must be done to harden it correctly:
Web servers are one of the favorite areas for attackers to exploit because of the reach they have. If an attacker can gain access to a popular web server and take advantage of a weakness there, they have the opportunity to reach thousands, if not hundreds of thousands, of users who access the site and their data. By targeting a web server, an attacker can affect all the connections from users’ web browsers and inflict harm far beyond the one machine they compromised.
Web servers were originally simple in design and used primarily to provide HTML text and graphics content. Modern web servers allow database access, chat functionality, streaming media and many other services; this diversity enables websites to provide rich and complex capabilities to visitors. Every service and capability supported on a website is potentially a target for exploitation. Make sure that they’re kept up to the most current software standards. You must also make certain that you give users to have only the permissions necessary to accomplish their tasks. If users are accessing your server via an anonymous account, then common sense dictates that you must make certain that the anonymous account has the permissions needed to view web pages and nothing more.
Two particular areas of interest with web servers are filters and controlling access to executable scripts. Filters allow you to limit the traffic that is allowed through. Limiting traffic to only that which is required for your business can help ward off attacks. A good set of filters can also be applied to your network to prevent users from accessing sites other than those that are business related. Not only does this increase productivity, but it also reduces the likelihood of users obtaining a virus from a questionable site.
Executable scripts, such as those written in PHP, Python, various flavors of Java and Common Gateway Interface (CGI) scripts, often run at elevated permission levels. Under most circumstances, this isn’t a problem because the user is returned to their regular permission level at the conclusion of the execution. Problems arise, however, if the user can break out of the script while at the elevated level. From an administrator’s standpoint, the best course of action is to verify that all scripts on your server have been thoroughly tested, debugged and approved for use.
Email servers provide the communications backbone for many businesses. They typically run either as an additional service on a server or as dedicated systems. Putting an active virus scanner on email servers can reduce the number of viruses introduced into your network and prevent viruses from being spread by your email server. It is worth noting, though, that most scanners can’t read Microsoft’s open files; to scan Exchange mail stores, you need a specific email AV scanner, some of them even try to detect phishing, such technology is based on machine learning engine and has good perspectives combating social engineering attacks.
Email servers are being inundated by automated systems that attempt to use them to send spam. Most email servers have implemented measures to prevent this. The threats, however, are becoming increasingly more sophisticated. You may be able to reduce these attempts to access your system by entering the TCP/IP addresses in your router’s ACL Deny list. Doing so will cause your router to ignore connection requests from these IP addresses, effectively improving your security. Such measures can be also done with spam filters.
File Transfer Protocol (FTP) servers aren’t intended for high-security applications because of their inherent weaknesses. Most FTP servers allow you to create file areas on any drive on the system. You should create a separate drive or subdirectory on the system to allow file transfers. If possible, use virtual private network (VPN) or Secure Shell (SSH) connections for FTP-type activities. FTP isn’t notable for security, and many FTP systems send account and password information across the network unencrypted. FTP is one of the tools frequently used to exploit systems.
From an operational security perspective, you should use separate logon accounts and passwords for FTP access. Doing so will prevent system accounts from being disclosed to unauthorized individuals. Also, make sure that all files stored on an FTP server are scanned for viruses.
You should always disable the anonymous user account. To make FTP use easier, most servers default to allowing anonymous access. However, from a security perspective, the last thing you want is to allow anonymous users to copy files to and from your servers. Disabling anonymous access requires the user to be a known, authenticated user in order to access the FTP server.
The best way to secure FTP is to replace it altogether. The same functionality can be found in more secure services such as Secure File Transfer Protocol (SFTP).
Ensuring that all versions of the applications that reside on your IT environment are up to date is not an easy task but it’s essential for data protection. One of the best ways to ensure security is to make the signatures for antiviruses and patch updates for systems automatic. For critical infrastructure, patches need to be thoroughly tested to ensure that no functionality is affected and no vulnerabilities are introduced into the system. You need to have patching strategy for both your operating systems and your applications.
There are three types of operating system patches, each with a different level of urgency.
Just as you need to keep operating system patches current because they often fix security problems discovered within the OS, you need to do the same with application patches. Once an exploit in an application becomes known, an attacker can take advantage of it to enter or harm a system. Most vendors post patches on a regular basis, and you should routinely scan for any available ones. A large number of attacks today are targeted at client systems for the simple reason that clients do not always manage application patching well. Establish maintenance days where you will be testing and installing patches to all your critical applications.
Organizations continue to spend an exceptional amount of time and money to secure the network at the perimeter from external attacks; however, insider threats are becoming a key cause of data exposure. Many surveys say insider incidents account for more than 60 percent of all attacks; however, many organizations don’t report insider attacks out of fear of business loss and damage to their reputation.
Insider threats come in two forms. An authorized insider threat is someone who misuse their rights and privileges, either accidentally, deliberately or his credentials were stolen. An unauthorized insider is someone who has connected to the network behind the perimeter defenses. This could be someone who plugged into a jack in the lobby or a conference room, or someone who is using an unprotected wireless network connected to the internal network. Insider attacks can lead to data loss or downtime, so it’s as important to monitor activity in your network as activity at the perimeter.
Remote access to corporate networks is also becoming commonplace. Users are working from home at an increasing rate, so it’s critical to secure the connections used for remote access. Strong authentication is essential when connecting remotely. It is also important that the machines users are employing for remote access to the network are also secured properly. In addition, remote sessions should be properly logged or even video recorded.
The endpoints of your network are under attack constantly, so having the endpoint security infrastructure in place to deal with them is crucial to preventing data breaches. Unauthorized programs and advanced malware (such as rootkits) are some of the things to consider in your endpoint security strategy. With the increased usage of mobile devices, the endpoints of the network are expanding and becoming more and more undefined. Automated tools that reside on the endpoint system are essential to mitigating the effectiveness of malware. At a minimum, you should use the following technologies:
Antivirus software should be installed and kept current on all servers and workstations. In addition to active monitoring of incoming files, scans should be conducted regularly to catch any infections that have slipped through, such as ransomware.
Anti-spyware and anti-adware tools are designed to remove or block spyware. Spyware is computer software installed without the user’s knowledge. Usually its goal is to find out more information about the user’s behavior and to collect personal information. Anti-spyware tools work much like antivirus tools; many of their functions overlap. Some antispyware software is combined with antivirus packages, whereas other programs are available as standalones. Regardless of the type you use, you must regularly look for spyware, often identified by the presence of tracking cookies on hosts, and remove any that gets installed.
Pop-ups are not just irritating; they are a security threat. Pop-ups (including pop-unders) represent unwanted programs running on the system, so they can jeopardize the system’s well-being.
Personal firewalls are software-based firewalls installed on each computer in the network. They work in much the same way as larger border firewalls — they filter out certain packets to prevent them from leaving or reaching your system. The need for personal firewalls is often questioned, especially in corporate networks that have large dedicated firewalls that keep potentially harmful traffic from reaching internal computers. However, that firewall can’t do anything to prevent internal attacks, which are quite common and often very different from the ones from the internet; attacks that originate within a private network are usually carried out by viruses. So, instead of disabling personal firewalls, simply configure a standard personal firewall according to your organization’s needs and export those settings to the other personal firewalls.
Intrusion detection systems (IDSs) are also available for individual hosts. Host IDSs will monitor only the internals of a computing system. A host-based IDS will look at the system state and check whether its contents are as expected. Most host-based IDSs use integrity verification, which works on the principle that most malware will try to modify host programs or files as it spreads. Integrity verification tries to determine what system files have been unexpectedly modified. It does this with computing fingerprints, in the form of cryptographic hashes, of files that need to be monitored when the system is in a known clean state. It then scans and will issue an alert when the fingerprint of a monitored file changes. The main problem with integrity verification is that it detects the malware infection after the fact and will not prevent it.
Vulnerability assessments usually consist of port scanners and vulnerability scanning tools such as nmap, OpenVas and Nessus. These tools scan the environment from an external machine, looking for open ports and the version numbers of those services. The results from the test can be cross-referenced with known services and patch levels that are supposed to be on the endpoint systems, allowing the administrator to make sure that the systems are adhering to the endpoint security policies.
Penetration testing is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually. The main objective of penetration testing is to identify security weaknesses. Penetration testing can also be used to test an organization's security policy, its adherence to compliance requirements, its employees' security awareness, and the organization's ability to provide security incident response and identification. Organizations should perform pen testing regularly — ideally, once a year — to ensure more consistent network security and IT management. Here are several of the main pen test strategies used by security professionals:
As you have seen, data protection encompasses a lot of topics and areas. It’s critical for good network administrators and security professionals to keep all their security tools up to date and to use good policy management. With so many policies to enforce and applications to keep up to date, this can seem like a daunting challenge for any security team.
Another challenge with data protection is minimizing the impact on the end user. Unfortunately, programs like antivirus software, personal firewalls and threat detection systems tend to sap bandwidth and processing power from important end-user functionality. For this reason, when deciding what programs to use to protect end users, look carefully at how big a footprint the program uses and its memory utilization.