PCI DSS – Storing Credit Card Numbers

If you have read the PCI DSS and the requirements for how you must store credit card data, you may be asking for some basic guidance for how to handle credit card numbers in your database systems.


These suggestions cover only the basics – the full topic of protecting card data easily runs to several hundred pages. Treat them as a starting point, and consult your compliance team for final guidance.


Preventing a Database Breach

One of the hardest things to do is prevent something from happening when you don’t know when it might happen or who will try to make it happen. As a Database Administrator, you have to be aware that a data breach might happen, and you must take reasonable precautions to prevent one. According to a 2016 study by IBM, 60% of database attacks are carried out by insiders (people using approved network credentials) looking to access or steal corporate data.

There are some basic steps you should execute to help prevent unauthorized access to your database environment.

  1. Enforce Privileges – When an employee starts at a company, they are usually given exactly the right privileges for their position. The longer the employee stays, the more the effective privileges drift away from the correct ones, until eventually the employee has the wrong access. You need to make sure those initial access rights are correct from day one, and that you periodically review the access rights of every employee. If there is any question about the correct privileges, contact their supervisor and document the correct level of access.
  2. Database Discovery – People are busy, and don’t always pay attention when new database instances are created. The people who manage the databases are often not the people who install the software, which can lead to an environment containing unauthorized or poorly configured database instances. Database discovery is a crucial first step in avoiding security issues, so scan your environment for new database instances as often as possible. The amount of change in your environment will dictate how often you should search for new instances, but the minimum is annually.
  3. Connection Encryption – Encrypting the connection between the user and the database helps prevent man-in-the-middle attacks.
  4. Strong Passwords – You should expect the same password strength for your databases as you expect on the network. If possible, use Windows Authentication instead of SQL Server Authentication. This helps enforce the same password strength as your network password, but you must verify that the network settings actually use best-practice strength requirements.
  5. Detect Compromised Credentials – It is estimated that 60% of companies cannot detect compromised credentials, based on a study by the solution vendor Rapid7. Since authorized individuals use databases in a predictable way, abnormal or unauthorized access can be detected and you can be alerted. There are security appliances that can catch unusual or unwanted user access based solely on algorithmic analysis, preventing a possible data breach.

Security Through Ignorance

Some people believe that their computer systems are more secure if the person attacking them doesn’t know certain facts, such as which port their SQL Server instance is using, or if the written specifications for critical software functions are never disclosed. Those people believe that if malicious attackers don’t know how the system is secured, security will be better. Although this might seem logical, it is easy to see why it is untrue if you think about it for a few minutes. Insiders such as employees, who carry out one of the most common forms of attack, already know the port used or how your software works.

The problem with security through ignorance is that it just leads to a false sense of security, which is usually much more dangerous than doing nothing at all. Assume you are working against an intelligent attacker, and that your weak half-attempts to secure your systems will delay the attacker all of about 2 minutes. Spend your time and effort on implementing true security measures and you will sleep better each night.

Selecting a Better Password

People continue to pick and use poor passwords to protect their valuable information. You might not think your password is important or sought after by hackers, but it is really the only thing between the entire world and your personal online accounts. If you have a password of eight random letters, there are about 200 billion possible password combinations. If a cracking program like Hashcat had to try them all, it would be done in about 4 minutes. If you add mixed casing and digits into the mix, you increase the number of possible passwords, and by increasing the length to 12 characters you catapult the number of possibilities to about 4 sextillion. With that many possibilities, it would take Hashcat an estimated lifetime to work through all the combinations.

However, this math does not take the human factor into account. You want to select a combination of characters that you can remember and that isn’t too difficult to enter a few times each day. The password also has to work within the limits imposed by the website or application when you created it. People wanting to crack your password are aware of those limitations. In fact, there are extensive lists of common password terms available on the internet, sorted by popularity. Password cracking programs simply try those common words and their common alterations first, which gives them increased odds of success in a shorter time.


Network Design Security Checklist


Network design starts with creating a secure network infrastructure. While it is assumed that network design processes are obvious when it comes to the placement and configuration of routers, firewalls, and switches, it can often be helpful to document some of the best practices for the less experienced people who might be tasked with this process at their company.

Remember that having an established procedure and setting realistic expectations allows you to bring some consistency to your IT processes. Consistent processes tend to be repeatable and reliable, which also means you reduce the chance of surprises and security headaches.

Firewalls – Generally speaking, you want a firewall placed between network segments that require a high degree of security, and at the perimeter to keep unauthorized users off your network. This is easily demonstrated by the connection between your company network and the general internet. Since you don’t want uncontrolled traffic between those two network segments, you implement a firewall. A firewall is designed to block all traffic except the specific traffic you wish to allow. You should verify that your firewall has the latest vendor updates applied, that all unused ports and protocols are blocked by default, and that intrusion detection is enabled at the firewall.


Blockchain Technology in Plain English


Generally speaking, a blockchain is a digital and decentralized ledger that records transactions. Technically, it is an algorithm and distributed data structure for managing electronic transactions without a central administrator. This makes it well suited to transactions among people who know nothing about one another. It was originally designed for the cryptocurrency Bitcoin, and was initially driven by the rejection of government-guaranteed money and expensive bank-controlled payment transfers.


Network Account Security Checklist


Network security starts with creating and maintaining proper user accounts. While it is assumed that network security processes are obvious when it comes to user accounts, I thought it might be helpful to document some of the best practices for the less experienced people who might be tasked with maintaining this process at their company.

Remember that having an established procedure and setting realistic expectations allows you to bring some consistency to your IT processes. Consistent processes tend to be repeatable and reliable, which also means you reduce the chance of surprises and security headaches.

Unique User Accounts – Users should never share network accounts. Every user must get a unique network account, usually some combination of their first and last name. Each user should be responsible for creating and maintaining their own password, and they should know never to share it with anyone. Remember to grant “least privilege” to each account. If the user requires additional access as their role changes, the modification request should be made in writing, when possible, by an authorized supervisor.
