Database security experts warn IT managers of impending security threats to data and urge them to get to grips with their database now or face the consequences in 2007.
Secerno, the innovator in database and application assurance for the protection of online digital assets, urges IT managers to shift their focus inwards, take control of their databases and be prepared for the next wave of external and internal threats facing them in 2007.
A combination of recent high-profile breaches and forthcoming legislative requirements, such as the Payment Card Initiative framework for securing transactional data, is driving attention to the implementation of effective data security.
Online banking is expected to increase as more than 16 million people continue to log in to private financial data via websites. More than 26.4 million people now shop online, with an estimated 372 million transactions undertaken last year.
Secerno chief executive Paul Davie said: “It is fair to say that the security sector has now come to terms with the fact that they are dealing with highly financially motivated, technologically advanced and professional database infiltrators. The years of spam and simple phishing scams targeted at the naïve PC user are no longer our major concern. Any company that stores data needs to shift its focus inwards.”
In 2006, the UK saw attacks on the storage and security of confidential financial data rise. Davie draws particular attention to the latest threat: “SQL Injection attacks – examples of which include hackers exposing hundreds of thousands of credit card numbers worldwide – certainly will increase sharply. In 2007, SQL injection will be recognized as the number one attack vector on internet-facing systems. In fact, SQL injection attacks have been increasing at a rate of more than 250% per year for the last few years.”
He said recent statistics from the Secret Service and the US Computer Emergency Response Team (CERT) show 86% of computer sabotage is done by savvy IT staff within the organisation. Expert penetration testers see success rates of targeted attacks on databases approach 100% when initiated from inside the organisation.
In 2007, for the first time, the number of published breaches of confidentiality through database attack is expected to exceed the number from lost back-ups and laptops.
Davie said: “We regularly see the database administrator (DBA) working with ‘blindsight’ – a DBA inherits a database and takes responsibility for managing and upgrading it, without concise and clear knowledge of its abilities, its strengths and its weaknesses. This approach to database management will be very costly in the long run, as it will affect the performance, scalability, future capabilities, usability and, naturally, the security of the critical business data.”
He urged IT directors to detect and prevent application intrusion by removing the ‘blindsight’ approach and by understanding and becoming familiar with the behaviour of the database and its usage.