Database misuse: who watches the watchers?
Misuse of database information by insiders happens everyday, and there's little we can do about it.
Sed quis custodiet ipsos custodies?
Two groups of people will understand the meaning of this phrase. Those classically trained with a few years of Latin at some point during their education will be one group - and then there's the paranoid. I'd venture a guess that there's quite a few paranoid security professionals reading this, since it's a trait that pays great dividends in our line of work. But if you're a paranoid linguist who's stumbled across this column, then Google made a mistake - keep searching.
Last month, I discussed privacy breaches within several major companies. We learned over the span of a few days that hundreds of thousands of consumer identities were potentially compromised when some large companies "lost" the data to both criminals and logistics. The stories were hot topics for major news outlets and bloggers, due to the companies involved and the massive number of compromised records. We're still seeing ripples from these incidents with new references and follow-up articles. Maybe all it will take is some bad press to convince these large companies that privacy is now paramount, on par with price and service - but one can only wish.
What's bothering me now? It's the security and privacy stories that don't make major headlines, and recently I stumbled across two that stuck with me. The first only came my way when the Drudge Report picked it up. A woman in Florida wrote some rather unflattering remarks about a local sheriff in the newspaper. She was then caught off guard after receiving a letter at home from the sheriff himself, using her full name. Inquiries from reporters revealed the fact that the sheriff and his staff had used Florida's driving records system to access personal information about the lady after seeing the letter in the newspaper.
The other story, one seemingly more relevant to our line of work, involved a student changing her grades. I know what you're thinking, "That's the most clichéd hack this side of Wargames, I bet he's going to launch into a diatribe on authentication measures." Wrong! What I found most intriguing about the story was that the girl used private information about two professors which she obtained from a database at her job with a local insurance company. Using that data, she reset their school passwords, logged in illegally and changed her grades. Is this what gets passed off as a hack these days?
What do these stories have in common? One strikes me as a gross violation of power and public trust. Even though the information the sheriff needed may be available via Google, accessing state records in order to address a critical letter is just wrong. The other is a seemingly silly "hack" where someone didn't think the plan fully through. In both cases, we have an insider using privileged access to gain personal and confidential information on "customers".
In the security world, we are constantly worried about the people getting in from the outside. The thought of hackers poking around and stealing information keeps all of us up at night. It's why we read books and articles, buy new products, and install the latest and greatest software. And every security pro worth their salt remembers to address the insider threat. But I think too often we only consider the "big" risks. The salesman duplicating a client contact list before resigning, the engineer copying a crucial algorithm before switching jobs, the customer service rep writing down credit card numbers. Or the whopper - one disgruntled IT worker sabotaging the network!
But what about the little risks? A sheriff looking up a woman's home address using a private system. A student learning her professor's SSN and DOB from the insurance company database. A tech at an ISP browsing a coworker's email. A teller browsing her neighbors' bank accounts. A sys-admin leaking a celebrity's phone cam pics. These little violations are endless in nature and add up to big issues over time.
Compounding the problem is how difficult the monitoring insider activity can be. It's all about someone roaming just a tiny bit outside the normal bounds of their job activity and access, for personal interest or gain. While the arguments can be made that the student shouldn't have access to that type of information in the database, it was realistically part of her job. And what's strange about a sheriff running a name for license plates? A competent DBA would certainly notice someone doing massive, broad database queries, but what about a few stray ones here and there? And virtually every type of entity maintains client records. My customers include accountants, lawyers, schools, retail shops, local government and health organizations, every one of which has the potential for such abuse. Very few, aside from those affected by HIPAA, even consider such threats worth addressing.
So what can we do? Every situation is different, which means there's no easy, all-encompassing answer. One of the more clever security ideas I've seen in a while comes from Lance Spitzer of Honeynet fame - the Honeytoken. Basically they're bogus entities (such as database records, files, spreadsheet entries) that trigger an alarm when accessed. This is a great idea for catching someone doing some rather broad snooping, but it still wouldn't have worked for the scenarios described above. Obviously we can increase access control and audit trails, but reviewing such data for abuse is a daunting, if not impossible task. In an ideal world, restricted information would be encrypted and available only on a need-to-know basis, but I've yet to come across an "ideal" system combining proper authentication, access and audit controls.
I fear that the security business is rapidly becoming just that - a business where mitigating threats is based on ROI, which means that defending against such attacks just isn't feasible for most organizations. And while the occasional privacy violation seems trivial, perhaps even silly to some readers, these abuses really do add up over time. What about the thousands of tiny violations that go unreported or unnoticed? As we've learned from the larger companies failures, they can be costly in terms of lawsuits and publicity when discovered.
Which brings us back to Sed quis custodiet ipsos custodies. "But who is watching the watchers?" The quote used to be a mantra for conspiracy theorists fearing a 1984 style world of government monitoring. But the watchers have turned out to be our own employees, bosses, co-workers and clients. The same people who go to work every day with growing access to internal reports, database queries, privileged communications and more. Every entity has an obligation to protect the private information they hold - either for customers or public citizens. And that means from threats big and small, external and internal.
Sed quis custodiet ipsos custodies? Tu et ego.
But who is watching the watchers? You and I.
Matthew Tanase is president of Qaddisin, a services company providing nationwide security consulting.