The Need for Effective Database Security


1 The Need for Effective Database Security

2 Databases: The Ultimate Target
When people think of hacking, they often picture attackers defacing websites. While this is indeed a common occurrence, the ultimate goal of many attackers is to gain access to the wealth of information contained within electronic databases. Information contained within databases can include:
- Client personal information (name, SSN, credit card numbers)
- Bank account information
- Sales revenue for individual products
- Payroll information
- Company strategic plans
- Defense system information
- Intellectual property
- Test and performance results
- And much, much more…

3 Lack of Database Protection
- Only 30% of companies encrypt personal data in their databases
- 75% of companies lack proper database access controls
- Only 50% of companies consider database security a high priority
(2010 Independent Oracle Users Group Data Security Report)
"Some data managers feel that their data is secure mainly because databases are not connected to the Internet—a false comfort that may lead to a rude awakening." ~ 2010 Independent Oracle Users Group Data Security Report

4 Database Breaches: A Costly Threat
Records breach: "An event in which an individual's name plus Social Security Number (SSN), driver's license number, medical record, or a financial record/credit/debit card is potentially put at risk." ~ Identity Theft Resource Center
- 23 million confirmed records breached in the US in 2011 (Identity Theft Resource Center)
- Cost to the company per record breached: $214 USD (2010 Cost of a Data Breach Study)
- 23,000,000 x $214 = $4,922,000,000
Nearly $5 billion USD in estimated losses in the US in 2011 (the record count is confirmed; the dollar figure is that count multiplied by the study's average per-record cost)

5 Database Breaches: A Costly Threat
According to the Ponemon Institute’s Aftermath of a Data Breach Study, released January 2012, 50% of businesses suffering data breaches suffered a loss of productivity, 41% suffered a loss of customer loyalty, and 34% had legal action taken against them.

6 Recent Victims of Database Hacks
February 2011
- Hacktivist group Anonymous accessed the HB Gary Federal database via SQL injection
- 60,000 confidential emails were compromised, and their contents and addresses were leaked
- HB Gary Federal CEO Aaron Barr resigned in March 2011 as a result

7 Recent Victims of Database Hacks
March 2011
- Malware was introduced into RSA's internal systems via a phishing email. This enabled the attackers to penetrate databases containing proprietary information.
- In June 2011, RSA admitted that among the data compromised were details pertaining to its SecurID tokens, which are used by US government defense contractors.

8 Recent Victims of Database Hacks
April 2011
- The database hack at US marketing firm Epsilon exposed millions of names and email addresses belonging to customers of Epsilon's clients.
- Millions of customers have been exposed to potential phishing attacks as a result.

9 Recent Victims of Database Hacks
April 2011
- Hackers gained access to what Sony described as an "outdated database from 2007" belonging to its PlayStation Network
- Compromised data included 12,700 customer credit card numbers
May 2011
- Hackers penetrated 3 Sony Online Entertainment databases
- 100 million customer accounts were compromised
- 12 million customer credit card numbers were compromised

10 Recent Victims of Database Hacks
January 2012
- Using SQL injection, attackers were able to acquire employee login credentials of US mobile telecommunications giant T-Mobile.
- A database belonging to web hosting company DreamHost was hacked, compromising customer passwords.
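Slides 6 and 10 both name SQL injection as the way in, and slide 10 describes it being used to harvest login credentials. The following is an added example, not code from the Penta Security presentation, showing concretely how that happens and what the fix looks like. It runs against an in-memory SQLite table with constructed sample rows; the table name, usernames, passwords and the two payloads are illustrative assumptions, not data from any of the breaches above.

```python
"""Added example (not from the original slides): a login query built by string
formatting leaks credentials to two classic SQL injection payloads, while the
same query with bound parameters treats the payloads as plain data."""
import sqlite3

# Constructed sample data. Plaintext passwords are themselves a weakness;
# the point of this example is only the way the query is assembled.
SAMPLE_EMPLOYEES = [
    ("alice", "correct horse battery staple", "admin"),
    ("bob", "hunter2", "support"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed employee rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_EMPLOYEES)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by interpolating user input, so quotes and
    keywords in the input become SQL syntax. Returns matched rows."""
    sql = (
        "SELECT username, role FROM employees "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the driver sends the values
    separately from the statement text, so input can never change the
    statement's structure. Returns matched rows."""
    sql = "SELECT username, role FROM employees WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Payload 1: closes the string literal and appends an always-true predicate.
# The vulnerable WHERE clause becomes
#   username = '' OR '1'='1' AND password = '' OR '1'='1'
# which is true for every row, so authentication is bypassed.
BYPASS_PAYLOAD = "' OR '1'='1"

# Payload 2: closes the literal, UNIONs in the password column, and comments
# out the rest of the statement. The vulnerable query now returns every
# (username, password) pair, which is the credential harvest slide 10 describes.
DUMP_PAYLOAD = "' UNION SELECT username, password FROM employees --"


if __name__ == "__main__":
    db = build_db()
    print("bypass  :", login_vulnerable(db, BYPASS_PAYLOAD, BYPASS_PAYLOAD))
    print("dump    :", login_vulnerable(db, DUMP_PAYLOAD, "anything"))
    print("safe    :", login_safe(db, BYPASS_PAYLOAD, BYPASS_PAYLOAD))
    print("legit   :", login_safe(db, "alice", "correct horse battery staple"))
```

Parameterized queries remove the injection, but they do not on their own address the other weaknesses the slides' statistics point at: the application's database account should not be able to read every column of every table (least privilege), and passwords should be stored as salted hashes so a dump of the table does not yield usable credentials.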

11 The Insider Threat
Today, information security faces increasingly complex challenges caused by insider threats. These threats necessitate security for sensitive internal data that goes beyond the typical methods for preventing intrusion from external sources.
Internal access: anyone who can access the database from within the organization poses a potential threat.

12 The Insider Threat
"According to a Computing Technology Industry Association survey, while most respondents still consider viruses and malware the top security threat, more than half (53 percent) attributed their data breaches to human error, presenting another dimension to the rising concern about insider threats. It should serve as a wake-up call to many organizations that inadvertent or malicious insider activity can create a security risk."

13 The Insider Threat
According to the Ponemon Institute's Aftermath of a Data Breach Study, released January 2012, insiders account for 50% of data breaches: 34% of breaches are caused by insider negligence, and 16% are caused by insiders with malicious intent.

14 Insider Data Breaches in the News
In May 2011, US banking giant Bank of America admitted to an insider data breach, in which a former employee provided confidential BoA information to individuals who used the information to cause $10 million in damages.

15 Insider Data Breaches in the News
CBC News of Canada reported in November 2011 that “Unauthorized access of information by employees was reported by 24 per cent of government organizations.”

16 Insider Data Breaches in the News
January 2012 – An employee at the Loma Linda Medical Center in California was able to access private medical records of 1336 patients.

17 A Secure Database = Regulatory Compliance
Sarbanes-Oxley Act (USA, 2002) – increased company responsibilities regarding accounting, auditing, and financial disclosures, as well as the maintenance of information pertaining thereto. Similar laws: the European Union's 8th Company Law Directive and Japan's Financial Instruments and Exchange Law. Fines for violations can go as high as $5 million USD, depending on the country and the nature of the violations.
Health Insurance Portability and Accountability Act (HIPAA, USA, 1996) – HIPAA's Privacy Rule tightly regulates the use and disclosure of medical records. Amended in 2009 by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which introduced strict new breach control and reporting requirements. Similar laws: the Australian Health Records Act and the European Union's Recommendation on the Protection of Medical Data. Fines for violations have reached as high as $4.3 million USD.

18 Regulatory Compliance
Payment Card Industry Data Security Standard (PCI DSS, 2004) is an international information security standard for companies that handle electronic payment transactions (credit cards, debit cards, etc.). It requires secure management of cardholder data. Fines for violations can range from $5,000 to $100,000 USD per month.
Federal Information Processing Standards (FIPS) are a set of standards required by the United States Federal Government for computer systems used by government agencies and contractors. Well-known FIPS standards include the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). The closest international counterpart to FIPS is the body of standards published by the International Organization for Standardization (ISO).

19 Thank You!
Japan
Penta Security Systems Corporation, Ascend Akasaka Bldg. 3F, Minato-ku, Tokyo, Japan
Republic of Korea
Penta Security Systems Corporation, Hanjin Shipping Building 20F, Yoido-dong, Youngdeungpo-ku, Seoul, Republic of Korea

