This Week in Breaches: Uber
Uber is a ride-hailing service connecting users with drivers, ride shares or private cars. The company foundation is built upon being reliable, cashless and convenient for all customers. Launched directly from your mobile device in minutes, Uber has revolutionized the way generations now use private transportation, but could this service be more risk than reward?
Uber announced a security breach last Friday involving the possible leak of personal information from as many as 50,000 of its drivers. The breach, initially discovered September 17, 2014, has been traced to the suspected incident of an unauthorized third-party access to their database occurring on May 13, 2014.
As the incident is still under investigation, Uber is not yet revealing how the breach was discovered. According to Uber’s managing counsel of data privacy, Katherine Tassi, the security vulnerability leveraged in the breach was immediately patched (here). There have been no reports surfacing regarding the misuse of the driver data in question.
While the actual mechanism of how the breach occurred is unknown, events like this reminds us that perimeter controls are important but so is implementing controls on the actual data itself. Simple, yet best practices for protecting databases are not being followed in many of today’s organizations. There are various products on the market that provide an enterprise reliable solutions, additionally there are many steps that can be performed either utilizing these tools or by other means.
If you are running an application complete with a database backend, here are a few reminders of best practices surrounding database security.
Tighter Roles and Separation of Duties
Limiting access to tables and information within your database is a vital and often overlooked activity by most organizations. This exercise allows for tighter scrutiny on who is granted access and what information is visible to them. Although it seems simple it is rarely being implemented. By limiting the scope of access, organizations can implement monitoring controls built on defined rules or even implement behavioural analysis on the types of activity being performed by users.
Knowing what is happening and by who is crucial in today’s cyber security landscape. DAM (Database Access Monitoring) monitors the activity that is occurring within your databases and provides alerts based on this type of activity. DAMs are useful for quickly understanding if unauthorized activity has transpired. An added benefit of this practice is having data is stored separately, allowing the information that is gathered to be tamper-free. While some recent breaches such as this one has been a quick collection and exfiltration of data, others are long and slow leaks, resulting in a more critical breach. DAM solutions are able to monitor and alert on suspicious activity, often allowing information security departments to prevent a data-leak in progress.
Databases often contain information that should not be viewed by administrators, despite needing to use the data in some way. While the admins need access to the complete database, they should not be permitted to view sensitive data such as customer names, financial data, etc. Data masking garbles the data so that when it is extracted from the database, the format is preserved, but the data is unreadable.
Data masking can be taken one step further for development and testing purposes. Developers and testers need access to the database in order to create new functionality and upgrade the existing functionality. To perform developmental tasks, it’s essential for developers to have database access, however they are not allowed to see actual data. Using dynamic masking, database developers can work on the data and view the format of data without seeing the actual information enclosed. Using static data masking, an entire duplicate database is created and all data is masked to block developers and testers from seeing the account data.
Database encryption is an essential part of protecting your database, and there are two different levels of encryption. First, the entire database can be encrypted using encryption tools. This means that even if an individual had access to the physical database, or was able to tap in some other way, the data would not be readable. It is necessary to have encryption keys when accessing the database.
The second level of data encryption is only relevant outside the database. Every piece of data that leaves the database in any format should be protected from malicious access. Typically, this level of encryption is handled on the transport level by encrypting the channel. It’s important to make sure that your data is properly encrypted wherever it travels outside of the database.
Although written by Microsoft, many of their high level suggestions here apply to other databases as well.
A range of tools are available for database protection. When seeking database security, if you are covered at all of the 4 levels mentioned above, you are in great shape. You may be able to find a single tool to cover all of the areas, or you may want to use a combination of best-of-breed solutions to provide the protection you need. If Uber had followed these steps in database protection, the breach that occurred could have been immediately identified, and remediated before any escalation.
For more information on best practices and or any solutions that might assist we would love to hear from you. To be the first to hear about news, up coming events, and security practices connect with us on Twitter, LinkedIn and follow our blog.