Lessons learned and ongoing risks at third anniversary of T.J. Maxx breach
As the third anniversary of the infamous TJX data breach approaches, Slavik Markovich, CTO of Sentrigo, shares his thoughts on how data security has improved, and also discusses some of the hurdles that still need to be addressed.
What has improved
Auditors paying more attention to databases – The T.J. Maxx breach helped auditors realize that relying mainly on perimeter defenses, or performing minimal checks on the database, simply isn’t enough. Rather than focusing solely on process improvement – background checks for privileged users, periodic risk assessments, etc. – organizations are now looking at the database itself and assessing the level of security.
No longer accepting “yes” – Before, executives would ask the IT managers, “Is our data secure?” and they would reply, “Yes, we have the information in a database, which is secure” – often, this would conclude the conversation and the executive or IT manager would go about their day, confident that data was protected and they had completed their due diligence. Organizations are now taking a harder look at database security, and as a result, information security personnel are becoming more knowledgeable about the threat vectors for databases.
More scanning and vulnerability assessment – Scanning and vulnerability assessment are occurring more often, providing organizations with a better picture of their current security posture. However, companies still do not consistently remediate discovered vulnerabilities right away, which remains a key issue.
Better auditing – More organizations have some form of auditing implemented, allowing them to review the logs for signs of a breach, but this process is reactive in nature. “While great as a forensics tool, identifying that someone broke in last month and accessed the entire credit card table does little to help the fraud victims now,” says Markovich. “At least it can help determine how broad the scope of your breach was, but the costs of remedying the situation can quickly escalate.”
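The reactive review Markovich describes amounts to reading audit records after the fact and asking which sensitive tables were read in bulk, by whom, and how many rows were touched. The following added example (not code from the article or from Sentrigo) shows that review over a few constructed audit lines in an assumed pipe-separated layout; the table names, the row threshold and the log format are assumptions.

```python
"""Added example: after-the-fact review of database audit log lines.

Not from the article or Sentrigo. The log layout "ts|user|action|object|rows",
the sensitive table names and the bulk threshold are all assumptions.
"""
from dataclasses import dataclass
from datetime import datetime

SENSITIVE_TABLES = {"credit_cards", "customers"}  # assumed table names
BULK_ROW_THRESHOLD = 1000                         # assumed policy threshold

# Constructed sample audit lines (not real data); one event per line.
SAMPLE_AUDIT_LOG = """\
2010-01-15T09:12:03|app_svc|SELECT|orders|12
2010-01-15T09:14:41|app_svc|SELECT|credit_cards|1
2010-01-15T02:03:10|dba_tmp|SELECT|credit_cards|452117
2010-01-15T02:05:55|dba_tmp|SELECT|customers|380004
2010-01-15T11:20:00|report_usr|SELECT|orders|5000
"""


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    action: str
    obj: str
    rows: int


def parse_audit_log(text: str) -> list:
    """Parse the assumed pipe-separated layout into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, rows = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), user, action, obj, int(rows)))
    return events


def find_bulk_sensitive_reads(events: list, threshold: int = BULK_ROW_THRESHOLD) -> list:
    """Return SELECT events that read a sensitive table at or above the row threshold."""
    return [
        e for e in events
        if e.action == "SELECT" and e.obj in SENSITIVE_TABLES and e.rows >= threshold
    ]


def summarize_scope(findings: list) -> dict:
    """Total rows touched per (user, table): the breach-scope figure the text refers to."""
    scope = {}
    for e in findings:
        key = (e.user, e.obj)
        scope[key] = scope.get(key, 0) + e.rows
    return scope


if __name__ == "__main__":
    hits = find_bulk_sensitive_reads(parse_audit_log(SAMPLE_AUDIT_LOG))
    for (user, table), rows in summarize_scope(hits).items():
        print(f"{user} read {rows} rows from {table}")
```

Run against the constructed log, the review flags only the two bulk reads of sensitive tables by the same account; the legitimate single-row card lookup and the large read of a non-sensitive table are left alone. That is exactly the scope information a forensics pass yields, and exactly why it arrives too late for the affected cardholders.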
What still needs to be done
Unfortunately, many organizations didn’t learn enough from the TJX breach, or at least haven’t taken appropriate measures toward protecting their databases and sensitive information from being accessed. Internal and external breaches are still a daily occurrence, allowing unauthorized access to personal and sensitive information.
Patching not up to par – New zero-day attacks represent only a segment of external threats that still exist. Many organizations do not apply vendor database patches in a timely manner, allowing hackers to easily probe for known vulnerabilities using automated tools, and access sensitive data that may be exposed. “Organizations either need to be more diligent in applying patches, or where they cannot do so for various reasons, they need to have some sort of compensating control like virtual patching, as well as warnings when automated tools are scanning the database,” says Markovich.
Install the proper solution – The tools available today have progressed to the point where most of the attacks we are seeing could have been prevented. Only a small number of breaches appear to be the result of new zero-day attacks; however, even many of these would be averted by a well-implemented database security solution utilizing techniques such as real-time intrusion prevention and encryption. The bulk of the breaches are exploiting known vulnerabilities or privileged access, which the more sophisticated database activity monitoring solutions on the market are capable of preventing.
Compliance doesn’t always mean secure – Organizations are still trying to “mark the checkbox” and meet compliance regulations without necessarily maintaining a high level of security. SQL injection is one of the most dangerous attack vectors, and without proper technology and procedures in place the havoc wreaked by breaches, and the costs of remediation, are only going to increase.
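The article names SQL injection as the leading attack vector but does not show what the defect looks like in code. The added example below (written for this page, not taken from the article or any vendor product) puts the vulnerable form of a customer lookup beside the parameterized form, using Python's standard sqlite3 module and a constructed in-memory table; the table layout and the sample rows are assumptions. The point is the contrast: with string concatenation, a quote character in the input changes the query's structure, while a bound parameter is always treated as a value.

```python
"""Added example: the same lookup written with and without SQL injection.

Not from the article. The schema and sample rows are constructed for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"),
         ("bob@example.com", "2222"),
         ("carol@example.com", "3333")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the statement by concatenation, so the input becomes part of the SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Binds the input as a parameter; the database never parses it as SQL."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# The classic tautology input used in every injection tutorial; here it serves
# only to show that the parameterized version treats it as a literal string.
TAUTOLOGY_INPUT = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable  :", len(lookup_vulnerable(db, TAUTOLOGY_INPUT)), "rows")
    print("parameterized:", len(lookup_parameterized(db, TAUTOLOGY_INPUT)), "rows")
```

For a compliance review, the question to ask of application code is not "is the database encrypted" but "does any statement reach the database with user input concatenated into it". A grep for string-built SQL, followed by a rewrite to bound parameters as in `lookup_parameterized`, is the procedural fix; database activity monitoring that alerts on a single session reading every row of a card table is the compensating control when the code cannot be changed quickly.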
“It is imperative that organizations place an equal amount of importance and focus on ensuring they are both compliant with relevant regulations, and that their sensitive data is secure—this shift in mindset will greatly reduce the number of threats, vulnerabilities and overall data breaches plaguing enterprises today.
While some forward-thinking enterprises have deployed more sophisticated database security technology since the T.J. Maxx breach three years ago, others are still quite vulnerable to similar attacks as many of the recent breaches demonstrate. Organizations should use the anniversary of this catastrophic breach to take an objective look at their own security posture, and to take advantage of the cost-effective solutions currently available on the market — otherwise, another widespread devastating breach could be just around the corner,” Markovich concluded.