
Debunking 5 DB Encryption Misconceptions

Businesses handle an enormous amount of data, spread across hundreds or even thousands of databases, so it is impractical for a database administrator to secure all of them with basic access controls alone. Businesses are therefore coming to see data encryption as a must-have component of their existing cyber security strategy. DB encryption keeps the data protected even if attackers copy the database files or move them to another location, provided the encryption keys are not stored alongside the data and copied with it.

While critical to a business's cyber security strategy, DB encryption is still not universally deployed. Thankfully there is a positive trend: in the past few years database encryption usage among businesses in the US has risen from 42% to 61%. This blog post addresses five misconceptions that may hold businesses back from implementing DB encryption.

1. I use SSL so I don’t need DB encryption

SSL (today, TLS) encrypts communication between a web browser and the web server, that is, data in transit while requests and responses travel over the network. It says nothing about data at rest: the same data, once written to a disk or a database, is stored in the clear unless it is encrypted separately. SSL/TLS is essential for protecting web traffic, but the stored copy of that data needs its own protection, which is what DB encryption provides.

2. If I use DB encryption, database performance will degrade

Database performance is determined by many factors, such as excessive indexing and inefficient memory allocation, and encryption is only one of them. The overhead depends on the type of DB encryption a business chooses: file-level (or transparent data) encryption encrypts whole data files below the query layer and, with hardware AES support, adds little per-query cost, while column-level encryption touches only selected fields but changes how those columns can be indexed and searched. Typically, file-level encryption is the least resource intensive and has the least effect on overall database performance; the cost of column-level encryption scales with how many columns are encrypted and how they are queried.

3. Encrypting the database is enough protection for my website

If the contents of a database are encrypted, a copy of that database is useless to an attacker who does not also have the decryption key: without it the encrypted columns or files cannot be read. That protects the stored data, but it does not make the website safe should it come under attack. An attacker who compromises the web application itself may be able to read data through the application, which holds the key and decrypts legitimately, and the site can still be taken down by denial-of-service attacks or defaced through injection flaws. Protecting web applications (i.e. websites) therefore requires an additional security solution such as a web application firewall, and the keys must be held somewhere an attacker who copies the database cannot reach.
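The following is an added example, not code from the original post and not Penta Security's product, showing the architecture that misconceptions 2 and 3 describe: a single sensitive column encrypted in the application tier with a key the database server never sees, a keyed blind index so equality lookups on that column still work without decrypting every row, and what an attacker who copies the database file actually obtains. The master key, the customer rows and the SQLite schema are constructed for the example. Because Python's standard library has no AES, the cipher is a stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag); in production replace it with AES-GCM from a vetted library and keep the rest of the design.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed master key for the example only. In a deployment it comes from a
# KMS/HSM and is never stored alongside the database files.
MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778899aabbccddeeff0")

# Constructed sample rows (hypothetical people and identifiers).
SAMPLE_CUSTOMERS = [
    ("Alice Kim", "123-45-6789"),
    ("Bob Lee", "987-65-4321"),
]


class ColumnCipher:
    """Application-layer encryption for one sensitive column.

    Stand-in construction so the example runs with the standard library alone:
    an HMAC-SHA256 keystream (CTR-style) plus an encrypt-then-MAC tag.
    Use AES-GCM from a vetted library in production; the design around it is the same.
    """

    def __init__(self, master_key: bytes) -> None:
        # Separate sub-keys for encryption, authentication and the blind index.
        self.enc_key = hmac.new(master_key, b"column-encrypt", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"column-authenticate", hashlib.sha256).digest()
        self.idx_key = hmac.new(master_key, b"column-blind-index", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self.enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: bytes, aad: bytes) -> bytes:
        """Returns nonce || ciphertext || tag. `aad` binds the value to its row."""
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, aad + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes, aad: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.mac_key, aad + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrong key, wrong row, or tampered ciphertext")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def blind_index(self, value: bytes) -> bytes:
        """Keyed hash that allows equality lookups without storing plaintext."""
        return hmac.new(self.idx_key, value, hashlib.sha256).digest()


def build_customer_db(cipher: ColumnCipher) -> sqlite3.Connection:
    """Creates an in-memory table whose SSN column holds only ciphertext and a blind index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn_ct BLOB, ssn_idx BLOB)")
    for name, ssn in SAMPLE_CUSTOMERS:
        conn.execute(
            "INSERT INTO customers (name, ssn_ct, ssn_idx) VALUES (?, ?, ?)",
            (name, cipher.encrypt(ssn.encode(), aad=name.encode()), cipher.blind_index(ssn.encode())),
        )
    conn.commit()
    return conn


def lookup_by_ssn(conn: sqlite3.Connection, cipher: ColumnCipher, ssn: str):
    """Equality search via the blind index; only the matching row is decrypted."""
    row = conn.execute(
        "SELECT name, ssn_ct FROM customers WHERE ssn_idx = ?", (cipher.blind_index(ssn.encode()),)
    ).fetchone()
    if row is None:
        return None
    name, ct = row
    return name, cipher.decrypt(ct, aad=name.encode()).decode()


def stolen_copy_view(conn: sqlite3.Connection):
    """What an attacker sees after copying the database: names and opaque blobs."""
    return conn.execute("SELECT name, ssn_ct FROM customers ORDER BY id").fetchall()


def decrypt_fails(cipher: ColumnCipher, blob: bytes, aad: bytes) -> bool:
    """True if `blob` cannot be decrypted by `cipher` under `aad` (wrong key or wrong row)."""
    try:
        cipher.decrypt(blob, aad)
        return False
    except ValueError:
        return True
```

The point to take from stolen_copy_view is that the database file, its backups and its replicas hold only opaque blobs; decrypt_fails shows that the same blob is also useless under the wrong key or when moved to another row, because the row's name is bound in as associated data. Searching by anything other than exact equality (ranges, prefixes, wildcards) still needs plaintext or a different technique, which is the real source of column-level encryption's performance cost.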

4. DB encryption and key management requires hardware appliances, which is inconvenient

These days key management solutions are commonly available both as hardware appliances and as cloud services; which one fits depends on where a business stores its data and what its requirements are. Not every business has its own data center. Many rely on some kind of Software-as-a-Service (SaaS) solution, which removes the need for a hardware appliance on premises, so a traditional in-house key management deployment is increasingly unlikely to be the right fit. What matters is that the keys are stored and managed separately from the data they protect, whatever platform holds them.

5. DB encryption is too complicated and requires modifications to my current operating system

Once a business has answered the basic questions of what data needs to be encrypted and who should be authorized to access it, database encryption need not be complicated. Readily available tools cater to the needs of each business. Many DB encryption solutions sit below the application layer, so no changes to the operating system or the storage are required; where the vendor supplies an encryption engine, no source code changes to the database environment or the application are required either.

Businesses should not shy away from DB encryption because of these common misconceptions. DB encryption is not so much a trend as a security necessity for every business. The drivers for adopting it come down to compliance requirements and a recognition of the need to protect specific data types. Whether the goal is to meet industry standards or to safeguard sensitive information, DB encryption is here to stay.

Bring Your Own Device (BYOD) Security Pitfalls

The Bring Your Own Device (BYOD) movement is gaining a strong foothold in the US, with 72% of organizations already implementing BYOD or planning to do so. In the workplace, BYOD is an attractive model, offering greater flexibility and increased productivity for employees. However, it brings several security risks that need to be addressed. With personal devices like smartphones and tablets handling corporate data, companies now carry the burden of balancing protection against outside intrusion with respect for their employees' privacy.

SMBs and enterprises alike are responsible for maintaining data security standards and this task can get easily complicated with the introduction of BYOD. To take control of your company’s BYOD policies, consider these associated challenges:

1. BYOD allows personal and business data to intertwine and mix

A big challenge for companies is managing personal and corporate data on the same employee-owned device. A personal device is unlikely to carry the same level of protection as a company's internal network, which raises the question of what happens when it connects to an unsecured network. Logging in over a secured company network is one thing; logging in over an unsecured public network exposes both the company and the employee. Furthermore, malware an employee accidentally installs on a personal device can spread to the company's systems once that device connects to the corporate network.

2. BYOD increases the risk of data and information leakage

A BYOD policy can open multiple entry points for attackers to reach confidential data, raising the overall risk to the entire organization. Mobile phones and tablets are often riskier than managed PCs and laptops because patching depends on each device's owner and vendor: security updates arrive frequently, sometimes daily, and nothing ensures they are applied. While BYOD has its benefits, companies must realize that personal devices are a weak link in workplace security and need special attention.

3. BYOD introduces human error/physical obstruction possibilities

Even when employee devices have password controls, remote lock, or encryption enabled, there is always the possibility of a device being misplaced or stolen. Careless employees can be an IT administrator's worst nightmare, since there is not much they can do to retrieve a device once it is gone. A PIN code is a simple but effective first barrier against outsiders gaining access to the device. However, since a short PIN can be guessed or brute-forced, added protection such as a remote wipe capability may be necessary to eliminate the possibility of data theft.

4. BYOD makes it harder to keep track of vulnerabilities and updates

Not all mobile devices are created equal. They have different capabilities and operating systems that run different programs with different levels of security. As more personal devices are added under a BYOD policy, keeping track of each device's vulnerabilities and updates becomes harder, because employees use different applications on their devices and, without proper encryption or other security measures, the exposure grows. Worse still, an older device that no longer receives updates may carry unpatched or undocumented vulnerabilities, making it all the more dangerous. Security experts may suggest investing in a mobile device management (MDM) platform, but that requires employees to install an agent on their personal devices, which many are likely to oppose.

Even before setting up a BYOD policy, a company should research the security options currently available to it. Single Sign-On (SSO) backed by a centralized identity platform, for example, does not stop an attacker from logging into a lost device, but it puts authentication to corporate web applications in one place: employees log in once to have their credentials verified, access across the different devices in the network is governed by one set of policies, and an account can be disabled or its sessions revoked centrally when a device goes missing. While thorough BYOD policies and procedures are important for securing employee devices, it is equally vital to educate employees on basic security practices for protecting their personal devices, so that security becomes a company-wide effort.

Cited by Gartner in 2016 Hype Cycle for Data Security

Listed as sample vendors for FPE and Database Encryption, Penta Security receives attention for its developments

Seoul, Korea: Penta Security Systems Inc., a leading Web and Data security provider in the Asia-Pacific region, announced that it has been listed as a sample vendor for two technologies, Format Preserving Encryption (FPE) and Database Encryption, in the Gartner 2016 Hype Cycle for Data Security.[1] Each year, Gartner, Inc. publishes visual representations of the maturity and adoption of various technologies and applications, citing vendors that are relevant to business development in each field. Within the last year, numerous corporations and entities worldwide have had their data breached, which further highlights the need for data security and encryption technologies.

Database Encryption

In 2016’s Hype Cycle for Data Security, Penta Security was cited as a sample vendor for Database Encryption. Database Encryption is in the early stages of mainstream in terms of maturity. Penta Security’s Head of Planning, Duk Soo Kim stated, “After research and development over the course of many years, we’re pleased to see the technology becoming increasingly prevalent in the market. As the industry continues to develop and mature, we will most certainly be keeping up with the latest in database encryption technology.”

FPE (Format Preserving Encryption)

Additionally, Penta Security was listed under Format Preserving Encryption as a sample vendor. Still largely a new field, FPE produces ciphertext that keeps the format of the plaintext (a 16-digit card number encrypts to another 16-digit string), so existing column types, lengths and validation rules need minimal modification. While previously less utilized, its adoption has become more widespread since NIST (National Institute of Standards and Technology) published standard FPE modes (the FF1 and FF3 modes of SP 800-38G, 2016). Regarding this listing in the Hype Cycle, Kim remarked, “Technology and security are constantly changing and being challenged. Therefore, being named as a sample vendor for a technology like FPE confirms that we are implementing technologies taken on by early adopters, not just traditionally utilized.”

Penta Security is a leading vendor of data security solutions, including its encryption solution, D’Amo. By using FPE technology, D’Amo allows encryption to be applied to sensitive data fields without modification to the schema of the database environment. With the data held in mission-critical applications (such as ERP, CRM, HRM) becoming increasingly complex, continued attention to data security practices is crucial.
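As an added example (not D’Amo’s code and not NIST FF1/FF3), the following toy Feistel cipher shows what “format preserving” means in practice: a decimal string encrypts to a decimal string of the same length, so a CHAR(16) card-number column keeps its type, length and validation rules. The key and the sample card numbers are constructed. The construction mirrors the shape of FF1 (ten rounds of an alternating Feistel network with modular addition and a tweak) but uses HMAC-SHA256 as the round function and has not been analysed for security; use a library implementation of SP 800-38G in production.

```python
import hashlib
import hmac

ROUNDS = 10  # same round count as NIST FF1; the construction below is NOT FF1

# Constructed key for the example only.
FPE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, width: int) -> int:
    """PRF for one Feistel round, reduced so the output is itself a `width`-digit number."""
    msg = tweak + bytes([round_no]) + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_encrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypts a decimal string to a decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a decimal string of at least two digits")
    n = len(digits)
    u, v = n // 2, n - n // 2            # left and right half widths (v == u or u + 1)
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        if i % 2 == 0:                    # even rounds: modify the left half using the right
            f = _round_function(key, tweak, i, b, u)
            a = str((int(a) + f) % 10 ** u).zfill(u)
        else:                             # odd rounds: modify the right half using the left
            f = _round_function(key, tweak, i, a, v)
            b = str((int(b) + f) % 10 ** v).zfill(v)
    return a + b


def fpe_decrypt_digits(key: bytes, ct: str, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt_digits: run the rounds backwards with modular subtraction."""
    n = len(ct)
    u, v = n // 2, n - n // 2
    a, b = ct[:u], ct[u:]
    for i in reversed(range(ROUNDS)):
        if i % 2 == 0:
            f = _round_function(key, tweak, i, b, u)
            a = str((int(a) - f) % 10 ** u).zfill(u)
        else:
            f = _round_function(key, tweak, i, a, v)
            b = str((int(b) - f) % 10 ** v).zfill(v)
    return a + b


def protect_pan(key: bytes, pan: str, tweak: bytes = b"") -> str:
    """Keeps the first six (issuer) and last four digits readable, encrypts the middle."""
    if not pan.isdigit() or len(pan) < 12:
        raise ValueError("PAN must be at least 12 digits")
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_encrypt_digits(key, middle, tweak) + tail


def unprotect_pan(key: bytes, token: str, tweak: bytes = b"") -> str:
    head, middle, tail = token[:6], token[6:-4], token[-4:]
    return head + fpe_decrypt_digits(key, middle, tweak) + tail
```

protect_pan keeps the issuer prefix and last four digits readable, which is the common operational compromise: the stored token still passes length checks and can be shown on receipts, while only the middle digits are encrypted. The tweak (for example a customer identifier) ensures the same card number stored in two rows yields two different tokens, so an attacker holding a copy of the database cannot tell which customers share a card.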

Disclaimer:

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About Penta Security:

With over 19 years of IT security expertise, Penta Security Systems Inc. (CEO/Founder Seokwoo Lee) is recognized by Frost & Sullivan as 2016’s Asian Cyber Security Vendor of the Year. For more information on Penta Security and its encryption technology, please visit www.pentasecurity.com. For partnership inquiries, please email info@pentasecurity.com.


[1] Gartner, Hype Cycle for Data Security, 2016 by Brian Lowans, July 13, 2016: https://www.gartner.com/doc/3371735/hype-cycle-data-security-

Public Wi-Fi: Stranger Danger

Progress in the IT world has led to a good many changes in the past decade. Nowadays we are surrounded by technology and it is part of our everyday lives. One of these technologies that we no longer give much thought to is public Wi-Fi.

It has certainly made life a lot easier. We no longer have to rely on the quickly disappearing cellular data allowances on our mobile phones. Especially in Korea, one of the most connected countries in the world in terms of network infrastructure and #1 in terms of internet speed, free public Wi-Fi is taken as a given. It is a win-win situation: businesses get more foot traffic from tourists or residents seeking a location with a Wi-Fi connection and entertainment, and customers are connected to the Internet for free without using their precious cellular data.

But the issue here is this: is public Wi-Fi really safe?

Cafes are a popular place for students and freelancers alike because they provide a nice ambiance, open spaces, and most of the time free Wi-Fi. Many cafes display the Wi-Fi password at the counter or print it on the receipt, and most of the time it is something simple like “1234567.” A password that is on display no longer fulfils its original duty of being a secret that controls access to the network: anyone who walks in, or reads it off a photo of the counter, holds the same key as every customer.

There has also been an increase in attacks on public wireless routers of late. The most prevalent technique is “wireless sniffing.” Just as the name suggests, a wireless sniffer captures the frames a wireless network transmits: it is a piece of software or hardware that intercepts data as it is sent and decodes it into a form readable by humans. On an open network every unencrypted connection is readable directly, and on a network protected by a shared password anyone who knows that password and has captured a device’s initial handshake can derive that device’s traffic keys and decrypt its traffic too. If a sniffer is watching your connection, any ID or password sent over plain HTTP can be recovered, and an attacker on the same network can redirect you to pages that deliver malware.

Awareness of Public Wi-Fi Security Issues

This is all anxiety-causing information, but we started to wonder two things in terms of application to the real-world. First, how is the security at some of the well-known establishments providing Wi-Fi ? And second, were providers (at cafes, bookstores, etc.) and users aware of security (or the lack thereof) for public Wi-Fi?  

(Infographic: public Wi-Fi security at cafes in Seoul)

The Public Wi-Fi “Provider”

After surveying 20-odd establishments, we categorized them into three levels of security. For “high,” authorization and authentication were required to gain access. For “average,” a password different from the factory default had been set, and for “low,” no changes had been made to the router since the point of purchase. Not surprisingly, we found that the larger chains offered higher levels of security than the domestic brands. Independent cafes rarely had the level of security necessary to secure a Wi-Fi connection.

We then conducted a short interview with either the employee behind the counter or the branch manager and found that many locations do not regularly upgrade their router firmware. Firmware updates are how router vendors ship fixes for security vulnerabilities, as well as stability improvements, so keeping the firmware current is a necessity even if the process is tedious. And while some locations had changed the password after buying the router, it was often a simple one, and none of the establishments had been changing their passwords regularly.

Most cafes will have a simple password (or no password at all) because it’s more convenient. However, a few simple steps can set you on the right track to begin protecting your establishment. After all, a business needs to look at customer loyalty and long-term growth. That isn’t going to happen if you or your customers are hacked.

4 easy steps to secure the public Wi-Fi of your establishment:

  1. Change the administrator ID and password, and the Wi-Fi password, from the factory defaults, and change the Wi-Fi password regularly.
  2. Secure your Wi-Fi with WPA2 (Wi-Fi Protected Access 2), not WEP (Wired Equivalent Privacy). WEP uses a static encryption key with known weaknesses, which makes the key easy to recover.
  3. Block remote access to the router’s administration interface.
  4. Update the firmware regularly.

The Public Wi-Fi “User”

We went on to interview customers using the public Wi-Fi at the cafes to get their views on security. We were surprised to find that the users’ knowledge of security issues was better than that of the providers. Although Wi-Fi users are often aware that it may be unsafe, because it is free and convenient they ignore the risks and access the network anyway.

So what are the basic steps you can take that won’t take too much of your time/money?

(Infographic: public Wi-Fi awareness among users)

4 Cautionary Steps for Using Public Wi-Fi

  1. Turn off file and printer sharing on your computer and make sure remote login is not possible.
  2. Consider using a VPN (Virtual Private Network) when connecting to public Wi-Fi. Because it encrypts your traffic before it leaves your device, it prevents anyone sniffing the Wi-Fi from reading it.
  3. Avoid entering an ID and password on sites (e.g. banking, online shopping) unless the connection is HTTPS end to end; on an untrusted network it is better to avoid them altogether.
  4. Go to a cafe or public Wi-Fi hotspot where you know what security measures the provider takes.

But in all honesty, public Wi-Fi will never be “safe” in the sense that it will be void of any security risks.

And if you must…

It’s not realistic to say that all public Wi-Fi must disappear. In the digitized 21st century, connectivity is inevitable. In fact, it’s already happening. So the best thing you can do as a user and provider is to be cautious. Have these steps ready to execute. Extra steps are also possible with a firewall, anti-malware products, etc. But remember, the first step is the most important.

Cyber Attacks on Banks: How Vulnerable is Your Money?

When it comes to online banking, there is no room for sloppy data security. You might not lose any sleep if your (hopefully unique) Adobe password is leaked, and you may only experience a few minutes of rage if your Dota 2 game is DDoSed. But if your bank goes offline, you had better hope it is only for a few minutes, and that your money is safe. Today let’s look at some cyber attacks and what these types of attacks can mean for your savings.

3 Cyber Attacks with Devastating Consequences

Whether we’re talking about large banks or scrappy new fintechs, any financial companies that do business online are vulnerable to security risks, just like anyone else. Here are three major incidents where online banks had their security compromised.

1. American Banks Targeted With Extended DDoS Campaign

Starting in early 2012, a wave of malicious cyber attacks swept over several American banks, targeting banking web applications one at a time. The attacks affected Bank of America, Citigroup, Wells Fargo, Capital One, and HSBC, among others. Rather than targeting customer data or stealing money, the hackers used DDoS attacks to overwhelm online banking websites. This prevented actual customers from accessing bank services.

A group called Izz ad-Din al-Qassam Cyber Fighters took credit for the attacks. Dubbed Operation Ababil, they claimed retribution for an anti-Islam video. But due to the sophistication of the attacks, the US government suspects the group is just a front for the Iranian government, seeking their own retribution for American cyberwarfare attacks.

The campaign was one of the largest cyber attacks in history at the time (a record since surpassed many times). The attacks were carried out in three phases, the final one launching in March 2013. More than a nuisance, a successful DDoS attack costs banks an estimated $100,000 per hour. Worse, any compromised server, web application, device, or IoT device recruited into a botnet can be used in such an attack.

2. South Korea’s Banking Industry Hit By Massive Coordinated Attack

On March 20, 2013, South Korean citizens were rattled by a far-reaching cyber blackout. This attack froze computer terminals and paralyzed ATMs and mobile payments. At two banks, Windows and Linux computer systems were affected and entire hard drives were wiped. Others such as Woori Bank reported intrusion attempts. They claimed to have fended off the hackers. The attackers also managed to disrupt broadcasts of three major TV stations.

The South Korean government accused North Korean operatives of orchestrating this cyberwarfare campaign from China, where the attacking IP address was traced. Either a North Korean cyberwarfare unit was active in China, or a China-based mercenary botnet that had already compromised South Korean targets was used.

This attack was carried out by a relatively unsophisticated malware program known as “DarkSeoul,” and could have been prevented had adequate cyber security measures been put in place. Despite the disruption to services and deletion of data, it is clear the attack was mainly intended to disrupt business and cause chaos. The total cost of the carnage, both through denial of service and data loss,  was calculated at $725 million.

3. Russian Hackers Pull Off World’s Biggest Bank Heist

A crime spree of diverse, well-planned attacks against as many as 100 banks across 30 countries has been attributed to a single cybercriminal gang. The group, dubbed Carbanak by Kaspersky Lab, is believed to consist of Russians, Ukrainians, and Chinese, with targets located primarily in Russia, followed by the US, Germany, China, and Ukraine. The spree began in early 2014, peaked in June, and went unaddressed until February 2015.

The hackers used botnets to send out malware-infected e-mails to bank employees, a tactic called spearphishing, and were able to infiltrate many employee accounts. This allowed them to steal many different kinds of sensitive information, including customer data, secret keys used by ATMs to confirm PINs, bank video surveillance, and information on security systems and anti-fraud measures. They could also manipulate account balances and create fake accounts to move stolen money around. Each attack took around two to four months.

One bank was robbed of $7.3 million when the hackers reprogrammed its ATMs. Another bank’s online platform was accessed and the thieves made away with $10 million. Some of these attacks could have been prevented had employees only updated their Microsoft software. The thieves were able to make off with as much as $1 billion, and authorities have been unable to catch them.

So now what?

These three incidents show hackers with varying motivations and means, using differing techniques to achieve their own unique goals. Whether disrupting service or stealing money, or cybercrime or cyberwarfare, cyber threats cannot go unaddressed. And rather than going after only the biggest banks, hackers are increasingly targeting smaller fintech startups with fewer resources and less experience with cyber security. We must cooperate to secure the Internet from these actions, or we’ll pay the price in the end.


This blog post was originally featured on cloudbric.com. Visit their blog for more insight, news, and accessible information on web threats and trends. If you would like to learn more about Cloudbric’s logic-based WAF service, please contact info@cloudbric.com.

Database Encryption: the new trend?

We’ve talked quite a bit about database encryption in this blog, and perhaps you have heard about it on the news or in the media as well. Every other day a company is hacked. Data is everywhere. Cyber security is an unavoidable topic as of late, especially here in Korea.

In Seoul, digitization is the norm, not the exception. Billboards are all in LED format. The majority of any commercial shopping can be done online. Having a mobile application for any activity is an obvious given. Considering how everyday life is inextricably linked to the digital world, it seems inevitable that laws comply with the changing trends.

For example, Korea’s Personal Information Protection Act (PIPA) requires any commercial entity that handles private user information to encrypt its databases, or otherwise take other precautions to ensure user privacy. If an entity does not comply with the act and private records are breached, those responsible can be sentenced to up to 2 years’ imprisonment and/or a fine of around $10,000.

This kind of approach to privacy gives a good push to the information security market.

For the past few years, the database encryption market has seen increased potential due to the Information Communication Act, which is similar to the Privacy Act but much less strict. Moreover, government institutions have been major customers for encryption security in the past. This pressures other enterprises (like insurance companies or financial firms) to join in the fun. The potential for this market is $50 million – not a small amount.

Database Encryption for the “IT Crowd”

For example, since the privacy act came into force, Korean IT-security firm Penta Security Systems has shown consistent and significant annual sales increases. In 2013, sales increased by 75% in terms of revenue and 70% in terms of the number of customers. It was as if clients in the government sector had become “the IT crowd,” and other enterprises were lining up to follow their lead in database encryption.

There are many benefits to a DB encryption solution, especially for government entities and enterprises. For example, the leading encryption solution in APAC, D’Amo, offers access controls for encrypted data: by distinguishing authorized from unauthorized users, access to the decrypted values stays under your control. The administrator can restrict a user’s access by IP address, permitted time period, and application program. It also provides an auditing function for important data columns that records which users or computers have performed operations on them, so that questionable access or privilege abuse can be detected and countered.

Trends and policies come and go… Encryption is here to stay

Lately, the hot topic words are “cloud trends” or “database encryption trends.” While it’s a start that these topics are being mentioned – the word “trend” can be misleading. It signifies that there will be a point in time where it is no longer popular to be doing something.

However, database encryption is something that everyone should start to be concerned about. And we should continue to be concerned. While it’s easy to wait for policies to be made in order to adhere to a set standard, corporations and individuals alike do need to remember that at the end of the day, the responsibility of cybersecurity lies with you.

A recent report by Symantec found that up to 60% of cyber attacks target SMBs. In addition, Kaspersky Lab reported that on average, enterprises paid US $551,000 to recover from a security breach. That’s money that would send the budgets of many start-ups or SMBs in the red. Why wait for an attack when you could build a long-term defense?

When looking for an encryption solution, don’t think about it in the short term. Look at what solutions will give you long-term benefits. Countless new vulnerabilities may arise, but a company should be able to give you optimized solutions for what you need at any given time. It shouldn’t send you into a panic attack every time a new cyber threat makes its way into the digital world.

For more information on encryption solutions, head to the D’Amo Overview page, or contact us at info@pentasecurity.com

Blocking Web Application Attacks: New Technology Patented

Penta Security Systems has been granted a patent in Japan for its unique algorithm-based analytical engine for detecting and blocking web application attacks. This technology enables Penta Security’s web application firewall to provide a high level of defense against complex web application attacks.

Penta Security Systems Inc. is a leading provider of Application Security Solutions in Japan and South Korea. It was announced today that the Japan Patent Office granted Penta Security a patent for its unique method on December 28th, 2011. The method detects attacks that target web applications.

WAPPLES, the web application firewall product of Penta Security, utilizes this method to analyze and determine whether or not Internet traffic constitutes a threat to the web applications under its protection. It will defend against such threats intelligently and accurately. Currently, WAPPLES is the only product in Japan to hold a patent pertaining to methods of detecting web attacks.

“This one-of-a-kind patented technology utilizes analytical algorithms, rather than the old, maintenance-intensive system of pattern matching that typically generates many false positive attack alerts. With this new technology, WAPPLES has been able to achieve a near-zero false positive rate while lowering system maintenance costs. Administrators no longer need to add patterns manually on a daily basis. Web attack detection and response through the logic analysis of this patented technology have made WAPPLES the new paradigm of web application security,” said John Kirch, Vice President of Penta Security.

WAPPLES can detect complex web attacks like SQL injection, which caused several serious incidents of personal information leakage last year. The patented technology can also help save bandwidth (up to 50 percent), by eliminating malicious web traffic.

“WAPPLES is a commercially proven and tested solution with more than 1,100 customers, including government, SMBs and Large Enterprises; our success is based on our patented technology and our relentless commitment to satisfying our clients’ needs,” said John Kirch. He continued, “Recent cyber attacks in Japan have clearly demonstrated the importance and value-add that WAF can contribute in detecting and protecting organizations from application-layer cyber attacks. Enabling Japanese organizations and their clients worldwide to safely sell and buy Japanese products/services could make a tremendous contribution to enhancing Japan’s economic status.”

For more information about WAPPLES, please visit: https://www.pentasecurity.com