Lies We Tell Our CEOs About Database Security

Published: 22/11/2024 | Category: security




South Carolina government executives' response to a breach shows how nontechnical leadership often views security through a distorted lens



Beyond the raw statistics coming out of the South Carolina state government offices around a breach of its tax records that exposed the sensitive details of millions, Gov. Nikki Haley and her nontechnical senior executives have tried to dole out a measure of information about the breach and citizen credit remediation through a series of press conferences this week. A good faith effort, to be sure, security pundits say, but one whose content may also hint at how South Carolina got into this mess in the first place.
As investigators continue to unravel the clues around the South Carolina breach at the state's Department of Revenue that exposed 3.6 million individual taxpayers' Social Security numbers (SSNs), Haley announced more bad news on Halloween with the revelation that tax files for around 657,000 businesses were also stolen. While many details around how the hack went down are being kept under wraps due to law enforcement constraints, the governor and her staff have commented on the technical aspects of the breach. Some security pros argue that the messages and tone set by these comments hint at a dangerous lack of education about database security and threats.
For example, in one instance the governor justified the state's failure to encrypt taxpayers' SSNs with the comment that most banks don't encrypt them and that it's too complex to do. In another instance, even though the attack was clearly from an outside hacker, she said that "this is not someone who came in from the Internet."
"She's getting really bad information from the people beneath her, or she's speaking from a completely uneducated perspective," says Mike Murray, managing partner for consulting firm MAD Security. "Her version of what database encryption is seemed like it should be in a movie version of what hacking is."
What makes that so dangerous, of course, is that distorted views of security often lead to bad risk decisions. When senior executives of any public or private organization don't understand industry best practices, or what really constitutes a sophisticated attack, they will probably fail to properly fund the measures needed to secure sensitive databases.
So whether it is through mistruths or miscommunications, security executives should try to eradicate the possibility that their CEOs hold any of the misconceptions put forward in South Carolina this week, Murray warns.
Encryption Is Too Hard To Do
One of the first telling comments to come from Haley earlier this week was that it is "industry standard" that most SSNs are not encrypted in databases.
"A lot of banks don't encrypt," she said. "It's very complicated. It's very cumbersome. There's a lot of numbers involved with it."
According to Mark Bower, a data protection expert and vice president at encryption firm Voltage Security, from his experience he can "categorically state" that the leading banks, payment processors, and enterprises are encrypting personally identifiable information such as SSNs.
"In fact, many data privacy laws require it," he says.
What's more, Haley's encryption-is-too-hard excuse is no longer justifiable, Bower argues.
[Hackers fixate on SQL injections -- CSOs, not so much. See The SQL Injection Disconnection.]
"To suggest that it's too hard isn't taking into account the innovations that have taken place in the last 10 years," he says. "For example, data-centric security technologies like Format-Preserving Encryption, a NIST-recognized mode of AES, and Stateless Key Management make data-level security very simple to implement, deploy, and manage across hundreds of applications and thousands of databases, even in systems which might date back 30 years."
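The practical point behind Bower's Format-Preserving Encryption remark is that the ciphertext of a nine-digit SSN is itself nine digits, so it fits the existing column, passes existing validation, and requires no schema change in a legacy system. The block below is an added illustration written for this page, not Voltage Security's product or NIST's FF1: it uses the same alternating Feistel structure as FF1 over a decimal alphabet, but substitutes HMAC-SHA256 for FF1's AES-based round function, so it is a demonstration of the construction rather than a compliant implementation. The key, the sample rows, and the column-bound tweak `taxpayers.ssn` are all constructed for the example.

```python
import hashlib
import hmac

RADIX = 10      # decimal alphabet: ciphertext stays all digits
ROUNDS = 10     # FF1 also uses ten Feistel rounds

# Demo key only; a real deployment would fetch this from a key-management service.
DEMO_KEY = hashlib.sha256(b"illustrative key, do not reuse").digest()

# Constructed nine-digit values in SSN layout; these are not real Social Security numbers.
SAMPLE_ROWS = [
    {"taxpayer_id": 1, "name": "A. Example", "ssn": "123456789"},
    {"taxpayer_id": 2, "name": "B. Example", "ssn": "987654321"},
    {"taxpayer_id": 3, "name": "C. Example", "ssn": "000112222"},
]

# Binding the tweak to the column means the same key can protect several
# columns without the same plaintext mapping to the same ciphertext in each.
SSN_TWEAK = b"taxpayers.ssn"


def _round_function(key, tweak, n, round_no, half, width):
    """Keyed pseudorandom function for one Feistel round, reduced mod 10**width.

    HMAC-SHA256 stands in here for the AES-CBC-MAC that NIST FF1 specifies;
    the tweak, the string length and the round number are mixed in so that
    every round and every column gets an independent function."""
    msg = tweak + bytes([n, round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (RADIX ** width)


def _split(digits):
    """Left half has floor(n/2) digits, right half has the rest (unbalanced Feistel)."""
    n = len(digits)
    u = n // 2
    return n, u, n - u, digits[:u], digits[u:]


def fpe_encrypt(key, digits, tweak=b""):
    """Encrypt a decimal string to a decimal string of the same length."""
    if not (digits.isascii() and digits.isdigit()) or len(digits) < 2:
        raise ValueError("plaintext must be at least two ASCII decimal digits")
    n, u, v, a, b = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v            # width of the half being replaced
        y = _round_function(key, tweak, n, i, b, m)
        c = (int(a) + y) % (RADIX ** m)       # modular addition keeps the alphabet
        a, b = b, str(c).zfill(m)             # zfill preserves leading zeros
    return a + b


def fpe_decrypt(key, digits, tweak=b""):
    """Invert fpe_encrypt by running the rounds backwards with modular subtraction."""
    n, u, v, a, b = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, tweak, n, i, a, m)
        c = (int(b) - y) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


def encrypt_ssn(key, ssn):
    """Column-level helper: validates the SSN layout and applies the column tweak."""
    if len(ssn) != 9:
        raise ValueError("SSN must be exactly nine digits")
    return fpe_encrypt(key, ssn, SSN_TWEAK)


def decrypt_ssn(key, token):
    return fpe_decrypt(key, token, SSN_TWEAK)


def encrypt_rows(key, rows):
    """Return copies of the rows with the ssn column encrypted in place.

    Every other column, and the column type itself, is untouched, which is the
    property that lets this retrofit a legacy schema."""
    return [dict(row, ssn=encrypt_ssn(key, row["ssn"])) for row in rows]


if __name__ == "__main__":
    for row in encrypt_rows(DEMO_KEY, SAMPLE_ROWS):
        print(row["taxpayer_id"], row["ssn"], "->", decrypt_ssn(DEMO_KEY, row["ssn"]))
```

Two caveats a practitioner would attach: this scheme is deterministic, which is what lets the application still do equality lookups on the encrypted column, but it also means two taxpayers with the same SSN produce the same token; and format-preserving encryption protects the data only as well as the key is protected, so the key must not live in the same database or application account that an attacker with a stolen login would inherit.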
Only Extremely Intelligent, Sophisticated Crooks Could Possibly Breach Our Defenses
In South Carolina and Gov. Haley's defense, the boilerplate response of just about any executive responding to a recent breach is that the incident came at the hands of a mustache-twirling villain of superior intellect. So the superlatives Haley used to describe the suspected international criminal's tactics are hardly surprising.
"This was a sophisticated hacker who came in and creatively got into the system. This was no simple breach," she said. "This is not something that happens on a day-to-day basis; it is something that is very bizarre."
It's hard to say how creative the crooks really were in this case until details are released, but if common industry speculation proves true that this came as the result of an escalated attack following a standard SQL injection attack, that exceptionalism argument hardly holds water with security pros. The question to be asked is, even if Haley could justify a lack of encryption to protect citizen details, where were the other protections, such as database activity monitoring?
"Maybe lots of people have trouble encrypting Social Security numbers -- I don't really buy that, but maybe they do," Murray says. "But those organizations are doing lots of other things to protect their information."
Haley's staff made it clear that the attackers likely had access to systems for at least a month before detection. The state didn't know about the breach until it was informed by the Secret Service.
"I didn't get the feeling that they actually had a sophisticated database activity monitoring solution in place, which could have prevented this attack," says George Csaba, product manager for FortiDB at Fortinet.
The technology's rule sets could have detected or blocked unusual activity during an initial incursion into the database, before millions of records were stolen, he added. "At the end of the day, even if the hacker came from the outside, they probably used or stole a user ID/password combination in the database, which they were able to utilize to pull that data," Csaba says.
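The kind of rule set Csaba describes is not exotic: a database activity monitor compares each statement against what an account normally does, and a stolen user ID/password combination that is used to pull every row out of a table looks nothing like the application's normal single-row lookups. The block below is an added example written for this page, not FortiDB or any other vendor's product. The audit records, the account names, the hosts and the per-account policy are all constructed; a real deployment would build the baseline from observed traffic rather than hard-code it.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed database audit records for the example (not real South Carolina logs).
# Normal application traffic, then a session from an unfamiliar host that reads
# whole tables of sensitive columns in the middle of the night.
AUDIT_LOG = """\
2012-08-27T14:05:11Z user=dor_app host=10.20.1.15 rows=1 stmt="SELECT name, ssn FROM taxpayers WHERE id = 4471"
2012-08-27T14:05:19Z user=dor_app host=10.20.1.15 rows=1 stmt="SELECT name, ssn FROM taxpayers WHERE id = 4472"
2012-08-27T14:07:02Z user=dor_report host=10.20.1.40 rows=120 stmt="SELECT county, count(*) FROM taxpayers GROUP BY county"
2012-09-13T02:41:55Z user=dor_app host=203.0.113.7 rows=3600000 stmt="SELECT name, ssn FROM taxpayers"
2012-09-13T02:50:10Z user=dor_app host=203.0.113.7 rows=657000 stmt="SELECT ein, owner_ssn FROM businesses"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)

# Hypothetical per-account baseline: where each account legitimately connects
# from and the largest result set its workload needs.
POLICY = {
    "dor_app": {"hosts": {"10.20.1.15"}, "max_rows": 100},
    "dor_report": {"hosts": {"10.20.1.40"}, "max_rows": 10000},
}
SENSITIVE_COLUMNS = {"ssn", "owner_ssn"}
WORK_HOURS = range(7, 20)   # 07:00-19:59 UTC; outside this is "off hours"
BLOCKING_FINDINGS = {"bulk_read", "unfiltered_sensitive_read"}


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    rows: int
    stmt: str


def parse_log(text):
    """Parse audit lines into Events; malformed lines are skipped here, though a
    real monitor should alert on them rather than silently drop them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            user=m["user"], host=m["host"], rows=int(m["rows"]), stmt=m["stmt"],
        ))
    return events


def evaluate(event):
    """Apply the rule set to one statement and return the names of the rules it trips."""
    findings = []
    policy = POLICY.get(event.user)
    if policy is None:
        return ["unknown_account"]
    if event.host not in policy["hosts"]:
        findings.append("unexpected_source_host")     # valid password, wrong place
    if event.rows > policy["max_rows"]:
        findings.append("bulk_read")                  # far beyond the account's baseline
    tokens = set(re.findall(r"\w+", event.stmt.lower()))
    if tokens & SENSITIVE_COLUMNS and "where" not in tokens:
        findings.append("unfiltered_sensitive_read")  # sensitive column with no row filter
    if event.ts.hour not in WORK_HOURS:
        findings.append("off_hours")
    return findings


def should_block(findings):
    """A monitor in enforcing mode would refuse the statement before rows leave the database."""
    return bool(BLOCKING_FINDINGS & set(findings))


def audit(text):
    """Return (event, findings) for every statement that trips at least one rule."""
    return [(e, f) for e in parse_log(text) for f in [evaluate(e)] if f]


if __name__ == "__main__":
    for event, findings in audit(AUDIT_LOG):
        action = "BLOCK" if should_block(findings) else "ALERT"
        print(action, event.ts.isoformat(), event.user, event.host, findings)
```

The two bulk reads trip every rule, while the reporting account's aggregate query and the application's single-row lookups trip none, which is the distinction that lets such a rule set run in blocking mode without breaking normal work. Note that the host and bulk-read rules fire even when the credential itself is perfectly valid, which is exactly the case Csaba describes.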
Data Theft Is Inevitable
According to Gov. Haley, there was "not one thing or one person" in the Department of Revenue that could have avoided this hack.
Her statement suggests a sense of fatalism that, if it persists in the C-suite, will ensure that breach statistics continue to grow for years to come, experts say. The problem is that while senior executives should get used to the idea of attacks continuing ad infinitum, there's nothing inevitable about actually losing data.
"I think she's right: An attack is inevitable; losing 3.8 million Social Security numbers is not," Murray says. "That someone bad is going to keep trying to do something bad to you -- yes, that's absolutely inevitable. That they're going to be very, very successful like they were here, not so much."
According to Murray, he talks with plenty of clients that deal with attacks every day but that don't deal with actual data loss every day. That is an important distinction he believes CSOs need to make to their line-of-business executives.
"If we're failing to communicate that up to the highest level of the organization, that's a problem," he says.