Legitimate Privilege Abuse

Users may abuse legitimate database privileges for unauthorized purposes. Consider a hypothetical rogue healthcare worker with privileges to view individual patient records via a custom Web application. The structure of the Web application normally limits users to viewing an individual patient’s healthcare history – multiple records cannot be viewed simultaneously and electronic copies are not allowed. However, the rogue worker may circumvent these limitations by connecting to the database using an alternative client such as MS-Excel. Using MS-Excel and his legitimate login credentials, the worker may retrieve and save all patient records.

It is unlikely that such personal copies of patient record databases comply with any healthcare organization's patient data protection policies. There are two risks to consider. The first is the rogue worker who is willing to trade patient records for money. The second (and perhaps more common) is the negligent employee who retrieves and stores large amounts of information on their client machine for legitimate work purposes. Once the data exists on an endpoint machine, it becomes vulnerable to Trojans, laptop theft, etc.

Mitigation

  • User Rights Management

Aggregate Access Rights: Scan databases for both granted and privileged user rights and extract details such as the actual access right (e.g. SELECT, DELETE, CONNECT, etc.), who granted them, who received those rights, and the objects to which rights have been granted. Aggregating user rights into a single repository helps streamline the reporting and analysis of user access to sensitive data.

Enrich Access Rights Information with User Details and Data Sensitivity: Adding information related to user roles and their database behavior adds considerable value to user rights analysis and helps zero-in on the abuse of privileges. Collect and append contextual details to user rights information including the user name, department, database object sensitivity, and last time accessed. This allows you to focus your analysis on the access rights that represent the highest business risk.

Identify and Remove Excessive Rights and Dormant Users: Identify users that have too many privileges and users who don’t use their privileges. This helps determine if user access rights are appropriately defined, find separation of duties issues, and remove excessive rights that are not required for users to do their job. Hackers use access rights to impersonate users and go after sensitive data stores. Therefore, reducing excessive rights helps protect against malware compromise.

  • Monitoring and Blocking

Real-Time Alerting and Blocking: Monitor all database access activity and usage patterns in real time to detect data leakage, unauthorized SQL transactions, and protocol and system attacks. When attempts to access unauthorized data occur, generate alerts or terminate the user session. Use a solution that leverages policies – both pre-defined and custom – that inspect database traffic to identify patterns that correspond to known attacks, such as DoS attacks, and unauthorized activities. Security policies are useful for not only detecting excessive privilege abuse by malicious, compromised, or dormant users, but also for preventing most of the other top ten database threats.

Detect Unusual Access Activity: Establish a comprehensive profile of each database user’s normal activity. These baselines provide the basis for detecting DoS, malware, SQL injection, and anomalous activities. If any user initiates an action that does not fit their profile, log the event, generate an alert or block the user. Creating activity-based user profiles increases the likelihood of detecting inappropriate access to sensitive data.
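As an added illustration of the profiling approach described above (example code written for this section, not part of the original paper or any product), the following builds a per-user baseline from constructed audit events and flags the Excel-style bulk retrieval from the scenario: an unfamiliar client program and a result set far larger than anything the user normally pulls. The event field names (user, client, rows) are assumptions.

```python
"""Added example: profile-based detection of bulk record retrieval.

The audit events below are constructed for illustration, not taken from any
real system. Each records who queried the patient table, from which client
program, and how many rows the query returned.
"""
from collections import defaultdict

# Constructed baseline: normal Web-application usage returns one patient at a time.
BASELINE_EVENTS = [
    {"user": "nurse_a", "client": "PatientPortal", "rows": 1},
    {"user": "nurse_a", "client": "PatientPortal", "rows": 1},
    {"user": "nurse_a", "client": "PatientPortal", "rows": 2},
    {"user": "nurse_b", "client": "PatientPortal", "rows": 1},
    {"user": "nurse_b", "client": "PatientPortal", "rows": 1},
]


def build_profiles(events):
    """Per-user profile: the client programs seen and the largest result set observed."""
    profiles = defaultdict(lambda: {"clients": set(), "max_rows": 0})
    for e in events:
        p = profiles[e["user"]]
        p["clients"].add(e["client"])
        p["max_rows"] = max(p["max_rows"], e["rows"])
    return dict(profiles)


def classify(event, profiles, row_multiplier=10):
    """Return the reasons an event deviates from its user's profile.

    An empty list means the event fits the baseline. A user with no profile is
    flagged too, because there is nothing to compare the activity against.
    """
    p = profiles.get(event["user"])
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if event["client"] not in p["clients"]:
        reasons.append(f"unfamiliar client {event['client']}")
    if event["rows"] > p["max_rows"] * row_multiplier:
        reasons.append(f"{event['rows']} rows exceeds baseline max {p['max_rows']}")
    return reasons


def scan(events, profiles):
    """Map each event index to its deviation reasons, keeping only flagged events."""
    return {i: r for i, e in enumerate(events) if (r := classify(e, profiles))}
```

In a deployment the baseline would come from weeks of audit history and the response to a flagged event (alert, or session termination) would follow the policy described above.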