Dec 19 2008
How to protect your database from hackers:
Hacker attacks that bring down the network get a lot of attention, so companies concern themselves with protecting against those threats. But if your organization is focusing on this type of security only, it's a little like putting all your efforts into preventing a bomber from blowing up the building but neglecting to worry about the burglar who sneaks in through a back door and makes off with all your valuables.
Unfortunately, the same security precautions that prevent DoS attacks, viruses and worms, and other high-profile attacks may not be addressing a much more insidious problem: theft of company data for corporate espionage or other purposes. Yet the disclosure of your trade secrets to a competitor or the release of private company information to the media could, in some cases, result in a much greater loss than network downtime. Let's look at what you should be doing to keep your data from walking out the door.
1: Practice the principle of least privilege
There are two opposing philosophies by which you can set your network access policies. The first, the all-open policy, presumes that all data is available to everyone unless you explicitly restrict access. The second, the least privilege policy, operates on the assumption that all data is off-limits to a given user unless that user is explicitly given access to it. The latter is like the need-to-know policies of government intelligence agencies: unless a user has a demonstrated need to have access to a particular file, he or she cannot access it.
2: Put policies in writing
You may think it should be obvious that your employees are not to copy important company information and take it home or e-mail it outside the internal network without permission. However, unless you put such policies in writing and have workers sign for receipt, you may be hard pressed to penalize them for violating that policy. Unwritten rules are much more difficult to enforce.
Your policies should be specific and give examples of what is prohibited. Workers may not understand, unless you spell it out, that e-mailing a company document as an attachment to someone outside the network (or even to their own home account) is just as much a violation of policy as copying that document to a USB drive and physically taking it out the door. The wording of the policy, however, should make it clear that the prohibition is not limited solely to the examples you give.
3: Set restrictive permissions and audit access
The first step in protecting data is to set the appropriate permissions on data files and folders. It goes without saying that data on Windows networks should always be stored on NTFS-formatted drives so you can apply NTFS permissions along with any share permissions. NTFS permissions are more granular than share permissions and apply to users accessing the data on the local machine as well as over the network.
Give users the lowest level of permissions possible for them to get their work done. For example, give Read Only permissions to prevent users from modifying files.
You can also set up auditing on files and folders that contain sensitive data, so that you can see who accessed it and when.
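The following PowerShell script is an added example, not part of the original article: it replaces inherited permissions on a sensitive folder with an explicit read-only grant and turns on access auditing. The folder path and the CORP\Finance-Readers group are assumptions; run it elevated on the file server.

```powershell
# Added example (not from the original article). Assumed values: adjust them.
$folder  = 'D:\Finance\Contracts'     # assumed folder holding sensitive data
$readers = 'CORP\Finance-Readers'     # assumed group that needs read access

# --- Restrictive NTFS permissions (least privilege) ---
$acl = Get-Acl -Path $folder
# Stop inheriting from the parent and discard the inherited entries, so the
# folder is "off-limits unless explicitly granted" rather than "all open".
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Business users get Read & Execute only: they can open files, not change them.
$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $readers, 'ReadAndExecute', $inherit, $prop, 'Allow'
$acl.AddAccessRule($readRule)

# Keep an administrative path in, otherwise nobody can maintain the folder.
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow'
$acl.AddAccessRule($adminRule)
Set-Acl -Path $folder -AclObject $acl

# --- Auditing: record who touched the data and when ---
# Object-access auditing must be enabled in policy or no events are written.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

$sacl = Get-Acl -Path $folder -Audit
# Audit successful and failed reads, writes and deletes by anyone; the entries
# appear in the Security event log as object-access events (ID 4663).
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    'Everyone', 'ReadData, WriteData, Delete', $inherit, $prop, 'Success, Failure'
$sacl.AddAuditRule($auditRule)
Set-Acl -Path $folder -AclObject $sacl

# Review the result before signing off on the change.
(Get-Acl -Path $folder -Audit) | Format-List Path, AccessToString, AuditToString
```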
4: Use encryption
Another advantage of storing data on NTFS-formatted drives is that you can apply Encrypting File System (EFS) encryption. EFS is supported by Windows 2000 and later operating systems and will prevent other users from opening the file even if they have NTFS permissions. With Windows XP/2003 and later, encrypted folders can be shared with other users by assigning them special permissions through the encryption dialog box.
One way data can be stolen is by stealing the entire computer, especially if it's a laptop. With Vista Enterprise and Ultimate editions, you can use BitLocker full drive encryption to protect data in case of theft of the computer. Read more about using EFS and BitLocker to protect against data theft.
5: Implement rights management
Some data theft can be prevented by keeping the wrong people from being able to access that data using the methods above. However, what about theft by people that you need to give access to? You can use Windows Rights Management Services (RMS) and the Information Rights Management (IRM) feature in many versions of Office 2003 and Office 2007 to prevent users from forwarding, copying, and otherwise misusing e-mail messages and Office documents (Word, Excel, and PowerPoint files) that you send to them.
Find out more about RMS/IRM.
6: Restrict use of removable media
One of the most popular ways to sneak digital information out of an organization is by copying it onto some sort of removable media or device. USB thumb drives are inexpensive and easy to conceal, and high-capacity SD, CF, and other flash memory cards can hold a huge amount of data. Users can also copy files to their iPods or other MP3 players or to CD or DVD writers. You can permanently restrict the installation of USB devices by removing the ports physically or filling them with a substance. You can also use software to disable the use of removable devices on each individual computer or throughout the network.
In Vista, you can restrict use of removable media (USB devices and CD/DVD burners) through Group Policy. For other operating systems, there are third-party products, such as Portable Storage Control (PSC) from GFI.
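As an added example that is not from the original article, this PowerShell script applies the Vista-and-later "Removable Storage Access" deny-write settings through the registry values the Group Policy writes, and reports whether a machine is compliant. It assumes the standard Removable Disks and CD/DVD device-class GUIDs used by those policies; confirm them against gpedit.msc, and note that a domain GPO will override local values.

```powershell
# Added example (not from the original article). Run elevated.
$policyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class GUIDs assumed to match the "Removable Disks" and "CD and DVD"
# Removable Storage Access policies; verify in gpedit.msc before relying on them.
$removableId = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # Removable Disks
$cdDvdId     = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'   # CD and DVD

function Set-DenyWrite([string]$classId) {
    $key = Join-Path $policyRoot $classId
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Deny_Write = 1 is what "<class>: Deny write access" = Enabled writes.
    # Read access is left alone so users can still load data from approved media.
    New-ItemProperty -Path $key -Name Deny_Write -Value 1 -PropertyType DWord -Force | Out-Null
}

# Compliance check a defender can run on each machine (or collect centrally):
# returns $true per class only if the deny-write value is present and set to 1.
function Test-RemovableMediaPolicy {
    $report = @{}
    foreach ($pair in @(@('RemovableDisks', $removableId), @('CdDvd', $cdDvdId))) {
        $name, $classId = $pair
        $key   = Join-Path $policyRoot $classId
        $value = (Get-ItemProperty -Path $key -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
        $report[$name] = ($value -eq 1)
    }
    return $report
}

Set-DenyWrite $removableId
Set-DenyWrite $cdDvdId
# Devices already plugged in may need to be re-inserted (or the machine
# rebooted) before the new policy takes effect for them.
Test-RemovableMediaPolicy | Format-Table -AutoSize
```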
7: Keep laptops under control
Another way a user can make off with files is to connect to the internal network with a laptop or handheld computer, copy the files to its hard disk, and then take the computer off premises. You need to maintain control over what computers connect to your LAN, not just remotely but by plugging directly into a hub or switch onsite, as well.
You can use IPSec to prevent computers that are not members of the domain from connecting to your file servers and other computers on the LAN.
8: Set up outbound content rules
Firewalls can do more than keep undesirable traffic out of your network. They can also keep specified traffic from leaving your network. Your data can walk out the door physically or can be sent out a virtual door via e-mail, peer-to-peer file sharing, etc. You can set up your firewall to block certain types of outbound protocols, such as those used by P2P software.
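The following netsh commands, run from an elevated PowerShell prompt, are an added example covering sections 7 and 8 together and are not from the original article: the first rule makes a file server require domain (Kerberos) computer authentication for inbound connections, so a non-domain laptop plugged into the LAN cannot reach its shares; the second blocks an outbound port range. The rule names and the 6881-6889 port range are constructed assumptions, not a catalogue of P2P ports.

```powershell
# Added example (not from the original article). Run elevated on the file
# server; names and ports are assumptions to adjust for your environment.

# --- Section 7: only domain-joined computers may connect to this server ---
# Inbound connections must be authenticated with the peer computer's Kerberos
# identity; outbound connections request authentication but still succeed
# without it, so the server keeps reaching DNS/DC services during rollout.
# Scoped to the domain profile so it never applies on an untrusted network.
netsh advfirewall consec add rule name="Require domain auth inbound" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb profile=domain

# --- Section 8: keep P2P traffic from leaving ---
# Block outbound TCP to the port range the P2P client in question uses
# (6881-6889 is a constructed example value).
netsh advfirewall firewall add rule name="Block P2P outbound" dir=out `
    action=block protocol=TCP remoteport=6881-6889 enable=yes

# Read the rules back so the change can be verified and recorded.
netsh advfirewall consec show rule name="Require domain auth inbound"
netsh advfirewall firewall show rule name="Block P2P outbound"
```

Non-domain machines that fail authentication show up as dropped connections in the Windows Firewall log, which gives a simple detection signal for unmanaged devices on the LAN.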
You can also set up your mail server to block sending of outbound attachments and block outbound content by keywords using content filtering appliances, software, or services such as:
9: Control wireless communications
Even if you block sending of certain types of data through your firewall or filtering systems, a determined person may be able to connect a company laptop to a different wireless network within range, one that does not have blocking mechanisms in place. Or he or she might connect the computer to a cell phone that has Internet access and use the phone as a modem.
Keep track of wireless networks that may be available from your company premises and, if possible, block their signals.
10: Beware creative data theft methods
Remember that your data can walk out in many different formats. A user can print out a document and carry it out in paper form, or a thief can steal printed documents from trash cans if the paper has not been shredded. Even if you have implemented a technology such as rights management to prevent copying or printing documents, a person could take a digital or film photograph of the content onscreen or even sit and copy the information by hand. Be aware of all the ways your data can leave the premises and take steps to protect against them.

Webmaster Said:
Thank you.