Many organizations have a false sense of confidence when it comes to databases and their vulnerability, believing that if their database is hit by a ransomware attack, it will automatically cease operations to indicate an attack has taken place. Then, they can just restore the last clean version of the database, and everything will be fine.
Sometimes that is the case, for example when the whole database is corrupted and a clean backup copy is at hand. But cybercriminals are becoming sneakier and have begun deploying more sophisticated attacks that are harder to notice.
Most ransomware can encrypt pages within a database—Mailto, Sodinokibi (REvil), and Ragnar Locker among them—and destroy the database pages. The result is the slow, unnoticed encryption of everything from sensitive customer records to critical network resources, including Active Directory, DNS, and Exchange, and lifesaving patient health information.
Because databases can continue to run even with corrupted pages, it can take longer to realize that they have been attacked. Often the wreckage of the attack is discovered only when the database is taken down for routine maintenance, and by that time thousands of records could be gone.
Databases are an attractive target for cybercriminals because they offer a wealth of information that can be used or sold on the dark web, potentially leading to further breaches and attacks. Industries such as healthcare, finance, logistics, education, and transportation are particularly vulnerable.
The information contained in these databases is highly valuable, as it can be exploited for spamming, phishing, financial fraud, and tax fraud. Additionally, cybercriminals can sell this data for significant sums of money on dark web auctions or marketplaces.
Databases are vulnerable. Cybercriminals can gain access to them through various tactics, including malware, zero-day vulnerabilities or delayed patches, and phishing. Once these bad actors gain access to a database, they can sell the data to other criminals on the dark web, leading to further illicit activity.
For example, a cybercriminal might use emails obtained in the attack to impersonate a company employee or manager.
By using legitimate email accounts, the victim believes they are communicating with a real employee. This can lead to the disclosure of confidential corporate information, unauthorized transfer of funds, or other harmful actions against the organization.
Insider threats are another way criminals can gain access to a database. In this scenario, someone within the organization with malicious intent has access to the database and breaches the sensitive data. They then take that data and sell it to someone else who can further inflict harm.
However, the most likely cause of a breach is human error—commonly weak passwords, password sharing, or accidental corruption of data.
Unmanaged sensitive data is also a problem. If a database that contains sensitive data isn’t properly accounted for, it can become a prime target for hackers.
When new data is added but not inventoried, it also becomes a risk. All sensitive data in a database should be encrypted, with the required controls and permissions assigned to the database. It also helps to run periodic searches for newly added sensitive data.
An effective ransomware attack strategy to keep databases safe should include several key measures:
- Keep systems up to date. First, ensure all software, operating systems, applications, and core system utilities are up to date. This helps close security gaps that cybercriminals might exploit. Additionally, it’s essential to verify the safety of all links and attachments before opening them. Educate everyone across the organization about the importance of not opening unverified links and attachments.
- Utilize backups and snapshots. Regularly backing up systems and storing those backups offline or in air-gapped systems is the holy grail of data protection. Avoid leaving database backups in publicly accessible locations and maintain strict controls on who has access. Limiting company-wide access to data and restricting access to sensitive information can also enhance security. Strong password management is another critical aspect. IT departments should work with employees to ensure they select and use robust passwords.
- Validate security capability. It is also important to scrutinize the security practices of all vendors claiming to secure your databases. Many security tools claim to validate databases but only look at the container level—not the individual pages. This puts organizations’ valuable data at risk. Ask what they protect and how, and make sure you understand the answer.
- Monitor your data’s integrity. Data integrity means confidence that your data is free of ransomware corruption, and it enables quick restoration of clean data when an attack succeeds. Data integrity tools can look deep into database pages to identify page corruption as well as corruption of the internal database content, provide details when corruption occurs, and offer a clear path to recovery.
- Have a plan from testing to recovery. Regular testing of database security should be part of the strategy too. Have a testing plan in place as well as a recovery plan. If an attack occurs, how do you recover? Who performs the recovery? What tools and processes exist to make sure ransomware isn’t reintroduced into the environment? Have a runbook ready so downtime and data loss are minimized.
Data is one of a company’s most important assets. Companies collect massive amounts of data each day, not only organizational data, but the data of clients, vendors, and anyone they work with.
Data breaches can be costly for an organization to manage and can destroy a company’s reputation as well. It is very difficult to earn back the trust of customers once their data is part of a breach. When a database is breached and the information is sold to other bad actors, the result can be devastating.
While many organizations aren’t focusing on database protection as much as they should, now is the time to change that. This is a serious cyberthreat that will only continue to grow across all industries, whatever the organization’s size. Data protection must be a critical component of a company’s operating strategy. With robust security measures, access controls, and real-time monitoring, a company can protect its sensitive data from malicious activity.