No More Tootsie Pop Security

Ensure your organization has something stronger than Tootsie Pop security
I’ve been hearing the term “Tootsie Pop security” a lot recently, particularly over the last couple of days. For those of you unfamiliar with the idea, it is the practice of having a hard, crunchy security exterior made of firewalls and intrusion prevention system (IPS) devices, but a soft interior.
If you’re on the offensive in this situation, it’s like breaching castle walls and then just walking around and doing whatever you feel like. So, if I’m an attacker, I just have to get inside.
Attackers are using more social engineering attacks than ever before, and social networking sites are a great way to conduct research.
If I’m an attacker, I can go on one of these sites, figure out who your boss is, who your best friend is, who your mom is, make a fake email account using that person’s name, and then send you an email saying, “Hey, need you to take 5 minutes and fill this out.” Considering it appears to be from someone you know and trust, you’ll probably open that file. Now you have malware on your computer.
While phishing is not an example of a database attack, it’s an example of how attackers can breach an organization’s perimeter defenses by going after the users. As a result, organizations need to spend more time focusing on a layered approach to security and on how to improve interior defenses.
We know that databases are where organizations store most of their sensitive information, so we’d assume that most of them have excellent database security controls. That’s not really the case. The volume of breaches has prompted a lot of discussion around database security and it seems that the overwhelming consensus is that many organizations are really just starting to take database security more seriously.
The key to database security, and really all security, is the ability to affect outcomes. It’s not enough to know what’s happening, or even what’s happening right now. You need to know what’s happening right now and what actions you can take to protect yourself and your organization. When it comes to database access controls, this can mean things like masking data on the fly, terminating a connection, or even just sending an alert.
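The three outcomes named above (mask, terminate, alert) can be seen in a small query gateway. This is an added example, not code from the original post or from any product; the roles, thresholds, table and sample rows are constructed assumptions.

```python
import re
import sqlite3

SENSITIVE = {"ssn", "card_number"}   # assumed sensitive column names
BULK_ROWS = 3                        # assumed threshold for a bulk-read alert

class ConnectionTerminated(Exception):
    """Raised once the gateway has closed the session's connection."""

def make_db():
    """In-memory database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, name TEXT, ssn TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                   [(i, f"user{i}", f"000-00-{1000 + i}") for i in range(1, 6)])
    return db

def mask(value):
    """Replace everything except the last four characters."""
    return "*" * (len(value) - 4) + value[-4:]

def guarded_query(db, role, sql, alerts):
    """Run sql for a session and act on the outcome (policy assumed here):
    terminate: a non-SELECT statement from any role other than 'dba'
    alert:     more than BULK_ROWS rows that include a sensitive column
    mask:      sensitive columns, for every role except 'auditor'
    """
    if role != "dba" and not re.match(r"\s*select\b", sql, re.I):
        db.close()                               # terminate the connection
        alerts.append(f"terminated role={role} sql={sql!r}")
        raise ConnectionTerminated(role)
    cur = db.execute(sql)
    cols = [d[0].lower() for d in cur.description or []]
    rows = cur.fetchall()
    # Keyed on result column names; a production control would resolve
    # aliases back to the underlying column before deciding.
    hit = {i for i, c in enumerate(cols) if c in SENSITIVE}
    if hit and len(rows) > BULK_ROWS:
        alerts.append(f"bulk read role={role} rows={len(rows)}")
    if hit and role != "auditor":                # mask on the fly
        rows = [tuple(mask(v) if i in hit else v for i, v in enumerate(r))
                for r in rows]
    return rows
```

Each branch changes what the session gets back, not just what is logged: the analyst sees a masked value, the auditor's bulk read raises an alert, and a write from an unapproved role ends the connection.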
It’s my hope that beginning to put in more advanced database security controls will help some organizations leapfrog a few steps in improving their security posture. While this is the next logical step for some organizations, these kinds of controls would actually represent a rather sizeable step forward for others.
The amount of FUD (fear, uncertainty and doubt) in the security world is pretty dramatic right now because of the confluence of these shadowy advanced attackers and higher-profile, politically motivated attackers. It’s hard to know who and what to prepare for, and the number of data breaches from all different classes of attackers has reinforced this sentiment. One of the important things to remember about all this is that the Verizon breach report showed that the majority of these breaches were the result of insufficient foundational controls.
Stop and think about that for a second. There is hope.
This is a critical finding because it should tell you that there are definitely things you can do to dramatically improve your security posture. Today, applying more database access controls is certainly high on that list.
To learn more, check out this whitepaper: Data security and privacy: A holistic approach
This post is part of the Dinner Table Data Security series. Catch up on the full series.