Another Day, Another Data Leak
Another Day, Another Data Leak
Another day, another data leak — check out this post to make sure you have taken the proper precautionary measures.
Join the DZone community and get the full member experience.Join For Free
In the last few days, there has been information released about yet another alleged data leak, putting “…[the] personal information on hundreds of millions of American adults, as well as millions of businesses” in jeopardy. In this case, the “victim” was Exactis. This is very concerning because data collection and data security are its core business functions.
Some Takeaways From Exactis
Please excuse the pun! In security, we have few chances to chuckle. In fact, as a Security Architect, I sigh deeply when I read about this kind of issue. Firstly, it’s preventable. Secondly, I worry that if an organization like Exactis is not getting it right, what chance does the rest of the world have?
As the Wired article notes, the tool https://shodan.io/ can be revealing and well worth a look. For example, you can see there are still many elasticSearch systems exposed to the public internet here. Why not use shodan to check what everyone else in the world can see openly on your systems?
Databases, themselves, do not need to be at risk, as long as you take the necessary precautions. This was discussed further in a blog post that I co-authored last year.
In this latest alleged gaffe, as far as I can discern, if the setup made use of iptables or a similar feature, then the breach could not have occurred.
With immaculate timing, my colleague Marco Tusa wrote a post last month on how to set up iptables for Percona XtraDB Cluster. If you are not sure if or how that applies to your setup, it is definitely worth a read.
Of course, security does not stop with iptables. Application developers should already be familiar with the need to avoid SQL injection, and there is a decent SQL injection prevention cheat sheet here, offered by The Open Web Application Security Project (OWASP). Even if you don’t fully understand the technical details, a cheat sheet like this might help you to ask the right questions for your application.
For a more in-depth look at MySQL security, I have two talks up on YouTube. The first of these is a twenty-minute presentation on hardening MySQL and the second is on the web application security and why you really should review yours. You could also check out our recorded webinar Security and Encryption in the MySQL world presented by Dimitri Vanoverbeke.
Of course, security challenges are not unique to SQL databases. If you are a MongoDB user, this webinar MongoDB Security: Making things secure by default might be of interest to you. Or, perhaps, this one on using LDAP Authentication with MongoDB? Adamo Tonete presents both of these webinars.
For a more widely applicable view, you could try Colin Charles’ recent webinar too.
There Are Always Consequences
As Exactis are no doubt discovering, managing the fallout from such a breach is a challenge. Some of you will be lucky enough to have someone dedicated to IT security in your organizations. Next time you see them, instead of avoiding their steely stare, why not invite them for a coffee and a chat? It could be enlightening!
Published at DZone with permission of David Busby , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.