ECB’s Part Encryption Not Good Enough
The news of The European Central Bank (ECB) being hacked, with the attackers stealing both email addresses and contact data from the organisation’s public website, is the latest data breach in a line of many.
Whilst the ECB says that no market sensitive data was compromised it also said that most of the data – not all - was encrypted.
Colin Tankard of data security company Digital Pathways says, “ As only a part of the database seems to have been encrypted it looks as if they were only encrypting a row or column and were probably using an encryption programme as part of the database offered by the database vendor.
‘Often only data such as credit card numbers are encrypted but this hack shows that this method is not good enough and that the whole database should be encrypted in order to secure all of the personal private data contained within it.
‘Relying on a vendors single column encryption is only doing part of the job and is often seen as the easy route as companies think it is the only way to hide data from their database administration people.
‘ However, what is needed is the encryption of the total database which will also protect shadow copy and password files within it. Strong access control should be applied to either user or application access to ensure only authorised people or applications can touch the data. Then, independent logging of the database needs to be implemented so that all access to the data, or changes by database administrators, is held outside of the database administrator’s control. In this way, they have nowhere to hide if they touch the database. A common technique is to switch off auditing in the database while the Hack is being done and then switching it on again thus stopping any alerts.
‘Companies really must separate duties between database administration and security management. This is always the best practice.’