By Jack Harper, Director of Professional Services at Couchbase
This summer, a spate of cyberattacks in which cybercriminals targeted internet-connected ElasticSearch and other unsecured databases continued to fuel concerns about database security. The attacks were not only prolific but also more brazen: the “Meow” attacks, in particular, were a series of automated malware attacks that completely destroyed unsecured databases rather than taking the data hostage. It was game over before the ball was even in play.
Deja Vu?
In 2017, thousands of unsecured instances of MongoDB and ElasticSearch fell prey to attacks by a threat actor using the moniker Krakeno. These types of attacks resurfaced this summer, with nearly 30,000 users affected in July. Thousands of businesses lost their data in this mass data hostage event. Then the Meow attack came along, accessing unsecured databases, and one-upped the Krakeno-like attacks by completely destroying the data with its automated malware.
The ongoing attacks suggest that database administrators and developers continue to overlook appropriate security for the internet-facing NoSQL databases at the crux of these attacks, leaving them to fall prey to the likes of Meow. To understand how to implement adequate security in a NoSQL environment, let’s first take a closer look at what a NoSQL database is and at what tighter security controls in a NoSQL environment actually look like.
A NoSQL Primer
NoSQL databases are a product of the 21st century’s desire to deliver increasingly fast, always-on digital experiences. Unlike their older and better-known ‘relational’ database relatives that require predictable and structured data to operate, NoSQL (Not-Only-SQL) provides an extremely dynamic and cloud-friendly way for organizations to manage real-time, unstructured data. NoSQL databases are commonly deployed to be internet-facing, which can allow cybercriminals to poke holes in them if they are unguarded or poorly planned and executed.
The reality is that modern applications need NoSQL databases, which places the onus on the designers and developers to build or use better systems to protect them. The issue can be addressed if vendors create secure-by-default features and users follow security best practices.
Planning is everything
It really is this simple: plan correctly, and your business will be able to prevent vulnerabilities and leaks before they occur. And it starts with choosing the right NoSQL provider. If the vendor sells security as a bolt-on feature that’s not baked into the system, they probably aren’t the right partner to start with. It’s your duty to ask the hard questions around their knowledge of end-to-end security. Check their development logs to see if they have been reporting vulnerabilities in their systems and ask about how easy it is to implement security capabilities around the database. Research can be a tedious step in selecting the right provider, but it’s also imperative. It could make the difference between suffering an attack and not.
Next, think about how your data is secured in transit. Data is never only transferred behind the firewall. A lot of it is going to move outside of your organization, and while this isn’t dangerous in and of itself, it is where the most risk lies. Beyond your network are a host of third parties that may not follow your encryption policies, making it even more important for you to encrypt every dataset – regardless of where it’s stored. Make sure your planning includes securing data both at rest and in transit by investing in SSL connections for client/server and server/server communications.
Your NoSQL database needs to form part of your security planning and must have a visible security roadmap that provides insights into how its developers are ensuring that it is continually updated and secured. As with any new technology, improvements are continuous, making it essential for your teams to regularly check and implement these changes, especially if they have a material impact on your cybersecurity policies or needs.
Nine tips to NoSQL security success
Once the planning is done, it’s time to put it into practice. Here are nine tips on how to avoid falling prey to cyber-attacks, or becoming “Meow Mix”:
#1 Don’t expose raw databases to the internet. This is a fundamental security rule, and as simple as it sounds, it is as important as they come. If you don’t store all your nodes behind a secure database firewall, you risk the security of your sensitive information.
#2 Keep your software up to date. Security professionals will warn that security starts at the weakest link, and this is often out-of-date server operating systems. So unless you install the latest encryption patches, no data security can be guaranteed. As the WannaCry, Spectre/Meltdown, and now Meow attacks have highlighted, there’s no substitute for responsible patch management.
#3 Delete “default” and sample databases. The word “default” is the playground for cybercriminals. Those who have suffered cyber breaches will know that it can nearly always be replaced with the word “insecure”: default passwords are weak passwords; default settings are unsafe settings. If there is a default anything in your environment – always delete it.
#4 Strong passwords are essential. Again, another seemingly mundane and straightforward action, but one that is the most overlooked. Default or weak passwords attract cybercriminals like bees to honey. Change passwords often, use unique passwords for different projects, make sure passwords are strong, and very importantly, change all default passwords.
#5 Use role-based access control (RBAC) and Active Directory. Control privileges to both administrative activities and data access with fine-grained access control. Also, protect user credentials and manage them at a centrally controlled place with Active Directory.
#6 Encrypt your data in-transit, on the wire, and at rest. Make sure that your data is encrypted as it travels over networks during client-server communications, when it is being replicated within the database server, and when it is being replicated between database servers in different data centers/zones/regions. Likewise, you should encrypt the data when it is stored for persistence. These measures prevent unauthorized access to data at all levels.
#7 Use updated TLS Ciphers. Transport Layer Security (TLS) enables secure network communications. This security can be further enhanced by using updated versions of the ciphers and/or by picking customized ciphers. On top of that, a well-thought-out policy for certificate expiration/rotation/revocation should also be implemented.
#8 Limit port access. Allow firewalled access to the minimum set of network ports that are needed for your database to work.
#9 Report security issues immediately. If your database has been breached or you think there may be a security flaw, report it. Immediately. There is a community of people out there that can offer you advice and benefit from this information. Security is always better when we pool resources and work together as an industry – keeping us one step ahead of cybercriminals.
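Tips #1 and #8 can be checked mechanically. The following is an added example, not code from the original article or from Couchbase: it audits an inbound firewall ruleset for database ports reachable from sources outside a trusted network. The rule format, rule names and trusted range are constructed for illustration, and the port numbers are assumed to be the products' usual defaults.

```python
import ipaddress

# Default listener ports for databases named in the article (assumed defaults;
# adjust to match your own deployment).
DB_PORTS = {
    8091: "Couchbase REST/console",
    9200: "Elasticsearch HTTP",
    9300: "Elasticsearch transport",
    11210: "Couchbase data service",
    27017: "MongoDB",
}

# Constructed sample: inbound "allow" rules in a hypothetical export format.
SAMPLE_RULES = [
    {"name": "web", "cidr": "0.0.0.0/0", "ports": "443"},
    {"name": "es-debug", "cidr": "0.0.0.0/0", "ports": "9200-9300"},
    {"name": "mongo-app", "cidr": "10.20.0.0/16", "ports": "27017"},
    {"name": "cb-any", "cidr": "::/0", "ports": "8000-12000"},
    {"name": "mongo-partner", "cidr": "198.51.100.0/24", "ports": "27017"},
]

def parse_ports(spec):
    """Turn '27017' or '9200-9300' into an inclusive (low, high) pair."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return low, high

def audit(rules, trusted_cidrs):
    """Return (rule, port, service, source) for every database port that a
    rule opens to a source not contained in any trusted network."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in rules:
        source = ipaddress.ip_network(rule["cidr"])
        # subnet_of() needs matching IP versions, so compare versions first.
        if any(source.version == t.version and source.subnet_of(t) for t in trusted):
            continue
        low, high = parse_ports(rule["ports"])
        for port in sorted(DB_PORTS):
            if low <= port <= high:
                findings.append((rule["name"], port, DB_PORTS[port], rule["cidr"]))
    return findings

if __name__ == "__main__":
    for name, port, service, source in audit(SAMPLE_RULES, ["10.0.0.0/8"]):
        print(f"{name}: {service} ({port}) reachable from {source}")
```

Wide port ranges such as the constructed "cb-any" rule are the case worth watching: no database port is named in the rule, yet four of them fall inside it.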
A problem shared
Hackers and cybercriminals are always going to be part and parcel of our business life. It is a bleak reality. We need to invest in education and adopt best practices, and we need to acknowledge that ensuring compliance and adopting good security policies is an industry-wide responsibility.
For those of us deploying, implementing, and developing on databases, this is even more relevant. From web, mobile, and app developers through to C-suite and technology executives, everyone involved in databases has responsibility for ensuring they are secure. NoSQL vendors also have a responsibility to ensure that their systems provide users with the tools to secure themselves better and secure their services by default.
If the recent spate of attacks is anything to go by, it is unrealistic to think that NoSQL data breaches and leaks are a thing of the past. Instead, we need to view each one as a reminder for businesses to take database security seriously.
About the Author
Jack Harper, Director of Professional Services at Couchbase.
Jack Harper is a leader on the Professional Services team at Couchbase, where he leverages nearly 20 years of experience identifying, mitigating, and resolving technical issues as well as architecting and implementing solutions for customers. His background also includes extensive experience with software testing and QA best practices and methodologies as they relate to various implementations of the SDLC (Agile, XP, RAD, waterfall). Jack is a Certified PMP (Project Management Professional) with 6+ years’ experience working on software development projects.
Jack Harper can be reached online at Twitter, LinkedIn and at our company website https://www.couchbase.com/