You guys are interesting.
As DBHeroes we like to visit companies 'at home'. After a short inspection of the network, the network products and the databases, we regularly have to conclude that the security 'could do with some improvement'. But that's not even what worries me the most. It's the laconic reactions. An example? "We are not interesting."
That makes the hairs on the back of my neck stand up.
We're not interesting? How do you determine that? Who decides? Someone who has his eye on you finds you interesting. Finds your data interesting, for whatever reason. And it doesn't even have to be your own data. Perhaps you are an entry point to another party, for example because you are connected to a certain network. We often see this in government, for example: an unintended government portal for hackers.
Yes, even in government services we still often hear that. "We're not interesting." Maybe not directly, no. But what people forget is that they are connected to a government network, which has to be discreet. This is how it works: if you want to get into a party, you look for the weakest link. The information in your database may not be interesting in itself, but it can be a nice shortcut. If a hacker can get in that way, he's one step further. From there, he can look at how to get further. It's a puzzle: you start at the corners and the outer edges and slowly work towards the goal, the centre. Apart from that, people often don't understand that their data is interesting. That it is interesting is also confirmed by the new GDPR legislation, which forces us to handle our data properly. The Personal Data Authority will also monitor the government, large organisations and healthcare.
It's all a sham in that respect. When I see how often it happens that you walk into an organisation and are immediately domain admin! Then, as an external consultant or intern, you can immediately access everything on the network. Or product service accounts are domain admin. When I say that this should be changed immediately, the reaction is often very lukewarm - "yes, we do have a project for that, but, well, other things take priority". People are really very laconic about it.
It also happens regularly that people think everything is secure. The product owner says: "There is only one person who is allowed to access the raw data, we take our security very seriously." And from suppliers we often hear: "At the front it is well arranged! We have programmed the application well." But what they don't tell us is that the application needs a special account for the database. This account is not checked and everyone can just use it. So the whole world can access the data, outside the application. And any small-time hacker can find this easily. I have no rights, but the product I use can do anything? Then I use that, right?
And in other organisations, everyone has the same rights by default. Because they are all generalists, everyone must be able to do everything, because "we do not want to make a distinction". So everyone can access all data. One database may not be interesting. But combine the data from the different databases and it becomes a lot more interesting.
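As an added example (not part of the DBHeroes post), assuming PostgreSQL and made-up names (appdb, app_user, orders, customers, 10.0.5.20): the over-privileged application account as we often find it, beside a least-privilege version, and two queries an administrator can run to check which logins hold elevated rights and who can read a table with personal data.

```sql
-- Added example, not from the original post. All object names are assumed.

-- WEAK (what we regularly find): the application connects as a superuser
-- that can read and modify every table in every database, and the same
-- credentials are shared with staff and suppliers.
CREATE ROLE app_user LOGIN SUPERUSER PASSWORD 'shared-secret';   -- do not do this

-- HARDENED: a dedicated, non-superuser login that can only do what the
-- application's own queries need, and nothing outside it.
REVOKE ALL ON SCHEMA public FROM PUBLIC;          -- nothing is world-readable by default
CREATE ROLE app_user LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
  CONNECTION LIMIT 20 PASSWORD 'generated-by-secret-store';
GRANT CONNECT ON DATABASE appdb TO app_user;
GRANT USAGE ON SCHEMA public TO app_user;
GRANT SELECT, INSERT, UPDATE ON orders TO app_user;   -- what the app actually does
GRANT SELECT (id, name) ON customers TO app_user;     -- column-level: no raw PII exposed

-- Limit where the account may connect from (pg_hba.conf, not SQL):
--   hostssl appdb app_user 10.0.5.20/32 scram-sha-256
-- so the credential is useless from a workstation or a supplier's laptop.

-- CHECK 1 (run as an administrator): which logins carry dangerous attributes?
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls
  FROM pg_roles
 WHERE rolcanlogin
   AND (rolsuper OR rolcreaterole OR rolcreatedb OR rolbypassrls);

-- CHECK 2: who has been granted access to the table holding personal data?
SELECT grantee, privilege_type
  FROM information_schema.role_table_grants
 WHERE table_name = 'customers'
 ORDER BY grantee, privilege_type;
```

The two check queries are a quick way to turn "we take security seriously" into a list you can actually review.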
Under the GDPR, the Data Protection Officer will also provide insight into what information is stored in the databases. And whether this information is minimally necessary for the purpose for which it is stored.
Without exaggeration, data security is therefore of vital importance to companies and organisations. That awareness really needs to come to the fore now. You are interesting!
For questions or advice please contact Christian Hageraats.
Christian.Hageraats@dbheroes.eu
telephone 088 888 6097