Skip navigation.

Chris Foot

Syndicate content
Remote DBA Experts Blog
Updated: 10 hours 29 min ago

Don’t let database security woes outweigh EHR benefits

Thu, 2014-07-31 01:40

Although the transition from paper to electronic health records hasn't been easy, it's certainly paid off.

Those in the medical industry can now access patient information more easily, allowing them to eliminate mistakes characterized by the use of tangible forms. However, organizations should be wary of the dangers EHR implementations pose to database security.

Eliminating grievous mistakes
That's not to say professionals should abandon EHR technology. The National Institute For Health Care Reform acknowledged how using EHR can eliminate what physicians, hospital administrators and others in the health care sector call "unintended discrepancies." These instances are essentially minor mishaps that can have major repercussions.

Unfortunately, fragmented delivery systems will provide inaccurate information regarding medications, especially when patients are being admitted to and released from hospitals. This can cause doctors to accidentally omit, duplicate or add unnecessary prescriptions. In a worst-case scenario, this could cause a person to overdose.

The benefits
The NIHCR outlined what facilities need to prevent these mistakes from occurring, and it starts with the implementation of an EHR system. Such technology can allow hospitals and personnel to:

  • Aggregate accurate, applicable pre-admission medication data
  • Compare hospital prescription orders to previous medications so physicians can make educated treatment decisions
  • Share relevant lists pertaining to medicines administered for the discharge phase with primary care doctors, nursing facilities and other places

The situation
Obviously, a lot of digital information is being stored and transferred. Some connections may be more secure than others, but the environment is a hacker's dream come true. HealthITSecurity contributor Greg Michaels acknowledged that while exchanging patient intelligence may enable physicians to deliver better care, health care organizations find they can't dedicate enough resources to sanctioning safe delivery.

Michaels advised medical industry participants heavily entrenched in EHR uses to work with a trusted, third-party IT security expert. In addition to communication surveillance, the outsourced entity should be capable of providing remote database management and monitoring as well. Michaels also recommended professionals abide by the following best practices:

  • Audit all partners to see which ones provide their customers with protected health information and identify which IT protection measures they're taking
  • Open communication with third-parties so data breaches affecting multiple organizations can be addressed in a united manner
  • Ensure all partners are compliant with standards outlined by the Health Insurance Portability and Accountability Act
  • Educate in-house personnel on how to take basic security measures

By seeking help from a database administration service and implementing basic protective measures, hospitals will be able to use EHR with limited risk of sustaining an IT disaster.

The post Don’t let database security woes outweigh EHR benefits appeared first on Remote DBA Experts.

Is IoT a boon or a bane for companies?

Tue, 2014-07-29 13:58

The Internet of Things has been a hot topic of conversation among IT professionals as of late. 

Promises of more unique insight into customer behavior have tempted consumer-focused companies to invest in the technology. Manufacturers are looking to implement intelligent devices to achieve higher levels of productivity. However, a number of organizations are ignoring the impact IoT will have database security. 

A hacker's haven 
It turns out cybercriminals are just as interested in IoT as multi-billion dollar corporations are. ZDNet noted a study conducted by Hewlett-Packard's Fortify division, which scanned 10 of the most prevalent Internet-connected devices, discovering about 25 faults per implementation. The source acknowledged some of the most telling discoveries:

  • 90 percent of the devices assessed contained at least one piece of personal information pertaining to an individual
  • Weak credentials and persistent cross-site scripting plagued six out of 10 mechanisms
  • 80 percent of implementations failed to allow users to employ intricate, lengthy passwords
  • 70 percent of devices didn't protect communications with encryption, while 60 percent of such machines lacked the programs necessary to launch encoding tasks

Essentially, it wouldn't be too difficult for even a fledgling hacker to gain access to a company's IoT assets, establish a network connection with its databases and steal information from the business. Database active monitoring can deter such attempts, but a wide distribution of Internet-connected property can make such a task difficult for in-house IT departments to perform. 

Where's the issue?
Consumer-focused IoT devices are particularly vulnerable to sustaining damaging cyberattacks because they're so ubiquitous. Yet again, it's important to ask why IoT implementations are so defensively weak in the first place. 

Re/code contributor Arik Hesseldahl identified two factors as the culprits of IoT instability:

  1. Manufacturers are rushing to get these products to market without giving enough attention to security features. 
  2. The majority of these devices run the Linux operating system, which is already prone to a number of defensive shortcomings.

One of the only ways to guarantee hackers aren't infiltrating these assets is by protecting company databases from malware that may be attempting to enter servers through the mechanisms. Why is this backend surveillance necessary? Because the devices themselves don't have the same protective software PCs, tablets and even many smartphones possess. 

The scale of the problem? Hesseldahl referenced statistics from Gartner, which discovered 26 billion individual devices are going to be online by 2020. Essentially, there's a massive pool of property cybercriminals could exploit in order to steal financial information. 

The post Is IoT a boon or a bane for companies? appeared first on Remote DBA Experts.

The Importance of Documentation

Mon, 2014-07-28 07:05

As a remote data infrastructure services provider, documenting the activities we perform, as well as our customers’ environments, is critical to our success. RDX currently supports thousands (and thousands) of database ecosystems ranging in complexity from simple to “making your hair stand on end.”

My customers hold my organization to extremely high standards. Rightfully so, they have turned over the keys to their most sensitive and mission-critical data stores to RDX. At the end of every email blast I send to our customer base, I end it with, “I personally appreciate you placing your trust in us to administer and safeguard your most valuable data assets. We take that responsibility very seriously here at RDX.” Stating that we take that responsibility seriously is kind of like saying the Titanic sprung a small leak.

Although the importance of a well thought out and detailed documentation library is blatantly obvious, creating documentation is the task most often postponed by an overworked DBA unit.

Documenting processes, procedures and best practices is a task that is often considered to be boring and mundane. Most DBAs would rather perform virtually any other activity than sit in front of a screen using a word processor. As a result, creating documentation is often postponed until the DBA has a little free time to kill. Today’s database administration units are operating with smaller staffs, tighter budgets and ever-increasing workloads. The end result is that the documentation is either never created or created and not kept current.

However, a robust detailed documentation library creates an environment that is less complex, less error-prone, reduces the amount of time DBAs spend learning new database environments and reduces the overall time spent on day-to-day support activities. DBAs are able to spend more time administering the environment rather than finding the objects they are trying to support and the processes and programs used to administer them.

The nature of my business as a remote services provider demands excellent documentation. The majority of environments we administer weren’t designed by my organization. The only way that we can ensure high quality and high-speed administration of these environments is to document them thoroughly. We document everything from initial connectivity and customer contact sheets to detailed information on database and server information, batch job streams and individual program execution (what it does, run-time windows). If we need to be aware of it, we have it documented.

Documentation is also the foundation of many of the other disciplines I will be discussing in future blogs. Let’s continue our discussion with a few helpful hints to get you started.

Understanding the Important Role Good Documentation Plays

We all generally understand the benefits that documentation provides. I think that all readers will see the importance I personally place on documentation in upcoming blogs.

Let me reaffirm my opinion in this one sentence: Good documentation is the foundation that high-quality data infrastructure services are built upon.

Creating an Organizational Environment That Fosters Good Documentation

I’ve been the Vice President of Service Delivery at RDX for 6 years now. It is my responsibility as manager to create an environment that fosters the production of robust and high-quality documentation. Let me describe some of the challenges that I have faced in the past at other organizations and how I have overcome them.

Since I view high quality documentation to be my responsibility as a manager, I ensure that it becomes part of every DBA’s performance appraisal criteria, including my own. If it isn’t on my, and my unit’s, performance appraisal forms, I will ask to have it added or make my own personal addendum and notify both the DBA team and management that I have done so.

I will add time for documentation when I estimate the amount of time it will take me to perform an administrative task during project planning meetings. I don’t settle for “we can do that after the project is complete” as an answer.

If you continuously sell the importance of documentation, sooner or later, you will begin to wear your opponents down. Although I prefer to call it “being relentless,” I’m sure that many of the application development managers (and my own managers) viewed it as “being a ….” (insert your favorite description here).

Every document I have created that provides a list of activities I , or my unit, need to perform during a project has documentation included. It helps to integrate it into the fabric and culture of my organization’s environment.

Making Documentation Second Nature

You also need to ensure that generating documentation becomes a natural part of your daily activities. You must continuously remind yourself that documentation is a primary and integral part of providing high-quality support services to your customers.

You must also remind yourself that it makes your job easier and benefits your fellow DBAs. It is a recipe for disaster when a fellow DBA needs to be out of the office for a time and asks another DBA to “help them out” by performing a complex, application-specific administrative activity and then tries to verbally tell them how to perform the 326 steps it takes to execute it.

Did you ever try to refresh an ERP application test environment from production when that test environment doesn’t have enough space to hold all of production’s data? 4,000 steps later, you begin to second-guess your choice of professions. That was the exact request from one of my fellow DBAs when I first started in this profession, and it quickly taught me the importance of good documentation. Not only did he get me to do the refresh, but I also had to document the process for him along the way. Some call that being a good coworker; I would view that as having a big sucker taped to my forehead.

The moral of this story is this: If you don’t want to be the only one that can perform that 900 step ERP application production to test refresh, document it! If you don’t want to be called by the on-call DBA because he doesn’t know exactly where to add a file in an emergency situation (like someone forgetting to tell you that they were loading 10 million additional rows into that 100 row table), document it! The more you document, the easier your life as a DBA becomes.

I’ve never had a photographic memory. It makes generating documentation easy for me. I also like to write, and that helps, but I will admit that there are times that I would rather perform virtually any other activity than document.

However, it has become easier because I continuously reaffirm to myself the importance of documentation. The more you reinforce that to yourself, the more second nature (and easier) it becomes.

Making Documentation Easy

I’m a huge fan of documentation templates. Here at RDX, we have templates and Standard Operating Procedures for everything we document. If it is repeatable or a complex process, we have an SOP for it. We have templates for documenting connections to our customers’ environments, their backup and recovery environments and their application specific processes, to name a few. If it needs to be documented on a regular basis, we have a template for it. We also have generic templates for documenting environments and activities that don’t fit into other templates.

Word Documents and Templates

Word document templates provide many features that streamline the documentation process and help to improve the quality of the content they store. I try to take advantage of as many features as I can. I use drop-down selection menus, check boxes and radio push buttons to improve the speed and quality of the documentation process. I also take advantage of the help pop-up feature that Microsoft Word provides to create a detailed description of what information is to be entered into that field, check box or radio button.

Wikis

We heavily utilize Wikis to intelligently and securely display information about the environments we are tasked with supporting. A common, menu-driven interface has been designed, tuned and tweaked over our 20 year history. The Wiki’s contents include customer contact and escalation information, detailed database/server information, customer change management procedures, RDX DBAs assigned to the account, on-call team assigned, non-sensitive connection information (VPN type, VPn vendor, etc) and job information. The Wiki page also links to current tickets, current time cards and a history of past problems contained in our problem resolution library.

The Wiki content is controlled by a well-defined change management procedure and relies upon Wiki templates to ensure information is stored and displayed in a common format that adheres to RDX specifications. Once again, templates help improve the quality of content, speed data entry and ensure a uniformity of display pages and menus. We constantly review the Wiki for content and usability as well as leverage new Wiki features as they are released.

Database-Driven Content Managers

There are dozens of software companies that offer content management solutions. Database vendors have also recognized this as a lucrative market. All of the major database vendors now offer advanced content management software, each one trying to outdo the other in the number of bells and whistles that their products offer. Do a quick search on Google for documentation content management software, and you will find out just how many competing products there are.

Content management products offer check-in/check-out features, document versioning, web portal access and advanced workflow capabilities to name just a few of the features designed to improve content management. The competition in the content management market space is fierce to say the least. Content management vendors know that continuously adding new bells and whistles to their products is not just important for increasing market share, but it also is critical for their survival. Product costs can range from thousands to tens of thousands of dollars (or more).

If you have the funds and your management understands the benefits that a full-blown content management package provides, by all means begin a content management product analysis. But if you don’t have the funds, create a shared drive on your network and declare it to be the “DBA Documentation Portal.”

What to Document

By all means, this is not an all-inclusive list of what can be documented. Consider it as a starter kit to help you begin your quest for “documentis nirvanas.” Is some of this overkill for your particular environment? Maybe, but just consider this a general, high-level list. Since most readers will work for a single organization, I’m focusing my recommendations on DBA units that support one corporate environment.

Database Environment Documentation

  • Naming conventions
  • Servers (server names, operating system release, hardware vendor)
  • Databases (vendor, database version, features enabled)

Application-Specific Documentation

  • Application type (i.e. data warehouse, online transaction processing, decision support, third-party application name and functionality it provides).
  • Business unit requirements and related information for supported databases
  • Uptime requirements (i.e. 24 X 7, 8 X 5)
  • Database downtime windows
  • Critical job processes
  • Business unit and application developer contact lists
  • Turnover windows for database changes
  • Problem notification and escalation procedures
  • Security sensitivity- How sensitive is the data?

Process Documentation

  • Repeatable administrative processes (covered in an upcoming blog)
  • Backups – Probably the most critical set of documentation you will ever create- Document how it is backed up, what scripts back it up, where the backup is going to, retention periods and backup message directories. If it is involved with a backup, DOCUMENT IT. Review the document with other units that are involved in the backup and recovery process. It is your responsibility to ensure that you don’t hear an operator say, “What retention period? Nobody told me we were to have a retention on these files” when you are in a recovery situation. Remember that Oracle states that human error, including miscommunications, is responsible for over 90% of failed recoveries. If you want to reduce recovery failures, DOCUMENT THE PROCESS AND REVIEW IT.
  • Anything else you run on a regular basis to support a specific application
  • Change management- I’ll be spending an entire blog, or two, on this
  • A daily monitoring activity checklist to ensure that no activity is missed- We have daily, weekly and monthly activities that are to be performed for each of our customers
  • Complex administrative activities performed regularly
  • Test and reporting database refreshes
  • Data reorganizations
  • Disaster recovery tests- The processes required to perform the recovery AND the criteria that will be used to evaluate whether it was successful or not

Object Documentation

  • DBA-specific stored PL/SQL and TSQL programs
  • Day-to-day support scripts (where they are and what they do)
  • Monitoring scripts (where they are and what they do)
  • Scripts used to perform database administrative changes- I personally utilized specific directories that provide output from critical database changes that I have performed and other directories containing the SQL used to make that change
  • Operating system scripts- Document what the script does in the beginning of each of your scripts. Did you ever try to determine what a 400 line script does that was created by someone who knows much more about UNIX scripting than you do? We have all been in that position at one time or another during our career. Make it easy on your coworkers to understand what the script does by putting comments at the top of the script as well as in the body. Also keep a running history of script changes, what they were and the time they were made

Database Administration Unit Organizational Documentation

  • Contact Information
  • DBA roles and responsibilities- Which applications, databases and tasks they are responsible for supporting
  • DBA unavailability- Allows application developers to plan for a DBA not being available

It is a good practice to distribute this information to all business units supported by the database administration unit.

I hope you enjoyed this blog on documentation and the important role it plays.

The post The Importance of Documentation appeared first on Remote DBA Experts.

How DBA services can help you manage big data

Mon, 2014-07-28 02:11

Effectively being able to store and manage big data is more than simply having a lot of hard disk space. 

The variety and complexity of the information produced by Internet-connected assets has forced database administration services to adapt to new processes and environments. Their focus on accessibility and security hasn't wavered, but the manner in which they approach these priorities has transformed.

Solving the puzzle: structured and unstructured data 
BrightPlanet, a company that specializes in harvesting data from the Internet, outlined the differences between unstructured and structured data. While volume has always challenged databases to hold massive troves of organized intelligence, one of the chief difficulties resides in the act of actually arranging it. 

  • Structured: Pertains to data that is highly constructed and easy to query and is typically held in relational database systems. A spreadsheet is an example of structured information.
  • Unstructured: Applicable to data that doesn't subscribe to a particular architecture and is usually stored in NoSQL databases, which run complex algorithms to create environments capable of managing it. Social media posts are examples of unstructured information. 

What does this mean for remote database services?
According to MongoDB, conventional DBA practices needed to become more agile in order to be able to query large collections of unstructured data, giving birth to NoSQL databases. This access language sanctioned the development of "document" storage, which has spawned the following benefits:

  • Documents are regarded as independent entities, which makes it simpler to transport data across multiple virtual locations.
  • SQL queries don't need to be translated from object to application. 
  • Because a document contains whatever values the software language requires, unstructured data is easy to store. 

In response to this development, DBAs learned the administrative languages and tools needed to launch and manage document-based data environments. 

Different program, same responsibilities 
As one can imagine, DBAs are still expected to perform the same database active monitoring tasks they have been around since the inception of digital information storage. There are also a number of additional responsibilities these professionals are undertaking:

  • Understanding how clients plan on using the data. Are they simply looking to scrutinize it or allow applications to make intelligent decisions with it?
  • Securing firewall access. What tactics are cybercriminals employing in an attempt to penetrate these environments?
  • Managing and monitoring performance. How well are software deployments adapting to unstructured data? 

Outsourcing to DBAs knowledgeable in contemporary enterprise needs and NoSQL databases may be a good tactic for organizations to use. 

The post How DBA services can help you manage big data appeared first on Remote DBA Experts.

Is your mobile network HIPAA compliant?

Wed, 2014-07-23 11:21

As hospital personnel continue to access patient records through mobile devices, health care organizations are taking new approaches to database security.

Assessing initial requirements
The best way for CIOs in the medical industry to measure the performance of their server protection strategies is to ensure all software deployments are compliant with the Health Insurance Portability and Accountability Act. Information Week contributor Jason Wang acknowledged the basic requirements HIPAA obligates mobile applications and networks to possess:

  • Authorized, defended user access to protected health information
  • Encryption features that hide sensitive data from unsanctioned personnel
  • Routine security updates to eliminate bugs or loopholes in the network
  • A remote access data elimination feature that can be activated by administrators in the event a mobile device is lost, stolen or compromised
  • A solid business continuity/disaster recovery framework that can be tested on a regular basis

With these points in mind, health care organizations would greatly benefit from having a third party develop an enterprise-wide mobile application for their facilities. Salesforce CRM in particular is a solid option for those looking to install such an implementation, primarily due to its reputation for having HIPAA-compliant security features.

The risks involved
Many medical professionals believe employing a mobile network will help their subordinates allot more attention to patients. While this concept may be true, there are a number of threats that left unacknowledged could infect such a system. Having a third-party company constantly conduct database active monitoring tasks is imperative to deterring the following dangers:

  • Mobile devices, as well as wearables, are easily misplaced, meaning that those who come across these mechanisms could access private patient information
  • As a number of health care providers are communicating with patients through social media – malware and other Web-based attacks could be funneled through such mediums to infect devices.
  • Because mobile keyboards are rudimentary, users are more likely to use uncomplicated passwords that can easily be unmasked.

Be a smart user
Database administration needs aside, health care companies must also provide personnel with a secure line of communication. HIT Consultant noted that text messaging is a solid way for hospital staff to transfer information quickly and on the go, but the avenue lacks the encryption technology necessary to keep these communications secure.

Installing an encoding program geared specifically toward mobile text messaging is a good move to make. However, employees should also be cognizant of the fact that they should not explicitly share vital information, if they can help it.

The post Is your mobile network HIPAA compliant? appeared first on Remote DBA Experts.

Cybercriminals using more tools, are better connected

Fri, 2014-07-18 12:05

Aside from the techniques they use, the most dangerous tool hackers have at their disposal is the ability to network with organized criminal syndicates.

Constant vigilance
Many experienced deviants who have made an unorthodox, yet profitable career out of unlawful behavior have realized that the Internet provides them with relatively safe avenues to steal money. These figures hold no biases regarding who they target, attacking enterprise servers and consumer computers.

The best way to deter these persistent criminals from succeeding is by employing database activity monitoring, malware detection software and staff members skilled in the craft of information protection. The latter factor is particularly important, as those who have encountered aggressive cyberattacks likely know how to defend networks against them.

The strength of a network
According to PC World, French and Romanian officials razed a cybercriminal organization comprised of Romanian citizens, who used malware to infect the databases of money transfer enterprises in Germany, Norway, the United Kingdom, Austria and Belgium. European law enforcement agency Europol noted the figures used remote access Trojans to infiltrate the systems, allowing them to conduct unsanctioned transactions.

The Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT), reported that the illicit organizations would deliver fictitious money transfers from sham people to real recipients. In one instance, a franchisor lost $800,000 as a result of the scheme.

Government-grade tactics
Cybercriminals are recognizing that enterprises have been tightening database security in response to such attacks, leading them to utilize more sophisticated techniques. ZDNet contributor Charlie Osborne referenced Gyges, a form of espionage malware engineered by government developers, as being one of the most difficult deployments to detect.

She cited a recent report conducted by Sentinel Labs, which surmised that the malicious software likely originated from Russia and is "virtually invisible." The program can remain active for long periods of time, unbeknown to victims. Hackers are now reengineering Gyges to create more advanced ransomware and rootkits, the latter of which are codes that shield covert processes from detection.

One of the characteristics that makes Gyges so tricky is its ability to infiltrate systems when users remain inactive, a significant digression from processes employed by conventional malware. In addition, Gyges is capable of transporting other forms of malicious code that can be initiated once the desired target has been reached.

Between organized criminal networks and government-grade malware at the disposal of cybercriminals, it's safe to say organizations need to find ways to optimize their database protection.

The post Cybercriminals using more tools, are better connected appeared first on Remote DBA Experts.

What to look for in a cloud database security company

Thu, 2014-07-17 12:58

Companies new to the world of cloud computing often express apprehension in regard to security.

Unsure as to how internal teams are supposed to deploy effective protection, a number choose to outsource to database administration services capable of monitoring all network and server activity around the clock. As there are so many such companies to choose from, some enterprises are unclear as to what they should be looking for.

Seek clarification
Gilad Paran-Nassani, a contributor to SYS-CON, acknowledged the puzzle organizations encounter when weighing cloud deployment capabilities with IT defenses. He outlined a number of points leaders should be sure to cover before signing a contract with a database security provider:

  1. Define who can access information: In addition to assigning company personnel the authorization codes, organizations should get a clear idea of who on the DBA end of the operation can obtain and view data. Any opacity in this regard should be thoroughly assessed.
  2. Know how data is encrypted in the cloud: The CIO and managers of the DBA service should sit down and outline how information will be hidden during transfers. Make sure there are no loopholes in the procedure and that it can be adjusted to new security needs.
  3. Conduct a background check: Get into contact with the prospective DBA's customers and ask them questions regarding their own experiences. In addition, ask the business to provide a list of any credentials pertaining to cloud platform protection.

What to look for
When seeking out a company that can provide remote database management for cloud environments, or on-premise solutions for that matter, there are a number of enterprise characteristics businesses should favor. MSPmentor contributor Michael Brown outlined four elements executives should look for when speaking with DBA services face-to-face:

  1. A fundamental concept: If the professionals on the other end of the table have a unique approach to how they tackle security, then they're most likely a sure bet.
  2. Honesty: A cloud security provider that acknowledges past mistakes and explains how it has evolved from those mishaps is filled with motivated, adaptable individuals.
  3. Transparency: When answering tough questions, a DBA should divulge its capabilities and shortcomings so trust can be quickly established.
  4. Commitment: Dedication should go beyond day-to-day security amenities. A DBA must seek ways to improve protection while ensuring system workability on a consistent basis.

As one can observe, selecting the right DBA to protect enterprise cloud environments requires human characteristics as well as technical ability. These considerations will help organizations find the right fit.

The post What to look for in a cloud database security company appeared first on Remote DBA Experts.

Oracle users may require remote database management

Fri, 2014-07-11 10:01

A reputed professional recently discovered a bug in one of Oracle's key security implementations, which may prompt some of its customers to seek active database monitoring solutions. 

A good start, but needs work 
According to Dark Reading, David Litchfield, one of the world's most well-recognized database protection experts, recently discovered a couple of faults in Oracle's redaction feature for its 12c servers. The defensive measure allows database administrators to mask sensitive information from malicious figures.

Although Litchfield regarded the feature as a good deployment, he asserted that a highly skilled hacker would be capable of bypassing the function. He noted that employing a type of Web-based SQL injection is a feasible way for an unauthorized party to gain access to information. Litchfield is expected to demonstrate this technique among others at Black Hat USA in Las Vegas next month. 

"To be fair, it's a good step in the right direction," said Litchfield, as quoted by the source. "Even if a patch isn't available from Oracle, it's going to protect you in 80 percent of the cases. No one really know how to bypass it at this point."

Constant surveillance
Although Oracle is working to mitigate this problem, enterprises need to wonder what's going to protect them from the other 20 percent of instances. Having a staff of remote database support professionals actively monitor all server activity is arguably the most secure option available. 

Specifically, Oracle customers require assistance from those possessing the wherewithal to defend databases from SQL injection attacks. Network World outlined a few situations in which this invasive technique has caused harrowing experiences for retailers:

  • In the winter of 2007, malware was inserted into Heartland Payment Systems' transaction processing system, resulting in 130 million stolen card numbers. 
  • In early November 2007, Hannaford Brothers sustained a malicious software attack that led to the theft of 4.2 million card access codes.
  • Between January 2011 and March 2012, a series of SQL injection endeavors against Global Payment Systems incited $92.7 million in losses. 

Take the simple steps 
Network World acknowledged the importance of treating routine processes as critical features. For example, forgetting to close a database after testing the system for vulnerabilities is negligence that can't be afforded to transpire. 

In addition, it's imperative that enterprises understand the mapping of their database architectures. This protocol can be realized when organizations employ consistent surveillance of all activity, allowing professionals to see which channels are the most active and what kind of data is flowing through them. 

The post Oracle users may require remote database management appeared first on Remote DBA Experts.

Hurricane season: The need for disaster recovery

Wed, 2014-07-09 07:42

As hurricane season gets longer and businesses grow more reliant on technology, having a smart disaster recovery plan in place is essential. A major part of maintaining database security involves ensuring that the system can be rebooted or accessed in the event of a major power outage. 

Not prepared 
Eric Webster, a contributor to Channel Partners Online, referenced a survey of 600 small and medium-sized businesses conducted by Alibaba.com, Vendio, and Auctiva in 2013, noting that 74 percent of respondents have no DR/business continuity plan in place. Another 71 percent of SMBs lack a backup generator to keep the data center running. 

Essentially, this means that a large number of enterprises won't be able to conduct any activities in the event their operations shut down. Because technology is so heavily integrated into day-to-day workflows, professionals don't realize how mission critical databases are until they can't be accessed anymore. 

Battening down the hatches 
So, what can be done to prepare for a data center outage? TechRadar noted that implementing a DR/BC strategy involves a step-by-step process:

  1. If working with a cloud services provider, partner with a company known for building accessible, recoverable infrastructures.
  2. Set up data centers in easily reachable, strategically placed locations to exercise a low risk of failure.
  3. Figure out whether a dedicated communications link or a virtual private network is the best way to connect with databases.
  4. Regularly conduct tests on the system, which should be measured by performance and task completion. 

Outsourcing responsibility 
Webster acknowledged the benefits of hiring a remote database support service to initiate DR/BC tests, manage and organize recovery strategies and monitor databases 24/7/365. 

The key advantage of outsourcing to a managed services provider is that in the event a major storm is forecasted, database administrators can quickly implement backup strategies so that applications, stored information and platforms aren't lost. 

Another "aaS" 
With DBAs in mind, it's important to acknowledge that many such professionals now offer Recovery-as-a-Service, working with cloud environments to launch and maintain DR/BC. Webster outlined how this process works:

  • An enterprise's tangible and/or virtual databases deliver images of their environments to the cloud on a regular basis
  • If a super storm shuts down a data center, its virtual version can be maintained by and accessed through the cloud environment. 

Webster acknowledged that this service model is more affordable than conventional DR/BC strategies. Recovery can occur more quickly and separate hard disks containing data identical to the information in on-premise servers don't need to be used. 

The post Hurricane season: The need for disaster recovery appeared first on Remote DBA Experts.

Malware stirs database security concerns for banks

Thu, 2014-07-03 13:40

In an effort to keep up with the times, many financial institutions have implemented e-banking applications that allow customers to access and manage their finances on the Web or through their smartphones.

Although electronic solutions may boost satisfaction rates and make it easier for account holders to transfer funds, they can cause major database security woes if proper protective measures aren't taken. As of late, there have been two kinds of malware banks have had to contend with.

Attacking the mobile arena
Because it's easy for consumers to get caught up in the luxury of viewing checking information on their smartphones, many forget to follow necessary, defensive protocols. According to ITPro, a new remote access Trojan, named com.II, is targeting Android devices and zeroing in on users with mobile banking applications. 

The source noted that the malware abides by the following process:

  1. Undermines any security software that's installed
  2. Scans the device for eBanking programs
  3. Replaces any such tools with fraudulent ones
  4. Implements fabricated application updates
  5. Steals and delivers short message service notifications to access contact lists.

Combating surveillance
Paco Hope, principal consultant with Cigital, a firm based in the United Kingdom, surmised that the malicious software could infect global banking populations, as it's capable of being manipulated to abide by different languages.

To prevent the program from entering bank accounts and stealing funds, active database monitoring should be employed by enterprises offering e-banking apps. Com.II has the ability to conduct thorough surveillance of individual checking and savings records, allowing the malware's administrators to potentially carry out transactions. 

Under the radar
Many programmers harboring ill intentions have found a way to make malicious software basically unrecognizable. MarketWatch acknowledged a new breed of malware, dubbed Emotet, that tricks people into giving it access to bank accounts. The news source outlined the deployment's protocol.

  1. Spam messages are sent to victims' emails
  2. The contents of those notices detail financial transactions and include links
  3. Upon clicking the link, the malware activates code that sits in browsers
  4. Once a person visits a bank website, the program can monitor all activity

Trend Micro Vice President of Technology and Solutions JD Sherry asserted that the language used within the encoded messages appears authentic. This makes it easy for individuals to fall victim to the scam.

The administrator's side of the equation
Although it's important for e-banking customers to install adequate malware protection programs, the enterprises administering electronic solutions must find a way to defend their accounts. Constant database surveillance needs to be employed so that security breaches don't get out of hand in the event they occur.

The post Malware stirs database security concerns for banks appeared first on Remote DBA Experts.