Database Security

Buffer, a social media scheduling service, found itself on the receiving end of a data breach back in October. The breach originated at the company's third-party database provider, and it exposed user account credentials that attackers then used to post spam to users' social media accounts.

This breach highlights two things that service providers and their third-party vendors need to be aware of. First, a service provider that relies on third parties for parts of its stack needs to verify that those parties follow security practices at least as strong as its own, both for business continuity and to avoid embarrassing breaches such as this one. The data is still the provider's responsibility, whoever is hosting it.

More importantly, the database containing user information must itself be protected, and stored passwords deserve particular care. There are two ways to do this. The first is to encrypt the passwords in the database with a strong cipher such as AES-256. Done correctly, this makes a stolen copy of the database useless on its own. The caveat is that encryption is reversible by design: whoever also obtains the key, whether the application that decrypts passwords to check logins or the provider that holds the key alongside the data, can recover every password. Protecting the key then becomes the whole problem.

Brute-forcing AES-256 is not a realistic path for an attacker. There is a useful table in the EE Times that lays out the work involved in exhaustively searching AES key spaces; for a 256-bit key the figures run to billions or trillions of years. In practice, then, an attacker does not attack the cipher. They go after the key, or after the systems where the plaintext is handled.

The option preferred by those with deep security roots is to never store the passwords at all. Instead, the database holds a cryptographic hash of each password. Because a hash is one-way, even an attacker holding the whole table cannot reverse it to recover the passwords. Two details matter for this to hold in practice: each password needs its own random salt, so that identical passwords produce different hashes and precomputed tables are useless, and the hash should be deliberately slow (a purpose-built password hash such as bcrypt, scrypt or PBKDF2), because a fast general-purpose hash of a weak password can be guessed in seconds with a dictionary.
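As an added illustration (this is example code written for this page, not Buffer's or its database provider's code), the following Python shows both halves of the point above: a plain, unsalted SHA-256 of a password falls to a small dictionary in a single pass that would also cover every other user with the same password, while a salted PBKDF2 record has to be attacked one user at a time at a cost the defender chooses. The passwords and wordlist are constructed, and the record format and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the demonstration; not data from any real breach.
WORDLIST = ["letmein", "123456", "password", "qwerty", "password123", "buffer2013"]


# --- The weak scheme: unsalted, fast SHA-256 --------------------------------
def weak_hash(password):
    """Plain SHA-256 of the password: no salt, no work factor."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_weak(stored_hex, wordlist):
    """Dictionary attack against an unsalted hash.

    One SHA-256 per guess, and because there is no salt the same table of
    guesses serves every user in the database at once.
    """
    for guess in wordlist:
        if weak_hash(guess) == stored_hex:
            return guess
    return None


# --- The hardened scheme: per-user random salt + PBKDF2-HMAC-SHA256 ----------
ITERATIONS = 200_000  # assumed work factor; tune so one check costs tens of ms


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password, record):
    """Recompute the digest with the stored salt and cost; constant-time compare."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_hardened(record, wordlist):
    """Same dictionary attack against a salted, slow record.

    A weak password in the wordlist is still found, but every guess costs a
    full PBKDF2 run, and the salt forces the attacker to repeat the whole
    wordlist for each user rather than reusing one precomputed table.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    weak = weak_hash("password123")
    print("weak hash cracked as:", crack_weak(weak, WORDLIST))

    rec = hash_password("password123")
    print("stored record:", rec)
    print("login ok:", verify_password("password123", rec))
    print("wrong password rejected:", not verify_password("Password123", rec))
    print("hardened record cracked as:", crack_hardened(rec, WORDLIST))
    print("strong passphrase survives:", crack_hardened(
        hash_password("correct horse battery staple"), WORDLIST) is None)
```

The salt and iteration count live in the record, so the cost can be raised later and old records re-hashed on the user's next successful login. Note what the salt does and does not buy: it does not rescue a user whose password is in the attacker's wordlist, it only makes each such user a separate, expensive job instead of a free lookup.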

Following one of these practices is the most effective way to give customers less to worry about regarding the security of their data. Had Buffer's third-party database provider done the same, this breach could potentially have been avoided.
