Justice Department Looks To Lock Down Databases

The agency is focusing on application-level security. The goal is to examine all its databases, up from 30% today, for potential problems and lock them down as tightly as possible.

Larry Greenemeier, Contributor

August 14, 2006


The Justice Department Monday said it plans to launch a comprehensive program to inventory all of its databases and examine those applications for vulnerabilities that could be exploited either from the inside or by external attackers.

It's a move that's long overdue, given that many older databases and applications used throughout the government and industry weren't written with security in mind, and certainly not with today's Web-based attacks in mind.

"Now that people are getting better at defending networks with intrusion prevention systems, a lot of attacks are being directed against applications, such as database applications," says Dennis Heretick, Justice Department chief information security officer. "We have a specific requirement to provide database application security."

Firewalls, intrusion prevention systems, and other types of network protection have an important role in any organization's defense strategy, but "application-layer vulnerabilities are really easy to exploit," says Heretick. As chief information security officer since 2003, he oversees such security-related issues as the maintenance of security policies and procedures, the acquisition of security-related products, the establishment of implementation requirements, and the defense of Justice's network environment.

Database developers wrestle with the seemingly paradoxical problem of locking down systems to minimize access and improve security while at the same time needing to let users have access to the data they need to do their jobs. To help make this a workable situation, Justice has purchased a department-wide license for Application Security Inc.'s AppDetective.

AppDetective is scanning technology that's used to find and inventory databases located throughout a company's network and assess those databases for security problems. The security assessment is done by running a series of simulated attacks against the database, after which AppDetective provides a report indicating areas where a database might be misconfigured or contain other vulnerabilities.

Today, only about 30% of the department's databases are scrutinized by AppDetective, which parts of Justice, including the Federal Bureau of Investigation, have been using since February 2004. Heretick hasn't established a timeframe for the completion of this project, as first he wants all of Justice's system administrators trained on AppDetective before the technology is more broadly rolled out.

Each agency within Justice will retain its own information generated by its AppDetective scans, although they will report to Heretick their progress in fixing any database vulnerabilities found. The department's expanded use of AppDetective will allow Justice, for the first time, to inventory all of the databases used throughout the department and determine the department's security posture.

Government and businesses alike have proved susceptible to the dangers of poorly managed data security. In March, an employee of defense contractor BAE Systems who worked out of the FBI's Springfield, Ill., office pleaded guilty to four counts of "intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States." In this case, it was the Justice Department, according to court documents. Last month, a judge sentenced the employee, Joseph Thomas Colon, now no longer with BAE Systems, to six months of home detention. He could have received up to 18 years in prison.

During 2004, Colon accessed the FBI's Security Account Manager, a database on the FBI's classified network that contains encrypted user and group account password information for more than 38,000 user accounts. He accessed this four times. Colon's hacks were less a case of a flawed database and more an example of Justice's inability to account for access to its databases. It's a mistake the department wants to avoid repeating.
