Experts: Test database’s security regularly to uncover weaknesses
KUALA LUMPUR: The Central Database Hub (Padu) requires genuine threat assessments to uncover overlooked vulnerabilities.
Cybersecurity expert Murugason R. Thangaratnam encouraged testing the database against genuine threats through audits or penetration tests.
Murugason, who is Novem CS chief executive officer, said this was necessary to uncover additional red flags or warning signs showing vulnerabilities in Padu’s security.
“To make sure the test is comprehensive, get ethical hackers or recognised penetration testing vendors to test its security.
“Penetration testers provide extensive reports listing database vulnerabilities, and it is important to investigate and fix these vulnerabilities,” he said, adding that the test should be done once a year.
Global Centre for Cyber Safety director Associate Professor Datuk Dr Husin Jazri emphasised the importance of managing access rights and fortifying audit trails to address vulnerabilities.
He also underscored the necessity of employing database encryption to mitigate these issues.
However, he said, while a centralised data hub offered advantages, it would become a target for hackers and was more vulnerable to ransomware attacks due to its increased visibility and value compared with a decentralised database.
“Multi-layered defences, constant monitoring, vulnerability management and a skilled team are required to ensure data security and privacy are achieved and maintained.
“The security measures cover various aspects of cybersecurity, physical security and operational procedures.”
He recommended a continuous process of evaluation and adaptation to cope with emerging threats and technological advancements.
In line with this, he proposed the implementation of third-party cybersecurity audits encompassing defensive and red teaming assessments as components of Padu’s cybersecurity policy.
He stressed the enforcement of these measures to strengthen Padu’s security, noting the high maintenance cost and the requirement for a skilled team to operate and safeguard it.
“The use of database encryption as the last layer of defence and to enforce data confidentiality and privacy must be implemented immediately.”
Husin also underscored the necessity for Padu to adopt a multi-layered security approach, including defence in depth, zero trust, monitoring and logging, strong data governance, effective threat intelligence, rigorous vulnerability management, penetration testing, security awareness training, and a backup and disaster recovery plan.
Murugason underlined the necessity of configuring every privileged account on a database server with a robust and distinct password.
He said if accounts were no longer required, they should be expired and locked to ensure tightened security measures.
“Ensure that patches remain current.
“Database patch management is crucial as attackers seek new vulnerabilities in databases, with new viruses and malware emerging daily.
“Irrespective of how solid your defences are, there is always a possibility that hackers may infiltrate your system.
“But attackers are not the only threat to the security of your database.”
He said employees too posed a risk, acknowledging the possibility of malicious or careless insiders gaining unauthorised access to sensitive files or data in the system.
“Without an encryption key, they cannot access it, and this provides a last line of defence against intrusions.
“Encrypt application files, data files and backups so that unauthorised users cannot read critical data.”