Just saw this on Drudge Report

/ Just saw this on Drudge Report #11
What companies should do, is encrypt their data inside the database. Then, have their software decrypt it for display purposes on the screen, reports, etc.

That way, even if they were hacked, or some idiot left their laptop with a copy of the database on it at Starbucks, the hackers would also need to figure out the decryption before they had anything, which would be damn near impossible.
 
/ Just saw this on Drudge Report #12
The problem with that is that every piece of software that reads/writes to the DB needs to have encryption added to it. That alone is prohibitively expensive unless it's a very simple system. Worse, unless the SW that reads/writes the DB is written in house, the company does not have the source code to modify. The other problem is that every DB operation that touches an encrypted field requires a decryption, and that slows the DB. A lot for some operations, often too much.

I've worked in this space for many years and I can remember one company that implemented this. They needed their own security engineers in addition to their own developers. Their system was simple (though it held a lot of data) and entirely written in house except for the actual DB. They were extremely concerned about their data and willing to spend a lot of money to protect it.

Even then, it only pushes the problem up one level, which is not far enough. The typical stack is DB -> middleware -> web server. The middleware or web server has to have automatic access to the crypto keys in order to operate. But the attackers usually come in through the web server, as that is what's accessible. So their exploit code runs as the web server and thus automatically decrypts the data.

Encryption does help with the data on a laptop problem though, IF the laptop's been properly logged out when it's stolen. Often it's not. And of course most corporate databases are too large to fit on a laptop, and are located on a server so many people can access them.

At least in this Deere case the flaw was discovered by a researcher who reported it to the company rather than exploiting it or selling the exploit, and the company fixed it promptly.
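Added example (not from either poster, and not any company's real code): a small Go program that models the field-level encryption post #11 proposes and the two costs post #12 raises. The table, the column names, the AES-GCM choice and the demo key are all constructed for illustration. A dumped copy of the table holds only ciphertext (the laptop scenario), but any code path that can call the data-access layer with the key, including the web tier, gets plaintext back automatically, and a lookup on the encrypted column has to fetch and decrypt every row because the database can no longer index it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Row is one record of a hypothetical customer table. Only the sensitive
// column is ciphertext; the rest stays in the clear so the DB can index it.
type Row struct {
	ID     int
	Name   string // plaintext, searchable by the database itself
	SSNEnc []byte // nonce || AES-GCM ciphertext of the SSN (constructed column)
}

// Table stands in for the database. A stolen dump of it is just this slice.
type Table []Row

// FieldCipher is the application-layer cipher the middleware would hold.
// Whatever code can call Open on it gets plaintext; that is the trust
// boundary post #12 describes (exploit code running as the web server).
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher wraps a 16/24/32-byte AES key in AES-GCM.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// rowAD binds a ciphertext to its row so it cannot be swapped between rows.
func rowAD(rowID int) []byte { return []byte(fmt.Sprintf("row:%d", rowID)) }

// Seal encrypts one field value under a fresh random nonce.
func (c *FieldCipher) Seal(rowID int, plaintext string) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, []byte(plaintext), rowAD(rowID)), nil
}

// Open decrypts a value produced by Seal for the same row and key.
func (c *FieldCipher) Open(rowID int, blob []byte) (string, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := c.aead.Open(nil, blob[:n], blob[n:], rowAD(rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Insert is the data-access-layer write path; every writer must go through it.
func Insert(t Table, c *FieldCipher, id int, name, ssn string) (Table, error) {
	enc, err := c.Seal(id, ssn)
	if err != nil {
		return t, err
	}
	return append(t, Row{ID: id, Name: name, SSNEnc: enc}), nil
}

// FindBySSN shows the cost post #12 warns about: the DB cannot match an
// encrypted column, so the application decrypts every row. It returns the
// matching IDs and the number of decryptions performed.
func FindBySSN(t Table, c *FieldCipher, ssn string) ([]int, int, error) {
	var ids []int
	decryptions := 0
	for _, r := range t {
		pt, err := c.Open(r.ID, r.SSNEnc)
		decryptions++
		if err != nil {
			return nil, decryptions, err
		}
		if pt == ssn {
			ids = append(ids, r.ID)
		}
	}
	return ids, decryptions, nil
}

// DumpLeaksPlaintext reports whether a raw copy of the table (the laptop-at-
// Starbucks scenario in post #11) contains any given SSN as readable bytes.
func DumpLeaksPlaintext(t Table, ssns []string) bool {
	for _, r := range t {
		for _, s := range ssns {
			if bytes.Contains(r.SSNEnc, []byte(s)) {
				return true
			}
		}
	}
	return false
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, never hard-code a real one
	c, _ := NewFieldCipher(key)
	var t Table
	t, _ = Insert(t, c, 1, "Alice", "123-45-6789")
	t, _ = Insert(t, c, 2, "Bob", "987-65-4321")
	ids, n, _ := FindBySSN(t, c, "987-65-4321")
	fmt.Println("matches:", ids, "decryptions:", n,
		"dump leaks plaintext:", DumpLeaksPlaintext(t, []string{"123-45-6789"}))
}
```

The design point worth noticing is that `FieldCipher` is the only thing standing between a dump and the plaintext: whoever holds the key object (the middleware, or an attacker running inside it) decrypts at will, and the search helper decrypts N rows for one lookup, which is exactly why the post calls the approach slow and expensive for anything beyond a simple system.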
 