Database Security Best Practices

Thus far, 2005 has proven to be the year of database security breaches gone public. No organization seems too large or too small to feel the effects of database intruders and thieves. You need only look at the front page of your local newspaper to know the threat is real – Citigroup, LexisNexis, Polo Ralph Lauren, Tufts University, DSW, MasterCard – unfortunately, the list of victims reads like a laundry list of well-known enterprises.

The effects of a publicized security breach are palpable – business reputations are dragged through the mud, while consumers are growing more wary that their private data is being pilfered, spurning concerns of identity theft and credit fraud. While it is important to be wary of sensationalism in the media and among vendors, it is also important to ensure you are implementing the best security practices to ensure that your databases are kept safe and secure.

Data theft protection

What can an organization do to ensure that they don’t make the data theft headlines? Fortunately, there are several steps a security practitioner can take to help ensure his or her databases remain secure. Implementing the suggestions below will help keep you on the fast track to security success.


An important first step is to assess your current level of database security and to establish a baseline for future comparisons.


In order to understand vulnerabilities, it is important to be aware of the different kinds:

A. Vendor bugs are buffer overflows and other programming errors that result in users executing the commands they are allowed to execute. Downloading and applying patches usually fix vendor bugs. To ensure you are not vulnerable to one of these problems, you must stay aware of patches, and install them immediately when they are released.

B. Poor architecture is the result of not properly factoring security into the design of how an application works. These vulnerabilities are typically the hardest to fix because they require a major rework by the vendor. An example of poor architecture is when a vendor utilizes a weak form of encryption.

C. Misconfigurations are caused by not properly locking down databases. Many of the configuration options of databases can be set in a way that compromises security. Some of these parameters are set insecurely by default. Most are not a problem unless you unsuspectingly change the configuration. An example of this in Oracle is the REMOTE_OS_AUTHENT parameter. By setting REMOTE_OS_AUTHENT to true, you are allowing unauthenticated users to connect to your database.

D. Incorrect usage refers to building applications utilizing developer tools in ways that can be used to break into a system. SQL INJECTION is an example of incorrect usage.


Monitor your progress to ensure baseline compliance and to evaluate the threat environment. Review permissions granted into the database and limit access.


Rest assured that possible intruders are paying attention to known vulnerabilities; are you? A crucial part of securing your database is to ensure that you are up to date with all patches and are monitoring any known vulnerabilities that could affect your security efforts.


Conducting regular audits will ensure your security policies are on track and will help you identify any irregularities or potential breaches before it’s too late.


Utilizing security auditing tools will assist you in monitoring and recording what is happening within your database and alert you to suspicious or abnormal activity. With these practices you are not just guarding your database from the outside, but from any inside intruders.


While audits and vulnerability assessment serve as a great base-lining tool, the best offense is real-time detection. Implementing an alert system in real-time ensures you up-to-the-minute security awareness.


Encryption is considered the last line of defense against an intruder. If security auditing and vulnerability assessment practices have somehow failed to protect your database from potential abuse, an encryption tool can protect your most critical data from being exploited.


Steps one through eight are meant to protect data at its source, the database, but they are not intended to replace more traditional perimeter security measures. Firewalls and other perimeter security measures are still an important aspect of your security strategy. It is important to remember that today’s threats are more dynamic and thus require a multi-tiered approach to prevention. To put it another way, just because you have guards in the castle it doesn’t mean you want to skimp on the moat.


Last but not least, don’t overlook the obvious. Make sure that all passwords have been changed from their defaults and that they are updated regularly. Lock user accounts that aren’t being used, and educate your employees. Ensuring that everyone on your team understands the necessary steps and expectations for proper security will help your security policies run smoothly.

Maintaining regulatory and security best practices is not an easy task, but with a well thought out security plan, you and your security team can keep your organization’s sensitive data out of harm’s way.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security May 2015 Issue cover

2015 May

In the May 2015 issue of Security, learn how to be the bridge between busieness and security with "customer facing," how to effectively work with your CFO, and covert security.

Table Of Contents Subscribe

Body Cameras on Security Officers

Body cameras are being used increasingly by police in cities across the U.S. Will you arm your security officers with a body camera?
View Results Poll Archive


Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.