Database Security Best Practices

August 1, 2005
/ Print / Reprints /
ShareMore
/ Text Size+
Thus far, 2005 has proven to be the year of database security breaches gone public. No organization seems too large or too small to feel the effects of database intruders and thieves. You need only look at the front page of your local newspaper to know the threat is real – Citigroup, LexisNexis, Polo Ralph Lauren, Tufts University, DSW, MasterCard – unfortunately, the list of victims reads like a laundry list of well-known enterprises.

The effects of a publicized security breach are palpable – business reputations are dragged through the mud, while consumers are growing more wary that their private data is being pilfered, spurning concerns of identity theft and credit fraud. While it is important to be wary of sensationalism in the media and among vendors, it is also important to ensure you are implementing the best security practices to ensure that your databases are kept safe and secure.

Data theft protection

What can an organization do to ensure that they don’t make the data theft headlines? Fortunately, there are several steps a security practitioner can take to help ensure his or her databases remain secure. Implementing the suggestions below will help keep you on the fast track to security success.

1. ESTABLISH A BASELINE.

An important first step is to assess your current level of database security and to establish a baseline for future comparisons.

2. UNDERSTAND VULNERABILITIES.

In order to understand vulnerabilities, it is important to be aware of the different kinds:

A. Vendor bugs are buffer overflows and other programming errors that result in users executing the commands they are allowed to execute. Downloading and applying patches usually fix vendor bugs. To ensure you are not vulnerable to one of these problems, you must stay aware of patches, and install them immediately when they are released.

B. Poor architecture is the result of not properly factoring security into the design of how an application works. These vulnerabilities are typically the hardest to fix because they require a major rework by the vendor. An example of poor architecture is when a vendor utilizes a weak form of encryption.

C. Misconfigurations are caused by not properly locking down databases. Many of the configuration options of databases can be set in a way that compromises security. Some of these parameters are set insecurely by default. Most are not a problem unless you unsuspectingly change the configuration. An example of this in Oracle is the REMOTE_OS_AUTHENT parameter. By setting REMOTE_OS_AUTHENT to true, you are allowing unauthenticated users to connect to your database.

D. Incorrect usage refers to building applications utilizing developer tools in ways that can be used to break into a system. SQL INJECTION is an example of incorrect usage.

3. MONITOR & MAINTAIN.

Monitor your progress to ensure baseline compliance and to evaluate the threat environment. Review permissions granted into the database and limit access.

4. STAY PATCHED.

Rest assured that possible intruders are paying attention to known vulnerabilities; are you? A crucial part of securing your database is to ensure that you are up to date with all patches and are monitoring any known vulnerabilities that could affect your security efforts.

5. REGULAR AUDITS.

Conducting regular audits will ensure your security policies are on track and will help you identify any irregularities or potential breaches before it’s too late.

6. VULNERABILITY ASSESSMENT & SECURITY AUDITING.

Utilizing security auditing tools will assist you in monitoring and recording what is happening within your database and alert you to suspicious or abnormal activity. With these practices you are not just guarding your database from the outside, but from any inside intruders.

7. REAL-TIME INTRUSION DE-TECTION.

While audits and vulnerability assessment serve as a great base-lining tool, the best offense is real-time detection. Implementing an alert system in real-time ensures you up-to-the-minute security awareness.

8. ENCRYPTION.

Encryption is considered the last line of defense against an intruder. If security auditing and vulnerability assessment practices have somehow failed to protect your database from potential abuse, an encryption tool can protect your most critical data from being exploited.

9. MAINTAIN PERIMETER SE-CURITY.

Steps one through eight are meant to protect data at its source, the database, but they are not intended to replace more traditional perimeter security measures. Firewalls and other perimeter security measures are still an important aspect of your security strategy. It is important to remember that today’s threats are more dynamic and thus require a multi-tiered approach to prevention. To put it another way, just because you have guards in the castle it doesn’t mean you want to skimp on the moat.

10.INSULATE THE DATABASE FROM THREAT SOURCES.

Last but not least, don’t overlook the obvious. Make sure that all passwords have been changed from their defaults and that they are updated regularly. Lock user accounts that aren’t being used, and educate your employees. Ensuring that everyone on your team understands the necessary steps and expectations for proper security will help your security policies run smoothly.

Maintaining regulatory and security best practices is not an easy task, but with a well thought out security plan, you and your security team can keep your organization’s sensitive data out of harm’s way.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

THE MAGAZINE

Security Magazine

April 2014

2014 April

In the April issue of Security magazine, read about integration partnerships and their growing success. The Boston Marathon bombing has changed the way integrators look at security for sporting events, see where they are one year after the tragic incident. Read about the 2014 RSA conference and this year's theme of "Threat Intelligence. Also, read about the latest products and news in the security industry.

Table Of Contents Subscribe

Background Checks

Who conducts background checks on new employees and contractors in your enterprise?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13