Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!

Database Security Best Practices

August 1, 2005
Thus far, 2005 has proven to be the year of database security breaches gone public. No organization seems too large or too small to feel the effects of database intruders and thieves. You need only look at the front page of your local newspaper to know the threat is real – Citigroup, LexisNexis, Polo Ralph Lauren, Tufts University, DSW, MasterCard – unfortunately, the list of victims reads like a laundry list of well-known enterprises.

The effects of a publicized security breach are palpable – business reputations are dragged through the mud, while consumers are growing more wary that their private data is being pilfered, spurning concerns of identity theft and credit fraud. While it is important to be wary of sensationalism in the media and among vendors, it is also important to ensure you are implementing the best security practices to ensure that your databases are kept safe and secure.

Data theft protection

What can an organization do to ensure that they don’t make the data theft headlines? Fortunately, there are several steps a security practitioner can take to help ensure his or her databases remain secure. Implementing the suggestions below will help keep you on the fast track to security success.

1. ESTABLISH A BASELINE.

An important first step is to assess your current level of database security and to establish a baseline for future comparisons.

2. UNDERSTAND VULNERABILITIES.

In order to understand vulnerabilities, it is important to be aware of the different kinds:

A. Vendor bugs are buffer overflows and other programming errors that result in users executing the commands they are allowed to execute. Downloading and applying patches usually fix vendor bugs. To ensure you are not vulnerable to one of these problems, you must stay aware of patches, and install them immediately when they are released.

B. Poor architecture is the result of not properly factoring security into the design of how an application works. These vulnerabilities are typically the hardest to fix because they require a major rework by the vendor. An example of poor architecture is when a vendor utilizes a weak form of encryption.

C. Misconfigurations are caused by not properly locking down databases. Many of the configuration options of databases can be set in a way that compromises security. Some of these parameters are set insecurely by default. Most are not a problem unless you unsuspectingly change the configuration. An example of this in Oracle is the REMOTE_OS_AUTHENT parameter. By setting REMOTE_OS_AUTHENT to true, you are allowing unauthenticated users to connect to your database.

D. Incorrect usage refers to building applications utilizing developer tools in ways that can be used to break into a system. SQL INJECTION is an example of incorrect usage.

3. MONITOR & MAINTAIN.

Monitor your progress to ensure baseline compliance and to evaluate the threat environment. Review permissions granted into the database and limit access.

4. STAY PATCHED.

Rest assured that possible intruders are paying attention to known vulnerabilities; are you? A crucial part of securing your database is to ensure that you are up to date with all patches and are monitoring any known vulnerabilities that could affect your security efforts.

5. REGULAR AUDITS.

Conducting regular audits will ensure your security policies are on track and will help you identify any irregularities or potential breaches before it’s too late.

6. VULNERABILITY ASSESSMENT & SECURITY AUDITING.

Utilizing security auditing tools will assist you in monitoring and recording what is happening within your database and alert you to suspicious or abnormal activity. With these practices you are not just guarding your database from the outside, but from any inside intruders.

7. REAL-TIME INTRUSION DE-TECTION.

While audits and vulnerability assessment serve as a great base-lining tool, the best offense is real-time detection. Implementing an alert system in real-time ensures you up-to-the-minute security awareness.

8. ENCRYPTION.

Encryption is considered the last line of defense against an intruder. If security auditing and vulnerability assessment practices have somehow failed to protect your database from potential abuse, an encryption tool can protect your most critical data from being exploited.

9. MAINTAIN PERIMETER SE-CURITY.

Steps one through eight are meant to protect data at its source, the database, but they are not intended to replace more traditional perimeter security measures. Firewalls and other perimeter security measures are still an important aspect of your security strategy. It is important to remember that today’s threats are more dynamic and thus require a multi-tiered approach to prevention. To put it another way, just because you have guards in the castle it doesn’t mean you want to skimp on the moat.

10.INSULATE THE DATABASE FROM THREAT SOURCES.

Last but not least, don’t overlook the obvious. Make sure that all passwords have been changed from their defaults and that they are updated regularly. Lock user accounts that aren’t being used, and educate your employees. Ensuring that everyone on your team understands the necessary steps and expectations for proper security will help your security policies run smoothly.

Maintaining regulatory and security best practices is not an easy task, but with a well thought out security plan, you and your security team can keep your organization’s sensitive data out of harm’s way.

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Leadership and Management
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Coding on screen

Research reveals mass scanning and exploitation campaigns

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

May 22, 2025

Proactive Crisis Communication

Crisis doesn't wait for the right time - it strikes when least expected. Is your team prepared to communicate clearly and effectively when it matters most?

September 29, 2025

Global Security Exchange (GSX)

 

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cybersecurity-blog

    Information Security Forum Releases Updated Guide to Security Best Practices

    See More
  • boon edam

    Best practices on integrating access control, biometrics with swing doors and security entrances

    See More
  • Supply Chain Security: Best Practices Build Success

    See More

Related Products

See More Products
  • databasehacker

    The Database Hacker's Handboo

  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing