7/28/2019 Database Security Best Practices
SECURITY NOTE
Database Security Best Practices: 10 Steps to Reduce Risk
Introduction
Last year database breaches reached an all-time high. This
massive acceleration proved that the threat is real and the list
of victims long. No organization, large or small, was immune to
the effects of database intruders and thieves. In fact, several
companies long respected for their forward-thinking approach
to IT security were among 2007's victims.
In the United States alone, the number of records that have been
compromised since February 2005 has ballooned to a staggering
218 million. The effects of a publicized security breach are
palpable: business reputations are dragged through the mud and
consumers grow wary that their private data has fallen prey to
identity theft and credit fraud. Analysts estimate that the cost to
notify victims and remediate impact post-breach has increased
to almost $200 per compromised record.
The experience and knowledge of our technical experts, as
well as the lessons learned from over 1,000 installations, have
led us to identify 10 Best Practices for Database Security.
By proactively implementing the following 10 steps, an
organization can reduce its risk and ensure that it is
on the fast track to database security success.
1. Establish a Baseline
Assess the current level of database security and establish
a baseline for future comparison. This simple effort will
pay large dividends by allowing an organization to
benchmark and demonstrate progress moving forward.
Additionally, the ability to track and monitor progress is an
important component of most compliance initiatives. This
process will help organizations identify common flaws
including: unpatched systems, weak or default passwords,
excessive privileges and a lack of system monitoring.
The task of establishing baselines can be streamlined by
utilizing technology solutions to assist with discovery,
establishing a security posture reference and generating
fix scripts. A complete database security solution will also
include policies to monitor for threats and vulnerabilities
in real time.
2. Recognize Vulnerabilities and Exploitation Methodologies
Vulnerabilities fall into many classes, some simple and
some complex. The following list describes some of the
more common vulnerability examples:
a. Vendor bugs. Vendor bugs, including programming
errors such as buffer overflows, can lead to
users having the ability to execute improper and
dangerous commands on the database. As these critical
bugs are discovered, vendors release patches to
eliminate the associated vulnerabilities. However,
deploying these patches across broad networks may not be
easy, or even possible in a timely manner, due to
concerns related to staffing, the management of
downtime, or testing requirements. In these cases, it is
critical to have technology in place that can monitor
and report on attempts to exploit known
vulnerabilities in real time.
b. Poor architecture. If security is not properly
factored into the design of how an application works, the
resulting vulnerabilities are typically very difficult to fix.
Examples of poor architecture include weak forms of
encryption or improper key storage. Weaknesses
associated with poor architecture are widely known to
attackers and often published on the Web. Once
again, implementing database activity monitoring is
vital to mitigate the associated risks.
c. Misconfigurations. Many database configuration
options can be set in a manner that compromises
security. In fact, in some cases, parameters are set
insecurely by default. In other cases, these issues
are not problematic unless the default configuration
is changed. An example of this in Oracle is the
REMOTE_OS_AUTHENT parameter. When
REMOTE_OS_AUTHENT is set to true, anyone who can
communicate with the database server is blindly
allowed to connect to the database. For maximum
security, misconfigurations discovered during the
baseline assessment must be corrected immediately.
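The misconfiguration check from 2c, together with two of the common flaws named in step 1 (default passwords and excessive privileges), written as Oracle SQL. This is an added example, not part of the original note or of any vendor product; it assumes Oracle 11g or later and an account that can read V$PARAMETER and the DBA_ dictionary views, and the excluded grantee list in check 3 is an illustrative assumption.

```sql
-- Added example: baseline checks for an Oracle database (11g or later assumed).
-- Run as an account with SELECT on V$PARAMETER and the DBA_* dictionary views.

-- 1. Misconfiguration from section 2c: the value should be FALSE.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name = 'remote_os_authent';

-- 1a. Externally identified (OS-authenticated) accounts, i.e. the accounts
--     whose logins depend on the setting checked above.
SELECT username, account_status
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL'
 ORDER BY username;

-- 2. Weak or default passwords: open accounts still using a vendor default.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN'
 ORDER BY d.username;

-- 3. Excessive privileges: system-wide "ANY" privileges and grants that can
--    be passed on. The excluded grantees are an assumption; adjust per site.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '% ANY %' OR admin_option = 'YES')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- Fix for check 1. REMOTE_OS_AUTHENT is a static parameter, so the change
-- is written to the spfile and takes effect at the next instance restart.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```

Saving the output of checks 1 to 3 from each run gives the baseline that later assessments are compared against.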
3. Prioritize Vulnerability Remediation
Once an organization has established a baseline of its
security posture and understands the severity of the
identified vulnerabilities, it can begin the process of
prioritizing fixes and mitigating risk. By analyzing the risk,
asset classification, required fix effort, and likelihood of
exploitation, organizations can outline a plan to achieve
the maximum impact with minimal time and effort. Such
a process is a vital step early in the mitigation process.
4. Continuously Monitor & Maintain Systems
Database security is an ongoing process. Security
professionals must continually monitor systems to ensure
compliance while they evaluate and respond to the
changing threat environment. Adhering to a recognized
system, like the Database Security Vulnerability
Management Lifecycle, can optimize an organization's
ability to understand and mitigate risk.
5. Automate Activities
Where much of security involves regular assessments
and validation, the day-to-day work can quickly decline
into tedium and get overlooked. Through automation of
security processes, security professionals can schedule
routine tasks and reports. Today's database security
solutions enable users to schedule tasks, manage tasks
concurrently, correct for system fail-over and issue
notifications and alerts. Automated report generation and
delivery further simplify the process of keeping
stakeholders (auditors, regulators and security staff) informed.
IT environments are in a constant state of flux. New hardware and
software are added and old resources are retired. Networks are
expanded. New employees are hired and others leave the
company. A living process that can grow and change with an
organization is critical to effectively securing this dynamic environment.
The vulnerability management lifecycle has been used by
organizations for over ten years to secure networks and general purpose
hosts. By extending this proven methodology to the database
layer, organizations can ensure that security best practices are
applied to their most valuable data assets.
The database security lifecycle as defined by Application Security,
Inc. consists of four simple recurring steps: Assess, Prioritize, Fix,
and Monitor.
First, Assess the IT environment. Inventory all databases, identify
the vulnerabilities that are present, and create a baseline for
ongoing comparison. It is impossible to establish formal policies until an
organization understands the data that it must protect and the
vulnerabilities that threaten it.
Next, Prioritize database security efforts based on vulnerability and
threat data, including vulnerability severity and the criticality of the
database information. Once priorities are documented, an
organization should enact a formal security plan, report on progress, and
demonstrate ongoing improvement.
Then, Fix or Remediate known vulnerabilities to mitigate risk and
improve the database security posture. Default passwords should
be removed. Misconfigurations should be
corrected. Software patches and known workarounds should be
applied. Progress should be benchmarked.
And finally, Monitor ongoing activity in real time. Not all
vulnerabilities can be eliminated or patched immediately. Customized
policies and real-time alerting on suspicious activities allow an
organization to proactively respond to threats.
The Database Security Lifecycle methodology allows organizations
to extend layered defenses to the repositories of their most critical
and confidential information and as a result significantly minimize
security risk.
6. Stay Patched
Intruders seek out known vulnerabilities and will exploit
them whenever possible. A crucial element of securing
the database is to ensure that patches are implemented
in a timely manner and known vulnerabilities are
monitored in real time.
7. Audit Systems Regularly and Address Issues as They Arise
Conducting regular audits will ensure that security
policies are on track and will help to identify irregularities or
potential breaches before it's too late. Utilizing security
auditing tools will assist in monitoring and recording
what is happening within the database as well as
provide alerts when suspicious or abnormal activity occurs.
These best practices help to secure an organization's
databases from internal and external threats.
8. Apply Real-Time Intrusion Detection to Critical Systems
Audits and vulnerability assessments serve as excellent
starting points to address security risks. This baseline
information should be augmented with real-time
detection policies. Implementing an alert system that delivers
intrusion detection warnings in real time ensures
up-to-the-minute security awareness.
9. Avoid Relying Exclusively on Perimeter Security to Protect Your Systems
Protecting data at its source, the database, is essential
to preventing breaches and data loss. Even with
traditional perimeter security measures in place, the best
way to defend against data harvesting (where attackers
remove or damage large amounts of data) is to rely on
a layered defense model that necessarily includes the
database.
10. Trust but Verify
Customers, suppliers, contractors and vendors have all
become increasingly connected to the database. While
trusting these business partners and granting them
access to relevant data is essential, it is also necessary
to prevent security risks. Whether malicious or not,
increased database access raises the potential of
insider threats. An organization is best served by trusting
those parties with database access while verifying, via
permissions, their access control and defined roles as
well as monitoring in real time that their behavior falls
within authorized activity. As part of the process, the
database security system should alert on suspicious
activity and document suspected violations.
Maintaining security best practices is not an easy task, but a
well thought out security plan can keep an organization's
sensitive data out of harm's way.
www.appsecinc.com
575 8th Avenue, Suite 1220, New York, NY 10018 TOLL FREE 866 9APPSEC MAIN +1 212 947 8787 FAX +1 212 947 8788
ABOUT APPLICATION SECURITY
Application Security, Inc. (www.appsecinc.com) is the leading global
provider of database security solutions for the enterprise.
DbProtect, the company's flagship offering, is the industry's only
complete database security solution. More than 1,000 demanding
organizations count on DbProtect to ground their security and
compliance efforts where sensitive data lives: in the database.
The company was named to Inc. Magazine's 2007 list of America's
Fastest Growing Private Companies (Inc. 500).
MD-0004-08