Download pdf - Database Security Best Practices

7/28/2019 Database Security Best Practices

1/3

SECURITYNOTE

Database Security Best Practices:10 Steps to Reduce RiskIntroduction

Last year database breaches reached an all time high. This

massive acceleration proved that the threat is real and the list

of victims long. No organization large or small was immune to

the effects of database intruders and thieves. In fact, several

companies long respected for their forward-thinking approach

to IT security were among 2007s victims

In the United States alone, the number of records that have been

compromised since February 2005 has ballooned to a staggering

218 million. The effects of a publicized security breach are palpa-

blebusiness reputations are dragged through the mud and

consumers grow wary that their private data has fallen prey to

identity theft and credit fraud. Analysts estimate that the cost to

notify victims and remediate impact post breach have increased

to almost $200 per compromised record.

The experience and knowledge of our technical experts as

well as the lessons learned from over 1,000 installations hasled us to identify 10 Best Practices for Database Security.

By proactively implementing the following 10 steps, an

organization can reduce their risk and ensure that they are

on the fast track to database security success.

1. Establish a Baseline

Assess the current level of database security and establish

a baseline for future comparison. This simple effort will

pay large dividends by allowing an organization to bench-

mark and demonstrate progress moving forward.

Additionally, the ability to track and monitor progress is animportant component of most compliance initiatives. This

process will help organizations identify common flaws

including: unpatched systems, weak or default passwords,

excessive privileges and a lack of system monitoring.

The task of establishing baselines can be streamlined by

utilizing technology solutions to assist with discovery,

establishing a security posture reference and generating

fix scripts. A complete database security solution will also

include policies to monitor for threats and vulnerabilities

in real time.

2. Recognize Vulnerabilities and ExploitationMethodologies

Vulnerabilities fall into many classes some simple and

some complex. The following list describes some of the

more common vulnerability examples:

a. Vendor bugs.Vendor bugs, including program-

ming errors such as buffer overflows, can lead to

users having the ability to execute improper and dan-

gerous commands on the database. As these critical

bugs are discovered, vendors release patches to elim

inate the associated vulnerabilities. However, deploy-ing these patches across broad networks may not be

easy, or even possible in a timely manner due to con-

cerns related to staffing, the management of down-

time, or testing requirements. In these cases, it is criti

cal to have technology in place so that it can monitor

and report on attempts to exploit known vulnerabili-

ties in real time.

b. Poor architecture. If security is not properly fac-

tored into the design of how an application works, the

resulting vulnerabilities are typically very difficult to fix.

Examples of poor architecture include weak forms ofencryption or improper key storage. Weaknesses asso-

ciated with poor architecture are widely known to

attackers and often published on the Web. Once

again, implementing database activity monitoring is

vital to mitigate the associated risks.


2/3

c. Misconfigurations. Many database configuration

options can be set in a manner that compromise

security. In fact, in some cases, by default, parame-

ters are set insecurely. In other cases, these issues

are not problematic unless the default configuration

is changed. An example of this in Oracle is the

REMOTE_OS_AUTHENT parameter. By settingREMOTE_OS_AUTHENT to true, anyone who can

communicate with the database server is blindly

allowed to connect to the database. For maximum

security, misconfigurations discovered during the

baseline assessment must be corrected immediately.

3. Prioritize Vulnerability Remediation

Once an organization has established a baseline of its

security posture and understands the severity of the

identified vulnerabilities, it can begin the process of pri-

oritizing fixes and mitigating risk. By analyzing the risk,asset classification, required fix effort, and likelihood of

exploitation, organizations can outline a plan to achieve

the maximum impact with minimal time and effort. Such

a process is a vital step in early the mitigation process.

4. Continuously Monitor & Maintain Systems

Database security is an ongoing process. Security pro-

fessionals must continually monitor systems to ensure

compliance while they evaluate and respond to the

changing threat environment. Adhering to a recognized

system, like the Database Security Vulnerability

Management Lifecycle, can optimize an organizations

ability to understand and mitigate risk.

5. Automate Activities

Where much of security involves regular assessments

and validation, the day-to-day work can quickly decline

into tedium and get overlooked. Through automation o

security processes, security professionals can schedule

routine tasks and reports. Todays database security

solutions enable users to schedule tasks, manage tasks

concurrently, correct for system fail-over and issue notifi

cations and alerts. Automated report generation and

delivery further simplifies the process of keeping stake-

holders (auditors, regulators and security staff) informed

SECURITYNOTEDATABASE SECURITY BEST PRACTICES 2

IT environments are in a constant state of flux. New hardware and

software are added and old resources are retired. Networks are

expanded. New employees are hired and others leave the compa-

ny. A living process, that can grow and change with an organiza-

tion, is critical to effectively securing this dynamic environment.

The vulnerability management lifecycle has been used by organiza-

tions for over ten years to secure networks and general purpose

hosts. By extending this proven methodology to the database

layer, organizations can ensure that security best practices are

applied to their most valuable data assets.

The database security lifecycle as defined by Application Security,

Inc. consists of four simple recurring steps: Assess, Prioritize, Fix,

and Monitor.

First, Assess the IT environment. Inventory all databases, identify

the vulnerabilities that are present, and create a baseline for ongo-

ing comparison. It is impossible to establish formal policies until an

organization understands the data that it must protect and the vul-

nerabilities that threaten it.

Next, Prioritize database security efforts based on vulnerability and

threat data including vulnerability severity and the criticality of the

database information. Once priorities are documented an organiza-

tion should to enact a formal security plan, report on progress, and

demonstrate ongoing improvement.

Then, Fix or Remediate known vulnerabilities to mitigate risk and

improve the database security posture. Default passwords should

be removed. Misconfigurations should be

corrected. Software patches and known workarounds should be

applied. Progress should be benchmarked.

And finally, Monitor ongoing activity in real-time. Not all vulnera-

bilities can be eliminated or patched immediately. Customized

policies and real-time alerting on suspicious activities allows an

organization to proactively respond to threats.

The Database Security Lifecycle methodology allows organizations

to extend layered defenses to the repositories of their most critical

and confidential information and as a result significantly minimize

security risk.


3/3

6. Stay Patched

Intruders seek out known vulnerabilities and will exploit

them whenever possible. A crucial element of securing

the database is to ensure that patches are implemented

in a timely manner and known vulnerabilities are moni-

tored in real-time.

7. Audit Systems Regularly and Address Issues as

They Arise

Conducting regular audits will ensure that security poli-

cies are on track and will help to identify irregularities or

potential breaches before its too late. Utilizing security

auditing tools will assist in monitoring and recording

what is happening within the database as well as pro-

vide alerts when suspicious or abnormal activity occurs.

These best practices help to secure an organizations

databases from internal and external threats.

8. Apply Real-Time Intrusion Detection to Critical

Systems

Audits and vulnerability assessments serve as excellent

starting points to address security risks. This baseline

information should be augmented with real-time detec-

tion policies. Implementing an alert system that delivers

intrusion detection warnings in real-time ensures up-to-

the-minute security awareness.

9. Avoid Relying Exclusively on Perimeter Security

to Protect Your Systems

Protecting data at its source, the database, is essential

to preventing breaches and data loss. Even with tradi-

tional perimeter security measures in place, the best

way to defend against data harvesting (where attackers

remove or damage large amounts of data) is to rely on

a layered defense model that necessarily includes the

database.

10. Trust but Verify

Customers, suppliers, contractors and vendors have all

become increasingly connected to the database. While

trusting these business partners and granting them

access to relevant data is essential, it is also necessary

to prevent security risks. Whether malicious or not,

increased database access raises the potential of insid-

er threats. An organization is best served by trusting

those parties with database access while verifying, via

permissions, their access control and defined roles as

well as monitoring in real time that their behavior falls

within authorized activity. As part of the process, the

database security system should alert on suspicious

activity and document suspected violations.

Maintaining security best-practices is not an easy task, but a

well thought out security plan can keep an organizations sen-

sitive data out of harms way.

SECURITYNOTEDATABASE SECURITY BEST PRACTICES 3

www.appsecinc.com

575 8th Avenue, Suite 1220, New York, NY 10018 TOLL FREE 866 9APPSEC MAIN +1 212 947 8787 FAX +1 212 947 8788

ABOUT APPLICATION SECURITY

Application Security, Inc. (www.appsecinc.com) is the leading glob-al provider of database security solutions for the enterprise.DbProtect, the companys flagship offering, is the industrys only

complete database security solution. More than 1,000 demandingorganizations count on DbProtect to ground their security andcompliance efforts where sensitive data lives in the database.The company was named to Inc. Magazines 2007 l ist of AmericasFastest Growing Private Companies (Inc. 500).

MD-0004-08