Database Security 101

By Chris Preimesberger  |  Posted 2008-09-12

Here are some basic database security steps enterprises can take that will improve their database security postures in just one day.

Change your default passwords. Every database Oracle has ever shipped has come with a set of default accounts and passwords. These user names and passwords are well known and documented.

"Default passwords are problematic, because they leave the front door to your database wide open," Julian said.

There are currently over 600 known default user name and password combinations and probably a dozen free tools to scan for them, Julian said.

There are also several other free scripts and tools available:
-Checkpwd from Red Database Security
-DPS (Default Password Scanner) from Oracle
-Oracle Security Probe from Pete Finnigan (written by Marcel-Jan Krijgsman)

By the way, Oracle 11g includes a built-in DBA view, DBA_USERS_WITH_DEFPWD, that lists every account whose current password still matches one of the defaults Oracle itself documents. It knows only Oracle's own defaults, so the third-party scanners above, with their larger lists, remain worth running.
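The check and the reset described above, as an added Oracle SQL example that is not part of the original article. It assumes Oracle 11g or later and a DBA session; the password values are placeholders, and SCOTT and DBSNMP are used only because they are the standard demo and Enterprise Manager accounts.

```sql
-- Added example (not from the article). Oracle 11g or later, run as a DBA.

-- 1. Which accounts still carry a documented default password? Open ones first.
SELECT d.username, u.account_status, u.profile
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END, d.username;

-- 2. Reset each one. The values shown are placeholders: generate a random
--    password per account and never reuse one across accounts or databases.
--    Interactively, prefer the SQL*Plus PASSWORD command, which prompts
--    without echoing the new value into the session history or spool file.
--    DBSNMP is needed by Enterprise Manager, so it is reset but stays open.
ALTER USER dbsnmp IDENTIFIED BY "Xe4_wP8#ngQ2sR6j";

--    SCOTT is a demo schema nobody owns in production: reset it AND lock it,
--    so the documented password is useless even if this step is skipped later.
ALTER USER scott IDENTIFIED BY "rK7#vq2Lm_9pTw4z" ACCOUNT LOCK;

-- 3. Verify: no OPEN account should remain on the list.
SELECT COUNT(*) AS open_default_accounts
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status = 'OPEN';
```

Scripts that contain literal passwords end up in shell history, spool files and backups; run the ALTER USER statements from a file that is deleted afterwards, or type them at the prompt.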

Eliminate easily guessed passwords. One of the most common attack vectors to this day is access via passwords that can be easily guessed. Attackers know that people use test/test, or a password identical to the user name, even on production databases, and there are published password dictionaries of the most common choices.

Many attackers work from wordlists, lists of candidate passwords intended primarily for use with password crackers, which test every entry against a captured password hash or a login prompt.

Require strong passwords. Using and enforcing strong passwords can significantly enhance database security. There are a few keys to developing strong passwords:

Consider the length. Every additional character multiplies the number of combinations an attacker must try. Passwords should be eight or more characters in length; 14 characters or longer is ideal. A 15-character password composed only of random lowercase letters and digits (36 possible characters) has 36^15, roughly 2 x 10^23, possible values, while an eight-character password drawn from all 95 printable keyboard characters has 95^8, roughly 7 x 10^15. The longer password is therefore about 33 million times harder to brute-force, even though it uses a smaller character set.

Incorporate complexity. Combine letters, numbers and symbols to increase the variety of characters used in the password. Many systems also accept the space character, so you can create a phrase made of several words (a "pass phrase"). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess. Avoid sequences (abcd, 1234), repeated characters and look-alike substitutions (pa$$w0rd); cracking tools try those variations first.

Additionally, for Oracle passwords specifically, an unquoted password must begin with an ASCII letter; after that, the letters a-z, the digits 0-9 and the characters _, # and $ are accepted, and a space is not. A password enclosed in double quotes may contain other characters, but some client tools and connect strings cannot pass them cleanly, so most sites stay within the unquoted set. Oracle 11g supports case-sensitive passwords (controlled by the SEC_CASE_SENSITIVE_LOGON parameter, which is on by default); earlier releases fold every password to uppercase before hashing it, so "Tiger" and "TIGER" are the same password there.

Use variety. Do not reuse one password across accounts or databases; the more distinct passwords in your environment, the less a single compromised credential buys an attacker.
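The length, complexity and Oracle-specific rules above can be enforced at the database rather than by policy alone. The following is an added example, not code from the article or from Oracle: a password verify function and a profile that applies it. It must be run as SYS (Oracle requires verify functions to live in the SYS schema); the profile name, the APP_OWNER schema and the short word list are assumptions for illustration.

```sql
-- Added example (not from the article). Run as SYS.
CREATE OR REPLACE FUNCTION verify_strong_pwd (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN
IS
    TYPE word_list IS TABLE OF VARCHAR2(30);
    -- constructed sample of guessable values; merge in your own wordlist
    common_words word_list := word_list('password', 'welcome', 'oracle',
                                        'manager', 'tiger', 'change_on_install');
BEGIN
    -- Length: 14 or more characters, as recommended above
    IF LENGTH(password) < 14 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 14 characters');
    END IF;

    -- Must not contain the user name (test/test and friends)
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password must not contain the user name');
    END IF;

    -- Must not be built around a dictionary word
    FOR i IN 1 .. common_words.COUNT LOOP
        IF INSTR(LOWER(password), common_words(i)) > 0 THEN
            RAISE_APPLICATION_ERROR(-20003,
                'Password contains a common word: ' || common_words(i));
        END IF;
    END LOOP;

    -- Complexity: a letter, a digit and one of the symbols Oracle accepts
    -- in an unquoted password (_ # $)
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]')
       OR NOT REGEXP_LIKE(password, '[_#$]') THEN
        RAISE_APPLICATION_ERROR(-20004, 'Password needs letters, digits and one of _ # $');
    END IF;

    -- No character repeated three times in a row ("aaa", "111")
    IF REGEXP_LIKE(password, '(.)\1\1') THEN
        RAISE_APPLICATION_ERROR(-20005, 'Password repeats a character three times in a row');
    END IF;

    -- Must actually change; old_password is NULL when a DBA sets the password
    IF old_password IS NOT NULL AND old_password = password THEN
        RAISE_APPLICATION_ERROR(-20006, 'New password must differ from the old one');
    END IF;

    RETURN TRUE;
END verify_strong_pwd;
/

-- Attach the function to a profile that also throttles guessing and reuse.
CREATE PROFILE strong_pwd LIMIT
    PASSWORD_VERIFY_FUNCTION verify_strong_pwd
    FAILED_LOGIN_ATTEMPTS    10      -- lock after 10 bad passwords ...
    PASSWORD_LOCK_TIME       1/24    -- ... for one hour (the unit is days)
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_MAX       10
    PASSWORD_REUSE_TIME      365;

-- APP_OWNER is a hypothetical application schema. The verify function runs
-- only when a password is set, so expire the current one to force a change.
ALTER USER app_owner PROFILE strong_pwd;
ALTER USER app_owner PASSWORD EXPIRE;

-- 11g only: keep case-sensitive password checking on (the default there).
ALTER SYSTEM SET sec_case_sensitive_logon = TRUE SCOPE = BOTH;
```

A rejected password surfaces to the user as ORA-28003 with the message text from the matching RAISE_APPLICATION_ERROR call. Apply the profile to application accounts as well as personal ones; a service account with a weak, never-expiring password is the one attackers usually find.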

Additional steps to take include:
-Set a listener password (in lsnrctl, CHANGE_PASSWORD followed by SAVE_CONFIG), so that remote clients cannot stop or reconfigure the listener
-Install the latest patch set and Critical Patch Update
-Lock out accounts that are not in use
-Revoke permissions granted to PUBLIC that are not explicitly required, since PUBLIC grants apply to every account in the database
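The two database-side items on that list, locking unused accounts and trimming PUBLIC, as an added Oracle SQL example that is not code from the article. It runs as a DBA; the approved-account list and the APP_OWNER schema are assumptions and must be built from your own inventory.

```sql
-- Added example (not from the article). Run as a DBA.

-- 1. Lock and expire every OPEN account that is not explicitly approved.
--    The list is a constructed placeholder; SYS and SYSTEM cannot be locked
--    away, so they stay open and are covered by the strong-password steps.
BEGIN
    FOR r IN (SELECT username
              FROM   dba_users
              WHERE  account_status = 'OPEN'
              AND    username NOT IN ('SYS', 'SYSTEM', 'DBSNMP', 'APP_OWNER'))
    LOOP
        EXECUTE IMMEDIATE 'ALTER USER '
            || DBMS_ASSERT.ENQUOTE_NAME(r.username, FALSE)  -- safe quoting
            || ' ACCOUNT LOCK PASSWORD EXPIRE';
    END LOOP;
END;
/

-- 2. Review what PUBLIC, i.e. every session, may execute. These SYS packages
--    give any account with a login access to the OS file system and the
--    network; revoke them unless an application demonstrably needs them, and
--    test afterwards, because some tools silently assume the PUBLIC grant.
SELECT table_name AS package_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner   = 'SYS'
AND    table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'UTL_INADDR')
ORDER  BY table_name;

REVOKE EXECUTE ON sys.utl_file   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp    FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_inaddr FROM PUBLIC;

-- Grant the one schema that really needs outbound HTTP directly instead.
GRANT EXECUTE ON sys.utl_http TO app_owner;

-- 3. PUBLIC should hold no system privileges or roles at all; both queries
--    should return no rows.
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'PUBLIC';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'PUBLIC';
```

Locking rather than dropping keeps the schema's objects intact while removing the login, which is reversible if an application turns out to need the account. On 11g, the network packages can additionally be restricted per host and port with DBMS_NETWORK_ACL_ADMIN, which is finer-grained than an all-or-nothing EXECUTE grant.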

While implementing database security takes time and effort, by addressing these items organizations can significantly improve their security posture by eliminating these common areas of risk.
