All storage, structured or unstructured, requires security of some kind, even if it’s simply flipping an on/off switch or pulling the USB plug on a direct-attached external disk.
Database storage security, the subject of this article, can be slightly more complicated than that.
I talked recently with Ted Julian, vice president of consultancy Application Security, about the often-thorny security issues surrounding structured content in databases. Julian drew up a detailed look, in several steps, at what he sees as important in database security, starting with data discovery and moving all the way through how to implement intrusion detection.
The Starting Point: Data Discovery
First of all, you need to know exactly what you are securing.
“This is perhaps one of the easiest, yet most critical, steps in getting started in protecting your data-knowing where it is,” Julian said. “The point being that, if you are looking to shore up protection against attacks on your data, if you aren’t sure where that data resides, chances are that it’s not currently protected. Once you can establish where your databases are residing within your environment, you can get started on assessing your overall environment and taking an inventory of your data assets.”
Julian said database administrators need to inventory all databases, identify the vulnerabilities that are present and create a baseline of current security assets for ongoing comparison.
The ability to track and monitor progress is an important component of most compliance initiatives. This process will help organizations identify common flaws, including unpatched systems, weak or default passwords, excessive privileges and a lack of system monitoring. The task can be streamlined by utilizing technological solutions to assist with discovery, to establish a security posture baseline and to generate fix scripts to speed along remediation.
A complete database security solution will also include policies to monitor for threats and vulnerabilities in real time, Julian said.
DBAs need to prioritize their most pressing issues up front.
“Comprehensive database security efforts are based on vulnerability and threat data, including vulnerability severity and the criticality of the database information,” Julian said. “Once priorities are documented, an organization should to enact a formal security plan, report on progress and demonstrate ongoing improvement.”
Defend Your Flanks First
Fix or Remediate Known Vulnerabilities
In order to mitigate risk and improve the database security posture, the next step in shoring up security at the database level is to fix or remediate known vulnerabilities. Default passwords should be removed. Misconfigurations should be corrected. Software patches and known workarounds should be applied. Progress should be benchmarked, Julian said.
“Not all vulnerabilities can be eliminated or patched immediately. Customized policies and real-time alerting on suspicious activities allows an organization to proactively respond to threats,” Julian said.
According to Julian, Application Security’s Database Security Lifecycle methodology allows enterprises to extend layered defenses to the repositories of their most critical and confidential information and as a result significantly minimize security risk. These steps are an important component of any compliance effort; they enable organizations to respond promptly and provide informed remediation and notification when necessary, he said.
Database Security 101
Database Security 101
Here are some basic database security steps enterprises can take that will improve their database security postures in just one day.
Change your default passwords. Every database Oracle has ever shipped has come with a set of default accounts and passwords. These user names and passwords are well known and documented.
“Default passwords are problematic, because they leave the front door to your database wide open,” Julian said.
There are currently over 600 known default user name and password combinations and probably a dozen free tools to scan for them, Julian said.
There are also several other free scripts and tools available:
–Checkpwd from Red Database Security
–DPS (Default Password Scanner) from Oracle
–Oracle Security Probe from Pete Finnigan (written by Marcel-Jan Krijgsman)
By the way, Oracle11g includes a built-in DBA view to list default passwords (DBA_USERS_WITH_DEFPWD).
Eliminate easily guessed passwords. One of the most common attack vectors to this day is access via passwords that can be easily guessed. Attackers are aware that people use test/test or other password the same as the user name-even on production databases. There are even password dictionaries that provide common passwords.
Many hackers take advantage of wordlists. These are intended primarily for use with password crackers to gain access to systems.
Require strong passwords. Using and enforcing strong passwords can significantly enhance database security. There are a few keys to developing strong passwords:
Consider the length. Each character that a password includes increases the security of that password. Passwords should be eight or more characters in length; 14 characters or longer is ideal. A 15-character password composed only of random letters and numbers is about 33,000 times stronger than an eight-character password that uses characters from the entire keyboard.
Incorporate complexity. Combine letters, numbers and symbols to increase the variety of characters used in the password. Many systems also support use of the space bar in passwords, so you can create a phrase made of many words (a “pass phrase”). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess. Avoid sequences, repeated characters and look-alike substitutions.
Additionally, for Oracle passwords specifically, passwords must begin with an ASCII letter. From there, ASCII letters a-z, _, #, $, and digits 0-9 are eligible. The space bar is not supported in passwords. Oracle 11g also supports case-sensitive passwords; other versions convert any password into uppercase letters.
Use variety. Use more than one password in your environment; the more you are using, the more difficult it is for malicious users to break them.
Additional steps to take include:
??Ç Set a listener password
??Ç Install the latest service pack
??Ç Lock out accounts that are not in use
??Ç Revoke permissions to PUBLIC that are not explicitly required
While implementing database security takes time and effort, by addressing these items organizations can significantly improve their security posture by eliminating these common areas of risk.
Keep Ahead of the Hackers
Stay Ahead of Vulnerabilities and Mitigate the Risk of Breaches
The following are best-practices tips for staying ahead of database vulnerabilities and for mitigating the risk of an enterprise breach.
Stay patched. Intruders seek out known vulnerabilities and will exploit them when possible. A crucial element of securing the database is to ensure that patches are implemented in a timely manner and known vulnerabilities are monitored in real time.
Automate security tasks as a regular part of database maintenance. So much of security relies on regular assessments and validation; the day-to-day work can quickly decline into tedium and get overlooked. Through automation of security processes, security professionals can schedule routine tasks and reports. Today’s database security solutions enable users to schedule tasks, manage tasks concurrently, and issue notifications and alerts. Automated report generation and delivery further simplifies the process of keeping stakeholders (auditors, regulators and security staff) informed.
Keep protections current. Utilizing software that provides regular security updates for patches, new threats and known vulnerabilities is essential to protecting the database and containing risk.
Concentrate on providing multiple layers of security. Protecting data at its source, the database, is essential to preventing breaches and data loss. Even with traditional perimeter security measures in place, the best way to defend against data harvesting (where attackers remove or damage large amounts of data) is to rely on a layered defense model that necessarily includes the database.
Audit systems regularly and address issues as they arise. Conducting regular audits will ensure that security policies are on track and will help to identify irregularities or potential breaches before it’s too late. Utilizing security auditing tools will assist in monitoring and recording what is happening within the database and provide alerts when suspicious or abnormal activity occurs. These best practices help to secure an organization’s databases from internal as well as external threats.
Encrypt data as appropriate. Encryption is an important last line of defense and a requirement of many compliance recommendations. Encryption is particularly important for data in transit, backup files and data stored outside of the database or on mobile devices such as laptops, tapes and memory sticks.
Continuously monitor and maintain systems. Database security is an ongoing process. Security professionals must continually monitor systems to ensure compliance while they evaluate and respond to the changing threat environment. Adhering to a recognized system, like the Database Security Vulnerability Management Lifecycle, can optimize an organization’s ability to understand and mitigate risk, according to Julian.
Implement database intrusion detection and auditing, especially to manage the gap of time between patch release and deployment on your systems. Audits and vulnerability assessments serve to provide an excellent starting point to address security risks. This baseline should be augmented with real-time detection policies. Implementing an alert system that delivers intrusion detection warnings in real time ensures up-to-the-minute security awareness.