The database risk level will vary from one organization to another and the sensitivity of the information stored in it. Database security is of great importance for institutions that keep critical data such as users’ credit cards or identity information.
The fact that databases hold such important personal and financial information makes these systems the target of cyber-attacks. Database security is of great importance for institutions because it stores high-value information.
Database vulnerabilities that have been abused for over a decade are SQL injection and buffer overflows. Still, even when patches and workarounds exist, they remain common attack vectors in deteriorating database systems.
Attackers also try to access databases using their default user account names and passwords. Finally, we hear that unencrypted tapes are lost via public violation leaks, or confidential data is routinely transferred to insecure networks.
We are still missing the necessary steps to protect database systems.
So forget about fancy encryption techniques, event correlation, or forensic analysis. Instead, an open, actionable, and pragmatic approach to database security is needed. Unfortunately, the fundamentals are often overlooked in large organizations and seem overwhelming to database professionals who don’t know exactly where to start protection.
Below are the necessary security measures you should take to protect the database from common threats. Data storage can be done in different software other than database applications, but the most crucial difference is that it can manage and change this information efficiently and quickly.
See Also: System Hardening Standards for Complying with PCI DSS
These are programs where large amounts of data can be kept securely, rapid access to information is provided, data can be controlled in integrity, and multiple users can access data simultaneously.
Security breaches are an increasing phenomenon. As more databases become accessible through the internet and web-based applications, their exposure to security threats will increase. The goal is to reduce vulnerability to these threats.
The ways to be based on database security include configuration, data protections, account provisioning, operating system/database interaction, and front-end applications using the database.
Significant attacks against databases and possible measures can be categorized as shown in the figure below.
- Failure to manage user permissions with a suitable control mechanism: Giving users rights over their needs will easily capture the system in case of theft of account information of these users.
- Abuse of user rights: The user’s use of his / her permissions for unauthorized access will result in data breaches.
- SQL vulnerabilities: These are system vulnerabilities that cause SQL injection attacks performed by injecting the exploit code into the web application’s input fields and allowing the attacker to access a whole database.
- Malware infection: The downloading of malicious software and accessing the database system via the user’s computer by phishing e-mail sent to the employee’s mail account.
- The weak system records mechanism: Automated event records are of great importance for database systems’ security. If the records are not kept regularly, it will cause various problems.
- Exposing the storage area: In general, live systems are better protected. However, the security of backup files and backup media is as important as live systems. Attackers can infiltrate the system through an unencrypted backup file.
- DOS attacks: DOS attacks, called denial of service attacks, are a type of attack that denies access to network devices or data. DOS attacks against database systems aim to overload the server and render it inoperable by performing search and request sending operations, which cause a large amount of resource usage in the system.
Implement Database Access Control and Authorization Security Controls
Limiting access to data is the main tool used to secure data. This method; is used with a distinctly different but granular focus on access control through authentication, authorization, and access control.
Different controls are provided to restrict access to the system and prevent unauthorized access. Operations are performed by assigning rights and privileges to specific data objects and data sets. These operations usually include tables, views, rows, and columns within a database.
The first line of defense for database and data security is access control. Scrutiny is required to ensure proper configuration. However, just because you have an access control system does not mean your network is secure.
- Change default user passwords as soon as you set up the database. Regularly verify that default accounts are not returning due to reloading or account reset.
- Lock unused user accounts. Remove unused accounts if you are confident they will never be used.
- Apply stronger passwords. If you use domain-level access to control database authorization, you can set policies for stronger passwords.
- Remove public accounts and public access from all accounts. There is no use case you would like the general public to access your database.
- Choose and stick to domain authentication or database authentication for your database users. Do not confuse the two. Liability confusion will create security gaps.
- Take a closer look at roles and groups. List user permissions, roles, and group participation and review to ensure users have sufficient authority to do their job.
- Protect management functions from regular users. Database vendors list processes, roles, stored procedures, and utilities reserved for administration. Do not delegate these functions to users.
- Divide database administrator duties. Companies with multiple database administrators divide the management tasks among different managers working under other manager accounts.
If you use domain-level access for control in database authorizations, you can set policies for stronger passwords. First of all, don’t use the default and static passwords. Remove public accounts and public access from all accounts. Choose domain verification or database authentication for your database.
Also, passwords’ lifespan should be checked, and a warning message should be given when the expiration period is over. A restriction should be imposed to prevent the reuse of old passwords. A sufficiently complex and lengthy password should be selected.
The number of consecutive incorrect password entries should be restricted to connect to the database. Periodically review access processes to ensure users have sufficient privileges.
Examine Database Configuration Settings
After a database has been created, the database administrator has to grant access to the database and execute specific applications to grant access to other users.
To ensure database security, the administrator must determine who will connect to the database and which applications will run. After the user names and passwords are created, the users are assigned their operations to the database. It is useful to act according to the separation of duties principle in database authorizations.
How your databases are configured through database queries is crucial to determining security and operational integrity.
Take out modules and services or packages you don’t need. Besides, document-approved configuration references should be used for databases. To discover the databases you have, use scanning tools and check the accuracy as configuration settings are added. Explore data masking options for your database and middleware environments.
Apply the Input / Output controls. You need to check the user input for any SQL-specific characters that might cause problems. Does the entered data conform to the data type? Is the data entered within limits?
The program output options should be checked with the necessary error checking functions. Security principles and possible problems should be taken into consideration during application design and programming. Header information and error messages that may cause the information to be collected on the system should not be left open.
Find out how your databases are structured through database queries and analysis of configuration files or free evaluation tools.
- Remove modules and services you don’t need.
- Document the approved configuration basis for databases. The configurations should be used as a reference and as a guide for detecting misconfigured systems.
- When adding configuration settings, use scanning software to discover the databases that you have and be consistent.
Examine Database / Platform Interaction
All databases provide tools to call operating system commands for administrative tasks directly. These functions consist of operating system and database code, run under administrative permissions.
- Disable extended or external stored procedures.
- Make sure the database owner account is on the local platform.
- Make sure that domain administrators are not database administrators.
- Bind import/export utilities, startup scripts, registry entries, or feature files to local database owner credentials.
Establish a Secure Communication
If you make sure the communication with the database is kept confidential, it would be best.
- Encrypt sessions, especially web application connections, between applications and the database.
- Reset database port numbers to a non-default value. For example, moving Oracle’s default port 1521 to a random value prevents automated attacks and makes it difficult for an attacker to search for information.
- Block temporary connections. Instant connections from unwanted locations or unapproved applications can be detected and denied by simple login triggers, database firewalls, and access control systems.
Apply Strict Patch Management
Your goal is to enable them to find and address security issues, leveraging the database vendor’s security knowledge and expertise. This requires regular approval and installation of patches.
- Create patch processes and check database updates.
- Do not allow patches to be downloaded by separate DBAs. Start from centrally approved and verified patches.
- Synchronize internal patch loops with vendor patch releases.
- Reconstruct in cases where modification of patches or functions is unacceptable.
- Back up the current and weak state of the database.
- Rank the updated version of vulnerabilities by CVSS scores.
- Give priority to updating vulnerabilities that can run code on the system and increase authority on the system.
Examine the Application Usage of the Database
Web applications use more than raw data storage using service accounts provided with a wide variety of capabilities.
- Segment authorization between ordinary users and application management accounts.
- Restrict connection pooling when all database users use a single database account.
- If possible, divide application processing into different groups and perform these operations under other database user accounts.
- Change the application-to-database link to allow the association of database queries with an end-user. This facilitates audit analysis and policy implementation.
Establish an Audit Process
Auditing is the monitoring and recording of database actions. Accountability and audit controls are required to ensure physical integrity.
You can investigate real-time solutions that analyze database traffic, detect and block execution, detect unauthorized queries and SQL injections.
Some mechanisms send alerts and reports about these detected threats via e-mail or instant messaging to the people you designate as the administrator.
Although they are considered components of log management and SIEM systems, DAM systems (Database activity monitoring) are independent systems from these technologies and DBMS. It is useful to create a logging policy, determine events and filters, and follow them on DAM. Review logs regularly, focusing on system functions and inputs.
- Log database transactions.
- Establish a logging policy, identify events you don’t need, and filter them.
- Periodically review the logs.
- Focus on failures of system functions and login information indicating system investigation.
- Review the log settings regularly.
Address Media and Backup Security
In today’s computing environment, backing up your data is an essential security step. As data becomes more critical, data loss due to accidental and theft costs hundreds of millions of dollars each year. Taken as a whole, the only exact thing is that you need to protect your data backups.
Maintaining backup media is not optional because lost media is the primary cause of data breaches.
- Use database encryption solutions that do not require any application code changes.
- Conduct a security risk assessment for your entire backup process. Review each step for vulnerabilities and solutions.
- Make multiple copies of your backup data and assign different personnel to perform and manage each backup.
- Set up a monitoring and chain of custody system to ensure you are always aware of the location of backup media and the media that needs to be destroyed.
- Evaluate and monitor the security aspects of any offsite location or service used to store backups.
- Ensure physical access is carefully arranged and facilities are appropriately secured.
- Verify that your agreement allows you to perform security audits and to do them periodically.
- Make sure the service and any transportation services you use have strict background checks on all personnel.
- Dispose of old media safely and promptly by your risk assessment.
- Educate your operational staff on backup safety issues and their importance.
- Evaluate and establish policies that address personal online and cloud backup and storage services.
- Make sure all backup operations are logged so events can be traced back to their source.
- Test the operation periodically to make sure it remains safe.
Know Your Compliance Requirements
If you have valuable data, you likely also have an obligation in your industry or governments. Security standards and compliance requirements are acceptable security practices for everyone, but they are primarily ignored before regulatory pressure, as their implementation requires additional time and money.
The two most commonly stipulated requirements for compliance are auditing and encryption.
Database auditing is used to document the activities of a database used for fraudulent activity identification and forensic checks. All relational database platforms have control features that capture transactions on data and administrative transactions against the database system.
It will be sufficient to collect the necessary data by using standard audit software offered by database vendors, but you will need to create a review process and reports to prove compliance.
Database audit tracking and log management tools are also available to automate these efforts. These tools have prebuilt policies and reports explicitly designed for regulation.
Database encryption is available in many ways. Still, they are typically divided into two families: transparent encryption covering the entire database and requiring no change in business processes. User encryption is applied only to specific objects within the database that require modification of application code.
Transparent encryption is designed to protect data on media such as disk drives and backup tapes from access from outside the database. User encryption can be used for both environmental protection and protection of data from misuse.
Transparent encryption solutions are not sufficient steps to comply with standards such as the Payment Card Industry Data Protection Standard when we address encryption to satisfy legal requirements (PCI DSS). But transparent encryption options meet most state data breach notification law requirements.
As a result, to briefly touch on database security controls;
- Explore your sensitive data and build inventory.
- Block connections from clients of outdated authentication systems.
- When data is lost or stolen, make a plan on what to do.
- Create a disaster recovery plan.
- Get to know the application developers and get their advice and opinions.
- View prebuilt policies and reports explicitly designed for regulations.
- Make sure the traffic between the client-server is encrypted with TLS.
- Make sure users are only connecting through the system they specified.
- Set up policies to manage (create, delete, control) the user.
- Set the user tracking policy.
- Set the user identification method.
- Define threat and security incidents and reporting procedure.
- Evaluate the sensitivity of specific data objects.
- Database servers should be located on virtual/physical systems separate from application/web servers.
- Database administrators should do the management of databases.
- Personal data kept in databases (application, database, table, or column level) should be encrypted. Personal data should not be kept in clear text in databases.
- Regularly sensitive data discovery scanning should be carried out on the database.
- Security updates of database management systems should be made regularly.
- Changes made on database management systems should be recorded.
- Data should be adequately backed up, and the security of backups should also be ensured.
- Servers containing databases should be isolated from the network to allow access to application services and database administrators.
- Database servers’ access to the internet should be restricted.
- The default users on the database should be changed to be specific to each user, and shared users should not be used.
- Logging of internal and external access to data is considered sensitive, and logs should be reviewed.
- Access policies regarding who can access which data sets should be established, and access should be performed as specified in this policy.