Cyber Security Institute

Friday, September 12, 2008

Keys to Locking Down Storage Security on a Database

Enterprises most often keep their most valued data in structured storage inside a database of some kind, and hackers know it.  Security consultant Ted Julian of Application Security offers a detailed look in several steps at how he believes database security should be implemented, starting with data discovery and moving all the way through the implementation of intrusion detection.

All storage, structured or unstructured, requires security of some kind, even if it’s simply flipping an on/off switch or pulling the USB plug on a direct-attached external disk.  Database storage security, the subject of this article, can be slightly more complicated than that.

I talked recently with Ted Julian, vice president of consultancy Application Security, about the often-thorny security issues surrounding structured content in databases.  Julian drew up a detailed look, in several steps, at what he sees as important in database security, starting with data discovery and moving all the way through how to implement intrusion detection.

First of all, you need to know exactly what you are securing.  “This is perhaps one of the easiest, yet most critical, steps in getting started in protecting your data—knowing where it is,” Julian said.  “The point being that, if you are looking to shore up protection against attacks on your data, if you aren’t sure where that data resides, chances are that it’s not currently protected.  Once you can establish where your databases are residing within your environment, you can get started on assessing your overall environment and taking an inventory of your data assets.”

Julian said database administrators need to inventory all databases, identify the vulnerabilities that are present and create a baseline of current security assets for ongoing comparison.  The ability to track and monitor progress is an important component of most compliance initiatives.  This process will help organizations identify common flaws, including unpatched systems, weak or default passwords, excessive privileges and a lack of system monitoring.  The task can be streamlined by utilizing technological solutions to assist with discovery, to establish a security posture baseline and to generate fix scripts to speed along remediation.  A complete database security solution will also include policies to monitor for threats and vulnerabilities in real time, Julian said.

DBAs need to prioritize their most pressing issues up front.  “Comprehensive database security efforts are based on vulnerability and threat data, including vulnerability severity and the criticality of the database information,” Julian said.  “Once priorities are documented, an organization should enact a formal security plan, report on progress and demonstrate ongoing improvement.”

In order to mitigate risk and improve the database security posture, the next step in shoring up security at the database level is to fix or remediate known vulnerabilities.  Software patches and known workarounds should be applied.

“Not all vulnerabilities can be eliminated or patched immediately.  Customized policies and real-time alerting on suspicious activities allow an organization to proactively respond to threats,” Julian said.  According to Julian, Application Security’s Database Security Lifecycle methodology allows enterprises to extend layered defenses to the repositories of their most critical and confidential information and as a result significantly minimize security risk.

These steps are an important component of any compliance effort; they enable organizations to respond promptly and provide informed remediation and notification when necessary, he said.

Here are some basic database security steps enterprises can take that will improve their database security postures in just one day.

Every database Oracle has ever shipped has come with a set of default accounts and passwords.  These user names and passwords are well known and documented.  “Default passwords are problematic, because they leave the front door to your database wide open,” Julian said.  There are currently over 600 known default user name and password combinations and probably a dozen free tools to scan for them, Julian said.  By the way, Oracle 11g includes a built-in DBA view to list default passwords (DBA_USERS_WITH_DEFPWD).

One of the most common attack vectors to this day is access via passwords that can be easily guessed.  Passwords should be eight or more characters in length; 14 characters or longer is ideal.  A 15-character password composed only of random letters and numbers is about 33,000 times stronger than an eight-character password that uses characters from the entire keyboard.
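One way to use the DBA_USERS_WITH_DEFPWD view mentioned above in a routine audit, shown as an added example that is not from the article or from Application Security.  It assumes Oracle 11g or later and a session with read access to the DBA_USERS and DBA_ROLE_PRIVS dictionary views, which it joins to show which default-password accounts can still log in and which hold the DBA role.

```sql
-- Added example (not from the article): audit default-password accounts.
-- Assumes Oracle 11g or later and SELECT access to the DBA_* views.
SELECT d.username,
       u.account_status,          -- 'OPEN' means the account can log in
       u.profile,                 -- password profile currently applied
       u.created,
       CASE
         WHEN EXISTS (SELECT 1
                        FROM dba_role_privs r
                       WHERE r.grantee      = d.username
                         AND r.granted_role = 'DBA')
         THEN 'YES'
         ELSE 'NO'
       END AS has_dba_role        -- default password plus DBA role: fix first
  FROM dba_users_with_defpwd d    -- accounts whose password is still a known default
  JOIN dba_users u
    ON u.username = d.username
 ORDER BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          has_dba_role DESC,
          d.username;
```

Rows with an OPEN status sort first; each one needs its password changed, or the account locked if it is unused, and an empty result set is the baseline to compare later runs against.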

A crucial element of securing the database is to ensure that patches are implemented in a timely manner and known vulnerabilities are monitored in real time.  Automate security tasks as a regular part of database maintenance.  So much of security relies on regular assessments and validation; the day-to-day work can quickly decline into tedium and get overlooked.  Utilizing software that provides regular security updates for patches, new threats and known vulnerabilities is essential to protecting the database and containing risk.

Protecting data at its source, the database, is essential to preventing breaches and data loss.  Even with traditional perimeter security measures in place, the best way to defend against data harvesting (where attackers remove or damage large amounts of data) is to rely on a layered defense model that necessarily includes the database.

Posted on 09/12