1. Establish a Baseline
Assess the current level of database security and establish a baseline for future comparison. This simple effort will pay large dividends by allowing an organization to benchmark and demonstrate progress moving forward. Additionally, the ability to track and monitor progress is an important component of most compliance initiatives. This process will help organizations identify common flaws including: unpatched systems, weak or default passwords, excessive privileges and a lack of system monitoring. The task of establishing baselines can be streamlined by utilizing technology solutions to assist with discovery,
SECURITY NOTE
c. Misconfigurations. Many database configuration options can be set in a manner that compromises security. In fact, in some cases, parameters are set insecurely by default. In other cases, these issues are not problematic unless the default configuration is changed. An example of this in Oracle is the REMOTE_OS_AUTHENT parameter. When REMOTE_OS_AUTHENT is set to true, anyone who can communicate with the database server is blindly allowed to connect to the database. For maximum security, misconfigurations discovered during the baseline assessment must be corrected immediately.
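The following is an added example, not code from Application Security, Inc.: a small baseline check that parses an Oracle init.ora-style parameter file, flags insecure settings, and reports drift from a stored baseline. REMOTE_OS_AUTHENT comes from the text above; the two other parameters in the policy, the sample files and all function names are assumptions made for illustration.

```python
import re

# Policy: parameter -> (test that is True when the value is insecure, reason).
# remote_os_authent is the page's example; the other two are real Oracle
# parameters added here as assumptions to make the baseline less trivial.
POLICY = {
    "remote_os_authent": (lambda v: v == "true", "remote clients are trusted to authenticate themselves"),
    "o7_dictionary_accessibility": (lambda v: v == "true", "ANY privileges extend to SYS objects"),
    "audit_trail": (lambda v: v == "none", "database auditing is disabled"),
}

def parse_pfile(text):
    """Parse 'name = value' lines (optional '*.' prefix, '#' comments)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(?:\*\.)?([A-Za-z0-9_$]+)\s*=\s*(.+)$", line)
        if m:
            params[m.group(1).lower()] = m.group(2).strip().strip("'\"")
    return params

def findings(params):
    """Explicitly set parameters that violate POLICY. Parameters absent from
    the file take the server default, which a file-based check cannot see."""
    out = []
    for name, (insecure, reason) in POLICY.items():
        value = params.get(name)
        if value is not None and insecure(value.lower()):
            out.append((name, value, reason))
    return sorted(out)

def drift(baseline, current):
    """Parameters changed, added or removed since the baseline: name -> (old, new)."""
    names = sorted(set(baseline) | set(current))
    return {n: (baseline.get(n), current.get(n))
            for n in names if baseline.get(n) != current.get(n)}

# Constructed sample files, not taken from any real system.
BASELINE_PFILE = """# baseline captured at first assessment
*.audit_trail='DB'
*.remote_os_authent=FALSE
*.o7_dictionary_accessibility=FALSE
"""
CURRENT_PFILE = """*.audit_trail='DB'
*.remote_os_authent=TRUE   # changed since the baseline
*.o7_dictionary_accessibility=FALSE
*.processes=300
"""

if __name__ == "__main__":
    base, cur = parse_pfile(BASELINE_PFILE), parse_pfile(CURRENT_PFILE)
    for name, value, reason in findings(cur):
        print(f"INSECURE {name}={value}: {reason}")
    for name, (old, new) in drift(base, cur).items():
        print(f"DRIFT {name}: {old} -> {new}")
```

Run against the parameter values of the live instance as well, since a value changed at runtime or left at its default will not appear in the file.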
5. Automate Activities
Because much of security involves regular assessments and validation, the day-to-day work can quickly decline into tedium and get overlooked. Through automation of security processes, security professionals can schedule routine tasks and reports. Today's database security solutions enable users to schedule tasks, manage tasks concurrently, correct for system fail-over and issue notifications and alerts. Automated report generation and delivery further simplifies the process of keeping stakeholders (auditors, regulators and security staff) informed.
The database security lifecycle as defined by Application Security, Inc. consists of four simple recurring steps: Assess, Prioritize, Fix, and Monitor.
First, Assess the IT environment. Inventory all databases, identify the vulnerabilities that are present, and create a baseline for ongoing comparison. It is impossible to establish formal policies until an organization understands the data that it must protect and the vulnerabilities that threaten it.
Next, Prioritize database security efforts based on vulnerability and threat data, including vulnerability severity and the criticality of the database information. Once priorities are documented, an organization should enact a formal security plan, report on progress, and demonstrate ongoing improvement.
Then, Fix or Remediate known vulnerabilities to mitigate risk and improve the database security posture. Default passwords should be removed. Misconfigurations should be corrected. Software patches and known workarounds should be applied. Progress should be benchmarked.
And finally, Monitor ongoing activity in real time. Not all vulnerabilities can be eliminated or patched immediately. Customized policies and real-time alerting on suspicious activities allow an organization to proactively respond to threats.
IT environments are in a constant state of flux. New hardware and software are added and old resources are retired. Networks are expanded. New employees are hired and others leave the company. A living process that can grow and change with an organization is critical to effectively securing this dynamic environment. The vulnerability management lifecycle has been used by organizations for over ten years to secure networks and general purpose hosts. By extending this proven methodology to the database layer, organizations can ensure that security best practices are applied to their most valuable data assets.
The Database Security Lifecycle methodology allows organizations to extend layered defenses to the repositories of their most critical and confidential information and as a result significantly minimize security risk.
SECURITY NOTE
6. Stay Patched
Intruders seek out known vulnerabilities and will exploit them whenever possible. A crucial element of securing the database is to ensure that patches are implemented in a timely manner and known vulnerabilities are monitored in real-time.
www.appsecinc.com
575 8th Avenue, Suite 1220, New York, NY 10018
MD-0004-08