SECURITY NOTE

Database Security Best Practices:

10 Steps to Reduce Risk
Introduction
Last year database breaches reached an all time high. This massive acceleration proved that the threat is real and the list of victims long. No organization large or small was immune to the effects of database intruders and thieves. In fact, several companies long respected for their forward-thinking approach to IT security were among 2007s victims In the United States alone, the number of records that have been compromised since February 2005 has ballooned to a staggering 218 million. The effects of a publicized security breach are palpablebusiness reputations are dragged through the mud and consumers grow wary that their private data has fallen prey to identity theft and credit fraud. Analysts estimate that the cost to notify victims and remediate impact post breach have increased to almost $200 per compromised record. The experience and knowledge of our technical experts as well as the lessons learned from over 1,000 installations has led us to identify 10 Best Practices for Database Security. By proactively implementing the following 10 steps, an organization can reduce their risk and ensure that they are on the fast track to database security success. establishing a security posture reference and generating fix scripts. A complete database security solution will also include policies to monitor for threats and vulnerabilities in real time.

2. Recognize Vulnerabilities and Exploitation Methodologies

Vulnerabilities fall into many classes some simple and some complex. The following list describes some of the more common vulnerability examples: a. Vendor bugs. Vendor bugs, including programming errors such as buffer overflows, can lead to users having the ability to execute improper and dangerous commands on the database. As these critical bugs are discovered, vendors release patches to eliminate the associated vulnerabilities. However, deploying these patches across broad networks may not be easy, or even possible in a timely manner due to concerns related to staffing, the management of downtime, or testing requirements. In these cases, it is critical to have technology in place so that it can monitor and report on attempts to exploit known vulnerabilities in real time. b. Poor architecture. If security is not properly factored into the design of how an application works, the resulting vulnerabilities are typically very difficult to fix. Examples of poor architecture include weak forms of encryption or improper key storage. Weaknesses associated with poor architecture are widely known to attackers and often published on the Web. Once again, implementing database activity monitoring is vital to mitigate the associated risks.

1. Establish a Baseline
Assess the current level of database security and establish a baseline for future comparison. This simple effort will pay large dividends by allowing an organization to benchmark and demonstrate progress moving forward. Additionally, the ability to track and monitor progress is an important component of most compliance initiatives. This process will help organizations identify common flaws including: unpatched systems, weak or default passwords, excessive privileges and a lack of system monitoring. The task of establishing baselines can be streamlined by utilizing technology solutions to assist with discovery,

DATABASE SECURITY BEST PRACTICES

SECURITY NOTE

c. Misconfigurations. Many database configuration options can be set in a manner that compromise security. In fact, in some cases, by default, parameters are set insecurely. In other cases, these issues are not problematic unless the default configuration is changed. An example of this in Oracle is the REMOTE_OS_AUTHENT parameter. By setting REMOTE_OS_AUTHENT to true, anyone who can communicate with the database server is blindly allowed to connect to the database. For maximum security, misconfigurations discovered during the baseline assessment must be corrected immediately.

4. Continuously Monitor & Maintain Systems

Database security is an ongoing process. Security professionals must continually monitor systems to ensure compliance while they evaluate and respond to the changing threat environment. Adhering to a recognized system, like the Database Security Vulnerability Management Lifecycle, can optimize an organizations ability to understand and mitigate risk.

5. Automate Activities
Where much of security involves regular assessments and validation, the day-to-day work can quickly decline into tedium and get overlooked. Through automation of security processes, security professionals can schedule routine tasks and reports. Todays database security solutions enable users to schedule tasks, manage tasks concurrently, correct for system fail-over and issue notifications and alerts. Automated report generation and delivery further simplifies the process of keeping stakeholders (auditors, regulators and security staff) informed.

3. Prioritize Vulnerability Remediation

Once an organization has established a baseline of its security posture and understands the severity of the identified vulnerabilities, it can begin the process of prioritizing fixes and mitigating risk. By analyzing the risk, asset classification, required fix effort, and likelihood of exploitation, organizations can outline a plan to achieve the maximum impact with minimal time and effort. Such a process is a vital step in early the mitigation process.

The database security lifecycle as defined by Application Security, Inc. consists of four simple recurring steps: Assess, Prioritize, Fix, and Monitor. First, Assess the IT environment. Inventory all databases, identify the vulnerabilities that are present, and create a baseline for ongoing comparison. It is impossible to establish formal policies until an organization understands the data that it must protect and the vulnerabilities that threaten it. Next, Prioritize database security efforts based on vulnerability and threat data including vulnerability severity and the criticality of the database information. Once priorities are documented an organization should to enact a formal security plan, report on progress, and demonstrate ongoing improvement. Then, Fix or Remediate known vulnerabilities to mitigate risk and improve the database security posture. Default passwords should be removed. Misconfigurations should be corrected. Software patches and known workarounds should be applied. Progress should be benchmarked. IT environments are in a constant state of flux. New hardware and software are added and old resources are retired. Networks are expanded. New employees are hired and others leave the company. A living process, that can grow and change with an organization, is critical to effectively securing this dynamic environment. The vulnerability management lifecycle has been used by organizations for over ten years to secure networks and general purpose hosts. By extending this proven methodology to the database layer, organizations can ensure that security best practices are applied to their most valuable data assets. And finally, Monitor ongoing activity in real-time. Not all vulnerabilities can be eliminated or patched immediately. Customized policies and real-time alerting on suspicious activities allows an organization to proactively respond to threats. The Database Security Lifecycle methodology allows organizations to extend layered defenses to the repositories of their most critical and confidential information and as a result significantly minimize security risk.

DATABASE SECURITY BEST PRACTICES

SECURITY NOTE

6. Stay Patched
Intruders seek out known vulnerabilities and will exploit them whenever possible. A crucial element of securing the database is to ensure that patches are implemented in a timely manner and known vulnerabilities are monitored in real-time.

10. Trust but Verify

Customers, suppliers, contractors and vendors have all become increasingly connected to the database. While trusting these business partners and granting them access to relevant data is essential, it is also necessary to prevent security risks. Whether malicious or not, increased database access raises the potential of insider threats. An organization is best served by trusting those parties with database access while verifying, via permissions, their access control and defined roles as well as monitoring in real time that their behavior falls within authorized activity. As part of the process, the database security system should alert on suspicious activity and document suspected violations. Maintaining security best-practices is not an easy task, but a well thought out security plan can keep an organizations sensitive data out of harms way.

7. Audit Systems Regularly and Address Issues as They Arise

Conducting regular audits will ensure that security policies are on track and will help to identify irregularities or potential breaches before its too late. Utilizing security auditing tools will assist in monitoring and recording what is happening within the database as well as provide alerts when suspicious or abnormal activity occurs. These best practices help to secure an organizations databases from internal and external threats.

8. Apply Real-Time Intrusion Detection to Critical Systems

Audits and vulnerability assessments serve as excellent starting points to address security risks. This baseline information should be augmented with real-time detection policies. Implementing an alert system that delivers intrusion detection warnings in real-time ensures up-tothe-minute security awareness.

9. Avoid Relying Exclusively on Perimeter Security to Protect Your Systems

Protecting data at its source, the database, is essential to preventing breaches and data loss. Even with traditional perimeter security measures in place, the best way to defend against data harvesting (where attackers remove or damage large amounts of data) is to rely on a layered defense model that necessarily includes the database. ABOUT APPLICATION SECURITY
Application Security, Inc. (www.appsecinc.com) is the leading global provider of database security solutions for the enterprise. DbProtect, the companys flagship offering, is the industrys only complete database security solution. More than 1,000 demanding organizations count on DbProtect to ground their security and compliance efforts where sensitive data lives in the database. The company was named to Inc. Magazines 2007 list of Americas Fastest Growing Private Companies (Inc. 500).

www.appsecinc.com
575 8th Avenue, Suite 1220, New York, NY 10018
MD-0004-08

TOLL FREE 866 9APPSEC

MAIN +1 212 947 8787

FAX +1 212 947 8788