Risk
10/7/2012 01:42 PM
Tim Wilson
Quick Hits

Eight Steps To Securing Small Databases

Just because your database lives in a workgroup or a small business doesn't mean the data isn't valuable. Here are some low-cost steps to keep it secure

[Excerpted from "Eight Steps To Securing Small Databases," a new report posted this week on Dark Reading's Database Security Tech Center.]

When we talk about database security, we usually begin by talking about mammoth databases maintained by large enterprises. But it can be argued that the biggest database challenges of all are those faced by small and midsize companies struggling just to get basic security in place.

In SMBs, the database administrators bear much of the responsibility for security. Most wear at least three hats: administrator, architect and security expert. Security is woven into the normal operational cycles, and it competes with all other requirements.

The good news is that many security and automation tools are available to help DBAs get their jobs done. The bad news is that these products and services often cost more than smaller companies' budgets will allow for. Indeed, for SMB DBAs, there is always too much to do and not enough money to do it with, so these folks must be creative when looking for solutions.

Under these resource-constrained conditions, how do you approach database security? With small databases dotting your company landscape, which take priority? When you can't afford the latest and greatest tools, where do you focus your efforts? SMBs and workgroups need database security strategies and tools that don't require big budgets or skilled, dedicated security staff.

SMBs looking to tightly secure the data in their care will need to spend a good amount of time planning how they will allocate scarce resources. This means using everything at their disposal, including the security tools bundled with the products they already own, as well as whatever they can draw from the community at large. Once a plan is in place, these organizations should look at automating as much as possible.

Your goal is to get the basic security systems installed and self-sufficient so you can spend your time on more time-sensitive and critical matters. Your security program will include a number of preventive measures for the database (such as vulnerability assessment, configuration management and patching), controls over data access (including identity management and encryption) and -- resources permitting -- detective controls (such as auditing and monitoring systems).

The first step in any security program is to do an inventory of what you need to secure, including a list of the servers, databases and sensitive data under your control. You'll need to understand where these resources are deployed on your network and how users access them to do their jobs. This can be tricky for companies that have databases -- including small databases -- distributed across many locations, but this understanding is critical.

Now that you know which systems need to be secured, and which requirements you are responsible for, how will you secure these databases? This is the phase where you assess risks and requirements and figure out how to address them. Some issues are (relatively) simple, such as patching and reconfiguring a database when a vulnerability has been discovered. Some issues are more complex, such as HIPAA compliance and validating how information is used.

The most critical factor in securing your databases on a budget is successfully using what you already have. Most DBAs are not even fully aware of the tools that come bundled with their databases. Some are not aware that other groups, or even their predecessors, may have acquired tools but never put them into production. Shelfware does not help you get secure, so take an inventory of what you have and put it to use.
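The three initial steps above (inventory what you have, rank it by risk, and do it with tooling you already own) can be scripted with nothing more than the database's own catalogue. The following is an added example, not code from the report or from any vendor: it uses SQLite's built-in schema catalogue (bundled with Python) as a stand-in for whatever information schema your DBMS exposes, builds a per-database inventory of tables and columns, flags columns whose names suggest regulated or high-value data, and orders the databases so the DBA knows where to start. The three sample schemas, the column-name patterns and the scoring weights are all constructed assumptions for the example and should be replaced with your own naming conventions and priorities.

```python
import re
import sqlite3
from dataclasses import dataclass, field

# Constructed sample schemas for three small "workgroup" databases. They are
# created in memory so the example runs offline; in real use you would connect
# to each server on your inventory list instead.
SAMPLE_SCHEMAS = {
    "hr-workgroup": [
        "CREATE TABLE employees (id INTEGER, full_name TEXT, ssn TEXT, salary REAL, email TEXT)",
        "CREATE TABLE timesheets (employee_id INTEGER, week INTEGER, hours REAL)",
    ],
    "webshop": [
        "CREATE TABLE customers (id INTEGER, email TEXT, password_hash TEXT, card_number TEXT)",
        "CREATE TABLE products (sku TEXT, name TEXT, price REAL)",
    ],
    "inventory-tracker": [
        "CREATE TABLE parts (part_no TEXT, qty INTEGER, location TEXT)",
    ],
}

# Column-name patterns that usually indicate sensitive data. These are
# assumptions for the example; tune them to your own naming conventions.
SENSITIVE_PATTERNS = {
    "pii": re.compile(r"(ssn|social|dob|birth|full_name|address|phone|email)", re.I),
    "financial": re.compile(r"(card|credit|iban|account_no|salary)", re.I),
    "credential": re.compile(r"(password|passwd|secret|token|api_key)", re.I),
}

# Assumed weights: credentials and payment data outrank plain PII.
CATEGORY_WEIGHTS = {"credential": 3, "financial": 3, "pii": 2}


@dataclass
class DbInventory:
    name: str
    tables: dict                                   # table name -> list of columns
    sensitive: list = field(default_factory=list)  # (table, column, category)

    @property
    def priority(self) -> int:
        """Crude risk score: sum of weights of the sensitive columns found."""
        return sum(CATEGORY_WEIGHTS[cat] for _, _, cat in self.sensitive)


def inventory_database(name: str, conn: sqlite3.Connection) -> DbInventory:
    """Walk the catalogue of one database and classify its columns."""
    tables, sensitive = {}, []
    table_rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (table,) in table_rows:
        # pragma_table_info is a table-valued function (SQLite 3.16+), so the
        # table name can be bound as a parameter instead of pasted into SQL.
        cols = [row[0] for row in conn.execute("SELECT name FROM pragma_table_info(?)", (table,))]
        tables[table] = cols
        for col in cols:
            for category, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(col):
                    sensitive.append((table, col, category))
                    break  # first matching category wins
    return DbInventory(name, tables, sensitive)


def build_inventory(schemas=SAMPLE_SCHEMAS) -> list:
    """Inventory every database and return them highest-priority first."""
    results = []
    for name, ddl in schemas.items():
        conn = sqlite3.connect(":memory:")
        for statement in ddl:
            conn.execute(statement)
        results.append(inventory_database(name, conn))
        conn.close()
    return sorted(results, key=lambda db: db.priority, reverse=True)


if __name__ == "__main__":
    for db in build_inventory():
        print(f"{db.name}: priority={db.priority}, tables={len(db.tables)}")
        for table, col, category in db.sensitive:
            print(f"  {table}.{col} -> {category}")
```

The output is the starting point for the next steps in the report: the ranked list tells you which databases get patched, hardened and audited first, and the sensitive-column list is the input to access-control and encryption decisions. Name-based classification is only a first pass; a column called `notes` can hold card numbers just as easily, so sample the data in the top-ranked databases before treating the list as complete.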

For a detailed description of these initial steps -- and for an in-depth description of five additional steps toward securing small databases -- download the free database security report.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
