Analytics
10/9/2009
03:50 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Six Steps Toward Better Database Security Compliance

Discovery, assessment, and monitoring play key roles in compliance efforts, experts say

In a sea of compliance initiatives, database security is often overlooked. But experts say no matter what the regulations say, securing the database is a critical part of any compliance effort.

"What I've found in my experience is that the database is often the forgotten layer, even though it's the layer where the crown jewels -- the data -- usually resides," says Scott Laliberte, global leader of information security assessment services for Protiviti, which conducts third-party audit assessments for enterprises.

But improving the security of the database as part of a larger compliance initiative is doable, experts say. The trick is to follow six steps toward database compliance. Let's take a look.

1. Database Discovery And Risk Assessment Before organizations can start their database compliance efforts, they must first find the databases -- and where the regulated data resides in them.

"That's a big challenge for a lot of folks. They know where their mainframes are, and they know where a lot of their systems are but...they don't really know which database systems they have on their network," says Josh Shaul, vice president of product management for Application Security, a database security company. "And even the systems they know about, they're not entirely sure which ones contain the sensitive data."

2. Vulnerability And Configuration Management Once an inventory has been developed, organizations need to look at the databases themselves. Before moving forward, they must ensure each database is securely configured and hardened to attack.

"Basic configuration and vulnerability assessment of databases is a key starting point for enterprises," Shaul says.

3. Access Management and Segregation of Duties Figuring out who has access to regulated data, what kind of access they are given, and whether that access is appropriate for their jobs is at the heart of complying with regulatory mandates.

The act of managing database accounts and entitlements can range from the simple to the incredibly complex. Laliberte recommends enterprises start with the simpler tasks, which are still ignored in many organizations.

"Sometimes it's as simple as account management, password controls, and removing default accounts," Laliberte says. "Those types of things we typically see not as well controlled at the database level as they are at the operating system or application level."

More complicated is the issue of segregation of duties and entitling permissions based on roles. "It's segregation of duties violations that get organizations every single time [when they're audited]," Shaul says. "Segregation of duties in the end is a cornerstone of the regulations that folks are trying to deal with."

The task of segregating users based on roles means understanding each user's duties, experts say. And it can't be a one-time task. Organizations need to be vigilant to constantly review roles and entitlements to prevent toxic combinations of privileges.

Take, for example, a payments clerk who gets a promotion to run the accounts payable department. In the new position, that person "owns" the AP system and has the ability to modify and delete checks that have been written. If his ability to write new checks hasn't been revoked, that person now has the ability to commit fraud. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.