6/25/2013 10:54 AM
Adrian Lane
Commentary

Database Configuration Standards

The trouble with database assessment and compliance

"Where do I find database security benchmarks?" That was the question posed to me this week when discussing database security assessment. It's an odd question for database administrators (DBAs) because a "benchmark" is a term we associate with performance. In compliance or security parlance, it means configuration standards, and this customer wanted to know, "Where do I find industry standards for database configuration?" The short answer is, "You don't."

A database security benchmark, or, viewed more practically, a database configuration template for compliance, has never been produced successfully by a reputable third party. A good template from an independent organization simply does not exist. That is not for lack of trying: database vendors, standards organizations, and various government entities have all tried and failed.

Standards organizations have provided "best practices" before. They fail because, in an effort to provide general concepts that apply to all databases, they offer meaningless security abstractions that give no help to the DBAs charged with implementation. Some of my favorite examples are "encrypt sensitive data," "segregate administrative roles," and "ensure users cannot overwrite the stack."

Good ideas, granted, but how you encrypt data depends on your threat objective. On some databases it is impossible to provide separation of duties, and -- outside of patching -- it is not the DBA's responsibility to fix database code flaws. In short, there are too many ways to be simultaneously compliant yet totally insecure.

Many organizations produce little more than a list of database security patches and related CERT advisories, but patching is just one dimension of configuration management. The database vendors typically provide best practices, but these lack specific links to compliance and security objectives, workarounds, and other needed information. DBAs view these lists with disdain because the recommended settings break database deployments, and because they lack any specific information about which security threats individual settings help address.

Another problem has been the compliance regulations themselves: PCI-DSS and Sarbanes-Oxley, which are intended to protect data and ensure data accuracy, respectively, don't mention database benchmarks at all. Most firms I speak with use database assessment tools to meet part of their PCI-DSS compliance reporting, and every large enterprise I've spoken with that has database monitoring bought it to provide SOX control reports. In fact, those tools have become critical to the compliance process. But SOX says nothing about database monitoring being an acceptable control, and PCI only describes the need to ensure all database access is authenticated. There is no official mapping of database settings to these compliance standards, nor to any of the other half-dozen compliance requirements people use database assessment to address.

If you have the time, you may want to sit down and see how your DBAs would address compliance requirements. That helps you understand what options are at your disposal to address audit requirements. The problem is that the external auditor may not approve of your choices, or may be afraid to without a recognized independent third party sanctioning the settings. And that is the root of why customers want external validation of database settings.

The best sources for database security settings I've come across are user groups and commercial assessment vendors. Database user groups are usually composed of very talented database administrators from different industry verticals, and most of them have compliance concerns to address. Because user groups usually focus regionally, it's hard to mine this source for information, and most tend not to publish a compendium of database configurations.

If you attend enough meetings, you'll meet users who have to address the same compliance challenges you do, and they are usually willing to share what they do for compliance and security. But it's the database assessment vendors that have taken the time to map compliance requirements to specific database features and settings, and have worked with customers to know what works and what doesn't. Thus far, they are the best source for database compliance and security benchmarks, and usually package policies according to different compliance regulations, broken down by database type. You pay for it, but it's that research and mapping of settings to compliance controls that provides value.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ...

Comments

Cookei, User Rank: Apprentice
7/18/2013 | 1:31:48 PM
re: Database Configuration Standards
Again thanks for the reply. There is also

SANS, e.g.
http://www.sans.org/score/chec...

Checklist: http://www.checklist20.com/bes...

and Project Lockdown (Oracle only)
http://www.oracle.com/technetw...

ODA155, User Rank: Ninja
7/17/2013 | 3:48:43 PM
re: Database Configuration Standards
Just DISA, and you already have that. What I did was mix and match and change settings as required... the STIG has a lot of "information" checks and recommendations, but mostly these two tend to be pretty much the same or very close, with the only difference being that the STIG is designed mostly for DoD and CIS is best practice for public consumption.

Cookei, User Rank: Apprentice
7/16/2013 | 12:25:18 PM
re: Database Configuration Standards
Thanks for the reply; I have CIS already - any others?

ODA155, User Rank: Ninja
7/11/2013 | 4:59:18 PM
re: Database Configuration Standards

Cookei, User Rank: Apprentice
7/7/2013 | 11:08:32 AM
re: Database Configuration Standards
I would substantially agree; however, the commercial assessment vendors often base their configurations within the context of a "security benchmark". For example, the DISA STIGs:

http://iase.disa.mil/stigs/app... (Oracle)
http://iase.disa.mil/stigs/app... (SQL Server)

They are therefore still relevant, providing a good reference point which gets you started and thinking.

I am attempting to capture these security benchmarks and other sources of best practice under "User Contributed External Links" at
http://www.isaca.org/Groups/Pr... and
http://www.isaca.org/Groups/Pr...

I would welcome any additions.

hmmm, User Rank: Apprentice
6/28/2013 | 2:56:32 AM
re: Database Configuration Standards
Adrian, what do you think of the recent DISA STIG or NIST compliance 'checklists'? They seem, to me, to be doing a better job of correlating threat actions and the corresponding settings and checks (albeit for a limited subset of RDBMS vendors). While a DBA still has to think through the implications of individual (and grouped) changes - that is what we get paid the big bucks for.