
6/25/2013 10:54 AM
Adrian Lane
Commentary

Database Configuration Standards

The trouble with database assessment and compliance

"Where do I find database security benchmarks?" That was the question posed to me this week when discussing database security assessment. It's an odd question for database administrators (DBAs) because a "benchmark" is a term we associate with performance. In compliance or security parlance, it means configuration standards, and this customer wanted to know, "Where do I find industry standards for database configuration?" The short answer is, "You don't."

A database security benchmark, or, more practically, a database configuration template for compliance, has never been produced successfully by a reputable third party. A good template from an independent organization simply does not exist. Not for lack of trying: the database vendors, standards organizations, and various government entities have all tried and failed.

Standards organizations have provided "best practices" before. They fail because in an effort to provide general concepts that apply to all databases, they provide meaningless security abstractions that give no help to DBAs charged with implementation. Some of my favorite examples are "encrypt sensitive data," "segregate administrative roles," and "ensure users cannot overwrite the stack."

Good ideas, granted, but how you encrypt data will depend on your threat objective. On some databases it's impossible to provide separation of duties, and -- outside of patching -- it is not the DBA's responsibility to fix database code flaws. In short, there are too many ways to be simultaneously compliant yet totally insecure.

Many organizations produce little more than a list of database security patches and related CERT Advisories, but patching is just one dimension of configuration management. The database vendors typically provide best practices, but they lack specific links to compliance and security objectives, workarounds, and other needed information. DBAs view these lists with disdain because the recommended settings break database deployments, and also because they lack any specific information about what security threats individual settings help address.

Another problem is the compliance regulations themselves: PCI-DSS and Sarbanes-Oxley, which are intended to protect data and ensure data accuracy, respectively, don't mention database benchmarks at all. Most firms I speak with use database assessment tools to meet part of their PCI-DSS compliance reporting, and every large enterprise I've spoken with that has database monitoring bought it to provide SOX control reports. In fact, those tools have become critical to the compliance process. But SOX says nothing about database monitoring being an acceptable control, and PCI only describes the need to ensure all database access is authenticated. There is no official mapping of database settings to these compliance standards, nor to any of the other half-dozen compliance requirements people use database assessment to address.

If you have the time, sit down with your DBAs and see how they would address the compliance requirements. That helps you understand what options are at your disposal for meeting audit requirements. The problem is that the external auditor may not approve of your choices, or may be afraid to without a recognized independent third party sanctioning the settings. And that is the root of why customers want external validation of database settings.

The best sources for database security settings I've come across are user groups and commercial assessment vendors. Database user groups are usually made up of some very talented database administrators from different industry verticals, and most of them have compliance concerns to address. Because user groups usually focus regionally, it's hard to mine this source for information, and most tend not to publish a compendium of database configurations.

If you attend enough meetings, you'll meet users who have to address the same compliance challenges you do, and they are usually willing to share what they do for compliance and security. But it's the database assessment vendors that have taken the time to map compliance requirements to specific database features and settings, and have worked with customers to know what works and what doesn't. Thus far, they are the best source for database compliance and security benchmarks, and usually package policies according to different compliance regulations, broken down by database type. You pay for it, but it's that research and mapping of settings to compliance controls that provides value.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ...

Comments
Cookei, User Rank: Apprentice
7/18/2013 | 1:31:48 PM
re: Database Configuration Standards
Again, thanks for the reply. There are also:

SANS, e.g.
http://www.sans.org/score/chec...

Checklist http://www.checklist20.com/bes...

and Project Lockdown (Oracle only)
http://www.oracle.com/technetw...
ODA155, User Rank: Ninja
7/17/2013 | 3:48:43 PM
re: Database Configuration Standards
Just DISA, and you already have that. What I did was mix and match and change settings as required... The STIG has a lot of "information" checks and recommendations, but mostly these two tend to be pretty much the same or very close, with the only difference being that the STIG is designed mostly for DoD and CIS is best practice for public consumption.
Cookei, User Rank: Apprentice
7/16/2013 | 12:25:18 PM
re: Database Configuration Standards
Thanks for the reply. I have CIS already -- any others?
ODA155, User Rank: Ninja
7/11/2013 | 4:59:18 PM
re: Database Configuration Standards
Cookei, User Rank: Apprentice
7/7/2013 | 11:08:32 AM
re: Database Configuration Standards
I would substantially agree; however, the commercial assessment vendors often base their configurations within the context of a "security benchmark". For example, the DISA STIGs:

http://iase.disa.mil/stigs/app... (Oracle)
http://iase.disa.mil/stigs/app... (SQL Server)

They are therefore still relevant, providing a good reference point which gets you started and thinking.

I am attempting to capture these security benchmarks and other sources of best practice under "User Contributed External Links" at
http://www.isaca.org/Groups/Pr... and
http://www.isaca.org/Groups/Pr...

I would welcome any additions.
hmmm, User Rank: Apprentice
6/28/2013 | 2:56:32 AM
re: Database Configuration Standards
Adrian, what do you think of the recent DISA STIG or NIST compliance 'checklists'? They seem, to me, to be doing a better job of correlating threat actions and the corresponding settings and checks (albeit for a limited subset of RDBMS vendors). While a DBA still has to think through the implications of individual (and grouped) changes, that is what we get paid the big bucks for.