6/25/2013 10:54 AM
Adrian Lane
Commentary

Database Configuration Standards

The trouble with database assessment and compliance

"Where do I find database security benchmarks?" That was the question posed to me this week when discussing database security assessment. It's an odd question for database administrators (DBAs) because a "benchmark" is a term we associate with performance. In compliance or security parlance, it means configuration standards, and this customer wanted to know, "Where do I find industry standards for database configuration?" The short answer is, "You don't."

A database security benchmark, or, viewed more practically, a database configuration template for compliance, has never been successfully produced by a reputable third party. A good template from an independent organization simply does not exist. And not for lack of trying: the database vendors, standards organizations, and various government entities have all tried and failed.

Standards organizations have published "best practices" before. They fail because, in an effort to provide general concepts that apply to all databases, they offer security abstractions so vague that they give no practical help to the DBAs charged with implementing them. Some of my favorite examples are "encrypt sensitive data," "segregate administrative roles," and "ensure users cannot overwrite the stack."

Good ideas, granted, but how you encrypt data depends on which threat you are defending against: encrypting the storage layer protects a stolen backup or disk, but does nothing against a privileged user who already holds a valid database session. On some databases, it's impossible to provide separation of duties, and, outside of patching, it is not the DBA's responsibility to fix flaws in the vendor's database code. In short, there are too many ways to be simultaneously compliant yet totally insecure.

Many organizations produce little more than a list of database security patches and related CERT advisories, but patching is just one dimension of configuration management. The database vendors typically provide their own best practices, but these lack specific links to compliance and security objectives, workarounds, and other needed information. DBAs view these lists with disdain, both because the recommended settings break database deployments and because they say nothing about which specific threats individual settings help address.

Another problem is the compliance regulations themselves: PCI-DSS and Sarbanes-Oxley, which are intended to protect data and ensure data accuracy, respectively, don't mention database benchmarks at all. Most firms I speak with use database assessment tools to meet part of their PCI-DSS compliance reporting, and every large enterprise I've spoken with that has database monitoring bought it to produce SOX control reports. Those tools have become critical to the compliance process. But SOX says nothing about database monitoring being an acceptable control, and PCI only describes the need to ensure that all database access is authenticated. There is no official mapping of database settings to these compliance standards, nor to any of the other half-dozen compliance requirements people use database assessment to address.

Those of you with the time may want to sit down with your DBAs and work out how they would address each compliance requirement. That's helpful for understanding what options are at your disposal to satisfy audit requirements. The problem is that the external auditor may not approve of your choices, or may be afraid to without a recognized independent third party sanctioning the settings. That is the root of why customers want external validation of database settings.

The best sources for database security settings I've come across are user groups and commercial assessment vendors. Database user groups are usually made up of very talented database administrators from different industry verticals, most of whom have compliance concerns of their own to address. But because user groups usually focus regionally, this source is hard to mine, and most do not publish a compendium of database configurations.

If you attend enough meetings, you'll meet users who face the same compliance challenges you do, and they are usually willing to share what they do for compliance and security. But it's the database assessment vendors that have taken the time to map compliance requirements to specific database features and settings, and have worked with customers to learn what works and what doesn't. Thus far, they are the best source for database compliance and security benchmarks, and they usually package policies by compliance regulation, broken down by database type. You pay for it, but that research, and the mapping of settings to compliance controls, is what provides the value.
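As an added illustration of what such a mapping looks like in practice (this is not code from the article or from any assessment vendor), the following Python evaluates a configuration snapshot against a small policy in which every check records the setting, the acceptable value, the threat the setting mitigates, and the compliance controls it is evidence for. That last pair is exactly what the vendor lists criticised above leave out. The parameter names are PostgreSQL's; the threat descriptions and control mappings are the editor's illustrative assumptions rather than a published benchmark, and both configuration snapshots are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Check:
    """One benchmark line: a concrete setting, what value is acceptable,
    the threat the setting addresses, and the controls it is evidence for."""
    setting: str
    expected: str                      # human-readable acceptable value(s)
    passes: Callable[[str], bool]      # predicate over the actual value
    threat: str                        # what goes wrong if the check fails
    controls: Tuple[str, ...]          # compliance controls this supports


# Illustrative policy (an assumption, not a published benchmark). Parameter
# names are PostgreSQL's; the threat text and control mappings are examples.
POLICY: List[Check] = [
    Check("ssl", "on",
          lambda v: v.lower() == "on",
          "credentials and query results sniffed off the network",
          ("PCI-DSS req. 4 (encrypt transmission)",)),
    Check("password_encryption", "scram-sha-256",
          lambda v: v.lower() == "scram-sha-256",
          "stored md5 password hashes cracked offline or replayed",
          ("PCI-DSS req. 8 (authentication)",)),
    Check("log_connections", "on",
          lambda v: v.lower() == "on",
          "unauthorized logins leave no audit trail",
          ("PCI-DSS req. 10 (track and monitor access)", "SOX access logging")),
    Check("log_statement", "ddl, mod or all",
          lambda v: v.lower() in ("ddl", "mod", "all"),
          "schema or data changes go unrecorded",
          ("PCI-DSS req. 10 (track and monitor access)", "SOX change evidence")),
]


@dataclass(frozen=True)
class Finding:
    setting: str
    actual: str
    expected: str
    threat: str
    controls: Tuple[str, ...]


def assess(config: Dict[str, str], policy: List[Check] = POLICY) -> List[Finding]:
    """Evaluate a name->value snapshot against the policy.
    A setting absent from the snapshot fails: its default is not assumed safe."""
    findings: List[Finding] = []
    for check in policy:
        actual = config.get(check.setting)
        if actual is None or not check.passes(actual):
            findings.append(Finding(check.setting,
                                    "<unset>" if actual is None else actual,
                                    check.expected, check.threat, check.controls))
    return findings


def controls_without_evidence(findings: List[Finding]) -> Dict[str, List[str]]:
    """Regroup findings by control, the view an auditor actually asks for:
    not 'which knobs are wrong' but 'which controls lack evidence'."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        for control in f.controls:
            report.setdefault(control, []).append(f.setting)
    return report


# Constructed snapshots, in the shape returned by
# `SELECT name, setting FROM pg_settings` on a PostgreSQL server.
WEAK_CONFIG = {"ssl": "off", "password_encryption": "md5",
               "log_connections": "off", "log_statement": "none"}
HARDENED_CONFIG = {"ssl": "on", "password_encryption": "scram-sha-256",
                   "log_connections": "on", "log_statement": "ddl"}

if __name__ == "__main__":
    for f in assess(WEAK_CONFIG):
        print(f"FAIL {f.setting}={f.actual}: expected {f.expected}; "
              f"threat: {f.threat}; evidence for: {', '.join(f.controls)}")
    print("controls lacking evidence:", controls_without_evidence(assess(WEAK_CONFIG)))
    print("hardened config findings:", assess(HARDENED_CONFIG))
```

The two reports are deliberately separate: the per-setting findings tell the DBA what to change and why it matters, while the per-control grouping is what the auditor needs to see. A real benchmark would also carry a per-database-type policy and the workarounds for settings that break existing deployments, which is the part the article notes vendors charge for.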

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ...

Comments

Cookei (User Rank: Apprentice), 7/18/2013 1:31:48 PM
re: Database Configuration Standards
Again thanks for the reply. There is also:

SANS, e.g. http://www.sans.org/score/chec...

Checklist: http://www.checklist20.com/bes...

and Project Lockdown (Oracle only): http://www.oracle.com/technetw...

ODA155 (User Rank: Ninja), 7/17/2013 3:48:43 PM
re: Database Configuration Standards
Just DISA and you already have that. What I did was mix and match and change settings as required... the STIG has a lot of "information" checks and recommendations but mostly these two tend to be pretty much the same or very close with the only difference being the STIG is designed mostly for DoD and CIS are best practice for public consumption.

Cookei (User Rank: Apprentice), 7/16/2013 12:25:18 PM
re: Database Configuration Standards
Thanks for the reply, have CIS already - any others?

ODA155 (User Rank: Ninja), 7/11/2013 4:59:18 PM
re: Database Configuration Standards

Cookei (User Rank: Apprentice), 7/7/2013 11:08:32 AM
re: Database Configuration Standards
I would substantially agree; however, the commercial assessment vendors often base their configurations within the context of a "security benchmark". For example, the DISA STIGs:

http://iase.disa.mil/stigs/app... (Oracle)
http://iase.disa.mil/stigs/app... (SQL Server)

They are therefore still relevant, providing a good reference point which gets you started and thinking.

I am attempting to capture these security benchmarks and other sources of best practice under "User Contributed External Links" at
http://www.isaca.org/Groups/Pr... and
http://www.isaca.org/Groups/Pr...

I would welcome any additions.

hmmm (User Rank: Apprentice), 6/28/2013 2:56:32 AM
re: Database Configuration Standards
Adrian, what do you think of the recent DISA STIG or NIST compliance 'checklists'? They seem, to me, to be doing a better job of correlating threat actions and the corresponding settings and checks (albeit for a limited subset of RDBMS vendors). While a DBA still has to think through the implications of individual (and grouped) changes - that is what we get paid the big bucks for.