
Eight Steps To Securing Small Databases

Just because your database is in a workgroup or a small business doesn't mean the data isn't valuable. Here are some low-cost steps to keeping it secure

[Excerpted from "Eight Steps To Securing Small Databases," a new report posted this week on Dark Reading's Database Security Tech Center.]

When we talk about database security, we usually begin by talking about mammoth databases maintained by large enterprises. But it can be argued that the biggest database challenges of all are those faced by small and midsize companies struggling just to get basic security in place.

In SMBs, the database administrators bear much of the responsibility for security. Most wear at least three hats: administrator, architect and security expert. Security is woven into the normal operational cycles, and it competes with all other requirements.

The good news is that many security and automation tools are available to help DBAs get their jobs done. The bad news is that these products and services often cost more than smaller companies' budgets will allow for. Indeed, for SMB DBAs, there is always too much to do and not enough money to do it with, so these folks must be creative when looking for solutions.

Under these resource-constrained conditions, how do you approach database security? With small databases dotting your company landscape, which take priority? When you can't afford the latest and greatest tools, where do you focus your efforts? SMBs and workgroups need database security strategies and tools that don't require big budgets or skilled, dedicated security staff.

SMBs looking to tightly secure the data in their care will need to spend a good amount of time planning how they will allocate scarce resources. This means leveraging everything at their disposal, including the security tools included with the products they own, as well as whatever they can draw from the community at large. Once a plan is in place, these organizations should look at automating as much as possible.

Your goal is to get the basic security systems installed and self-sufficient so you can spend your time on more time-sensitive and critical matters. Your security program will include a number of defensive security measures for the database (such as vulnerability assessment, configuration management and patching systems), controls over data access (including identity management and encryption systems) and -- resources permitting -- detective controls (such as auditing and monitoring systems).

The first step in any security program is to do an inventory of what you need to secure, including a list of the servers, databases and sensitive data under your control. You'll need to understand where these resources are deployed on your network and how users access them to do their jobs. This can be tricky for companies that have databases -- including small databases -- distributed across many locations, but this understanding is critical.

Now that you know what systems need to be secured, and what requirements you are responsible for, how will you secure these databases? It's at this phase of the process that we need to assess risks and requirements and figure out how to address them. Some issues are (relatively) simple, such as patching and reconfiguring a database when a vulnerability has been discovered. Some issues are more complex, such as HIPAA compliance and validating use of information.

The most critical factor in securing your network on a budget is successfully using what you have. Most DBAs are not even fully aware of the tools that come bundled with their databases. Some are not aware that other groups, or even their predecessors, may have acquired tools but never put them into production. Shelfware does not help you get secure, so take an inventory of what you have and put it to use.
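The three steps above (inventory what you hold, assess which of it carries the most risk, and do it with the tooling the database already ships with) can be automated with nothing more than the DBMS's own catalog. The following script is an added example written for this article and is not part of the original report; it uses an in-memory SQLite database as a stand-in for a small workgroup database, and the sensitivity patterns, weights and sample tables are constructed for illustration. The same approach ports to PostgreSQL or MySQL by querying `information_schema.columns` instead of `sqlite_master` and `PRAGMA table_info`.

```python
import re
import sqlite3
from dataclasses import dataclass

# Column-name patterns that hint at sensitive data, with a weight used for
# prioritisation. Constructed for this example; align them with your own
# data-classification policy. Ordered so the highest weight is tried first.
SENSITIVE_PATTERNS = {
    "CREDENTIAL": (4, re.compile(r"passw|secret|token|api_?key", re.I)),
    "PAYMENT":    (3, re.compile(r"card|cvv|iban|account_?num", re.I)),
    "HEALTH":     (3, re.compile(r"diagnos|medical|patient", re.I)),
    "PII":        (2, re.compile(r"ssn|social|dob|birth|passport|phone|email", re.I)),
}


@dataclass(frozen=True)
class Finding:
    table: str
    column: str
    category: str


def _quote(ident: str) -> str:
    # Double-quote an identifier so catalog-derived names are safe to embed in SQL.
    return '"' + ident.replace('"', '""') + '"'


def inventory(conn: sqlite3.Connection) -> list[Finding]:
    """Walk the database's own catalog and tag columns whose names match a
    sensitivity pattern. Only built-in metadata is used: the 'use what you
    already have' tool that every database ships with."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    findings = []
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        for row in conn.execute(f"PRAGMA table_info({_quote(table)})"):
            column = row[1]
            for category, (_, pattern) in SENSITIVE_PATTERNS.items():
                if pattern.search(column):
                    findings.append(Finding(table, column, category))
                    break  # one category per column; the heaviest match wins
    return findings


def prioritize(conn: sqlite3.Connection, findings: list[Finding]) -> list[dict]:
    """Rank tables for remediation: sum the weight of each distinct sensitive
    category present, with row count as a tiebreaker, so the largest exposure
    gets patched, access-controlled and monitored first."""
    by_table: dict = {}
    for f in findings:
        by_table.setdefault(f.table, set()).add(f.category)
    ranked = []
    for table, cats in by_table.items():
        rows = conn.execute(f"SELECT COUNT(*) FROM {_quote(table)}").fetchone()[0]
        score = sum(SENSITIVE_PATTERNS[c][0] for c in cats)
        ranked.append({"table": table, "score": score, "rows": rows,
                       "categories": sorted(cats)})
    ranked.sort(key=lambda r: (-r["score"], -r["rows"], r["table"]))
    return ranked


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a small workgroup DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, full_name TEXT, email TEXT, ssn TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, card_number TEXT, amount REAL);
        CREATE TABLE app_users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE audit_log (id INTEGER PRIMARY KEY, msg TEXT);
        INSERT INTO customers VALUES (1, 'A. Example', 'a@example.com', '000-00-0000');
        INSERT INTO customers VALUES (2, 'B. Example', 'b@example.com', '000-00-0001');
        INSERT INTO orders VALUES (1, 1, '4111111111111111', 9.99);
        INSERT INTO app_users VALUES (1, 'admin', 'x');
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for entry in prioritize(db, inventory(db)):
        print(entry)
```

Run against the sample database, the report puts `app_users` (credentials) first, then `orders` (payment data), then `customers` (PII), which is the order in which a DBA with one afternoon to spend would apply patches, tighten grants and turn on auditing. Name-based matching only finds what was named sensibly, so treat the output as the starting point for the inventory, not the finished list.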

For a detailed description of these initial steps -- and for an in-depth description of five additional steps toward securing small databases -- download the free database security report.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
