Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:14 PM

Tech Insight: Database Security -- The First Three Steps

Protecting sensitive data means locating and enumerating the information in your databases -- and finding the right method to secure it

A Special Analysis For Dark Reading: First of two articles

One of a security professional's biggest challenges is to keep an organization's most sensitive data out of harm's way. When it comes to the huge volumes of information stored in databases, however, that's no simple task.

Protecting sensitive information means finding and securing it in any location, from corporate headquarters to branch locations to mobile devices. Such data isn't always easy to locate -- it may be stored in a variety of formats, from small Excel files on a CFO's laptop to enormous databases that contain critical inventories or customer information.

Frequently, databases hold the "crown jewels" of the organization -- the largest and most mission-critical data. This means a database breach can have serious consequences, whether it comes from an employee with authorized access or from a hacker who comes in via vulnerabilities in poorly written Web applications that are linked to the database.

Complying with regulations, like PCI DSS or SOX, has helped many organizations become more aware of their most sensitive data repositories, but it is easy to lose track of what network resources exist when these repositories are spread across multiple office locations. To prevent this sort of oversight, we should look at database security and compliance as a three-stage process: locating your databases, enumerating the data, and securing the critical database servers.

The first stage -- locating the databases themselves -- can be achieved through a couple of different methods. The easiest, but often less fruitful, method is to consult the documentation. If you're lucky, then there will be an extensive, searchable repository containing the information you're looking for. Otherwise, you'll be digging through a lot of docs. This is where sysadmins and developers can help fill in the missing gaps.

When documentation fails, the best method for locating databases is scanning the network with Nmap to find hosts that are running database services and actively listening for connections. For even better coverage, use Nessus with administrative credentials to audit your hosts for installed and running applications -- this will help you find the database servers that are running but not listening on the network.

The second stage to securing your database environment is to enumerate the data contained in the databases you found in the first stage. Not all database servers will need the same level of protection. A test database containing bogus data for use by developers, for example, will obviously not need the same level of defense as a production database server containing customer information and front-ended by a Internet-exposed Web application.

Documentation, developers, and database administrators (DBAs) should provide insight into the database's contents -- but they aren't always as accessible or helpful as they could be. To get the full picture of what's in your databases, you may need to look into data discovery products, like Identity Finder, or discovery features included in data leakage prevention (DLP) and database activity monitoring (DAM) tools.

The discovery process will be straightforward -- as long as the tool you're using properly understands how to access the databases in your organization. If you haven't purchased a product -- or if you have a DLP/DAM solution already -- then be sure what you choose will work with all of the technologies you discovered in the first stage.

The third stage is to secure the database servers themselves and ensure they comply with corporate configuration policies. Manually checking database server settings is a monotonous, tedious task best-suited for automation. Free and commercial tools are available that make the process easier, so it can be done enterprisewide with little effort.

The most important part of the third stage is to ensure you have a well-defined database security configuration policy; hopefully, this was created and refined well before you started this process. The policy should be based on best practices, while meeting the needs and required security level of your environment.

Next, choose an auditing tool that suits your database environment. The CIS Security Benchmark tool and Nessus vulnerability scanner come with customizable configuration files that can be edited to match your security policies. You can also get configuration files from groups like DISA, which can serve as a basis for your auditing.

Though the CIS tools are free, Nessus is a good upgrade to consider because it can scan for vulnerabilities in the database server and underlying operating system. Also, remember that they don't both support the same number of database server types, so be sure to confirm the one you're using can work with all, or at least most, of the software types that run your critical data.

For truly comprehensive database security, you must also consider secure network design, DLP and DAM technologies, secure application development, and proper backup and disaster recovery. However, if you execute these first three stages properly, then you'll be well on your way to securing your most sensitive database information, and you can add additional security capabilities later.

Second article: Tech Insight: It's About DAM Time

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...