How to Secure Database System without Specialized Products and Services


    How to Secure Database System without Specialized Products and Services

    Various database vulnerabilities have been discovered so far; however, the most common threats people deal with are SQL injection and buffer overruns. These are the common paths attackers use to compromise database systems, even when patches are applied. In such a case, it is hard for small businesses to acquire specialized products and services to secure their databases.

    So, I would like to know if there are any security measures that can be implemented to defend a database system from attackers and make it more secure without having to buy any products or services.

    #2
    Re: How to Secure Database System without Specialized Products and Services

    Hi George,

    It is a fact that most databases nowadays are attacked using the SQL injection technique. Since SQL databases contain very sensitive application data, loss of privacy has become a common issue with SQL injection. Due to this, it has become necessary for businesses to have a practical approach to database security. Most of the time the essentials are ignored by many organizations because the databases are overwhelming and professionals don't know where to start.



      #3
      Re: How to Secure Database System without Specialized Products and Services

      @SeanyG, I completely agree with you. Usually, many organizations consider security measures a waste of time without checking the basic fundamentals. Here is one of the steps you can take to defend your databases from common attacks. They may take time to examine and implement; however, they are very effective and easy to implement.

      @George Anderson, one of the most important steps to consider when securing databases is access controls and authorization. You may think that you already have access controls implemented; however, just having an access control system in place doesn't make your database system secure. It is highly important to inspect the two systems (i.e. database authentication and domain authentication) so that the access coordination between them is proper, and to prevent users from bypassing database authorization completely.

      For securing your database systems, this should be your first line of defense, and it warrants close inspection to make sure that the accounts are configured properly and that the database authentication and domain authentication systems are deployed correctly. Also, remember that the longer a database is in use, the more the chances of access rights drifting increase.

      Ensure the following:

      1] Change all the default user passwords when you install the database. Also, make sure that passwords are not changed back to the previous ones due to an account reset.

      2] Lock down user accounts that have not been in use for a specific period of time, and if they are of no use, simply remove them. There are a few kinds of users that are packaged with the database (i.e. for testing, tutorials and demo purposes) which may get exploited and provide access to the database.

      3] Implement a strong password policy based on domain-level access. It is recommended to keep the passwords rotating instead of keeping them static.

      4] If there isn't any specific case where you want the public to have access to your databases, then ensure you remove public accounts as well as public access from all the accounts.

      5] Always remember that mixing things up usually creates confusion. It is recommended that you choose either domain authentication or database authentication for your database users and stick to it.

      6] Always restrict administrative functions to users.

      7] If your organization has more than one database administrator, then it is better to split the responsibilities among the database administrators. Simply list the administrative tasks and distribute them among the administrators.

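The checklist above can be turned into catalogue queries that run on a schedule, which is how the drift in access rights gets noticed. The following is an added example, not code from the thread: it audits a constructed stand-in for an account catalogue with plain SQL. Real products expose this through their own views (pg_roles, mysql.user, sys.server_principals), so the `accounts` table and its column names are assumptions made for the example.

```python
import sqlite3
from datetime import date

# Constructed account catalogue; every row and column name here is invented for the example.
SAMPLE_ACCOUNTS = [
    # name, shipped_with_product, password_changed, last_login, is_admin, public_login
    ("sa",        1, 0, "2024-01-15", 1, 0),
    ("app_web",   0, 1, "2024-06-01", 0, 0),
    ("demo",      1, 0, "2023-02-10", 0, 1),
    ("dba_alice", 0, 1, "2024-06-02", 1, 0),
    ("dba_bob",   0, 1, "2024-05-30", 1, 0),
    ("reporting", 0, 1, "2024-06-01", 0, 1),
]


def load_catalogue(rows=SAMPLE_ACCOUNTS):
    """Load the constructed catalogue into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE accounts (
               name TEXT PRIMARY KEY,
               shipped_with_product INTEGER,
               password_changed INTEGER,
               last_login TEXT,
               is_admin INTEGER,
               public_login INTEGER)"""
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def names(conn, sql, params=()):
    """Run a query whose first column is an account name and return the names sorted."""
    return sorted(row[0] for row in conn.execute(sql, params))


def audit_accounts(conn, today, max_idle_days=90):
    """Run the checklist items as queries and return the offending account names per item."""
    return {
        # 1] shipped accounts whose password was never changed after install
        "default_password_unchanged": names(
            conn,
            "SELECT name FROM accounts WHERE shipped_with_product = 1 AND password_changed = 0",
        ),
        # 2] accounts idle for longer than the lock-out window
        "stale": names(
            conn,
            "SELECT name FROM accounts WHERE julianday(?) - julianday(last_login) > ?",
            (today.isoformat(), max_idle_days),
        ),
        # 4] accounts that still allow public (anonymous) login
        "public_access": names(conn, "SELECT name FROM accounts WHERE public_login = 1"),
        # 6] and 7] everyone holding administrative rights; more than one name means
        # the duties should be split and each admin's tasks listed explicitly
        "admins": names(conn, "SELECT name FROM accounts WHERE is_admin = 1"),
    }


if __name__ == "__main__":
    report = audit_accounts(load_catalogue(), date(2024, 6, 3))
    for check, offenders in report.items():
        print(f"{check:28s} {offenders}")
```

Each finding maps back to a numbered item, so the output doubles as the evidence an administrator needs when locking or removing an account. Adapting it to a real server means replacing the constructed table with the vendor's catalogue view; the queries themselves stay the same shape.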


        #4
        Re: How to Secure Database System without Specialized Products and Services

        Another way to secure a database is to evaluate the database configuration. This is vital, especially for determining security and operational integrity.

        Evaluate how the databases are configured. This can be done either using database queries and analysis of config files, or you can use the assessment tools that are offered for free. Also, first make sure to remove the modules and services that are not required and, once done, remove the packages as well. These services may not be secure; however, by removing them you are closing the open doors for hackers.

        Create a document containing a standard configuration baseline for databases and ensure that administrators follow the guidelines mentioned in the document for database configuration. This document will be very useful for admins to detect incorrectly configured systems. If possible, make use of scanning tools to discover your databases.

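A baseline document is only useful if it is compared against the live configuration, and that comparison needs no purchased tool. As an added example (not code from the thread), the script below parses a constructed `key = value` config file and reports every parameter that deviates from, or is missing against, a baseline table. The parameter names are postgresql.conf ones; the file contents and the baseline values are the example's own choices, not a vendor recommendation.

```python
import re

# Constructed sample configuration; the values are invented to show deviations.
SAMPLE_CONFIG = """
# connection settings
listen_addresses = '*'          # every interface
port = 5432
ssl = off
password_encryption = md5
log_connections = off
"""

# The team's baseline document, expressed as the value each parameter must have.
# These are illustrative choices for the example, not a vendor's recommendation.
BASELINE = {
    "listen_addresses": "localhost",
    "ssl": "on",
    "password_encryption": "scram-sha-256",
    "log_connections": "on",
    "log_disconnections": "on",
}

LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*)$")


def parse_config(text):
    """Parse `key = value` lines into a dict, dropping comments and surrounding quotes.
    Simplification: a '#' inside a quoted value would be treated as a comment start."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines the parser does not understand rather than guess
        key, value = match.group(1), match.group(2).strip().strip("'\"")
        settings[key] = value
    return settings


def check_baseline(settings, baseline):
    """Return (parameter, expected, actual) for each baseline entry that is not met.
    A parameter absent from the file is reported as '<missing>' so that a silent default
    does not pass as compliant."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, expected, "<missing>"))
        elif actual.lower() != expected.lower():
            findings.append((key, expected, actual))
    return findings


if __name__ == "__main__":
    for key, expected, actual in check_baseline(parse_config(SAMPLE_CONFIG), BASELINE):
        print(f"{key}: expected {expected!r}, found {actual!r}")
```

Run against each server's config file, the output is the list of incorrectly configured systems the post asks administrators to detect; parameters the baseline does not mention (such as `port` here) are deliberately ignored so the report stays readable.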


          #5
          Re: How to Secure Database System without Specialized Products and Services

          Maybe these things below can help you in tightening your database security:

          1. Make sure you have disabled the extended or external stored procedures.
          2. Check and make sure that the database owner account is on the local platform under which the database is actually installed. Ensure that domain administrator functions are not assigned to it.
          3. Ensure not to assign the database administrator's role to the domain administrator. Keep them separate.
          4. Make sure that the registry entries, import/export utilities, properties files and startup scripts are tied to the credentials of the local database owner.



            #6
            Re: How to Secure Database System without Specialized Products and Services

            That is very useful. Thanks for sharing it with us. It will surely help me.



              #7
              Re: How to Secure Database System without Specialized Products and Services

              Another way to secure a database system is to secure the communications to the databases. It is always better to ensure that communications with the database systems are private. You can encrypt all the sessions held between web applications and the database. In addition, you can change the databases' default port numbers to random values so that automated attacks are defeated. You can also block ad hoc connections to your databases. Ad hoc connections are spur-of-the-moment connections which are created for a particular reason and are shut down immediately when the purpose is completed.



                #8
                Re: How to Secure Database System without Specialized Products and Services

                I have heard that applying patches is also important for maintaining the security of almost any software. Is it true, and does it really help in improving the security of that particular software or database?



                  #9
                  Re: How to Secure Database System without Specialized Products and Services

                  Yes, you are right. Installation of patches is highly important in order to maintain security, whether it's software or a database. Running the software and database with the latest updates and security patches can lead to a serious security breach which can harm your data. To avoid such issues, administrators can build an atmosphere and implement a stability function check on database patches prior to production deployment. Never allow individual database administrators to download patches; instead, keep centralized, verified and approved copies of available patches. Also, make sure that whenever the database vendor releases a patch it is immediately synchronized with your internal patch cycle.

                  Most of the time, when you patch or alter a function it is not acceptable. In such a case, reconfigure it and see if you can manage to block the threat until a suitable patch is released by the vendor.



                    #10
                    Re: How to Secure Database System without Specialized Products and Services

                    Often, the reason for data breaches could be lost media. It is always recommended to protect your backup media using the methods that are offered free by the database vendor, which usually don't need modification of processes or applications. One of the methods used by many database vendors is Transparent Data Encryption (TDE). TDE provides encryption at various levels such as column, table, and tablespace. It also encrypts the database both on the hard drive and on the backup media.
