According to the Identity Theft Resource Center, over 222 million records were compromised in 2009. So far in 2010, there have been over 500 reported breaches. This breach escalation has proven that the threat is real and the list of victims is getting longer. No organization large or small is immune to the effects of database intruders and thieves. In fact, several companies long respected for their forward-thinking approach to IT security are among the breach victims.
The experience and knowledge of our technical experts as well as the lessons learned from over 2,500 installations has led us to identify the 10 “Best Practices” for Database Security. By proactively implementing the following these 10 steps, an organization can reduce their risk exposure and ensure that they are on the fast track to database security success.
1. Establish a Baseline
Assess the current level of database security and establish a baseline for future comparison. This simple effort will pay large dividends by allowing an organization to benchmark and demonstrate progress moving forward.
2. Recognize Vulnerabilities and Exploitation Methodologies
Vulnerabilities fall into many classes – some simple and some complex. The following list describes some of the more common vulnerability examples:
a. Vendor bugs. Vendor bugs, including programming errors such as buffer overflows, can lead to users having the ability to execute improper and dangerous commands on the database. As these critical bugs are discovered, vendors release patches to eliminate the associated vulnerabilities.
b. Poor architecture. If security is not properly factored into the design of how an application works, the resulting vulnerabilities are typically very difficult to fix. Examples of poor architecture include weak forms of encryption or improper key storage.
c. Misconfigurations. Many database configuration options can be set in a manner that compromise security. In fact, in some cases, by default, parameters are set insecurely. In other cases, these issues are not problematic unless the default configuration is changed.
3. Prioritize Vulnerability Remediation
Once an organization has established a baseline of its security posture and understands the severity of the identified vulnerabilities, it can begin the process of prioritizing fixes and mitigating risk.
4. Continuously Monitor & Maintain Systems
Database security is an ongoing process. Security professionals must continually monitor systems to ensure compliance while they evaluate and respond to the changing threat environment.
5. Automate Activities
Where much of security involves regular assessments and validation, the day-to-day work can quickly decline into tedium and get overlooked. Through automation of security processes, security professionals can schedule routine tasks and reports.
6. Stay Patched
Intruders seek out known vulnerabilities and will exploit them whenever possible. A crucial element of securing the database is to ensure that patches are implemented in a timely manner and known vulnerabilities are monitored in real-time.
7. Audit Systems Regularly and Address Issues as They Arise
Conducting regular audits will ensure that security policies are on track and will help to identify irregularities or potential breaches before it’s too late. Utilizing security auditing tools will assist in monitoring and recording what is happening within the database as well as provide alerts when suspicious or abnormal activity occurs.
8. Apply Real-Time Intrusion Detection to Critical Systems
Audits and vulnerability assessments serve as excellent starting points to address security risks. This baseline information should be augmented with real-time detection policies. Implementing an alert system that delivers intrusion detection warnings in real-time ensures up-to-the-minute security awareness.
9. Avoid Relying Exclusively on Perimeter Security to Protect Your Systems
Protecting data at its source, the database, is essential to preventing breaches and data loss. Even with traditional perimeter security measures in place, the best way to defend against data harvesting is to rely on a layered defense model that necessarily includes the database.
10. Trust but Verify
Whether malicious or not, increased database access raises the potential of “insider threats”. An organization is best served by trusting those parties with database access while verifying, via permissions, their access control and defined roles as well as monitoring in real time that their behavior falls within authorized activity.
Maintaining security best-practices is not an easy task, but a well thought out security plan can keep an organization’s sensitive data out of harm’s way.
Founded in 2001, Application Security, Inc. (AppSec) has pioneered database security, risk, and compliance solutions for the enterprise. AppSec empowers organizations to assess, monitor and protect their most critical database assets in real time, while simplifying audits, monitoring risk, and automating compliance requirements.
As the leading provider of cross platform solutions for the enterprise, AppSec’s products – AppDetectivePro for auditors and IT advisors, and DbProtect for the enterprise – deliver the industry’s most comprehensive database security solution. With over 2,500 customers in 130 countries, AppSec is headquartered in New York City and has offices throughout North America and the United Kingdom.
Address: 350 Madison Avenue, New York, NY 10017 www.appsecinc.com 212.912.4100