Security information and event management tools can also be used alongside DAM tools, combining operating system and network log data with DAM information that ties specific actions to the identities of their perpetrators. This provides greater visibility over the network, which is useful for forensic investigation purposes.
Two other essential steps to take for database security are ensuring only strong passwords are used and encrypting data. All too often, default passwords are not changed or users set weak passwords, such as just using the term "administrator" and allowing many users to share such credentials. Not only are such passwords easy to guess, making it easy for an attacker to breach database security, but the sharing of credentials among users makes it all but impossible to tie actions and malicious behavior to a specific individual or to show a secure audit trail. To further protect information in the database from unauthorized access, all data should be held in the database in encrypted form, with access to the encryption keys tightly controlled and monitored.
One further area to consider is that of employee security and awareness training to ensure that all employees are aware of the organization’s security policies and required best practices. Employees should receive training on joining the organization, as well as ongoing training to constantly reinforce the messages. Constantly reinforced training, along with technology controls such as DAM and auditing, is considered to be best practice in preventing sensitive information from being compromised through human error, such as a user being taken in by a phishing attack.
Security patches and other database tools
Where vulnerabilities are encountered, it is essential that they are eliminated wherever possible. In many cases, this can be achieved by applying security patches. However, technology vendor McAfee cautions that the process of testing and deploying patches is an ongoing, arduous process that results in a time window of system vulnerabilities until IT staff can bring business-critical databases offline and deploy patches. In 2010, Unisphere Research, a division of Information Today, Inc., conducted a survey for the Independent Oracle Users Group (IOUG) among 430 database administrators, consultants and developers and found that only 37% installed Oracle critical patch updates within three months of their release.
McAfee offers technology for deploying virtual patches for databases to protect data held in databases during the time window between the issuance of vendor-supplied patches and their actual installation. The technology uses a sensor placed on each database server that looks to detect attempts to exploit known vulnerabilities as well as common hacking techniques, issuing alerts, terminating the session, placing the user in quarantine or blocking traffic from specific IP addresses if problems are encountered. Since the virtual patch is read only, it makes no changes to the database software, requires no downtime and does not need the same level of testing as physical patches.
Organizations should also look closely at configurations. It is recommended that they remove all database functions and options that are not actually used. To check that configurations remain in a good state, change auditing tools are available that compare configuration snapshots and provide alerts when misconfigurations are encountered that affect the overall security posture. Many such tools allow organizations to revert to the original hardened configuration.
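The snapshot comparison described above can be sketched as follows. This is an added example, not code from the article or from any vendor's tool; the setting names, their values and the list of security-relevant settings are constructed assumptions rather than parameters of a real database product.

```python
# Constructed snapshots; setting names and values are illustrative, not from a real DBMS.
BASELINE = {"audit_logging": "on", "remote_admin": "off", "tls_required": "on",
            "password_min_length": 14, "max_connections": 200}
CURRENT = {"audit_logging": "off",       # auditing switched off
           "remote_admin": "off", "tls_required": "on",
           "password_min_length": 8,     # password policy weakened
           "max_connections": 300,       # operational change, not security-relevant
           "debug_extension": "on"}      # unused option enabled after hardening

# Assumption: the settings this organization treats as affecting security posture.
SECURITY_RELEVANT = {"audit_logging", "remote_admin", "tls_required", "password_min_length"}


def diff_snapshots(baseline, current):
    """Return (setting, kind, baseline_value, current_value) for every difference."""
    findings = []
    for key in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(key), current.get(key)
        if key not in current:
            findings.append((key, "removed", old, None))
        elif key not in baseline:
            findings.append((key, "added", None, new))
        elif old != new:
            findings.append((key, "changed", old, new))
    return findings


def alerts(findings):
    """Alert on drift in security-relevant settings and on any option added since hardening."""
    return [f for f in findings if f[0] in SECURITY_RELEVANT or f[1] == "added"]


def revert(current, findings):
    """Return a copy of `current` restored to the baseline values."""
    restored = dict(current)
    for key, kind, old, _new in findings:
        if kind == "added":
            restored.pop(key)
        else:
            restored[key] = old
    return restored


if __name__ == "__main__":
    drift = diff_snapshots(BASELINE, CURRENT)
    for key, kind, old, new in alerts(drift):
        print(f"ALERT {key}: {kind} (baseline={old!r}, current={new!r})")
    print("restored to baseline:", revert(CURRENT, drift) == BASELINE)
```

Any option that appears after hardening raises an alert even when it is not on the security-relevant list, in line with the recommendation to remove functions and options that are not actually used.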
About the Author
Fran Howarth is a principal analyst with Bloor Research, a European IT research company. A member of "Who's Who in e-Business" and a past judge for the Codie awards in security categories, Ms. Howarth has worked as a consultant and analyst for 20 years, including at the Aberdeen Group, KPMG Consulting, the Economic Intelligence Unit, and Quocirca Ltd. She is a frequent contributor to Faulkner's Security Management Practices publication, and may be reached via email: fhowarth@gmail.com.
This article is based on a comprehensive report published by Faulkner Information Services, a division of Information Today, Inc., that provides a wide range of reports in the IT, telecommunications, and security fields. For more information, visit www.faulkner.com.
Copyright 2013, Faulkner Information Services. All Rights Reserved.