Most organizations, whether public or private sector, are facing exponential increases in the amount of information and data that they need to continuously track, manage, and protect to ensure organizational success, continuity of operations and long-term viability.
While many attackers still focus on denial of service attacks, cybercriminals often target the database because that is where the sensitive information resides that interests someone looking to steal credit card numbers or personal identities. With so much at risk, those responsible for and in control of the resources required to secure the databases must assume the role of stewards of the data and ensure that business operations are not threatened.
Here are a few best practices that can assist all organizations, regardless of industry or size, to secure their databases to make potential attackers move on to an easier target:
1. Separate the Database and Web Servers
Always keep the database server separate from the web server.
Most vendors try to make things easier by creating the database on the same server on which the application is installed. This also makes it easier for an attacker to access the data, because they only need to compromise the administrator account of one server to have access to everything.
Recommendation: Install the database on a separate database server located behind a firewall, not in the DMZ with the web server. While this makes for a more complicated setup, the security benefits outweigh the additional technical efforts required.
2. Encrypt Stored Files and Backups
The stored files of a web application often contain the information the software needs to connect to its databases. This information, if stored in plain text as many default installations do, provides the keys an attacker needs to access sensitive data.
Not all data theft or destruction happens as a result of an outside attack. Sometimes employees who were once trusted can be compelled to steal or destroy data as well. In addition, data subject to regulation (HIPAA, SOX, DoD, etc.) must be encrypted whenever the storage media is outside your security authority.
Recommendation: Encrypt any files that have value to the organization and are stored on the application or database server. If they have value to your organization, they are of value to an attacker.
3. Use a Web Application Firewall (WAF)
Many people are under the misconception that protecting the web server has nothing to do with the database. This is not true. In addition to protecting a site against cross-site scripting vulnerabilities and website vandalism, a good application firewall can thwart SQL injection attacks as well. By blocking the SQL queries an attacker tries to inject, the firewall helps keep the sensitive information stored in the database away from attackers.
Recommendation: Employ web application firewalls.
All web applications are available to customers/constituents—as well as attackers—24x7x365. For this reason, traditional IT security systems, such as firewalls or IDS/IPS, may be unable to guard against these attacks or do not offer comprehensive protection.
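The following is an added example, not code from the original article, that shows the SQL injection the WAF is meant to stop: a lookup that splices the request parameter into the query text beside the parameterized form that cannot be altered by input, plus a deliberately simple request-parameter check of the kind a WAF rule applies. The table, rows and tainted input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table standing in for the customer database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO users (username, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1111")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Builds the statement by string formatting, so the request parameter becomes
    # part of the SQL text and a crafted value rewrites the WHERE clause.
    sql = "SELECT username, card_last4 FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterized query: the driver sends the value separately from the statement,
    # so whatever the parameter contains is compared as data, never run as SQL.
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def looks_like_injection(value):
    # Hypothetical, deliberately crude signature check illustrating the request
    # inspection a WAF performs in front of the application. It is a detection
    # layer to be used alongside parameterized queries, not instead of them.
    lowered = value.lower()
    return "'" in value and (" or " in lowered or "--" in value or ";" in value)


if __name__ == "__main__":
    conn = make_db()
    tainted = "x' OR '1'='1"           # constructed injection payload
    print(lookup_vulnerable(conn, tainted))   # every row in the table
    print(lookup_safe(conn, tainted))         # no rows: no user is literally named that
    print(looks_like_injection(tainted))      # True: the WAF-style check flags the request
```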
4. Keep Patches Current
Websites that use unpatched third-party applications, components, plug-ins, and add-ons are more susceptible to exploitation than those that have been patched.
Recommendation: Keep patches current to the most recent release.
5. Enable Security Controls
Though most databases enable security controls by default, administrators should always check the security controls to confirm that this is the case. It is important to remember that although most organizations rely on a web developer to create a secure system, the DBA is ultimately responsible for ensuring that security is maintained once development and implementation are complete.
Recommendation: Enable security controls on all databases and do not assume that this is the default. Ensure that there are corresponding business processes in place.
DBAs Play a Key Role in Security
DBAs play an increasingly crucial role in security. The consequences of not safeguarding data or failing to comply with regulations for data security can include significant fines and jeopardize business operations and the reputation of your organization.
John Matelski is CIO and director of information technology for DeKalb County Government (Georgia) as well as president of the Independent Oracle Users Group.