5 Key Steps to Ensuring Database Security

<< back Page 2 of 2

Security information and event management (SIEM) tools can also be used in combination with DAM tools: operating system and network log data is combined with DAM records that are tied to the identities of the people who performed specific actions, giving greater visibility across the network, which is useful for forensic investigation.

Two other essential steps to take for database security are ensuring only strong passwords are used and encrypting data. All too often, default passwords are not changed or users set weak passwords, such as just using the term "administrator" and allowing many users to share such credentials. Not only are such passwords easy to guess, making it easy for an attacker to breach database security, but the sharing of credentials among users makes it all but impossible to tie actions and malicious behavior to a specific individual or to show a secure audit trail. To further protect information in the database from unauthorized access, all data should be held in the database in encrypted form, with access to the encryption keys tightly controlled and monitored.
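The two points above, tying DAM records to an OS identity for forensics and detecting database accounts that several people share, can be combined in one piece of correlation logic. The following is an added example, not code from the article or from any DAM or SIEM product; the log formats, host names, account names and timestamps are all constructed for illustration.

```python
"""Correlate database activity monitoring (DAM) records with OS login records so
that each database action is tied to the person logged in on the client host at
that time, and flag database accounts used by more than one person (shared
credentials, which break the audit trail)."""
from collections import defaultdict
from datetime import datetime

# Constructed OS login log: (host, os_user, session start, session end).
OS_LOGINS = [
    ("ws-101", "alice", "2013-05-01T08:55:00", "2013-05-01T17:05:00"),
    ("ws-102", "bob",   "2013-05-01T09:10:00", "2013-05-01T12:30:00"),
    ("ws-102", "carol", "2013-05-01T13:00:00", "2013-05-01T18:00:00"),
]

# Constructed DAM records: (timestamp, db account, client host, statement).
DAM_EVENTS = [
    ("2013-05-01T09:02:00", "reporting",     "ws-101", "SELECT * FROM customers"),
    ("2013-05-01T10:15:00", "administrator", "ws-102", "GRANT DBA TO reporting"),
    ("2013-05-01T14:20:00", "administrator", "ws-102", "DROP TABLE audit_log"),
    ("2013-05-01T19:00:00", "administrator", "ws-103", "SELECT * FROM payroll"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def resolve_identity(host, when, logins=OS_LOGINS):
    """Return the OS user logged in on `host` at `when`, or None if nobody was."""
    for h, user, start, end in logins:
        if h == host and parse(start) <= when <= parse(end):
            return user
    return None


def build_timeline(events=DAM_EVENTS, logins=OS_LOGINS):
    """Attach an OS identity to each DAM event, giving a forensic timeline."""
    timeline = []
    for ts, db_account, host, stmt in events:
        who = resolve_identity(host, parse(ts), logins)
        timeline.append({"time": ts, "db_account": db_account, "host": host,
                         "statement": stmt, "os_user": who})
    return timeline


def shared_accounts(timeline):
    """Database accounts used by more than one distinct OS identity, or by an
    identity that could not be resolved, cannot support a per-person audit
    trail; return them with the identities seen."""
    users = defaultdict(set)
    for e in timeline:
        users[e["db_account"]].add(e["os_user"] or "<unknown>")
    return {acct: sorted(u) for acct, u in users.items() if len(u) > 1}


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e)
    print("shared accounts:", shared_accounts(tl))
```

On the constructed data the `administrator` account resolves to bob in the morning, carol in the afternoon and nobody at all for the evening session from an unlisted host, which is exactly the situation the text describes: the actions are visible, but no single person can be held to them.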

One further area to consider is employee security and awareness training, to ensure that all employees know the organization's security policies and required best practices. Employees should receive training on joining the organization, as well as ongoing training that constantly reinforces the messages. Constantly reinforced training, alongside technology controls such as DAM and auditing, is considered best practice for preventing sensitive information from being compromised through human error, for example by a user being taken in by a phishing attack.

Security patches and other database tools

Where vulnerabilities are encountered, it is essential that they are eliminated wherever possible. In many cases, this can be achieved by applying security patches. However, technology vendor McAfee cautions that testing and deploying patches is an ongoing, arduous process, leaving a window during which systems remain vulnerable until IT staff can take business-critical databases offline and deploy the patches. In 2010, Unisphere Research, a division of Information Today, Inc., conducted a survey for the Independent Oracle Users Group (IOUG) among 430 database administrators, consultants and developers and found that only 37% installed Oracle critical patch updates within three months of their release.

McAfee offers technology for deploying virtual patches for databases to protect data held in databases during the window between the issuance of vendor-supplied patches and their actual installation. The technology uses a sensor placed on each database server that detects attempts to exploit known vulnerabilities as well as common hacking techniques; when problems are encountered it issues alerts, terminates the session, places the user in quarantine or blocks traffic from specific IP addresses. Since the virtual patch is read-only, it makes no changes to the database software, requires no downtime and does not need the same level of testing as physical patches.

Organizations should also look closely at configurations. It is recommended that they remove all database functions and options that are not actually used. To check that configurations remain in a good state, change auditing tools are available that compare configuration snapshots and provide alerts when misconfigurations are encountered that affect the overall security posture. Many such tools allow organizations to revert to the original hardened configuration.
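The snapshot comparison described above can be illustrated with a small drift checker. This is an added example, not code from the article or from any configuration-auditing product: the baseline, the setting names and the drifted snapshot are constructed for illustration and are not a real database's parameter list.

```python
"""Compare a database configuration snapshot against a hardened baseline,
report drift (with higher severity for security-relevant settings), and
produce the settings that must be reapplied to revert to the baseline."""

# Constructed hardened baseline: unused features off, auditing on.
BASELINE = {
    "remote_os_auth": "FALSE",
    "audit_trail": "DB",
    "unused_feature_xml_db": "FALSE",
    "external_procedures": "FALSE",
    "sample_schemas_installed": "FALSE",
    "failed_login_attempts": "5",
    "processes": "300",          # capacity setting, not a security control
}

# Settings whose change away from the baseline weakens the security posture.
SECURITY_RELEVANT = {
    "remote_os_auth", "audit_trail", "unused_feature_xml_db",
    "external_procedures", "sample_schemas_installed", "failed_login_attempts",
}

# Constructed current snapshot: auditing switched off, OS authentication
# re-enabled, a capacity change and a new option that is not in the baseline.
DRIFTED = {
    "remote_os_auth": "TRUE",
    "audit_trail": "NONE",
    "unused_feature_xml_db": "FALSE",
    "external_procedures": "FALSE",
    "sample_schemas_installed": "FALSE",
    "failed_login_attempts": "5",
    "processes": "400",
    "new_option": "ON",
}


def diff_snapshot(current, baseline=BASELINE):
    """Return a list of (key, baseline_value, current_value, severity).
    Keys present in the snapshot but absent from the baseline are reported as
    informational drift so that newly enabled options are not missed."""
    findings = []
    for key, expected in baseline.items():
        actual = current.get(key, "<missing>")
        if actual != expected:
            severity = "HIGH" if key in SECURITY_RELEVANT else "INFO"
            findings.append((key, expected, actual, severity))
    for key in sorted(current.keys() - baseline.keys()):
        findings.append((key, "<not in baseline>", current[key], "INFO"))
    return findings


def revert_plan(current, baseline=BASELINE):
    """Baseline settings that differ from the snapshot, i.e. what must be
    reapplied to return to the hardened configuration."""
    return {k: v for k, v in baseline.items() if current.get(k) != v}


if __name__ == "__main__":
    for key, expected, actual, severity in diff_snapshot(DRIFTED):
        print(f"[{severity}] {key}: baseline={expected} current={actual}")
    print("revert:", revert_plan(DRIFTED))
```

In practice the baseline snapshot would be taken immediately after hardening and the comparison run on a schedule, with any HIGH finding raising an alert; the revert plan is the set of settings an administrator (or the tool) reapplies, which is the "revert to the original hardened configuration" capability the text mentions.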

About the Author

Fran Howarth is a principal analyst with Bloor Research, a European IT research company. A member of "Who's Who in e-Business" and a past judge for the Codie awards in security categories, Ms. Howarth has worked as a consultant and analyst for 20 years, including at the Aberdeen Group, KPMG Consulting, the Economic Intelligence Unit, and Quocirca Ltd. She is a frequent contributor to Faulkner's Security Management Practices publication, and may be reached via email:

This article is based on a comprehensive report published by Faulkner Information Services, a division of Information Today, Inc., that provides a wide range of reports in the IT, telecommunications, and security fields. For more information, visit

To subscribe to the Faulkner Information Services, visit

Copyright 2013, Faulkner Information Services. All Rights Reserved.
