What is Database Security?
Database security includes a variety of measures used to secure database management systems from malicious cyber-attacks and illegitimate use. Database security programs are designed to protect not only the data within the database, but also the data management system itself, and every application that accesses it, from misuse, damage, and intrusion.
Database security encompasses tools, processes, and methodologies which establish security inside a database environment.
Database Security Threats
Many software vulnerabilities, misconfigurations, or patterns of misuse or carelessness could result in breaches. Here are a number of the most known causes and types of database security cyber threats.
Insider Threats
An insider threat is a security risk from one of the following three sources, each of which has privileged means of entry to the database:
- A malicious insider with ill-intent
- A negligent person within the organization who exposes the database to attack through careless actions
- An outsider who obtains credentials through social engineering or other methods, or gains access to the database’s credentials
An insider threat is one of the most typical causes of database security breaches and it often occurs because a lot of employees have been granted privileged user access.
Blog: How Insider Threats Drive Better Data Protection Strategies.
Human Error
Weak passwords, password sharing, accidental erasure or corruption of data, and other undesirable user behaviors are still the cause of almost half of data breaches reported.
Exploitation of Database Software Vulnerabilities
Attackers constantly attempt to isolate and target vulnerabilities in software, and database management software is a highly valuable target. New vulnerabilities are discovered daily, and all open source database management platforms and commercial database software vendors issue security patches regularly. However, if you don’t use these patches quickly, your database might be exposed to attack.
Even if you do apply patches on time, there is always the risk of zero-day attacks, when attackers discover a vulnerability, but it has not yet been discovered and patched by the database vendor.
Blog: Imperva Protects from New Spring Framework Zero-Day Vulnerabilities.
SQL/NoSQL Injection Attacks
A database-specific threat involves the use of arbitrary non-SQL and SQL attack strings into database queries. Typically, these are queries created as an extension of web application forms, or received via HTTP requests. Any database system is vulnerable to these attacks, if developers do not adhere to secure coding practices, and if the organization does not carry out regular vulnerability testing.
Buffer Overflow Attacks
Buffer overflow takes place when a process tries to write a large amount of data to a fixed-length block of memory, more than it is permitted to hold. Attackers might use the excess data, kept in adjacent memory addresses, as the starting point from which to launch attacks.
Denial of Service (DoS/DDoS) Attacks
In a denial of service (DoS) attack, the cybercriminal overwhelms the target service—in this instance the database server—using a large amount of fake requests. The result is that the server cannot carry out genuine requests from actual users, and often crashes or becomes unstable.
In a distributed denial of service attack (DDoS), fake traffic is generated by a large number of computers, participating in a botnet controlled by the attacker. This generates very large traffic volumes, which are difficult to stop without a highly scalable defensive architecture. Cloud-based DDoS protection services can scale up dynamically to address very large DDoS attacks.
Malware
Malware is software written to take advantage of vulnerabilities or to cause harm to a database. Malware could arrive through any endpoint device connected to the database’s network. Malware protection is important on any endpoint, but especially so on database servers, because of their high value and sensitivity.
An Evolving IT Environment
The evolving IT environment is making databases more susceptible to threats. Here are trends that can lead to new types of attacks on databases, or may require new defensive measures:
- Growing data volumes—storage, data capture, and processing is growing exponentially across almost all organizations. Any data security practices or tools must be highly scalable to address distant and near-future requirements.
- Distributed infrastructure—network environments are increasing in complexity, especially as businesses transfer workloads to hybrid cloud or multi-cloud architectures, making the deployment, management, and choice of security solutions more difficult.
- Increasingly tight regulatory requirements—the worldwide regulatory compliance landscape is growing in complexity, so following all mandates are becoming more challenging.
- Cybersecurity skills shortage—there is a global shortage of skilled cybersecurity professionals, and organizations are finding it difficult to fill security roles. This can make it more difficult to defend critical infrastructure, including databases.
How Can You Secure Your Database Server?
A database server is a physical or virtual machine running the database. Securing a database server, also known as “hardening”, is a process that includes physical security, network security, and secure operating system configuration.
Ensure Physical Database Security
Refrain from sharing a server for web applications and database applications, if your database contains sensitive data. Although it could be cheaper, and easier, to host your site and database together on a hosting provider, you are placing the security of your data in someone else’s hands.
If you do rely on a web hosting service to manage your database, you should ensure that it is a company with a strong security track record. It is best to stay clear of free hosting services due to the possible lack of security.
If you manage your database in an on-premise data center, keep in mind that your data center is also prone to attacks from outsiders or insider threats. Ensure you have physical security measures, including locks, cameras, and security personnel in your physical facility. Any access to physical servers must be logged and only granted to authorized individuals.
In addition, do not leave database backups in locations that are publicly accessible, such as temporary partitions, web folders, or unsecured cloud storage buckets.
Lock Down Accounts and Privileges
Let’s consider the Oracle database server. After the database is installed, the Oracle database configuration assistant (DBCA) automatically expires and locks most of the default database user accounts.
If you install an Oracle database manually, this doesn’t happen and default privileged accounts won’t be expired or locked. Their password stays the same as their username, by default. An attacker will try to use these credentials first to connect to the database.
It is critical to ensure that every privileged account on a database server is configured with a strong, unique password. If accounts are not needed, they should be expired and locked.
For the remaining accounts, access has to be limited to the absolute minimum required. Each account should only have access to the tables and operations (for example, SELECT or INSERT) required by the user. Avoid creating user accounts with access to every table in the database.
Regularly Patch Database servers
Ensure that patches remain current. Effective database patch management is a crucial security practice because attackers are actively seeking out new security flaws in databases, and new viruses and malware appear on a daily basis.
A timely deployment of up-to-date versions of database service packs, critical security hotfixes, and cumulative updates will improve the stability of database performance.
Disable Public Network Access
Organizations store their applications in databases. In most real-world scenarios, the end-user doesn’t require direct access to the database. Thus, you should block all public network access to database servers unless you are a hosting provider. Ideally, an organization should set up gateway servers (VPN or SSH tunnels) for remote administrators.
Encrypt All Files and Backups
Irrespective of how solid your defenses are, there is always a possibility that a hacker may infiltrate your system. Yet, attackers are not the only threat to the security of your database. Your employees may also pose a risk to your business. There is always the possibility that a malicious or careless insider will gain access to a file they don’t have permission to access.
Encrypting your data makes it unreadable to both attackers and employees. Without an encryption key, they cannot access it, this provides a last line of defense against unwelcome intrusions. Encrypt all-important application files, data files, and backups so that unauthorized users cannot read your critical data.
Database Security Best Practices
Here are several best practices you can use to improve the security of sensitive databases.
Actively Manage Passwords and User Access
If you have a large organization, you must think about automating access management via password management or access management software. This will provide permitted users with a short-term password with the rights they need every time they need to gain access to a database.
It also keeps track of the activities completed during that time frame and stops administrators from sharing passwords. While administrators may feel that sharing passwords is convenient, however, doing so makes effective database accountability and security almost impossible.
In addition, the following security measures are recommended:
- Strong passwords must be enforced
- Password hashes must be salted and stored encrypted
- Accounts must be locked following multiple login attempts
- Accounts must be regularly reviewed and deactivated if staff move to different roles, leave the company, or no longer require the same level of access
Test Your Database Security
Once you have put in place your database security infrastructure, you must test it against a real threat. Auditing or performing penetration tests against your own database will help you get into the mindset of a cybercriminal and isolate any vulnerabilities you may have overlooked.
To make sure the test is comprehensive, involve ethical hackers or recognized penetration testing services in your security testing. Penetration testers provide extensive reports listing database vulnerabilities, and it is important to quickly investigate and remediate these vulnerabilities. Run a penetration test on a critical database system at least once per year.
Use Real-Time Database Monitoring
Continually scanning your database for breach attempts increases your security and lets you rapidly react to possible attacks.
In particular, File Integrity Monitoring (FIM) can help you log all actions carried out on the database’s server and to alert you of potential breaches. When FIM detects a change to important database files, ensure security teams are alerted and able to investigate and respond to the threat.
Use Web Application and Database Firewalls
You should use a firewall to protect your database server from database security threats. By default, a firewall does not permit access to traffic. It needs to also stop your database from starting outbound connections unless there is a particular reason for doing so.
As well as safeguarding the database with a firewall, you must deploy a web application firewall (WAF). This is because attacks aimed at web applications, including SQL injection, can be used to gain illicit access to your databases.
A database firewall will not stop most web application attacks, because traditional firewalls operate at the network layer, while web application layers operate at the application layer (layer 7 of the OSI model). A WAF operates at layer 7 and is able to detect malicious web application traffic, such as SQL injection attacks, and block it before it can harm your database.
Imperva Database Security
Imperva provides an industry-leading Web Application Firewall, which can prevent web application attacks that affect databases, including SQL injection. We also provide file integrity protection (FIM) and file security technology, defending sensitive files from cybercriminals and malicious insiders.
In addition, Imperva protects all cloud-based data stores to ensure compliance and preserve the agility and cost benefits you get from your cloud investments:
Cloud Data Security – Simplify securing your cloud databases to catch up and keep up with DevOps. Imperva’s solution enables cloud-managed services users to rapidly gain visibility and control of cloud data.
Database Security – Imperva delivers analytics, protection, and response across your data assets, on-premise and in the cloud – giving you the risk visibility to prevent data breaches and avoid compliance incidents. Integrate with any database to gain instant visibility, implement universal policies, and speed time to value.
Data Risk Analysis – Automate the detection of non-compliant, risky, or malicious data access behavior across all of your databases enterprise-wide to accelerate remediation.
