Comments on: The Soft Underbelly? - Database Security

By: Make DBAs Part of the Solution - Executive Briefing

Make DBAs Part of the Solution - Executive Briefing — Sun, 12 Aug 2007 18:28:32 +0000

[...] lack of a role in database security is ironic. Nowhere else in a modern organization does more valuable data reside than in the databases. And the problems are piling up. This week, Oracle was slated to release a whopping 46 patches for [...]

By: Sandeep Nain

Sandeep Nain — Wed, 18 Jul 2007 04:47:45 +0000

Nice post Slavik…

Keep it up…

By: Slavik

Slavik — Tue, 17 Jul 2007 23:19:11 +0000

There a lots of things a company can do to secure its databases, and many people (including myself) make a living out of doing exactly that. Some of the main things are:
1. Only install what you need - DBMSs are full of features, not all of them required for every kind of installation. The more optional features you install, the larger the possible attack surface for hackers. You can get attacked through a vulnerability in a component you weren’t even using - completely unnecessary.
2. Change all default passwords and users and regularly check for default/weak passwords - sounds simple, but you’ll be amazed how many companies still have those lying around.
3. Grant least privileges - even seemingly innocent VIEW privileges can be an opening for exploits.
4. Use secure coding practices - for example, using bind variables will greatly help in preventing vulnerability to SQL injection
5. Encrypt sensitive data - it’s another security layer, in case some of the other measures fail, and it’s also a requirement for some regulatory compliance audits
6. Use security monitoring and auditing tools - this is not necessarily a huge investment, and will provide you with visibility into what’s going on in the database - who’s doing what, where and when.

Just my 2 cents…

By: TheRealDonQuixote

TheRealDonQuixote — Tue, 17 Jul 2007 01:12:04 +0000

Here’s a tip for all you MBA’s out there running corporate America. Hire some pentesters to remain on your IT staff purely to keep testing your companies’ security, including your actual data in your DB’s. Pay them well, not just cause they deserve it, but so they don’t have wandering thoughts of more money. Then, talk to them, learn about the basics of information security.

Oh, and stop leaving huge printouts of reports all over the place. Not EVERYONE in the company needs a printed copy of all your sensitive info for your weekly team update or whatever. Remember, social engineering and dumpster diving is a large part of data gathering and subsequently hacking your company into non-existence or just costing you and yours a buttload of money and time.

There, now America is safe. XD

By: Sandeep Nain

Sandeep Nain — Tue, 17 Jul 2007 00:53:41 +0000

Corporates still believe that their business critical data is very secure if they have a firewall infront of their DB server and I have also seen many DBAs assuring the management that DB is safe as they have put fine grained controls for database access.

But (as We all know) the hackers are now moving towards the application layer from network layer. therefore corporates must put some efforts in making their s/w applications secure (applications which are interacting with those corporate databases). Special consideration should be given to authentication and access control mechanisms…

e.g. If there is a flaw in authentication system of a web application, a hacker may be able to log in as administrator and destory the business critical data.

By: backbone

backbone — Mon, 16 Jul 2007 23:42:22 +0000

i think that the db’s will be even tomorrow… they are the biggest step in data storying systems… can’t see something better that databases… just improvements…

By: Ful Stomach

Ful Stomach — Mon, 16 Jul 2007 23:09:50 +0000

It’s interesting that this article is posted today, cause it was only yesterday I was thinking “WoW another SQL injection HaX”. I haven’t been back to look at the related articles, but from memory, this site seems to reflect the fact that there are allot of techniques/tools for compromising insecure databases.

Just a thought, if it’s databases today, then what will be tomorrow?

By: Cyanide

Cyanide — Mon, 16 Jul 2007 20:02:53 +0000

Some of the things you can do for databases are simple things like row permissions and just finer grained controls including what a user can and cant do on certain rows or a db.

Other examples are putting your db servers at the center of a “Onion” security model where the databases are the most protected asset to a company and putting firewalls in front of certain database servers that only allow certain hosts to access to the server. You should look at the overall network design though when doing this and do it conjunction with other methods like network segmentation.

By: backbone

backbone — Mon, 16 Jul 2007 17:40:49 +0000

the thing is that I didn’t see any tips on how to secure your database… of course it’s a stupid think to leave not passworded your database, but beyond that never seen quite good tips =))))

By: SN

SN — Mon, 16 Jul 2007 14:23:25 +0000

very interesting .. security is important, but I guess data is even more important for security purposes ($$$)