5 Key Steps to Ensuring Database Security

Databases often contain extremely sensitive information that must be protected from security vulnerabilities and exploits. All organizations need to work on a continual basis to identify and remediate those vulnerabilities using a variety of tools that are available. In addition to doing monitoring and security assessments constantly, it is vital that the results are analyzed and properly audited so that an organization can not only ensure that its database security posture is sound, but also demonstrate compliance with regulations that demand high levels of security be applied to sensitive data.


Almost all organizations use databases in some form for tracking information such as customer and transaction records, financial information, and human resources records. Much of the information contained in databases is sensitive and can be sold for cash or, such as in cases of theft by a disgruntled employee or by a hacker with political motivations, to cause the organization loss of business or reputation, especially if the organization is found to be in breach of regulations or industry standards that demand high levels of data security.

According to the 2012 data breach investigations report published by Verizon Business, 96% of records breached in 2011 were taken from database servers. Of these, 55% exploited default or guessable credentials and 40% the use of stolen login credentials. And, according to another study among data professionals conducted by Unisphere Research, a division of Information Today, Inc., for the IOUG little more than one-third of the 430 respondents install 37% critical patch updates within three months of their release.

See also  How to Install phpMyAdmin on CentOS 5.8 using EPEL Repository

According to technology vendor Application Security, Inc., the following are the top 10 threats related to databases:

  1. Default or weak passwords
  2. SQL injection
  3. Excessive user and group privileges
  4. Unnecessary DBMS features enabled
  5. Broken configuration management
  6. Buffer overflows
  7. Privilege escalation
  8. Denial of service
  9. Un-patched RDBMS
  10. Unencrypted data


There are 5 key steps to ensuring database security, according to Applications Security, Inc.

  1. Isolate sensitive databases—maintain an accurate inventory of all databases deployed across the enterprise and identify all sensitive data residing on those databases.
  2. Eliminate vulnerabilities—continually assess, identify and remediate vulnerabilities that expose the database.
  3. Enforce least privileges—identify user entitlements and enforce user access controls and privileges to limit access to only the minimum data required for employees to do their jobs.
  4. Monitor for deviations—implement appropriate policies and monitor any vulnerabilities that cannot be remediated for any and all activity the deviates from authorized activity.
  5. Respond to suspicious behavior—alert and respond to any abnormal or suspicious behavior in real time to minimize risk of attack.


The first step for ensuring database security is to develop a database security plan, taking into account regulations such as Sarbanes-Oxley and industry standards such as the Payment Card Industry Data Security Standards with which the organization must comply. The use of a standard checklist is to be advised, rather than trying to develop a security plan from scratch. Examples of such as checklist include those available from the information assurance support environment website, sponsored by the U.S. Defense Information Systems Agency or the Center for Internet Security.

See also  CoreOS Announces Managed Linux, World's First "OS-as-a-Service"

As part of the development of this plan, the organization should take an inventory of all databases within the organization’s network environment, which can be done more efficiently through use of vulnerability management technology that can automatically discover all databases and run scans to identify which contain sensitive information, such as financial information and customer data. The scans performed by such technology will also be able to assess database vulnerabilities and misconfigurations, identifying issues such as default or weak passwords, missing patches and poor access controls, and will look to identify which vulnerabilities can be exploited so that remediation can be prioritized. Most tools available will include built-in templates that incorporate the requirements of many best practice frameworks and regulatory compliance initiatives. Such tools should be used not only when developing a database security program, but on a continuous basis to identify new threats and vulnerabilities.

See also  Linux systemd dev says open source is 'SICK', kernel community 'awful'

Database activity monitoring (DAM) tools will also aid in the process of reducing vulnerabilities by providing visibility in real time into all database activity. Such tools collect data, aggregate it and analyze the data to look for activities that are in violation of security policy or that indicate anomalies have occurred. According to the Gartner Group, the primary reason for deploying DAM technologies is to monitor the activity of privileged users such as database and system administrators, developers, and help desk and outsourced personnel, many of whom typically have unfettered access to corporate databases. To ensure that threats are minimized and the requirements of regulations are being complied with, DAM tools should be used to identify anomalous activities such as privileged users viewing sensitive data, altering log records, making unauthorized configuration changes or creating new accounts with super user privileges. They can compare activities performed with those authorized by change requests. In general, it is considered to be best practice to implement access controls based on the principle of least privilege to ensure that no one user has excessive access rights and those rights should be regularly audited.

Click here for full Story

How to Reset the Directory Manager Password on RHEL 7 / CentOS 7
How to Reset the Directory Manager Password on RHEL 7 / CentOS 7

It is best practice to remember passwords, but because too many passwords, sometimes we forget. We are not encouraged to write the password on any paper or share the password...

How to Find Big Files Size on Linux RHEL/CentOS
How to Find Big Files Size on Linux RHEL/CentOS

As the linux administrator, sometimes we have to identify which files are most take much space in the linux server resulting in low free space. Low disk space can also...

Why Linux users should worry about malware and what they can do about it
Why Linux users should worry about malware and what they can do about it

Don’t drop your guard just because you’re running Linux. Preventing the spread of malware and/or dealing with the consequences of infection are a fact of life when using computers. If...

How to Reset Forgotten Root Password on Linux RHEL 7 / CentOS 7
How to Reset Forgotten Root Password on Linux RHEL 7 / CentOS 7

This short howto will explain the steps to reset a lost root password or to reset a forgotten root password on Linux RHEL 7 or CentOS 7. Basically, we will...

How to Update CentOS or Upgrade CentOS to the Latest Version
How to Update CentOS or Upgrade CentOS to the Latest Version

Recently, the latest version of CentOS 7.3 was released. All users of CentOS 7.0, 7.1 and 7.2 can upgrade their system to the most recent. This quick guide will explain...

How to Change your WordPress Username, Nickname and Display Name in MySQL
How to Change your WordPress Username, Nickname and Display Name in MySQL

After you create an account log in WordPress, you may want to change your WordPress username, as appropriate or due to security reason. However, you can not do this from...

How to Enable SSH Root Login on Ubuntu 16.04
How to Enable SSH Root Login on Ubuntu 16.04

As what we wrote in the previous article on how to allow SSH root on Ubuntu 14.04, after installing a fresh new copy of Ubuntu 16.04 LTS, we find that...

How to Change UUID of Linux Partition on CentOS 7
How to Change UUID of Linux Partition on CentOS 7

UUID (Universally Unique IDentifier) should be unique and it is used to identify storage devices on a linux system. If you cloned a virtual machine from vCenter, the metadata containing...

Leave a Reply

Your email address will not be published. Required fields are marked *