As promised in the previous article, we also offer solutions to protect databases and ensure their security and integrity. These solutions were identified by Imperva, who also contributed to creating the top list of the biggest dangers databases are exposed to.
Threats of this kind can, in most cases, be avoided by implementing very simple rules and following logical and obvious steps.
The solutions can be organized into 6 different categories, depending on the actions taken.
The 6 categories of solutions are:
1. Discovery and Assessment – the actual location of where database vulnerabilities occur
2. User Privilege Management – identifying excessive rights over sensitive data
3. Monitoring and Blocking – protecting databases against attacks, data loss, and theft
4. Audit – demonstrating compliance with industry regulations
5. Data Protection – ensuring data integrity and confidentiality
6. Non-technical Security – strengthening a culture of awareness and training in the field of security
These categories include numerous measures that can be applied in case of security issues. We will present them one by one, specifying where they can be applied.
1. Discovery and Assessment
This category includes the following steps: System scanning to identify vulnerabilities, Risk score calculation, Vulnerability reduction, Identification of compromised endpoints, Risk analysis and prioritization of remediation efforts, Identification of servers with databases, Analysis of identification results, Identification and classification of sensitive data.
It is crucial to identify and know the system's vulnerabilities from the perspective of data security. Viruses and other malicious software most often exploit precisely these vulnerabilities to get in. Weak authentication rules can open the way to a DoS attack by granting access to a database without requiring a password. Therefore, vulnerability assessment tools must be used to detect security errors and misconfigurations, and assessments should follow industry best practices for database security.
Based on the identified vulnerabilities, a risk score is calculated: the higher it is, the bigger the problems.
If a vulnerability is discovered and no vendor patch exists yet, a virtual patch must be applied to minimize the danger until the issue itself is resolved.
Next is the stage of identifying hosts infected with malware, so that access to database information by these devices can be prevented.
Reports and analytical tools should also be used to understand risks and help prioritize remediation efforts.
To keep a clear record of their databases, companies should organize them properly and regularly scan for database services (for example, Oracle, Microsoft SQL, IBM DB2, etc.) running on their networks.
Once all of this is done, sensitive data is identified at the row or column level. Such data can be email addresses, personal identification numbers, bank details, etc.
Generally applied in cases of: Input Injection, Exploitation of database vulnerabilities and misconfigurations, Unmanaged sensitive data.
2. User Privilege Management
This category includes the following steps: Aggregation of access rights, Completion of data with information from and about users, Identification and removal of excessive rights and inactive users, Review and approval/removal of existing rights, Extraction of users' "real" identities.
Databases must be scanned effectively to identify which users hold which rights (e.g., SELECT, DELETE, COPY) and who granted them. Aggregating user rights into a single repository helps streamline reporting and the analysis of user access to sensitive data. Completing this information with data about users' roles and behavior helps identify the best measures to take.
Once excessive rights are identified, they must be removed, as must rights granted to people who do not use them.
The third stage is a review of all users and their rights, removing any right that is not part of the job description and specifics of each user's position.
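The privilege review described above, as an added example that is not part of the original article or of any Imperva product: the grant records, the per-role baseline of legitimate privileges, the last-login dates and the 90-day inactivity threshold are constructed assumptions, and the grants are collapsed into one repository per grantee before excessive and unused rights are flagged.

```python
from collections import defaultdict
from datetime import date

# Constructed baseline (an assumption): the privileges each job role legitimately needs.
ROLE_BASELINE = {
    "analyst": {"SELECT"},
    "app_service": {"SELECT", "INSERT", "UPDATE"},
    "dba": {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"},
}

# Constructed grant records as (grantee, privilege, object, grantor); a real review would
# read these from each DBMS's own catalog views instead.
GRANTS = [
    ("alice", "SELECT", "customers", "dba_bob"),
    ("alice", "DELETE", "customers", "dba_bob"),   # beyond what an analyst needs
    ("svc_web", "SELECT", "orders", "dba_bob"),
    ("svc_web", "UPDATE", "orders", "dba_bob"),
    ("carol", "SELECT", "payments", "dba_bob"),    # account has not logged in for a year
]

# Constructed identity data: (job role, last successful login) per database account.
USERS = {
    "alice": ("analyst", date(2024, 5, 30)),
    "svc_web": ("app_service", date(2024, 6, 1)),
    "carol": ("analyst", date(2023, 5, 1)),
}
AS_OF = date(2024, 6, 3)   # assumed review date

def aggregate_grants(grants):
    """Collapse per-object grants into one {grantee: {privilege: {grantors}}} repository."""
    agg = defaultdict(dict)
    for grantee, priv, _obj, grantor in grants:
        agg[grantee].setdefault(priv, set()).add(grantor)
    return dict(agg)

def review_privileges(grants, users, baseline, as_of, inactive_days=90):
    """Flag privileges beyond the role baseline (with who granted them) and dormant accounts."""
    findings = []
    for grantee, privs in aggregate_grants(grants).items():
        role, last_login = users[grantee]
        excessive = sorted((p, sorted(g)) for p, g in privs.items() if p not in baseline[role])
        if excessive:
            findings.append((grantee, "excessive", excessive))
        idle = (as_of - last_login).days
        if idle > inactive_days:
            findings.append((grantee, "inactive", idle))
    return findings
```

Each finding names the account, the reason (excessive right or dormant account) and either the offending privileges with their grantors or the number of idle days, which is what the approval/removal step needs.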
Generally applied in cases of: Excessive and unused privileges (rights), Privilege abuse.
3. Monitoring and Blocking
This category includes the following elements: Real-time alerting and blocking, Detection of unusual activities, Blocking of malicious web requests, Monitoring of local activity, Enforcement of connection controls (to avoid overload), Validation of database protocols, Response timing.
All database access and usage activity must be monitored in real time to detect data leaks, unauthorized SQL and Big Data transactions, as well as protocol and system attacks. When such unauthorized attempts occur, an alert should be generated or the user session closed automatically. Web Application Firewalls (WAF) should be used to recognize and block malicious requests coming from the web.
Local activity must also be monitored, including that of network and database administrators and other users with very high privileges. Protocol validation and database activity monitoring solutions must be put in place to isolate anomalous communications. When atypical communication events are detected, the solution should trigger an alert or block the transaction.
Another important element is timing the responses the database provides. Attacks that tie up fixed physical resources cause delays in the database's response, and this can be used to set up alarms that fire whenever a delay or overload is observed.
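The three monitoring checks above (unauthorized SQL, privileged users connecting from outside the expected range, and slow responses that signal overload) run over a few constructed activity records, as an added example that is not from the article or any Imperva product; the simplified key=value log format, the per-account allow-list, the internal address prefix and the 2000 ms threshold are all assumptions.

```python
import re

# Constructed sample activity log in a simplified key=value format (not a real product's output).
LOG_LINES = """\
ts=1717400001 user=svc_web src=10.0.1.20 stmt="SELECT id FROM orders WHERE cust=42" ms=12
ts=1717400002 user=svc_web src=10.0.1.20 stmt="UPDATE orders SET status='paid' WHERE id=7" ms=15
ts=1717400003 user=alice src=10.0.5.7 stmt="SELECT * FROM customers" ms=80
ts=1717400004 user=alice src=10.0.5.7 stmt="DELETE FROM customers" ms=3000
ts=1717400005 user=dba_bob src=203.0.113.9 stmt="SELECT name FROM all_users" ms=5
ts=1717400006 user=svc_web src=10.0.1.20 stmt="SELECT id FROM orders WHERE cust=43" ms=2500
"""

LINE_RE = re.compile(r'ts=(\d+) user=(\S+) src=(\S+) stmt="([^"]*)" ms=(\d+)')

# Assumed policy (placeholders): statement verbs each account may run, which accounts are
# privileged, the internal address range admins must connect from, and a latency threshold.
ALLOWED_VERBS = {
    "svc_web": {"SELECT", "INSERT", "UPDATE"},
    "alice": {"SELECT"},
    "dba_bob": {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"},
}
PRIVILEGED = {"dba_bob"}
INTERNAL_PREFIX = "10.0."
SLOW_MS = 2000   # a response this slow suggests overload or resource exhaustion

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for m in LINE_RE.finditer(lines):
        ts, user, src, stmt, ms = m.groups()
        yield {"ts": int(ts), "user": user, "src": src, "stmt": stmt, "ms": int(ms)}

def evaluate(lines):
    """Return (ts, user, reason, action) per violation; only unauthorized SQL ends the session."""
    findings = []
    for rec in parse(lines):
        verb = rec["stmt"].split(maxsplit=1)[0].upper()
        if verb not in ALLOWED_VERBS.get(rec["user"], set()):
            findings.append((rec["ts"], rec["user"], "unauthorized_sql", "block"))
        if rec["user"] in PRIVILEGED and not rec["src"].startswith(INTERNAL_PREFIX):
            findings.append((rec["ts"], rec["user"], "privileged_remote_access", "alert"))
        if rec["ms"] >= SLOW_MS:
            findings.append((rec["ts"], rec["user"], "slow_response", "alert"))
    return findings
```

The checks are independent, so one record can raise several findings (the analyst's DELETE is both unauthorized and slow), which mirrors the alert-or-terminate choice the text describes.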
Generally applied in cases of: Denial of Service (DoS), Excessive and unused privileges (rights), Privilege abuse, Input Injection.
4. Audit
Implementing DAP-type (Database Audit and Protection) solutions is very useful and brings several advantages, including performance, scalability, and flexibility. These automated DAP systems provide a clear separation of administrative rights over databases and are invulnerable to attacks, whether caused by external factors or internally by database administrators or ordinary users. They are highly performant and support various types of databases from multiple vendors.
An audit system records information and generates very detailed reports, from which information about users, logs, technical specifications, queries, database responses, etc. can be obtained.
Applied in case of: Incorrect audit
5. Data Protection
This process comes down to following two very simple rules: proper archiving of data and its encryption. Archiving is a necessity, yet many treat it as a secondary chore, and securing the archived data is often overlooked. Therefore, archives must be created automatically and protected in the same way as the active database. Encrypting all information is another requirement and must be done both for the active database and for its backups. Together with auditing, this offers maximum tracking of database activity.
Applied in cases of: Incorrect audit, Exposure of storage media
6. Non-technical Security
Security rules must be respected by all employees, regardless of how involved they are in actions involving databases. Attack software (malware) can affect any computer and from there infiltrate the network and the database. Security therefore also covers how computers, the internet, email, and portable devices are used.
Applied in case of: Limited expertise and education in security matters
Conclusion
Data security and protection should never be treated lightly. Even if it seems you do not hold information important enough to be stolen or of interest to someone, you should still take measures. Your clients, partners, or even your employees must feel that you do everything to protect their privacy and data. Whether it is phone numbers, email addresses, or personal files, any kind of information presents an interest, smaller or larger, for a hacker or a dissatisfied employee.
Note! This material was created based on information provided by Imperva.