Database Security

Uploaded by

Ayesha's way

What is Database Security?

Database security includes a variety of measures used to secure
database management systems from malicious cyber-attacks and
illegitimate use. Database security programs are designed to protect
not only the data within the database, but also the data management
system itself, and every application that accesses it, from misuse,
damage, and intrusion.

Database security encompasses tools, processes, and methodologies
which establish security inside a database environment.

Database Security Threats

Many software vulnerabilities, misconfigurations, or patterns of misuse
or carelessness could result in breaches. Here are a number of the
best-known causes and types of database security cyber threats.

Insider Threats

An insider threat is a security risk from one of the following three
sources, each of which has privileged means of entry to the database:

• A malicious insider with ill-intent
• A negligent person within the organization who exposes the
database to attack through careless actions
• An outsider who obtains credentials through social engineering or
other methods, or gains access to the database’s credentials

An insider threat is one of the most typical causes of database security
breaches and it often occurs because a lot of employees have been granted
privileged user access.

Human Error

Weak passwords, password sharing, accidental erasure or corruption of data,
and other undesirable user behaviors are still the cause of almost half
of data breaches reported.

Exploitation of Database Software Vulnerabilities

Attackers constantly attempt to isolate and target vulnerabilities in software,
and database management software is a highly valuable target. New
vulnerabilities are discovered daily, and all open source database
management platforms and commercial database software vendors issue
security patches regularly. However, if you don’t apply these patches quickly,
your database might be exposed to attack.

Even if you do apply patches on time, there is always the risk of zero-day attacks,
when attackers discover a vulnerability, but it has not yet been discovered and
patched by the database vendor.

SQL/NoSQL Injection Attacks

A database-specific threat involves the insertion of arbitrary SQL and
non-SQL attack strings into database queries. Typically, these are queries
created as an extension of web application forms, or received via HTTP
requests. Any database system is vulnerable to these attacks if developers
do not adhere to secure coding practices, and if the organization does not
carry out regular vulnerability testing.

Buffer Overflow Attacks

Buffer overflow takes place when a process tries to write a large amount of
data to a fixed-length block of memory, more than it is permitted to hold.
Attackers might use the excess data, kept in adjacent memory addresses, as
the starting point from which to launch attacks.

Denial of Service (DoS/DDoS) Attacks

In a denial of service (DoS) attack, the cybercriminal overwhelms the target
service—in this instance the database server—using a large number of fake
requests. The result is that the server cannot carry out genuine requests
from actual users, and often crashes or becomes unstable.

In a distributed denial of service attack (DDoS), fake traffic is generated by
a large number of computers, participating in a botnet controlled by the
attacker. This generates very large traffic volumes, which are difficult to stop
without a highly scalable defensive architecture. Cloud-based DDoS
protection services can scale up dynamically to address very large DDoS
attacks.

Malware

Malware is software written to take advantage of vulnerabilities or to cause
harm to a database. Malware could arrive through any endpoint device
connected to the database’s network. Malware protection is important on
any endpoint, but especially so on database servers, because of their high
value and sensitivity.

An Evolving IT Environment

The evolving IT environment is making databases more susceptible to
threats. Here are trends that can lead to new types of attacks on databases,
or may require new defensive measures:

• Growing data volumes—storage, data capture, and processing are growing
exponentially across almost all organizations. Any data security practices or
tools must be highly scalable to address distant and near-future
requirements.
• Distributed infrastructure—network environments are increasing in
complexity, especially as businesses transfer workloads to hybrid cloud or
multi-cloud architectures, making the deployment, management, and choice
of security solutions more difficult.
• Increasingly tight regulatory requirements—the worldwide regulatory
compliance landscape is growing in complexity, so following all mandates is
becoming more challenging.
• Cybersecurity skills shortage—there is a global shortage of
skilled cybersecurity professionals, and organizations are finding it difficult to
fill security roles. This can make it more difficult to defend critical
infrastructure, including databases.

How Can You Secure Your Database Server?

A database server is a physical or virtual machine running the database.
Securing a database server, also known as “hardening”, is a process that
includes physical security, network security, and secure operating system
configuration.

Ensure Physical Database Security

Refrain from sharing a server for web applications and database
applications, if your database contains sensitive data. Although it could be
cheaper, and easier, to host your site and database together on a hosting
provider, you are placing the security of your data in someone else’s hands.

If you do rely on a web hosting service to manage your database, you
should ensure that it is a company with a strong security track record. It is
best to stay clear of free hosting services due to the possible lack of
security.

If you manage your database in an on-premise data center, keep in mind
that your data center is also prone to attacks from outsiders or insider
threats. Ensure you have physical security measures, including locks,
cameras, and security personnel in your physical facility. Any access to
physical servers must be logged and only granted to authorized individuals.

In addition, do not leave database backups in locations that are publicly
accessible, such as temporary partitions, web folders, or unsecured cloud
storage buckets.

Lock Down Accounts and Privileges

Let’s consider the Oracle database server. After the database is installed, the
Oracle database configuration assistant (DBCA) automatically expires and
locks most of the default database user accounts.

If you install an Oracle database manually, this doesn’t happen and default
privileged accounts won’t be expired or locked. Their password stays the
same as their username, by default. An attacker will try to use these
credentials first to connect to the database.

It is critical to ensure that every privileged account on a database server is
configured with a strong, unique password. If accounts are not needed, they
should be expired and locked.

For the remaining accounts, access has to be limited to the absolute
minimum required. Each account should only have access to the tables and
operations (for example, SELECT or INSERT) required by the user. Avoid
creating user accounts with access to every table in the database.

Regularly Patch Database Servers

Ensure that patches remain current. Effective database patch management
is a crucial security practice because attackers are actively seeking out new
security flaws in databases, and new viruses and malware appear on a daily
basis.

A timely deployment of up-to-date versions of database service packs,
critical security hotfixes, and cumulative updates will improve the stability of
database performance.

Disable Public Network Access

Organizations store their applications in databases. In most real-world
scenarios, the end-user doesn’t require direct access to the database. Thus,
you should block all public network access to database servers unless you
are a hosting provider. Ideally, an organization should set up gateway
servers (VPN or SSH tunnels) for remote administrators.

Encrypt All Files and Backups

Irrespective of how solid your defenses are, there is always a possibility that
a hacker may infiltrate your system. Yet, attackers are not the only threat to
the security of your database. Your employees may also pose a risk to your
business. There is always the possibility that a malicious or careless insider
will gain access to a file they don’t have permission to access.

Encrypting your data makes it unreadable to both attackers and employees.
Without an encryption key, they cannot access it; this provides a last line of
defense against unwelcome intrusions. Encrypt all important application
files, data files, and backups so that unauthorized users cannot read your
critical data.

Database Security Best Practices

Here are several best practices you can use to improve the security of
sensitive databases.

Actively Manage Passwords and User Access

If you have a large organization, you must think about automating access
management via password management or access management software.
This will provide permitted users with a short-term password with the rights
they need every time they need to gain access to a database.

It also keeps track of the activities completed during that time frame and
stops administrators from sharing passwords. While administrators may feel
that sharing passwords is convenient, doing so makes effective
database accountability and security almost impossible.

In addition, the following security measures are recommended:

• Strong passwords must be enforced
• Password hashes must be salted and stored encrypted
• Accounts must be locked following multiple login attempts
• Accounts must be regularly reviewed and deactivated if staff move to
different roles, leave the company, or no longer require the same level of
access

Test Your Database Security

Once you have put in place your database security infrastructure, you must
test it against a real threat. Auditing or performing penetration tests against
your own database will help you get into the mindset of a cybercriminal and
isolate any vulnerabilities you may have overlooked.

To make sure the test is comprehensive, involve ethical hackers or
recognized penetration testing services in your security testing. Penetration
testers provide extensive reports listing database vulnerabilities, and it is
important to quickly investigate and remediate these vulnerabilities. Run a
penetration test on a critical database system at least once per year.

Use Real-Time Database Monitoring

Continually scanning your database for breach attempts increases your
security and lets you rapidly react to possible attacks.

In particular, File Integrity Monitoring (FIM) can help you log all actions
carried out on the database’s server and alert you to potential breaches.
When FIM detects a change to important database files, ensure security
teams are alerted and able to investigate and respond to the threat.

Use Web Application and Database Firewalls

You should use a firewall to protect your database server from database
security threats. By default, a firewall does not permit access to traffic. It
also needs to stop your database from starting outbound connections unless
there is a particular reason for doing so.

As well as safeguarding the database with a firewall, you must deploy a web
application firewall (WAF). This is because attacks aimed at web
applications, including SQL injection, can be used to gain illicit access to your
databases.

A database firewall will not stop most web application attacks, because
traditional firewalls operate at the network layer, while web applications
operate at the application layer (layer 7 of the OSI model). A WAF
operates at layer 7 and is able to detect malicious web application traffic,
such as SQL injection attacks, and block it before it can harm your database.

Imperva Database Security

Imperva provides an industry-leading Web Application Firewall, which can
prevent web application attacks that affect databases, including SQL
injection. We also provide file integrity protection (FIM) and file security
technology, defending sensitive files from cybercriminals and malicious
insiders.

In addition, Imperva protects all cloud-based data stores to ensure
compliance and preserve the agility and cost benefits you get from your
cloud investments:

Cloud Data Security – Simplify securing your cloud databases to catch up
and keep up with DevOps. Imperva’s solution enables cloud-managed
services users to rapidly gain visibility and control of cloud data.

Database Security – Imperva delivers analytics, protection, and response
across your data assets, on-premise and in the cloud – giving you the risk
visibility to prevent data breaches and avoid compliance incidents. Integrate
with any database to gain instant visibility, implement universal policies, and
speed time to value.

Data Risk Analysis – Automate the detection of non-compliant, risky, or
malicious data access behavior across all of your databases enterprise-wide
to accelerate remediation.
