Database security is very important to consider in any organization or company. It’s where an entities most valuable data is stored. Personal identifiable information has been stolen from databases over and over in the last decade. (Blackhat, n.d.) says, “By one estimate, 53 million people have had data about themselves exposed over the past 13 months.” This was in 2006 after large data breaches from Bank of America, Time Warner, and Marriott International. Today you could only imagine that there are many more. A few suggested things to consider when securing any database or distributed system. Separate the database from the web servers. Encrypt any stored files in the database. Keep patches current.
Keep the database server’s separate from the web servers is a great help. Usually software when installed on a server will include a database and install it on the same server. If an attacker can compromise the administrator account of the webserver he then has access to the database files. (Applicure Technologies, n.d.) suggests, “instead, a database should reside on a separate database server located behind a firewall, not in the DMZ with the web server.” Agreed this would increase the complexity of the installation but the benefits on the security are well worth it.
Another factor to consider is the way in which the data will be stored. Encryption is an option for all data but will decrease performance in certain areas. Knowing the kind of data like car information color, make, and model versus vin number and license plate number would help in determining the information that needs to be encrypted and does not. Depending upon the business compliance whether HIPAA, SOX, and PCI may make this decision for us. Encryption of also website files for instance a web configuration file may contain information to the databases the website needs to connect to. Many times this is in clear text. (Applicure Technologies, n.d.) says, “WhiteHat security estimates that 83 percent of all web sites are vulnerable to at least one form of attack.” These types of attacks are very frequent in number.
Lastly keep databases patched regularly. Many databases have many other third party plugins that create other entry points into databases. At the time of their publication there were 8 DB2, 2 Informix and greater than 50 Oracle 0day vulnerabilities, (Blackhat, n.d.). So the general consensus would be to keep the need for third party vendors and databases to a minimum.
Overall there is no exact method of database security it’s a practice and everyones implementation will be different based off of the needs of each business and the regulatory requirements that the business is subject to.
Figure 1. Shows the cost of different types of data on the blackmarket.
Figure 2. Shows the top companies with data breaches in 2005.
Applicure Technologies. (n.d.). Best practices for database security. Retrieved from http://www.applicure.com/blog/database-security-best-practice
Blackhat. (n.d.). Hacking databases for owning your data. Retrieved from https://www.blackhat.com/presentations/bh-europe-07/Cerrudo/Whitepaper/bh-eu-07-cerrudo-WP-up.pdf