A recent survey showed that 80% of businesses do not have a database security plan which should include information regarding migration, patching schedules, databases needing encryption and more. Of course, before you can decide what to protect, you need to know what you have in the way of databases and the information they contain which ends up being quite complex. And the process of configuring parameters then checking them even more so.
However, resources like the Defense Information Systems Agency, and others, have checklists to guide you in securely configuring your databases. A database vulnerability tool can then be used to check if your database has met the lists requirements. Some things to look for first are:
- Missing patches
- Misconfiguratioins such as Oracle directory and file pemissions
- Default passwords
Default passwords are considered a major reason for why attacks happen. Making sure that users have hard to guess passwords, and changing them periodically reduces the risk of security breaks. Another big risk is the ANY system privileges, equivalent to ROOT user in Unix or ADMINISTRATOR for Windows. Monitoring these users is a top security challenge, and they need to be very controlled and validated. One last security help is virtual patching, a tool offered by Guardium and other security vendors, that detects and blocks new exploits, offering a degree of protection while waiting for the actual patch.