Database Security
What Is Database Security And Why Is It Important?
🤔What is database security?
Basically, database security is any form of security used to protect databases and the information they contain from compromise. Examples of how stored data can be protected include:
Software – technical controls that stop people from gaining access to the database through viruses, hacking, or any similar means.
Physical controls – for example, continuous monitoring of the database and its servers by company personnel so that potential weaknesses and/or compromises can be identified.
Administrative controls – this refers to things like the use of passwords, restricting the access of certain people to certain parts of the database, or blocking the access of some company personnel altogether.
🤔Why is database security important?
Safeguarding the data your company collects and manages is of utmost importance. Database security can guard against a compromise of your database, which can lead to financial loss, reputation damage, loss of consumer confidence, brand erosion, and non-compliance with government and industry regulation.
Database security safeguards defend against a myriad of security threats and can help protect your enterprise from:
* Deployment failure
* Excessive privileges
* Privilege abuse
* Platform vulnerabilities
* Unmanaged sensitive data
* Backup data exposure
* Weak authentication
* Database injection attacks
Threats to databases
1. Poor Privileges
This is a great place to start because it can be so easy to fix and yet potentially so devastating to your data. User privileges can often exceed the requirements of a person’s job function. They can also remain unchanged when someone moves roles within the organization, or leaves altogether. This exposes the data to people who may have ill intent.
Time to conduct an audit of all users, roles and access rules, and make the changes you need to limit exposure. Be sure to communicate any changes to the staff member and answer any questions they may have with regards to their new limited access rights. This process will eliminate unnecessary risk - and take some of the human element out of it.
2. Malware
Cyber-criminals often use advanced attacks that blend multiple tactics such as spear phishing emails and malware. Just on its own, spear phishing has become an endemic scourge: 95% of US and 83% of UK respondents in a recent Cloudmark survey said they have experienced an attack. Malware, or "malicious software", is also on the rise. Unaware that malware has infected their device, legitimate database users become a direct conduit for these groups to access your networks and sensitive data.
3. Exploitation of Vulnerable Misconfigured Databases
Our enterprise database consultants find vulnerable and unpatched databases all too often as we audit systems considered safe by their owners. We often see databases with their default accounts and configuration parameters in place too - especially in the case of open source implementations where a staff member has downloaded the software and done a DIY job on the database.
Attackers exploit these vulnerabilities very easily. Your internal staff may be too busy to apply patches, or it might be tough to find a maintenance window. However, these issues must be resolved and a patch process put in place. IT solution providers such as Fujitsu can help when you feel you would benefit from third-party discipline. Whatever you do though, take action to resolve the issue now.
4. Limited Security Expertise and Education
According to the Ponemon Institute 2014 Cost of Data Breach Study, 30% of data breach incidents are caused by the “human factor”. The Online Trust Alliance (OTA) also stated in 2013 that more than 97% of breaches were preventable by implementing simple steps and following best practice and internal controls. Ensure your internal staff are trained and capable of maintaining the security of your enterprise database to a professional, business-critical level. If you are not sure, then engage the services of a professional database service provider such as Fujitsu.
5. Input Injection (SQL Injection)
This type of attack allows an attacker to inject code into a program or query or inject malware onto a computer in order to execute remote commands that can read or modify a database, or change data on a web site. There are two major types of database injection attacks. The first is SQL Injection that targets traditional database systems, and then there is NoSQL Injection targeting Big Data platforms.
SQL Injection executes malicious SQL statements that control a web application’s database server. It can potentially affect any website or web application that uses an SQL-based database. These attacks bypass a web application’s authentication mechanisms and retrieve the contents of an entire database, or add, modify and delete records and thereby disrupt data integrity. They are quite common and one of the oldest and most dangerous vulnerabilities around.
Authentication mechanisms
Database authentication is the process or act of confirming that a user who is attempting to log in to a database is authorized to do so, and is only accorded the rights to perform activities that he or she has been authorized to do.
Database authentication includes the following facilities:
* Password Encryption
* Account Locking
* Password Lifetime and Expiration
* Password Complexity Verification
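As an added illustration (not code from the original article), the four facilities above implemented as a small authentication policy in Python: salted one-way password hashing for the stored credential, account locking after repeated failures, a password lifetime with expiration, and a complexity check. The threshold values (5 attempts, 90 days, 12 characters) and the account record layout are assumptions made for this example, not taken from the page.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy values assumed for the example; a real deployment sets these per its own standard.
MAX_FAILED_ATTEMPTS = 5
PASSWORD_LIFETIME_SECS = 90 * 86400
MIN_LENGTH = 12

@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    set_at: float      # when the current password was set (epoch seconds)
    failed: int = 0    # consecutive failed login attempts
    locked: bool = False

def hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256: the database stores a one-way derivation, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_complexity(password):
    # Password complexity verification: minimum length plus at least three character classes.
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3

def create_account(username, password, now):
    if not check_complexity(password):
        raise ValueError("password does not meet the complexity policy")
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), now)

def authenticate(acct, password, now):
    # Returns "ok", "locked", "expired" or "bad_password"; mutates the lockout counters.
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked = True          # account locking: too many consecutive failures
            return "locked"
        return "bad_password"
    acct.failed = 0                     # a good login resets the failure counter
    if now - acct.set_at > PASSWORD_LIFETIME_SECS:
        return "expired"                # lifetime exceeded: caller must force a password change
    return "ok"
```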
Implementing database security
The following are some practices that can be used to implement database security:
Data masking, which lets users work with certain data without being able to view it in the clear (for example in credit or debit card processing, or during database testing and development), helps to protect the privacy of the database.
Encrypt all database activity, and consider password-protecting and encrypting the entire database backup so that if the backup data is lost or stolen it is difficult to get at the information.
Protect against SQL injection by using parameterized queries, which keep malicious queries out of the database. Static code analysis is a basic tool for organizations building applications that act as a gateway to databases, helping to cut down SQL injection, buffer overflow, and design issues.
Audit data access and control any offline copies of the data.
Database backups should be set up to avoid disasters.
Availability, integrity, and confidentiality should be properly maintained by removing any elements from the database that are not explicitly required.
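As an added example (not code from the original article), the parameterized-query recommendation above and the SQL Injection threat in point 5 shown side by side: a login query built by string concatenation next to the same query with bound parameters, run against a constructed in-memory SQLite table. The user names, hash values and login inputs are made up for the demonstration.

```python
import sqlite3

def build_db():
    # Constructed sample data for the demonstration (not real credentials).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")])
    return conn

def login_vulnerable(conn, username, password_hash):
    # Vulnerable pattern: user-controlled text is spliced into the SQL string,
    # so a quote character in the input changes the structure of the query.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "' ORDER BY username")
    return [row[0] for row in conn.execute(query)]

def login_parameterized(conn, username, password_hash):
    # Hardened pattern: the SQL text is constant and the values are bound as
    # parameters, so the driver never interprets them as SQL.
    query = ("SELECT username FROM users WHERE username = ? AND password_hash = ? "
             "ORDER BY username")
    return [row[0] for row in conn.execute(query, (username, password_hash))]

def compare(conn, username, password_hash):
    # Run the same login input through both implementations so the difference
    # in behaviour is visible side by side.
    return {"vulnerable": login_vulnerable(conn, username, password_hash),
            "parameterized": login_parameterized(conn, username, password_hash)}

if __name__ == "__main__":
    db = build_db()
    # Legitimate credentials: both implementations return ['alice'].
    print(compare(db, "alice", "hash-of-alice-pw"))
    # A quote in the password field turns the concatenated query into a tautology
    # that matches every row; the parameterized query matches none.
    print(compare(db, "alice", "' OR '1'='1"))
```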