Categories Topics
Description
Database Security

Overview
Database security is the practice of implementing security controls to protect databases, to include database systems and applications used to store, process or access data.  Databases often store the most sensitive information in the organization so should be part of defense-in-depth security program to ensure confidentiality, integrity and availability of critical data.

Guidelines
Database assets should first be identified to include data ownership and data classification.  Once assets are identified and prioritized for data protection, the following database system controls should be implemented:
  • Database system hardening: database systems should be securely configured to a documented standard; changes to configurations should also be monitored to ensure compliance.
  • Database system access: users to include administrators should use a unique ID to access system of databases; access to systems and system resources should also be based on role; accounts should also be centrally managed via an identity management system where feasible; systems should also be accessed through secure channels (e.g. SSH or password management vault).
  • Vulnerability and patch management: vulnerabilities should be remediated based on risk and established Service Level Agreements (SLA's); like systems, databases should also be patched consistently and timely.
  • Logging and Monitoring: database system security logs should be collected through a centralized logging mechanism and NTP should be used to ensure consistency of log correlation; Logs must also be monitored for threats and Privileged accounts should be monitored for potential compromise or misuse; Logs should be secured and saved according to compliance and policy requirements; Sensitive data is scrubbed from logs prior to storage.
  • Change Management: database system changes should be documented and approved, unauthorized configuration or system changes are logged and monitored.
  • Data encryption: sensitive data should be encrypted in transit, backups or archives.  Sensitive data should also be masked/removed in non-production. 
  • High availability: there must be a robust backup and recovery of critical databases. A Disaster Recovery (DR) processes should also be in place and periodically tested.

Topic Category
Operations and Communications Management
 
News Articles
Data-slurping keyboard app makes Mongo mistake with user datawww.theregister.co.uk12/5/2017
Sony social media accounts hijacked as hackers claims to have stolen PSN databasehotforsecurity.bitdefender.com8/21/2017
Unprotected database exposes VINs, owner info of 10 million carswww.helpnetsecurity.com6/7/2017
If You Want to Stop Big Data Breaches, Start With Databaseswww.wired.com3/29/2017
Stuffed toys database left personal data exposed, says security expertwww.zdnet.com2/28/2017
MySQL Databases Targeted in New Ransom Attackswww.securityweek.com2/24/2017
Oracle's monster security update: 270 fixes and over 100 remotely exploitable flawswww.zdnet.com1/18/2017
Hello Kitty Database of 3.3 Million Breached Credentials Surfacesthreatpost.com1/9/2017
Unprotected MongoDB Databases Wiped and Held for Ransom by Attackerwww.tripwire.com1/4/2017
8 million GitHub profiles scraped, data found leaking onlinewww.helpnetsecurity.com11/18/2016
Cerber Ransomware Now Hunts for Databasessecuringtomorrow.mcafee.com11/4/2016
Hacker grabs over 58 million customer records from data storage firmwww.tripwire.com10/13/2016
1.5M Dating Site Users’ Passwords Exposed by Misconfigured Databasewww.tripwire.com10/5/2016
An unsecured database leaves off-the-grid energy customers exposedwww.zdnet.com8/30/2016
With latest patches, Oracle signals no more free updates for Java 7www.computerworld.com4/15/2015
Oracle Releases January 2015 Security Advisorywww.us-cert.gov1/20/2015
Tech Giants, Telcos Get OK to Release Stats on NSA Spyingwww.wired.com1/27/2014
IRS Exposes SSNs in Database of Public Tax Filingsthreatpost.com7/11/2013
Hackers take data of 36,000 people at fortwww.app.com12/29/2012
New Accounting System Hack Could Cause 'Mayhem'threatpost.com12/7/2012
WCSU Alerts Students and Families Their Personal Data Exposedthreatpost.com11/29/2012
Symantec Warns of New Malware Targeting SQL Databasesthreatpost.com11/23/2012
The Root Of All Database Security Evils = Inputwww.darkreading.com11/15/2012
Adobe Hacker Says He Used SQL Injection To Grab Database Of 150,000 User Accountswww.darkreading.com11/14/2012
4 Long-Term Hacks That Rocked 2012www.darkreading.com11/8/2012
Lies We Tell Our CEOs About Database Securitywww.darkreading.com11/1/2012
McAfee debuts data center security suites for physical, cloud environmentswww.zdnet.com10/16/2012
Ghostshell leaks 120,000 records from top 100 universitieswww.zdnet.com10/2/2012
Microsoft warns of critical Oracle code bugs in Exchangewww.computerworld.com7/31/2012
Oracle to release 88 security fixeswww.computerworld.com7/12/2012
DreamHost resets passwords after database breachwww.computerworld.com1/23/2012
Anonymous shreds intelligence firm Stratfor in latest hackwww.scmagazine.com12/25/2011