Unless your network security can maintain confidentiality, integrity and availability, if you have applications that are Internet accessible, your databases are at high risk. Hackers are using application-layer attacks to gain access to networks and databases, often with a privileged system-level account. To mitigate this risk, protect your databases by layering your defenses and use firewalls and routers to segment resources with different security requirements. It is also important to install any security patches or updates that have been released by your application vendors. For example, the Critical Patch Update released by Oracle in January 2005, addressed 23 vulnerabilities ranging from SQL injection to denial-of-service issues.
On the other hand, if your Intranet-based applications are not Internet-accessible, as long as your firewall is configured to prevent Internet access to your Intranet, your risk of attack is greatly reduced. However, don't overlook the fact that people working within your organization have extra knowledge about the databases' structures and your security policy. Their knowledge makes databases and other applications susceptible to an insider attack. For this reason, I recommend reviewing your database security policies. For example, ask yourself the following: "Do I properly enforce segregation of staff duties?" "Do I grant users the lowest level of permissions required to complete their tasks (the least privilege principle)?" If the database contains sensitive information, I would consider encrypting stored data. It adds an important layer of protection -- any user that tries to access the data not only needs the right password, but the encryption key as well. Another advantage of encryption is people who do not have database privileges cannot read your sensitive information. On a final note, I would ensure that you have an auditing strategy to highlight security issues.
This was first published in December 2005