This article can also be found in the Premium Editorial Download "Information Security magazine: What are botnets and how can you prepare for them?."
It supports Oracle, SQL Server, DB2, Lotus Domino, MySQL and MiniSql.
These tools will find most common vulnerabilities and configuration problems, and are cheap enough to be cost-effective. But they're still limited. Professional penetration testing services are more thorough, using powerful tools and manual techniques to dig into databases, rooting out both obvious and hidden holes; however, these services are expensive and invasive.
Auditing and Intrusion Detection
Scanners and pen tests give you a good snapshot of your database security posture, but there are no guarantees that change won't creep in and attackers won't try to exploit new or previously undetected vulnerabilities.
Several database IDS and auditing products can maintain a continuous vigil on databases, logging and alerting on attacks, suspicious activities and all changes that violate security policies. Their comprehensive logging and reporting capabilities are designed to meet both auditing and regulatory requirements.
Guardium's SQL Guard monitors and analyzes potentially unsafe and malicious traffic for Oracle, SQL Server, Sybase and DB2. It monitors and logs all user activity. Its unique hierarchy-based, three-tiered approach--audit, health and policy--allows you to passively audit your environment against about a dozen categories of tests.
SQL Guard's standout feature is its user activity logging and drill-down capabilities. From the management interface, you can select any of your database users and click through a tree of activities. Audit features include SQL account creation details, administrator-level queries and newly created stored procedures. SQL Guard is also a valuable tool for incident response and data collection, allowing you to search activity based on users, commands and time of day.
IPLocks offers comprehensive security monitoring for Oracle, SQL Server, DB2, Sybase, Teradata Database and Hitachi's HiRDB. It flags configuration vulnerabilities, and issues alerts, detailed reports and trend analyses. It monitors user activity and flags suspicious behavior and changes to access privileges, roles and schemas/tables/elements.
Lumigent Technologies' Entegra monitoring and auditing tool is available for SQL Server and Oracle. Entegra records all data accessed, enabling you to track user activity and database changes. The Web-based GUI allows you to drill down on specific database activities.
Application Security's AppRadar is an intrusion detection product that identifies complex application-layer attacks against SQL Server. Application Security says version 2.0, scheduled for release this month, adds support for Oracle, granular activity monitoring and built-in HIPAA and Sarbanes-Oxley policies.
Some may say that the obvious answer to database security is encryption. But encryption doesn't obviate the need for secure configuration, diligent testing and continuous monitoring.
Encrypting and decrypting data to meet real-time business/transaction needs requires serious hardware: multiprocessor systems and accelerators that require gobs of memory, either in purpose-built appliances or software products on high-end servers. Key management can be a major headache and may be a full-time job. What's more, Microsoft and Oracle are building stronger native encryption capabilities that will put the squeeze on encryption vendors (see "DB Vendors Beef Up Security").
Vulnerabilities, poor system and application configurations, industry regulations and day-to-day security challenges aren't going away. Technological advances aside, your best bet is to formulate strong operating policies, purchase technology that has the highest ROI, create internal response teams that consistently work together on a range of daily security operations--including database compromises, and secure and standard configurations--and conduct semiannual user account reviews.
The majority of database security risks can be remedied through proper configuration, perimeter protections (that you most likely have already implemented) and DBA training. That may make it hard to justify the additional spending for most bolt-on database-specific security products, especially given the promises of Oracle and Microsoft's embedded security features.
Nevertheless, if publicly available databases are your company's lifeblood, these tools will add an extra layer of defense that offers real value.
This was first published in March 2005