Password management best practices are typically aimed at the user, but businesses play a large and extremely important role in protecting user account data, and that includes employing database security fundamentals
Nobody should be able to get their hands on password data. … That information should be treated and protected the same way an organization’s most valuable intellectual property is protected.
Josh Shaul, CTO, Application Security Inc.
That doesn’t mean adding salt to a strong hashing algorithm, according to Josh Shaul, chief technology officer of Application Security Inc. Although salting would help, passwords protected by MD5 and SHA can be cracked by a determined cybercriminal in a few minutes or hours, Shaul said. Instead, the right approach is to add reliable database protections to keep unwanted visitors out of the database in the first place, he said.
“Nobody should be able to get their hands on password data,” Shaul said. “That information should be treated and protected the same way an organization’s most valuable intellectual property is protected.”
The need for addressing database security was highlighted by the LinkedIn password breach. The company is investigating how 6.5 million of its users’ passwords were leaked and posted on a Russian hacker forum. The scope of the breach was so enormous that other firms were forced to address the security of its customer passwords, including Facebook, Last.fm and eHarmony, because people often use the same password for multiple accounts, a poor but common practice.
protection: Begin with a database inventory
Firms should begin by conducting an inventory to determine what servers contain password data, said Johannes Ullrich, chief technology officer of the SANS Internet Storm Center. Many enterprises have multiple account databases in production as different applications have been deployed over the years. Some firms will discover dozens of applications with their own password stored, and some will contain data being stored in clear text – a major weakness, Ullrich said.
“Integrating a single file system for all those legacy applications is a difficult challenge,” Ullrich said. “It’s not something you do overnight.”
Database configuration comes next, according to Application Security’s Shaul. Penetration testers know that nine times out of ten they can find a database protected using a default or weak password. “You need to make sure the security settings are enabled correctly and unused features are removed,” Shaul said.
“The Database Security Technical Implementation Guide,” (.pdf) provided by the Defense Information Systems Agency, is a good place for database administrators to find what a secure configuration looks like, Shaul said. The Center for Information Security, a non-profit research firm, also provides updated configuration benchmark reports for common database management systems.
Password protection: Deploy database patches
Database patching is often the biggest point of failure for an organization. Vendors release patches regularly, but often organizations delay or ignore patches to avoid disrupting production systems, Shaul said. Patches need to be tested and deployed. Maintaining a strong patching program that addresses the most critical database servers is often the difference between an organization that experiences a password breach and an organization that doesn’t, Shaul said.
“Vendors release patches regularly, so you’ll need to recheck this patch status every month at a minimum, and put a process in place to roll out patches quickly,” Shaul said. “Target under seven days if your database supports a Web-facing application.”
Password protection: Limiting privileges, database activity monitoring
Once the database is protected from external attackers, the threat posed by insiders can be addressed. Limit privileges to those required to do their jobs, Shaul said. The scope should be limited to application users required to do authentication and user management, and DBAs. Check every user with access to the password data and remove everyone’s access you possibly can, he said. “You also need to examine the administrative privileges in the database (system privileges) and make sure they are only assigned to valid DBA accounts,” Shaul said.
Finally, database activity monitoring (DAM) goes a long way to determine who accesses the database and how the information it contains is manipulated. “That may be a DBA abusing their privileges and reading the passwords, or it may be an attacker exploiting a vulnerability (such as SQL injection) in your application and using that to read passwords,” Shaul said. A properly configured DAM technology can be set up to alert when it senses a problem, giving administrators a chance to isolate an issue before it becomes a serious breach.