According to Risk Based Security’s 2020 Q3 report, around 36 billion records were compromised between January and September 2020. While this result is quite staggering, it also sends a clear message of the need for effective database security measures.
Database security measures are a bit different from website security practices. The former involve physical steps, software solutions and even educating your employees. However, it’s equally important to protect your site to minimize the potential attack vectors that cyber criminals could exploit.
Let’s look at 10 database security best practices that can help you to bolster your sensitive data’s safety.
1. Deploy physical database security
Data centers or your own servers can be susceptible to physical attacks by outsiders or even insider threats. If a cybercriminal gets access to your physical database server, they can steal the data, corrupt it or even insert harmful malware to gain remote access. Without additional security measures, it’s often difficult to detect these types of attacks since they can bypass digital security protocols.
When choosing a web hosting service, make sure it’s a company with a known track record of taking security matters seriously. It’s also best to avoid free hosting services because of the possible lack of security.
If you house your own servers, adding physical security measures such as cameras, locks and staffed security personnel is highly suggested. Furthermore, any access to the physical servers should be logged and only given to specific people in order to mitigate the risk of malicious activities.
2. Separate database servers
Databases require specialized security measures to keep them safe from cyberattacks. Furthermore, having your data on the same server as your site also exposes it to different attack vectors that target websites.
Suppose you run an online store and keep your site, non-sensitive data and sensitive data on the same server. Sure, you can use website security measures provided by the hosting service and the eCommerce platform’s security features to protect against cyberattacks and fraud. However, your sensitive data is now vulnerable to attacks through the site and the online store platform. Any attack that breaches either your site or the online store platform enables the cybercriminal to potentially access your database, as well.
To mitigate these security risks, separate your database servers from everything else. Additionally, use real-time security information and event monitoring (SIEM), which is dedicated to database security and allows organizations to take immediate action in the event of an attempted breach.
3. Set up an HTTPS proxy server
A proxy server evaluates requests sent from a workstation before accessing the database server. In a way, this server acts as a gatekeeper that aims to keep out non-authorized requests.
The most common proxy servers are based on HTTP. However, if you’re dealing with sensitive information such as passwords, payment information or personal information, set up an HTTPS server. This way, the data traveling through the proxy server is also encrypted, giving you an additional security layer.
4. Avoid using default network ports
TCP and UDP protocols are used when transmitting data between servers. When setting up these protocols, they automatically use default network ports.
Default ports are often used in brute force attacks due to their common occurrence. When not using the default ports, the cyber attacker who targets your server must try different port number variations with trial and error. This could discourage the assailant from prolonging their attack attempts due to the additional work that’s needed.
However, when assigning a new port, check the Internet Assigned Numbers Authority’s port registry to ensure the new port isn’t used for other services.
5. Use real-time database monitoring
Actively scanning your database for breach attempts bolsters your security and allows you to react to potential attacks.
You can use monitoring software such as Tripwire’s real-time File Integrity Monitoring (FIM) to log all actions taken on the database’s server and alert you of any breaches. Furthermore, set up escalation protocols in case of potential attacks to keep your sensitive data even safer.
Another aspect to consider is regularly auditing your database security and organizing cybersecurity penetration tests. These allow you to discover potential security loopholes and patch them before a potential breach.
6. Use database and web application firewalls
Firewalls are the first layer of defense for keeping out malicious access attempts. On top of protecting your site, you should also install a firewall to protect your database against different attack vectors.
There are three types of firewalls commonly used to secure a network:
- Packet filter firewall
- Stateful packet inspection (SPI)
- Proxy server firewall
Make sure to configure your firewall to cover any security loopholes correctly. It’s also essential to keep your firewalls updated, as this protects your site and database against new cyberattack methods.
7. Deploy data encryption protocols
Setting up data encryption protocols lowers the risk of a successful data breach. This means that even if cybercriminals get a hold of your data, that information remains safe.
8. Create regular backups of your database
While it’s common to create backups of your website, it’s essential to create backups for your database regularly, as well. This mitigates the risk of losing sensitive information due to malicious attacks or data corruption.
Here’s how to create database backups on the most popular servers: Windows and Linux. Also, to further increase security, ensure that the backup is stored and encrypted in a separate server. This way, your data is recoverable and safe if the primary database server gets compromised or remains inaccessible.
9. Keep applications up to date
Research shows that nine in 10 applications contain outdated software components. Furthermore, analysis on WordPress plugins revealed that 17,383 plugins hadn’t been updated for two years, 13,655 for three years and 3,990 for seven years. Together, this creates a serious security risk when thinking about software that you use to manage your database or even run your website.
While you should only use trusted and verified database management software, you should also keep it updated and install new patches when they become available. The same goes for widgets, plugins and third-party applications, with an additional suggestion to avoid the ones that haven’t received regular updates. Steer clear of them altogether.
10. Use strong user authentication
According to Verizon’s most recent research, 80% of data breaches are caused by compromised passwords. This shows that passwords alone aren’t a great security measure, primarily because of the human-error aspect of creating strong passwords.
To combat this issue and add another layer of security to your database, set up a multi-factor authentication process. (This method isn’t perfect because of recent trends.) Even if credentials get compromised, cyber criminals will have a difficult time going around this security protocol.
Also, consider only allowing validated IP addresses to access the database to mitigate the risk of a potential breach further. While IP addresses can be copied or masked, it requires additional effort from the assailant.
Enhance your database security to mitigate the risks of a data breach
Keeping your database secure against malicious attacks is a multi-faceted endeavor, from the servers’ physical location to mitigating the risk of human error.
Even though data breaches are becoming more frequent, maintaining healthy security protocols lowers the risk of being targeted and helps to avoid a successful breach attempt.
About the Author: Kristina Tuvikene is an editor at ONLINE ONLY, an agency that works with cloud services brands among others. You can find her on LinkedIn.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.