Around 39 billion records were compromised between January and December of last year, according to Flashpoint’s 2022 A Year in Review report. While this result is quite staggering, it also sends a clear message of the need for effective database security measures.
Database security measures are a bit different from network security practices. The former involves physical steps, software solutions and even educating your employees. However, it’s equally important to protect your site to minimize the potential attack vectors that cyber criminals could exploit.
Let’s look at 10 database security best practices that can help you to bolster your sensitive data’s safety.
1. Deploy physical database security
Data centers or your own servers can be susceptible to physical attacks by outsiders or even insider threats. If a cybercriminal gets access to your physical database server, they can steal the data, corrupt it or even insert harmful malware to gain remote access. Without additional security measures, it’s often difficult to detect these types of attacks since they can bypass digital security protocols.
If you house your own servers, adding physical security measures such as cameras, locks and staffed security personnel is highly suggested. Furthermore, any access to the physical servers should be logged and only given to specific people in order to mitigate the risk of malicious activities. Standards for the physical security of server rooms include:
- ISO 27001
- ISO 20000-1
- NIST SPs (SP 800-14, SP 800-23, and SP 800-53)
- Department of Defense Information Assurance Technical Framework
- SSAE 18 SOC 1 Type II, SOC 2 Type II and SOC 3
2. Separate database servers
Databases require specialized security measures to keep them safe from cyberattacks. Furthermore, having your data on the same server as your site also exposes it to different attack vectors that target websites.
Suppose you run an online store and keep your site, non-sensitive data and sensitive data on the same server. Sure, you can use website security measures provided by the hosting service and the eCommerce platform’s security features to protect against cyberattacks and fraud. However, your sensitive data is now vulnerable to attacks through the site and the online store platform. Any attack that breaches either your site or the online store platform enables the cybercriminal to potentially access your database, as well.
To mitigate these security risks, separate your database servers from everything else. Additionally, use real-time security information and event monitoring (SIEM), which is dedicated to database security and allows organizations to take immediate action in the event of an attempted breach. Additionally, vulnerability management solutions are effective for providing an accurate assessment of the security risks of each of your network assets.
3. Set up an HTTPS proxy server
A proxy server evaluates requests sent from a workstation before accessing the database server. In a way, this server acts as a gatekeeper that aims to keep out non-authorized requests.
The most common proxy servers are based on HTTP. However, if you’re dealing with sensitive information such as passwords, payment information or personal information, set up an HTTPS server. This way, the data traveling through the proxy server is also encrypted, giving you an additional security layer.
4. Avoid using default network ports
TCP and UDP protocols are used when transmitting data between servers. When setting up these protocols, they automatically use default network ports.
Default ports are often used in brute force attacks due to their common occurrence. When not using the default ports, the cyber attacker who targets your server must try different port number variations with trial and error. This could discourage the assailant from prolonging their attack attempts due to the additional work that’s needed.
However, when assigning a new port, check the Internet Assigned Numbers Authority’s port registry to ensure the new port isn’t used for other services.
5. Use real-time database monitoring
Actively scanning your database for breach attempts bolsters your security and allows you to react to potential attacks.
You can use monitoring software such as Tripwire’s real-time File Integrity Monitoring (FIM) to log all actions taken on the database’s server and alert you of any breaches. Furthermore, set up escalation protocols in case of potential attacks to keep your sensitive data even safer.
Another aspect to consider is regularly auditing your database security and organizing cybersecurity penetration tests. These allow you to discover potential security loopholes and patch them before a potential breach.
6. Use database and web application firewalls
Firewalls are the first layer of defense for keeping out malicious access attempts. On top of protecting your site, you should also install a firewall to protect your database against different attack vectors.
There are three types of firewalls commonly used to secure a network:
- Packet filter firewall
- Stateful packet inspection (SPI)
- Proxy server firewall
Make sure to configure your firewall to cover any security loopholes correctly. It’s also essential to keep your firewalls updated, as this protects your site and database against new cyberattack methods.
7. Deploy data encryption protocols
Encrypting your data isn’t just important when keeping your trade secrets; it’s also essential when moving or storing sensitive user information, defending against ransomware, or staying compliant with data privacy laws like GDPR.
Setting up data encryption protocols lowers the risk of a successful data breach. This means that even if cybercriminals get a hold of your data, that information remains safe. This also means that your data is kept secure not only at rest, but in transit, where it often is the most vulnerable.
8. Create regular backups of your database
While it’s common to create backups of your website, it’s essential to create backups for your database regularly, as well, and to keep one copy encrypted. This mitigates the risk of losing sensitive information due to malicious attacks or data corruption. Best practice recommends the 3-2-1 backup rule:
- Store three copies of the data
- Use two types of storage
- Store one in an offsite location
CIS Control 11:Data Recovery outlines the steps of a data recovery plan and prioritizes the importance of not only creating backups but testing the team’s ability to get them back online. As we stated in a previous blog, “Backups for mission critical infrastructure should be tested on a regular basis. This isn’t just to verify the integrity of the backups. It also ensures that staff has the know-how and experience to restore in a timely matter, as well.”
9. Keep applications up to date
Research shows that 88% of codebases contain outdated software components. Furthermore, outdated plugins are a magnet for malware exploits and create open vulnerabilities that hackers could use to pivot to other areas of your network. Together, this creates a serious security risk when thinking about software that you use to manage your database or even run your website.
While you should only use trusted and verified database management software, you should also keep it updated and install new patches when they become available. The same goes for widgets, plugins and third-party applications, with an additional suggestion to avoid the ones that haven’t received regular updates. Steer clear of them altogether.
10. Use strong user authentication
According to the Verizon 2022 Data Breach Investigations Report, 67% of data breaches last year resulted from compromised credentials. Single-factor authentication (SFA) methods are known to be unsafe, and it has been argued that the password is dead. A bare-minimum two-factor authentication (2FA) is suggested for even social media sites, and multi-factor authentication (MFA) is generally accepted as the standard for secure user authentication today. It also plays a critical role in helping organizations qualify for cyber insurance.
However, even that is changing as criminals are bypassing MFA checkpoints to gain access to cloud resources, and a passwordless future might be in the cards for most organizations soon.
Also, consider only allowing validated IP addresses to access the database to mitigate the risk of a potential breach further. While IP addresses can be copied or masked, it requires additional effort from the assailant.
Enhance your database security to mitigate the risks of a data breach
Securing your database with industry standard best practices provides one more defense-in-depth layer to your zero-trust approach.
As breaches continue to rise, the chances of threat actors in your network becomes an ever-greater possibility. Organizations that have prepared ahead of time with stored and encrypted data will be the ones most likely to recover.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.