Statista shows a near doubling of data compromises between last year (3,205) and the year before (1,802). Cybercriminals go where the data goes, and there is more need than ever for effective database security measures.
These tactics differ from network security practices, which rely heavily on software solutions and even employee best practices. When it comes to securing databases, it is a battle between security experts and cybercriminals themselves, and the one who wins is the one with the most knowledge.
On that note, here are 10 database security best practices that can help you stay one step ahead of attackers.
1. Deploy physical database security
Data centers or your own servers can be susceptible to physical attacks by outsiders or even insider threats. If a cybercriminal gets access to your physical database server, they can steal the data, corrupt it, or even insert harmful malware to gain remote access. Without additional security measures, it's often difficult to detect these types of attacks since they can bypass digital security protocols.
If you house your own servers, adding physical security measures such as cameras, locks, and staffed security personnel is highly recommended. Furthermore, any access to the physical servers should be logged and only given to specific people in order to mitigate the risk of malicious activities. Standards for the physical security of server rooms include:
- ISO 27001
- ISO 20000-1
- NIST SPs (SP 800-14, SP 800-23, and SP 800-53)
- Department of Defense Information Assurance Technical Framework (IATF)
- SSAE 18 SOC 1 Type II, SOC 2 Type II and SOC 3
2. Separate database servers
Databases require specialized security measures to keep them safe from cyberattacks. Furthermore, having your data on the same server as your site also exposes it to different attack vectors that target websites.
Suppose you run an online store and keep your site, non-sensitive data, and sensitive data on the same server. Sure, you can use website security measures provided by the hosting service and the eCommerce platform's security features to protect against cyberattacks and fraud. However, your sensitive data is now vulnerable to attacks through the site and the online store platform. Any attack that breaches either your site or the online store platform enables the cybercriminal to potentially access your database, as well.
To mitigate these security risks, separate your database servers from everything else. Additionally, use real-time security information and event monitoring (SIEM), which is dedicated to database security and allows organizations to take immediate action in the event of an attempted breach. Additionally, vulnerability management solutions are effective for providing an accurate assessment of the security risks of each of your network assets.
Watch our video to find out how to secure your IMB i and remote data with Sequel Data Access: How to Utilize Database Security Options
3. Set up an HTTPS proxy server
A proxy server evaluates requests sent from a workstation before accessing the database server. In a way, this server acts as a gatekeeper that aims to keep out non-authorized requests.
The most common proxy servers are based on HTTP. However, if you're dealing with sensitive information such as passwords, payment information, or personal information, set up an HTTPS server. This way, the data traveling through the proxy server is also encrypted, giving you an additional security layer.
4. Avoid using default network ports
TCP and UDP protocols are used when transmitting data between servers. When setting up these protocols, they automatically use default network ports.
Default ports are often used in brute force attacks due to their common occurrence. When not using the default ports, the cyber attacker who targets your server must try different port number variations with trial and error. This could discourage the assailant from prolonging their attack attempts due to the additional work that's needed.
However, when assigning a new port, check the Internet Assigned Numbers Authority's port registry to ensure the new port isn't used for other services.
5. Use real-time database monitoring
Actively scanning your database for breach attempts bolsters your security and allows you to react to potential attacks.
You can use monitoring software such as Tripwire's real-time File Integrity Monitoring (FIM) to log all actions taken on the database's server and alert you of any breaches. Furthermore, set up escalation protocols in case of potential attacks to keep your sensitive data even safer.
Another aspect to consider is regularly auditing your database security and organizing cybersecurity penetration tests. These allow you to discover potential security loopholes and patch them before a potential breach.
6. Use database and web application firewalls
Firewalls are the first layer of defense for keeping out malicious access attempts. On top of protecting your site, good database security means installing a firewall to protect against different attack vectors.
There are three types of firewalls commonly used to secure a network:
- Packet filter firewall
- Stateful packet inspection (SPI)
- Proxy server firewall
Make sure to configure your firewall to cover any security loopholes correctly. It's also essential to keep your firewalls updated, as this protects your site and database against new cyberattack methods.
7. Deploy data encryption protocols
Encrypting your data isn't just important when keeping your trade secrets; it's also essential when moving or storing sensitive user information, defending against ransomware, or staying compliant with data privacy laws like GDPR.
Setting up data encryption protocols lowers the risk of a successful data breach. This means that even if cybercriminals get a hold of your data, that information remains safe. This also means that your data is kept secure not only at rest but in transit, where it often is the most vulnerable.
8. Create regular backups of your database
While it's common to create backups of your website, it's essential to create backups for your database regularly, as well, and to keep one copy encrypted. Automated data backups mitigate the risk of losing sensitive information due to malicious attacks or data corruption. Best practice recommends the 3-2-1 backup rule:
- Store three copies of the data
- Use two types of storage
- Store one in an offsite location
CIS Control 11: Data Recovery outlines the steps of a data recovery plan and prioritizes the importance of not only creating backups but also testing the team's ability to get them back online. As we stated previously, "Backups for mission-critical infrastructure should be tested on a regular basis. This isn't just to verify the integrity of the backups. It also ensures that staff has the know-how and experience to restore in a timely matter, as well."
9. Keep applications up-to-date
Research shows that 88% of codebases contain outdated software components. Furthermore, outdated plugins are a magnet for malware exploits and create open vulnerabilities that hackers could use to pivot to other areas of your network. Together, this creates a serious security risk when thinking about software that you use to manage your database or even run your website.
While you should only use trusted and verified database management software, you should also keep it updated and install new patches when they become available. The same goes for third-party applications, with an additional suggestion to avoid the ones that haven't received regular updates. Steer clear of those altogether to ensure the best database security.
Learn more about securing your data with Fortra's Data Protection Overview. Watch now.
10. Use strong user authentication
According to the Verizon 2022 Data Breach Investigations Report, 67% of data breaches last year resulted from compromised credentials. Single-factor authentication (SFA) methods are known to be unsafe, and it has been argued that the password is dead. A bare minimum two-factor authentication (2FA) is suggested for even social media sites, and multi-factor authentication (MFA) is generally accepted as the standard for secure user authentication today. It also plays a critical role in helping organizations qualify for cyber insurance.
However, even that is changing as criminals are bypassing MFA checkpoints to gain access to cloud resources, and a passwordless future might soon be in the cards for most organizations.
Also, consider only allowing validated IP addresses to access the database to mitigate the risk of a potential breach further. While IP addresses can be copied or masked, additional effort is required from the assailant.
Enhance your database security to mitigate the risks of a data breach
Securing your database with industry-standard best practices provides one more defense-in-depth layer to your zero-trust approach. As breaches continue to rise, the chance of threat actors in your network becomes an ever-greater possibility. Organizations that have prepared ahead of time with stored and encrypted data will be the ones most likely to recover.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Meet Fortra™ Your Cybersecurity Ally™
Fortra is creating a simpler, stronger, and more straightforward future for cybersecurity by offering a portfolio of integrated and scalable solutions. Learn more about how Fortra’s portfolio of solutions can benefit your business.