Database hardening is the process of analyzing and configuring your database to address security vulnerabilities by applying recommended best practices and implementing security product sets, processes and procedures.
However, how you go about this, and the steps required to harden servers and databases, can vary based on the platform you’re using. So how do you know where to start? There are tons of websites and how-to articles explaining how to start your database hardening process and database security procedures, but still, not all information is created equal.
Navigating Database Hardening
To help you navigate your quest for information on database hardening, we compiled a list of our favorite websites that map out how to get started:
Oracle’s Database Security Guide – The Database Security Guide is part of every current Oracle release’s documentation set. Topics include user and application security, securing data transfers over the network, authentication, encryption and auditing. The appendix in the 12C Database Security Guide titled “Keeping Your Oracle Database Secure” provides information on applying security patches and best practices for securing users, roles, passwords, database data, utility execution, network and external procedures. Oracle’s Technology Network (OTN) – Oracle dedicates an area of its community network to database security. Many of the articles and posts are directly from Oracle personnel as well as folks with various Oracle accreditations. Microsoft SQL Server 2014 – The Security Center for SQL Server Database Engine and Azure SQL Database is the documentation you need to spend some time on to ensure the data stores you are responsible for supporting are secured. Topics include authentication, encryption, auditing, and securing database data transmissions. Microsoft also provides a MSDN Security Developer Center. There are numerous articles, blogs, hints and tips that focus on database and operating system security. This site is your “one stop shop” as the tabs across the top of the page provide links to documentation, downloads, whitepapers and community discussions. The “Getting Started” links on the left side of the website provide valuable insight to both new and experienced administrators. IBM’s DB2 Security for LUW – The IBM DB2 documentation begins with a security model overview. It then logically breaks the sections down beginning with installation and moves into authentication, encryption, users and roles, column level access control and security plugins. MySQL’s 5.6 “Security in MySQL” starts with a set of security guidelines. It then begins to focus on more granular security procedures and recommended best practices. The MySQL documentation has a chapter titled “Making MySQL Secure Against Hackers” and a FAQ.How Regulatory Compliances Affect Database Hardening
Those that want to learn more about data security best practices can also find information by visiting websites that focus on regulatory compliances. The Payment Card Industry Data Security Standard (PCI DSS) provides a comprehensive security architecture broken down into 12 categories to secure cardholder data. The 12 categories are further decomposed into a little over 300 individual control objectives.
Although your shop may not store or process credit cards, the PCI DSS website is an excellent resource to learn the activities that credit card processors perform to secure their environments. The documents library contains the “Template for Report on Compliance for use with PCI DSS V3.0,” commonly known as the PCI ROC, which provides a line item for every activity required to obtain PCI DSS compliance.
Although Navistie does not store, process or transmit credit card data, we adhere to PCI DSS standards to improve the security of our service delivery architecture. We contracted a third-party auditing firm to evaluate our processes, standards documentation and control points. After the audit was complete, the auditing firm created our PCI DSS ROC attestation documentation.
The PCI DSS ROC documents have the sections broken down into the individual control activities, procedural documentation and processes. The key takeaway is that you don’t need to use the ROC documentation to become PCI DSS compliant. You can use it as a learning tool to further your education on data security best practices. Here’s a general overview of what is covered in the PCI ROC document:
Perimeter Controls Network diagram reviews Firewall implementation and hardening Routers Wireless access DMZ recommendations Two-factor authentication Database and Operating System Hardening Adherence to configuration standards Center for Internet Security (CIS) International Standards Organization (ISO) SysAdmin Audit Network Security (SANs) National Institute of Standards Technology (NIST) Default vendor passwords Server usage Secure and unsafe protocols System security parameters Anti-virus settings and controls Sensitive Data Storage, Processing and Transmission Storage media protection Encryption and key management Software development Transfer protocols Data destruction Security Practices Separation of duties Account and password management Limiting user access to “need to know” Change control Notification Approval Testing required Back-off plans Physical security Visitor policies Access control mechanisms Security vulnerability analysis reviews Security training Testing Vulnerability scans Penetration Incident response Third-party service provider audit requirements Audit logging Required activities to be logged Log entry contents Audit log protection Server time synchronization requirements Log review frequency AlertingThe PCI DSS Standards Organization recommends that organizations adhere to the following industry-accepted server hardening standards:
Center for Internet Security (CIS) – A nonprofit organization focused on enhancing the cyber security readiness and response of public and private sector entities. CIS provides resources that help partners achieve security goals. The website offers hardening best practices, daily tips, cyber advisories, case studies and numerous white papers. International Standards Organization (ISO) – An organization dedicated to developing and publishing a wide range of standards including information security management (ISO 27001) and risk management (ISO 31000). ISO/IEC 27001 provides requirements for an information security management system (ISMS) which they describe as “…a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.” SysAdmin Audit Network Security (SANs) – The SANS Institute is a for-profit company that provides security and cyber-security training. In addition to cyber-security training and certification offerings, they also provide Information Security Policy Templates that range from application development best practices to network and server hardening. This is an extremely robust list. If you need to create any type of security standards document, this is the website you should go to first. The site also provides white papers, articles, blogs, webcasts and FAQs. National Institute of Standards Technology (NIST) – A non-regulatory federal agency under the U.S. Department of Commerce. Their mission statement states, “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” NIST is most known for their information security advisories and their National Vulnerability database. Users are able to search for vulnerabilities using the product name, vulnerability description. Enter the name of the database you are tasked with protecting, and you will find all of the vulnerabilities identified by NIST associated with that product. Their sister website, The Computer Security Division – Computer Security Resource Center, provides an abundance of information on information security tools and practices. It also offers security standards and guidelines documents.