bMighty: What can smaller businesses do to protect their databases?
Sarel: They should do what larger businesses do -- that is, monitor everything that is going on.
Markovich: Monitoring database activity will alert you if something fishy is going on -- an attack that tries to exploit vulnerabilities or unauthorized access to sensitive information, for example, from an unauthorized IP or at unusual hours. Smaller businesses should rely on open standards and available free tools that they can use to protect their database and investigate breaches. There are a lot of free tools available on the Internet, like Hedgehog Standard [Sentrigo's] database activity monitoring tool, and OAK, an open source tool [the download is in a zip file] provided by David Litchfield.
The easiest way to get into a database is to guess a password. Many businesses rely on well-known passwords, so one of the first things to do is check for weak passwords. There are several available tools for password checking. For Oracle databases, Red-Database-Security provides a free tool called checkpwd, and for general password guessing, [there is] John the Ripper.
Sarel: Small and midsize businesses are not aware of how vulnerable they are. Their trade secrets, lists of customers -- any information they keep on their databases -- smaller businesses aren't aware of how easy it is to get in. They need to know there is a problem. Once they are aware, there are tools that can help protect them.
Markovich: Another thing is, don't use an unauthorized network. Also, install just what you need for the database. Don't install everything. Databases come with many options -- XML, Java -- if you don't need it, don't install it. Otherwise you increase your attack surface. And give only the minimum amount of privileges to users for tasks. Try to be as close as possible to the latest version of the operating system and the database -- apply patches. And use available tools for monitoring assessment.
bMighty: How can smaller businesses do all this?
Sarel: It is tough for smaller businesses to do it all the time. One way around that is when you employ someone who will be in charge of your database, ask if they are aware of security issues and how they will deal with them. Only hire someone who is familiar with database security. In security, the key is to be aware.
If a smaller business has five people who have access to their database, give each person the least privileges that they need. If a user can't delete information from a database, the damage is limited. Also, all computer products have logs that tell you everything that has been going on. Make sure you keep those logs. Change the default settings so logs don't get lost. Remember, you only need one IT person who is security-aware to make sure things are secure.
bMighty: What should a smaller business do if there is a database breach?
Sarel: If that happens and your database is not critical to your business, completely isolate the database and investigate what is going on and build security so it doesn't happen again. Try to mitigate the damage, but you need to understand what happened. If your database is critical to what you're doing and you can't isolate it, immediately create a copy of the database so you can investigate it somewhere else. One of the things bad guys do is they try to cover their tracks. By isolating the database or creating a copy you might be able to find that out.
Markovich: For midsize companies where there are a few IT guys, it's important to have a separation of duties so the security guy can monitor [activities] but doesn't have access to the database and the database guy has access to the database. Minimize the damage a single person can do. If one person has access to all, they can damage it all.
Naomi Grossman is assistant editor of bMighty.com.



