Databases are a key target for cybercriminals because they often contain sensitive data. This sensitive data may be financial information, it may contain intellectual property, corporate secrets or personally identifiable information. There are some things that make databases vulnerable to inside and outside threats. These things can be caused either by human or technical factors.
There are many factors that may affect database vulnerability. Among such most popular factors are weak passwords, which can make databases really vulnerable. Among other vulnerabilities that can make your database a fair game for cybercriminals are wrongly configured servers and the failure to timely install security patches for databases. Database security researches constantly analyze different databases trying to find new ways of hacking them. When they succeed in doing that, information about it is immediately shared with database security community and database security patches are issued. However, few system administrators install fixes, leaving computers vulnerable. Installing database security patches and fixes is critical.
Below are the public resources using which you can increase the protection level of your databases:
- CVEs database
- CIS Benchmarks
- DISA compliance
All discovered database vulnerabilities are collected in a special CVE database. Common Vulnerabilities and Exposures (CVE®) is a database of vulnerabilities in the code. CVE is now the industry standard for vulnerability and exposure identifiers. CVE Entries — also called “CVEs,” “CVE IDs,” and “CVE numbers” by the community — provide reference points for data exchange so that cybersecurity products and services can speak with each other. CVE Entries also provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.
The process of creating a CVE Entry begins with the discovery of a potential security vulnerability. The information is then assigned a CVE ID by a CVE Numbering Authority (CNA), the CNA writes the Description and adds References, and then the completed CVE Entry is added to the CVE list and posted on the CVE website by the CVE Team.
The national and international sensitive data protection regulations clearly stipulate that databases shouldn’t have any vulnerabilities and all security patches should be applied immediately upon their release.
As it was mentioned earlier, one of the reasons for database vulnerability is misconfigured servers. The Center for Internet Security, Inc. (CIS®) is a community-driven non-profit organization responsible for development CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data.
CIS Benchmarks are best practices for the secure configuration of a target system. They are developed through volunteer efforts of IT experts, technology vendors, public and private community members and the CIS Benchmark Development team.
Such best practices are available for operating systems, cloud providers, server software, mobile devices, network devices, desktop software.
DISA stands for the Defense Information Systems Agency and is part of the Department of Defense (DoD). The mission of the agency is to provide information technology and communication support to the government and associated defense agencies. The Agency developed and maintaining a security standard for computer systems and networks that connect to the Department of Defense. This standard contains sets of secure configurations and checklists, known as Security Technical Implementation Guides (STIGS), which ensure the security of computer networks and systems.
Vulnerability Assessment with DataSunrise
The Vulnerability Assessment tool from DataSunrise enables you to make your databases less vulnerable at many layers.
Firstly, it informs you about all known CVEs (vulnerabilities) for the databases included in your DataSunrise’s configuration. The list of vulnerabilities can be downloaded from the DataSunrise web site. As a result, database administrators and owners can get the latest information about available database security patches and apply them which increases the database security level.
Secondly, using SQL queries, the Vulnerability Assessment tool can check if your protected databases comply with the requirements of CIS and DISA.
DataSunrise Database Security Suite enables you to keep your databases secure and up to date with the latest database security practices.