According to Risk Based Security’s 2020 Q3 report, around 36 billion records were compromised between January and September 2020. While this result is quite staggering, it also sends a clear message of the need for effective database security measures.
Database security measures are a bit different from website security practices. The former involve physical steps, software solutions and even educating your employees. However, it’s equally important to protect your site to minimize the potential attack vectors that cyber criminals could exploit.
Let’s look at 10 database security best practices that can help you to bolster your sensitive data’s safety.
1. Deploy physical database security
Data centers or your own servers can be susceptible to physical attacks by outsiders or even insider threats. If a cybercriminal gets access to your physical database server, they can steal the data, corrupt it or even insert harmful malware to gain remote access. Without additional security measures, it’s often difficult to detect these types of attacks since they can bypass digital security protocols.
When choosing a web hosting service, make sure it’s a company with a known track record of taking security matters seriously. It’s also best to avoid free hosting services because of the possible lack of security.
If you house your own servers, adding physical security measures such as cameras, locks and staffed security personnel is highly suggested. Furthermore, any access to the physical servers should be logged and only given to specific people in order to mitigate the risk of malicious activities.
2. Separate database servers
Databases require specialized security measures to keep them safe from cyberattacks. Furthermore, having your data on the same server as your site also exposes it to different attack vectors that target websites.
Suppose you run an online store and keep your site, non-sensitive data and sensitive data on the same server. Sure, you can use website security measures provided by the hosting service and the eCommerce platform’s security features to protect against cyberattacks and fraud. However, your sensitive data is now vulnerable to attacks through the site and the online store platform. Any attack that breaches either your site or the online store platform enables the cybercriminal to potentially access your database, as well.
To mitigate these security risks, separate your database servers from everything else. Additionally, use real-time security information and event monitoring (SIEM), which is dedicated to database security and allows organizations to take immediate action in the event of an attempted breach.
3. Set up an HTTPS proxy server
A proxy server evaluates requests sent from a workstation before accessing the database server. In a way, this server acts as a gatekeeper that aims to keep out non-authorized requests.
The most common proxy servers are based on HTTP. However, if you’re dealing with sensitive information such as passwords, payment information or personal information, set up an HTTPS server. This way, the data traveling through the proxy server is also encrypted, giving you an additional security layer.
4. Avoid using default network ports
TCP and UDP protocols are used when transmitting data between servers. When setting up these protocols, they automatically use default network ports.
Default ports are often used in brute force attacks due to their common occurrence. When not using the default ports, the cyber attacker who targets your server must try different port number variations with trial and error. This could discourage the assailant from prolonging their attack attempts due to the additional work that’s needed.
However, when assigning a new port, check the Internet Assigned Numbers Authority’s port registry to ensure the new port isn’t used for other services.
5. Use real-time database monitoring
Actively scanning your database for breach attempts bolsters your security and allows you to react to potential attacks.
You can use monitoring software such as Tripwire’s real-time File Integrity Monitoring (FIM) to log all actions taken on the database’s server and alert you of any breaches. Furthermore, set up escalation protocols in case of potential attacks to keep your sensitive data even safer.
Another aspect to consider is regularly auditing your database security and organizing cybersecurity penetration tests. These allow you to discover potential security loopholes and patch them before a potential breach.
6. Use database and web application firewalls
Firewalls are the first layer of defense for keeping out malicious access attempts. On top of protecting your site, you should also install a firewall to protect your database against different attack vectors.
There are three types of firewalls commonly used to secure a network:
- Packet filter firewall
- Stateful packet inspection (SPI)
- Proxy server firewall
Make sure to configure your firewall to cover any security loopholes correctly. It’s also essential to keep your firewalls updated, as this protects your site and database against new cyberattack methods.
7. Deploy data encryption protocols
Setting up data encryption protocols lowers the risk of a successful data breach. This means that even if cybercriminals get a hold of your data, that information remains safe.
8. Create regular backups of your database
While it’s common to create backups of your website, it’s essential to create backups for your database regularly, as well. This mitigates the risk of losing sensitive information due to malicious attacks or data corruption.
Here’s how to create database backups on the most popular servers: Windows and Linux. Also, to further increase security, ensure that the backup is stored and encrypted in a separate server. This way, your data is recoverable and safe if the primary database server gets compromised or remains inaccessible.
9. Keep applications up to date
Research shows that nine in 10 applications contain outdated software components. Furthermore, analysis on WordPress plugins revealed that 17,383 plugins hadn’t been updated for two years, 13,655 for three years and 3,990 for seven years. Together, this creates a serious security risk when thinking about software that you use to manage your database or even run your website.
While you should only use trusted and verified database management software, you should also keep it updated and install new patches when they become available. The same goes for widgets, plugins and third-party applications, with an additional suggestion to avoid the ones that haven’t received regular updates. Steer clear of them altogether.
10. Use strong user authentication
According to Verizon’s most recent research, 80% of data breaches are caused by compromised passwords. This shows that passwords alone aren’t a great security measure, primarily because of the human-error aspect of creating strong passwords.
To combat this issue and add another layer of security to your database, set up a multi-factor authentication process. (This method isn’t perfect because of recent trends.) Even if credentials get compromised, cyber criminals will have a difficult time going around this security protocol.
Also, consider only allowing validated IP addresses to access the database to mitigate the risk of a potential breach further. While IP addresses can be copied or masked, it requires additional effort from the assailant.
Enhance your database security to mitigate the risks of a data breach
Keeping your database secure against malicious attacks is a multi-faceted endeavor, from the servers’ physical location to mitigating the risk of human error.
Even though data breaches are becoming more frequent, maintaining healthy security protocols lowers the risk of being targeted and helps to avoid a successful breach attempt.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Source of this news: https://www.tripwire.com/state-of-security/featured/database-security-best-practices-you-should-know/
At this year’s NGINX Sprint 2.0 virtual conference, NGINX, the arm of F5 behind the popular open source web server/load balancer and reverse proxy of the same name, made several declarations as to i...
Most online businesses have an eye for the first position on search engine results pages. This is because the top part attracts a large number of visitors. The top position is also the place where bu...
Eugenio Suárez is not a major league caliber shortstop. That’s no knock on him — pretty much no one in the entire world is, and he picked the position up out of necessity rather than because it was i...
Cloud storages become a leading solution for some individual and organization users due to enhanced data accessibility and safety. That is, many users choose to save their important data to a cloud ...
Imagine by Syahir Hakim within Pixabay Whether it be drought conditions, inefficiencies drawn from old classic practices or an incapability to gain the technical professor needed to c...
IcedID is a banking trojan, it is designed to be stealthy and built to collect financial information. IcedID harvests user credentials and banking sessions to commit financial crimes, including ...
The Ough. S. Army is searching for a cloud-based community that it can use to copy a real-world attacker punching the Department of Defense Guidance Network (DoDIN). In a request for informat...
Himachal Pradesh Police on Sunday made aware the netizens of hacker creating fake WhatsApp IDs of important persons since cops of the state to successfully dupe people and aware them not to inte...
Bug exploited inconsistencies between intermediary and backend serversMitmproxy, an open source, interactive HTTPS proxy service, has patched a dangerous bug that potentially allowed attackers to st...
Windows: Take a look at access to streaming media labeled by your location, web sites regarding display differently depending on in which you are supposed to, or just a little privacy, ...
While VPNs are sucking up all the oxygen in the privacy conversation, there is a similar technology that hasn't gotten the same attention: the humble proxy. We asked experts from two leading VPN comp...
A computer retail company based in the U.S. was the target of a previously undiscovered implant called SideWalk as part of a recent campaign undertaken by a Chinese advanced persistent threat group p...
This tutorial is about the How to Fix the Microsoft Store Acquiring License Error. We will try our best so that you understand this guide. I hope you like this blog How to Fix the Microsoft Store Acq...
The value of safety has been drilled inside of our heads for as long as we are remember. Whether it's the fireman contacting us about not shopping with matches or mom reminding us to buckle r...
Hi! I am new to this forum and I hope that my problem would be fix.This week, I notice that everytime I try to access google.com, it only shows "Your connection is not private" with error message NET...
Dallas Invents is a weekly look at U.S. patents granted with a connection to the Dallas-Fort Worth-Arlington metro area. Listings include patents granted to local assignees and/or those with a N...
Not a lot of new Royals news because of the day game yesterday. Most of the stories were about that. Here’s some Alec Lewis from yesterday that slipped through the cracks Also from Wednesday, an MLBT...
Current information ProxyShell Exchange Server Flaw Used for Ransomware Attacks By Kurt Mackie 08/24/2021 Security researchers are seeing the appearance of LockFile ransomware deplo...