The Case for Hardening your Databases

By Raj Soni

Hardening your databases is the easiest thing you can do now to protect your data! It can identify exposures such as missing patches, weak passwords, unauthorized access and changes, misconfigured privileges, and other vulnerabilities.

Setting up a database vulnerability program provides the following key benefits: it will (1) identify and remediate vulnerable databases, (2) keep an “extra pair of eyes” on those vulnerable databases and create alerts for them if you choose, and (3) at the very least create exceptions for the vulnerabilities you know about and document them to CYA! We have found that most organizations perform only OS/server vulnerability scans and do not scan at the database level or run entitlement reports, which should be run and validated quarterly.

When you initially conduct a scan, you may get a lot of test failures. Some tests can be easily fixed; others may take time for various reasons, mostly because a database version is out of support for a business reason (we will come to that point later). After your initial scan, group the failed tests into categories and address the easy ones first: prioritize them and fix them right away. For the ones that are going to take time to remediate, create an exception so they don’t get flagged every time you run the scans.

Acceptable Risk

Let’s talk about CYA!  You will get multiple test failures when you initially run database vulnerability scans and you may not be able to remediate them all immediately, if ever. If that is the case, wouldn’t you want the line-of-business to know and accept the risk if it cannot be resolved?

Forensic Value of Vulnerability Scans

If you study the forensics of previous data breaches, you will see that a vulnerability was exploited. If you want to examine a potential data breach, you will need previous vulnerability scans to compare with the most current scan to understand the attack vector and see which vulnerability was exploited.
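The scan-to-scan comparison described here, combined with the exception handling discussed earlier, as an added example that is not from the original post or any scanner product. The database names, check names, and the expiry date on each exception are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data: (database, check) pairs that FAILED in each scan.
# Check names are illustrative and not taken from any real scanner.
PREVIOUS_SCAN = {
    ("hr_db", "default-account-password"),
    ("hr_db", "missing-patch"),
    ("sales_db", "public-role-excess-privilege"),
    ("crm_db", "weak-password"),
}
CURRENT_SCAN = {
    ("hr_db", "missing-patch"),
    ("sales_db", "public-role-excess-privilege"),
    ("sales_db", "audit-logging-disabled"),
    ("crm_db", "weak-password"),
}

# Documented risk acceptances: finding -> (approving owner, expiry date).
# An expiry date is an assumption; it forces the acceptance to be revisited.
EXCEPTIONS = {
    ("hr_db", "missing-patch"): ("HR line-of-business", date(2030, 1, 1)),
    ("sales_db", "public-role-excess-privilege"): ("Sales line-of-business", date(2020, 1, 1)),
}


def triage(previous, current, exceptions, today):
    """Split the current scan's failures into buckets for follow-up."""
    report = {"new": [], "persisting": [], "excepted": [],
              "expired_exception": [], "resolved": sorted(previous - current)}
    for finding in sorted(current):
        exc = exceptions.get(finding)
        if exc and exc[1] >= today:
            report["excepted"].append(finding)           # accepted risk, not re-flagged
        elif exc:
            report["expired_exception"].append(finding)  # acceptance lapsed, flag again
        elif finding in previous:
            report["persisting"].append(finding)         # known and still unremediated
        else:
            report["new"].append(finding)                # appeared since the last scan
    return report


if __name__ == "__main__":
    result = triage(PREVIOUS_SCAN, CURRENT_SCAN, EXCEPTIONS, date(2025, 1, 1))
    for bucket, findings in result.items():
        print(f"{bucket}:")
        for db, check in findings:
            print(f"  {db}: {check}")
```

Keeping each scan's output alongside the exception list is what makes the "new" bucket usable later as a record of when a weakness first appeared.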

Would you like to know the effort involved in setting up a database vulnerability assessment and running the ongoing framework? We can also help build it by consensus, with written standards and agreed-upon remediation timelines, so required fixes can be prioritized and scheduled. Drop me a note and I can answer any questions you may have.

Thank you and be well.
