4

So as I understand it, database hardening is a process in which you remove the vulnerabilities that result from lax configuration options. This can sometimes compensate for exploitable vendor bugs.

Three main stages exist in hardening a database:

  1. Locking down access to resources that can be misused.
  2. Disabling functions that are not required.
  3. Principle of least authority or least privileges.

There is a wealth of information for "locking down" RDBMS environments to harden them against attacks. However, these resources don’t provide enough context on current exploitations for databases (if you don’t know what types of attacks exist and which ones are popular, how do you know if your hardening measures are going to provide protection?).

A bad way for me to begin learning hardening techniques would be to list as many database exploitations as are out there and learn how each and every one of them works; that could take... a very long time.

So I am wondering where I can begin, resources available and current trends etc.

G Gr
  • 175
  • 2
  • 11
  • I think this applies for most databases: [Q: MySQL Server Hardening](http://security.stackexchange.com/questions/1138/mysql-server-hardening?rq=1) – Luc Feb 20 '13 at 18:36
  • Added a response below, but in general, attacks are either in the underlying code of the DBMS, which would be a patching issue, or will be in a certain type of vector which is addressed through hardening and general controls. E.g., permissions on tables/views, good passwords, SQL injection, memory management. It is not very often there is a new "class" of attack per se. – Eric G Feb 21 '13 at 05:06

4 Answers

2

There are a few resources such as CIS. If you want to be up to military standards, I would check out the STIGs (Security Technical Implementation Guides). They have STIGs for SQL Server, and you can check out the general DB reqs.

From your post, it is not clear if you are working in a web environment, but you probably want to know about SQL injection, etc. I'd start at OWASP. They have some general information on SQL injection, some secure guidelines, and some testing guidelines.

In terms of finding current exploits, you can search through CVEs.

If you provide us with some additional detail, we can provide some more resources. You may just want to check Amazon for books on the subject that fit your style and focus.

Eric G
  • 9,691
  • 4
  • 31
  • 58
0

You could give the CIS - Center for Internet Security - a go. Database security benchmarks:

http://benchmarks.cisecurity.org/downloads/browse/index.cfm?category=benchmarks.servers.database

CIS is an organization well known for their security benchmarks and you'll find them in many organizations.

0

"current exploits" will be the "old hat exploits" of next month and, as such, are pretty similar to the current set of "old hat" exploits. And no-one will talk about next week's exploits anyway.

In short, look at the security patches over the last year and think whether the measures you take would have stopped any of them.

Gary
  • 884
  • 7
  • 12
0

To add to the other answers that list specific resources for hardening databases, I'll address your point around how to address unknown threats to databases.

I'd suggest that you shouldn't base your securing of any component of your infrastructure on specific threats (e.g. whatever today's "hot 0-day" is).

Instead look at reducing your attack surface as much as practicable (e.g. removing unneeded functionality, only providing database users with specific rights required to operate, enabling remote logging of security events), and then (depending on your threat model) consider whether you need additional controls (e.g. database firewalls).

If you try to base controls on specific threats, you'll just end up constantly in catch-up mode.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
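
An added example, not part of any answer above, of the review two of the answers describe: replay the past year's advisories against your hardening measures and see which ones would have been stopped because a precondition was already removed. The advisory IDs, precondition labels and hardening profile are constructed placeholders, grouped by the three stages listed in the question.

```python
"""Added example: replay past advisories against a hardening profile."""
from dataclasses import dataclass

# Constructed sample data: advisory IDs are placeholders, not real CVEs.
# Each advisory lists the preconditions an attacker needed (all of them).
@dataclass(frozen=True)
class Advisory:
    ident: str
    needs: frozenset  # every item must hold for the bug to be reachable

ADVISORIES = [
    Advisory("ADVISORY-PLACEHOLDER-1", frozenset({"net:any-host", "auth:none"})),
    Advisory("ADVISORY-PLACEHOLDER-2", frozenset({"auth:login", "feature:file-import"})),
    Advisory("ADVISORY-PLACEHOLDER-3", frozenset({"auth:login", "priv:create-procedure"})),
    Advisory("ADVISORY-PLACEHOLDER-4", frozenset({"auth:login", "priv:select"})),
]

# Hypothetical hardening profile, grouped by the three stages in the question.
# Values are the preconditions each measure takes away from an attacker.
PROFILE = {
    "lock down access": {"net:any-host", "auth:none"},
    "disable unused functions": {"feature:file-import"},
    "least privilege": {"priv:create-procedure", "priv:grant", "priv:drop"},
}

def review(advisories, profile):
    """Return (blocked, residual): blocked maps advisory id -> stages that
    removed at least one precondition; residual lists ids still reachable."""
    blocked, residual = {}, []
    for adv in advisories:
        stages = sorted(s for s, removed in profile.items() if adv.needs & removed)
        if stages:
            blocked[adv.ident] = stages
        else:
            residual.append(adv.ident)  # only patching helps here
    return blocked, residual

def unused_measures(advisories, profile):
    """Removed preconditions that no replayed advisory depended on."""
    needed = set().union(*(a.needs for a in advisories))
    return sorted(set().union(*profile.values()) - needed)

if __name__ == "__main__":
    blocked, residual = review(ADVISORIES, PROFILE)
    for ident, stages in blocked.items():
        print(f"{ident}: blocked by {', '.join(stages)}")
    print("still reachable, patch promptly:", residual)
    print("not exercised by this sample:", unused_measures(ADVISORIES, PROFILE))
```

The residual list is the part that only timely patching covers; the blocked list shows which stage removed the precondition, without the profile having been written with that advisory in mind.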