Although IT managers know they should do everything they can to maintain secure databases for their business and customers, experts say it's important to regularly review some simple but effective steps that sometimes get forgotten in the daily hubbub.
First, don't forget the patches. IT managers should keep current with the latest security patches for the network's operating system and databases, said Gerhard Eschelbeck, chief technological officer and senior vice president of engineering at Webroot Software Inc., a Boulder, Colo.-based developer of Internet security products.
"Unpatched security vulnerabilities are frequently used by attackers to compromise systems and databases," he said.
And weak or default passwords should be weeded out, as should unused login accounts, Eschelbeck said. "Unsecured login accounts or permissions lead to unauthorized access of your data," Eschelbeck said.
Limiting physical and network access to the database system is another crucial security step, according to Serdar Yegulalp, an author and editor of Windows Power Users Newsletter.
"Treat a database like any other computer asset that you want to protect. Don't just let anyone get to it," he said.
Database contact should be limited to machines that have to talk to it while ensuring standard protections are in place, he said.
Also, if a company uses a Web application to access its database -- for example, scripts written in Active Server Pages (ASP) or ASP.NET -- and a script crashes, the error report it generates can potentially reveal the script's source code, Yegulalp said.
In a case like that, limiting database access to the correct users is essential. If proper security measures already limit database access to the right users, a script crash will not reveal database connection information to the wrong ones, Yegulalp said.
"I've seen this happen more than a few times -- the database connection name and password for all the world to see," he said, adding that he recommends rotating the password for the database connection regularly, which adds just one more layer of security to the process.
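The disclosure Yegulalp describes is an ASP.NET application running with detailed error pages turned on: an unhandled exception renders a stack trace and source excerpt, and if the failing line built the connection, the account name and password go out with it. The following web.config fragments are an added example, not code from the article or from any product it mentions; the application name, the connection string and its credentials are placeholders constructed for illustration. The first fragment shows the weak setting, the second the corrected one.

```xml
<!-- Added example (hypothetical web.config for an ASP.NET application).
     WEAK: customErrors mode="Off" sends the full exception page, with stack trace
     and source context, to every remote client. -->
<configuration>
  <connectionStrings>
    <!-- Constructed placeholder credentials for this example -->
    <add name="OrdersDb"
         connectionString="Server=db01;Database=Orders;User Id=app_user;Password=CHANGE_ME" />
  </connectionStrings>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" />
  </system.web>
</configuration>

<!-- CORRECTED: remote clients only ever receive a generic error page; exception
     detail is shown to requests from the server itself (mode="RemoteOnly"), or to
     nobody at all with mode="On". Debug compilation is off so responses carry no
     source line information. -->
<configuration>
  <connectionStrings>
    <add name="OrdersDb"
         connectionString="Server=db01;Database=Orders;User Id=app_user;Password=CHANGE_ME" />
  </connectionStrings>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <!-- Map server faults to the same generic page rather than the default trace view -->
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>
    <compilation debug="false" />
  </system.web>
</configuration>
```

Hiding the error page addresses the symptom in the article; the credentials are still in plaintext on disk. ASP.NET ships `aspnet_regiis.exe -pe "connectionStrings" -app "/YourApp"` to encrypt that configuration section in place so that the application can still read it while anyone who obtains a copy of the file cannot, which pairs naturally with the regular password rotation Yegulalp recommends. A useful check after deployment is to request a page that deliberately throws from a machine other than the server and confirm that only the generic page, with no stack trace, comes back.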
Finally, sensitive data, such as credit card or social security numbers, should be encrypted when they are stored in a database, not just when the data is in transit, Eschelbeck said.