Database Security – Self Assessment

The following questionnaire will help you evaluate the strength of your database security. It takes about 5 minutes to complete it and at the end you’ll get a score along with an email containing the results with detailed explanations.

Do you know where is your sensitive information? Which database and what tables and columns contain it?

We know some of the sensitive databases

We know the main sensitive databases and most sensitive columns

We know the exact database and column of every piece of sensitive information

The most elementary requirement to protect sensitive data is to know where it is. Having the list of database that contain it and the tables and columns that require protection is essential.

Have you ensured users only have the minimal privileges they need (least privileged)?

Only to some of the users

Only for administrator privileges and roles

Yes, we validated everyone’s privileges and permissions

An important best practice is to ensure least privileged – that users only have the permissions needed to perform their job. This is especially important for administrator privileges that are, unfortunately, often granted by mistake or without good justification.

Are you aware of changes in your database?

We get a report/alert when users are created, modified, or changed

We get a report/alert when tables or objects are created, modified, or changed

We get an report/alert when database configuration changes

We review detailed information about all the above changes in the database

We review every change as well as monitor all the DDLs in the database

Change control is a simple way to demonstrate basic control over environments. Since administrators often neglect to document these changes, it is highly recommended to close the loop by monitoring for changes in the environment and approving them.

Do you review who connected to your database?

We have some logging in place, but we don’t review it

We review connections we consider to be higher risk

Yes, we are aware of everyone connecting to our databases

Knowing what users, programs, and machines connect to the database is the most minimal visibility to understand what’s going on. This information should be reviewed on a daily or weekly basis.

Do you review accesses to sensitive tables?

We have logs of access but we don’t review them

We have reports, but they are very large and impossible to review

We review important or suspicious accesses to sensitive data

We have effective reporting and are aware of all the relevant accesses

Special attention must be given to access to sensitive tables. It is important to know who’s performing such access, how much data is accessed, when that access is “unusual”, and more. Establishing effective reporting is essential so the reports are short, meaningful, and easy to review.

Do you monitor DBA activity?

The DBA team have internal monitoring of their activity

We have logs of all the activity, but they are not reviewed

We have effective reporting and are aware of all the relevant accesses

Due to their elevated privileges, DBAs activity is considered a high-risk activity profile. This is both from as an internal threat of abuse of privilege, and in case their credentials are stolen or their machines hacked.

How much time, on average, do you spend on database security?

No time. Everything is automatic

Up to 2 hours per week per database (30 minutes per day)

3-5 hours per week per database (up to an hour a day)

Over 5 hours per week per database (over an hour a day)

Effective monitoring can usually be done in less than 2 hours per week. Spending more time suggests your controls are not effective and that you are drowning in useless information. Not spending any time at all, suggests your controls are calibrated so low that you are unlikely to know if a real problem occurred.

Do you monitor for unusual database activity such as users connecting from different programs or from different machines?

We manually look at accesses to find unusual behavior

We have some monitoring, but I don’t think it’s very effective

We have effective monitoring for unusual activity

Databases have a lot of connections and its easy to miss small changes such as a different IP address for a particular user, or a program that a user doesn’t normally use. Automation can help ensure you are aware of any changes in the connection profiles.

Do you monitor anomalous application activity such as SQL injection?

Yes, we monitor for SQL injection, but we never get any alerts

Our application only uses bind variables, so SQL injection is not a problem.

Yes, we monitor for SQL injection as well as other application anomalies.

Applications perform massive amounts of SQLs that are impossible to review individually. This is one place where automation is the only solution. Anomaly analysis, for example, can analyze the activity profile and point out changes in the application behavior. These can be an indication of someone taking advantage of an application flaw to attack the database. SQL Injection is an example of an attack leveraging a common application bug.

How do you audit your database activity?

We don’t audit database activity

Manually, using home-grown scripts, and we’re happy with it

We have a solution, but it doesn’t do everything we need

We have a solution and it can do everything we require

Auditing database activity requires the right technology. At small scale, home-grow scripts can be effective. However, when auditing more activity of larger databases the performance impact becomes very high and the required time investment – challenging. Using the right solution can help you monitor everything with negligible overhead and achieve effective reporting.

Do you have separation of duties that prevent, for example, DBAs from accessing sensitive data?

We use auditing to be aware of malicious activity from DBA accounts

Yes, DBAs cannot access sensitive data without a special authorization

Database are designed to have administrator accounts with unlimited privileges. These accounts are a high-risk attack vector both for the internal abuse of privilege threat and in case they are compromised by credential theft or hacking into DBA machines. Reducing the access of these accounts and establishing separation of duties can significantly reduce the risk from DBA accounts.

You finished the self assessment!

Your database security maturity level is out of 10

If you’d like to receive a report with your self assessment results and more detailed explanations, please fill in your information:

First name
Last name
Company
Title
Email
Phone
	Email Results