Web or Blog

Saturday, September 13, 2008

Database Security

Here are some basic steps enterprises can take that will measurably improve their database security posture in a single day. The examples are Oracle-specific, but the principles apply to any database.

Change your default passwords. Every Oracle release has shipped with a set of default accounts and passwords (SCOTT/TIGER and SYSTEM/MANAGER are the classic examples), and these user names and passwords are well known and documented. Recent installers lock and expire most of the default accounts, but the accounts are still created, and a DBA who unlocks one without changing its password has reopened the door.

"Default passwords are problematic, because they leave the front door to your database wide open," Julian said.

There are currently over 600 known default user name and password combinations and probably a dozen free tools to scan for them, Julian said.

There are also several other free scripts and tools available:
—Checkpwd from Red Database Security
—DPS (Default Password Scanner) from Oracle
—Oracle Security Probe from Pete Finnigan (written by Marcel-Jan Krijgsman)

Oracle 11g also includes a built-in data dictionary view, DBA_USERS_WITH_DEFPWD, that lists every account still using a known default password, so on 11g the first check needs nothing beyond SQL*Plus.

Eliminate easily guessed passwords. One of the most common attack vectors to this day is access via passwords that can be easily guessed. Attackers know that people use test/test, or set the password equal to the user name, even on production databases, and they know the handful of passwords that appear in every password dictionary. Note that guessing does not require a scanner at all: a few hundred login attempts against a listener will do, which is why the checks below are worth running before an attacker runs them for you.

Many attackers rely on wordlists: collections of common passwords built primarily for use with password crackers. The same lists can be fed to the scanners above, or checked offline against your own stored password hashes, to find weak accounts before someone else does.
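The two checks above, as an added example for Oracle 11g (this is not code from the original post). The first query uses the 11g data dictionary view to list default passwords. The second is a PL/SQL block that tests every open account offline against a small constructed candidate list (the user name itself, in either case, plus a few dictionary favourites) by recomputing the stored 11g password verifier, so it never attempts a logon and never trips FAILED_LOGIN_ATTEMPTS. It assumes you run it as SYS on a database you are authorised to audit, and that the 11g verifier in SYS.USER$.SPARE4 has the widely documented layout "S:" followed by 40 hex digits of SHA-1(password || salt) and then the 20 hex digits of the 10-byte salt.

```sql
-- Check 1 (11g): accounts still on a vendor default password, with their status.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY d.username;

-- Check 2 (11g): offline test of open accounts against a few candidate passwords.
-- Assumptions: run as SYS; SPARE4 holds 'S:' || SHA1(password||salt) as 40 hex
-- digits || salt as 20 hex digits. Candidate list is constructed for the example;
-- extend it from a real wordlist.
SET SERVEROUTPUT ON
DECLARE
  TYPE word_list IS TABLE OF VARCHAR2(30);
  candidates   word_list := word_list('test', 'password', 'welcome1', 'oracle');
  l_candidate  VARCHAR2(30);
  l_stored     VARCHAR2(40);
  l_salt       RAW(10);
  l_hash       RAW(20);
  l_found      PLS_INTEGER := 0;
BEGIN
  FOR acct IN (SELECT u.name, u.spare4
               FROM   sys.user$ u
               JOIN   dba_users d ON d.username = u.name
               WHERE  d.account_status = 'OPEN'
               AND    u.spare4 LIKE 'S:%')
  LOOP
    l_stored := SUBSTR(acct.spare4, 3, 40);              -- stored SHA-1, hex
    l_salt   := HEXTORAW(SUBSTR(acct.spare4, 43, 20));   -- 10-byte salt
    -- i = -1: user name as stored (upper case); i = 0: user name in lower case;
    -- i >= 1: the dictionary candidates. 11g verifiers are case-sensitive.
    FOR i IN -1 .. candidates.COUNT LOOP
      l_candidate := CASE i
                       WHEN -1 THEN acct.name
                       WHEN  0 THEN LOWER(acct.name)
                       ELSE candidates(i)
                     END;
      l_hash := DBMS_CRYPTO.HASH(
                  UTL_RAW.CONCAT(UTL_RAW.CAST_TO_RAW(l_candidate), l_salt),
                  DBMS_CRYPTO.HASH_SH1);
      IF RAWTOHEX(l_hash) = l_stored THEN
        DBMS_OUTPUT.PUT_LINE('WEAK PASSWORD: ' || acct.name || ' / ' || l_candidate);
        l_found := l_found + 1;
        EXIT;  -- one hit per account is enough
      END IF;
    END LOOP;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(l_found || ' open account(s) with a guessable password');
END;
/
```

Anything reported by either check should be fixed on the spot with ALTER USER ... IDENTIFIED BY a fresh password, or ALTER USER ... ACCOUNT LOCK if the account is not needed. The offline approach matters on 11g because a profile with FAILED_LOGIN_ATTEMPTS would otherwise lock out the very accounts you are auditing.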

Require strong passwords. Using and enforcing strong passwords can significantly enhance database security. There are a few keys to developing strong passwords:

Consider the length. Every additional character multiplies the number of possible passwords by the size of the character set, so length is the cheapest way to add strength. Passwords should be eight or more characters; 14 or longer is ideal. A 15-character password drawn only from random letters and digits (36 symbols, 36^15 ≈ 2.2 × 10^23 possibilities) has roughly 33 million times as many possibilities as an eight-character password that uses all 95 printable keyboard characters (95^8 ≈ 6.6 × 10^15).

Incorporate complexity. Combine letters, numbers and symbols to increase the variety of characters used in the password. Many systems also support use of the space bar in passwords, so you can create a phrase made of many words (a "pass phrase"). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess. Avoid sequences, repeated characters and look-alike substitutions.

Additionally, for Oracle specifically, an unquoted password must begin with a letter and may contain only letters, digits, _, # and $; spaces are not accepted. (Enclosing the password in double quotes in the IDENTIFIED BY clause relaxes the character restrictions, at the cost of having to quote it everywhere it is used.) Oracle 11g introduced case-sensitive passwords, controlled by the SEC_CASE_SENSITIVE_LOGON parameter; earlier versions convert the password to upper case before hashing it, so mixed case adds nothing there and the effective alphabet is 26 letters, 10 digits and three symbols.

Use variety. Do not reuse a password across accounts or databases; the more distinct passwords in an environment, the less an attacker gains from cracking any one of them, and a compromised test database cannot become a key to production.
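The rules above can be enforced by the database itself rather than by policy documents. The following is an added example (not from the original post) of an Oracle password verify function and profile that together require the length, character mix and sequence rules described here, lock an account after repeated failures, and block reuse. It assumes it is run as SYS (password verify functions must be owned by SYS), and uses Oracle's SCOTT demo account purely as the account to attach the profile to.

```sql
-- Verify function: Oracle calls it with the user name, the proposed password and
-- the old password, and the password is rejected if it raises an error.
CREATE OR REPLACE FUNCTION verify_strong_password (
  username      IN VARCHAR2,
  password      IN VARCHAR2,
  old_password  IN VARCHAR2)
RETURN BOOLEAN
IS
  l_upper  VARCHAR2(4000) := UPPER(password);
BEGIN
  -- Length: the post recommends 8 minimum and 14 ideal; enforce 14.
  IF LENGTH(password) < 14 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 14 characters');
  END IF;
  -- The user name must not appear inside the password.
  IF INSTR(l_upper, UPPER(username)) > 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not contain the user name');
  END IF;
  -- Complexity: a letter, a digit and one of the symbols allowed unquoted (_ # $).
  IF NOT REGEXP_LIKE(password, '[A-Za-z]')
     OR NOT REGEXP_LIKE(password, '[0-9]')
     OR NOT REGEXP_LIKE(password, '[_#$]') THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password needs a letter, a digit and one of _ # $');
  END IF;
  -- No character repeated three times in a row (backreference to group 1).
  IF REGEXP_LIKE(password, '(.)\1\1') THEN
    RAISE_APPLICATION_ERROR(-20004, 'Password must not repeat a character three times');
  END IF;
  -- No ascending runs such as abc or 123 (compared case-insensitively).
  FOR i IN 1 .. LENGTH(password) - 2 LOOP
    IF ASCII(SUBSTR(l_upper, i + 1, 1)) = ASCII(SUBSTR(l_upper, i, 1)) + 1
       AND ASCII(SUBSTR(l_upper, i + 2, 1)) = ASCII(SUBSTR(l_upper, i, 1)) + 2 THEN
      RAISE_APPLICATION_ERROR(-20005, 'Password must not contain sequences like abc or 123');
    END IF;
  END LOOP;
  RETURN TRUE;
END;
/

-- Profile: attach the function and add lockout and reuse limits.
-- FAILED_LOGIN_ATTEMPTS 10 with PASSWORD_LOCK_TIME 1 locks the account for a day
-- after ten bad attempts; REUSE_TIME and REUSE_MAX must both be set for reuse
-- checking to take effect.
CREATE PROFILE strong_password LIMIT
  PASSWORD_VERIFY_FUNCTION verify_strong_password
  FAILED_LOGIN_ATTEMPTS    10
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10;

-- Apply it and force a compliant password at the next logon.
ALTER USER scott PROFILE strong_password;
ALTER USER scott PASSWORD EXPIRE;
```

The profile only takes effect for password changes made after it is applied, which is why the last statement expires the current password. Oracle ships a sample verify function in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql that can be used as a starting point instead; the version above is kept short to match the rules in this post.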

Additional steps to take include:
· Set a listener password with lsnrctl, and set ADMIN_RESTRICTIONS_<listener_name> = ON in listener.ora so the listener cannot be reconfigured remotely (on 10g and later the listener also defaults to local OS authentication)
· Apply the latest patch set and Critical Patch Update (CPU); Oracle does not ship "service packs", and the quarterly CPUs are where the security fixes arrive
· Lock and expire accounts that are not in use
· Revoke privileges granted to PUBLIC that are not explicitly required, starting with EXECUTE on the packages that reach the file system and the network
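The last three items as SQL, as an added example that is not part of the original post. It assumes it is run as SYS, uses Oracle's sample-schema accounts (SCOTT, HR, OE, SH) as the constructed list of unused accounts to lock, and revokes PUBLIC execute only on SYS packages that give file or network access. The listener password is set with lsnrctl, not SQL, so it is not shown. Account and package names in the IN lists are real Oracle names, but the lists themselves are examples; adjust them to what your applications actually need.

```sql
-- 1. Patch level: what has been applied to this database (CPUs appear here).
SELECT action_time, action, version, comments
FROM   dba_registry_history
ORDER  BY action_time;

-- 2. Lock and expire accounts that are not in use.
--    The list is constructed for the example (Oracle sample schemas).
BEGIN
  FOR acct IN (SELECT username
               FROM   dba_users
               WHERE  username IN ('SCOTT', 'HR', 'OE', 'SH')
               AND    account_status = 'OPEN')
  LOOP
    -- Quote the identifier so an unusual user name cannot break the statement.
    EXECUTE IMMEDIATE 'ALTER USER "' || acct.username
                   || '" ACCOUNT LOCK PASSWORD EXPIRE';
  END LOOP;
END;
/

-- 3. Revoke PUBLIC execute on packages that reach the file system and network.
--    Only grants that actually exist are touched, so this is safe to rerun.
BEGIN
  FOR pkg IN (SELECT table_name
              FROM   dba_tab_privs
              WHERE  grantee   = 'PUBLIC'
              AND    owner     = 'SYS'
              AND    privilege = 'EXECUTE'
              AND    table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP',
                                    'UTL_SMTP', 'UTL_INADDR'))
  LOOP
    EXECUTE IMMEDIATE 'REVOKE EXECUTE ON SYS.' || pkg.table_name || ' FROM PUBLIC';
  END LOOP;
END;
/

-- 4. Verify: nothing in the list should remain granted to PUBLIC.
SELECT table_name
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner   = 'SYS'
AND    table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP', 'UTL_INADDR');
```

After step 3, grant EXECUTE on each package back to the specific application accounts that need it (for example GRANT EXECUTE ON SYS.UTL_FILE TO a named batch account) rather than to PUBLIC. Run step 3 on a test system first: any application that relied on the PUBLIC grant will fail with ORA-00904 or ORA-06550 errors until its own grant is in place.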

While implementing database security takes time and effort, addressing these items eliminates the most common areas of risk and significantly improves an organization's security posture, most of it in a single working day.
