Over the years, I have developed many of my security practices and used many of the government security guidelines to perform security audits in client environments. The combination of the government guidelines and my experience helps me uncover and secure the desired client’s systems and applications against ever-changing hacker attack points.
One of the resources that I use to uncover vulnerabilities is NIST (National Institute of Standards and Technology) which has a National Vulnerabilities Database (NVD). There is a nice software search capability that documents all the issues found in application software products. It can be found here (https://nvd.nist.gov/vuln/search). Put in any software product or put in your database such as DB2, Oracle, SQL Server in the search box and quickly understand the vulnerabilities within the software that we use every day.
Fortunately, there are also the DISA (Defense Information Systems Agency) and DoD (Department of Defense) security guidelines which help with procedures to secure DBMS environments. Periodically, DISA and DoD come out with new security procedures and guidelines for software especially DBMSs such as DB2, Oracle, SQL Server, and many others that can be found here. At this link, you will also find all the latest DBMS Security Technical Implementation Guides (STIGs). The government STIGs cover a wide range of software, so it is a great resource for a variety of software products from phone operating systems like Apple iOS and Android information to Network Routers and DBMSs.
I have been on the STIG mailing list for several years and was notified by DISA that they have just released a new IBM DB2 V10.5 LUW STIG that can be found here. I encourage security-minded people to get on their mailing list to get security notifications for their software foundation products.
To obtain the STIG, download the STIG ZIP file which contains two files. Use Internet Explorer to open the XML which was formatted through a XSL file into a readable format.
Within the latest IBM DB2 V10.5 LUW STIG there are 94 topics that cover a variety of areas to examine for security exposures. A large number of the latest STIG topics are related to the audit data that is produced through SQL Monitoring. Securing the SQL monitoring audit data is very important because hackers have lately been using it to decipher authorization ids and to determine which tables contain data that is desirable.
There are a number of STIG topics related to IBM software DB2 components packaged along with DB2 that may not be used. If you are not using them, disabling some DB2 add-on components may be advisable to eliminate those components from being leveraged to hack your DB2 system. Some of DB2 components that are not commonly implemented and should be reviewed are Spatial Extender server support, Text Search, Informix data source support, Oracle data source support, and DB2 First Steps. In addition, the DB2 SAMPLE database is sometimes used by hackers, so please DROP it immediately in any production environment as soon as possible.
Reviewing the STIG topics, along with reading the DB2 security topic blogs noted below will help your systems and applications stay secure against the dark hacker forces. Security is a never-ending effort; so make sure to dedicate time whenever possible to tighten your operational production systems.
Top 10 DB2 Family Security Best Practices Part 1
Top 10 DB2 Family Security Best Practices Part 2
More DB2 Family Security Best Practices Part 3
More DB2 Family Security Best Practices Part 4
More DB2 Family Security Best Practices Part 5
More DB2 Family Security Best Practices Part 6
More DB2 Family Security Best Practices Part 7: Preventing SQL Injection
Dave Beulke is a system strategist, application architect, and performance expert specializing in Big Data, data warehouses, and high performance internet business solutions. He is an IBM Gold Consultant, Information Champion, President of DAMA-NCR, former President of International DB2 User Group, and frequent speaker at national and international conferences. His architectures, designs, and performance tuning techniques help organization better leverage their information assets, saving millions in processing costs. Follow him on Twitter or connect through LinkedIn.
Leave a Reply