
5 Ways to Improve Database Security

By Micah Pratt | March 21, 2014 | 4 min read


   

You don’t have to go far to find out how important database security is. For
instance, Target is still reeling from their systems being hacked, exposing the credit
card information of many of their customers. It’s the kind of harm that requires a
lot of time, money, and resources for damage control, as well as the aftermath of
breaking the trust in the company and diverting resources toward making sure it
doesn’t happen again.

Ensuring the security of your company’s information is important, and even some
of the biggest businesses can expose themselves to hackers exploiting security
flaws. The information in your company’s databases is important, so it stands to
reason that database security is too.

Here are five things you can do to keep your company and customer information
safe and secure.

1. Have secure passwords.


The most sophisticated systems on Earth can’t protect against a bad password.
There are the typical culprits — 12345, ABCDE, anything else on the most-guessed
password list — but hackers have increasingly sophisticated tools at their disposal
that make many other passwords vulnerable too. Now it’s not just making your
password “password” that you have to worry about; ordinary words are a problem in
and of themselves. Programs exist that guess passwords made of dictionary words or
commonly used phrases, so those are out.

You can try to make a combination of letters, numbers and symbols to throw off
would-be hackers. You can check your password here to see how long it would take
hackers to guess it. Business Bee has also rated some password management tools
that may be able to help you.

One other suggestion is to set rules that make employees change passwords on a
revolving basis. If a password isn’t changed after 90 days, lock out that account
pending administrator approval to make sure that an old password isn’t a hacker’s
way in.


2. Encrypt your database.


Just as important as the passwords is the encryption of your database. Encryption
means converting your data to a format that, were it to be intercepted, would look
like a string of letters and numbers with no tangible meaning, while to the database
program it all converts easily back into the data you want. This ties back into
passwords. A Yahoo! hack in 2012 exposed more than 400,000 passwords in plain
text to the web at large. This meant open access to emails and passwords, and a
whole lot of users who had put their faith in Yahoo! had to change their passwords.
Here, too, you don’t want to be the company at the other end of that controversy.
Make sure that your database is encrypted with up-to-date encryption software.
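As an added example (not from the article), the password handling that sections 1 and 2 above call for: a denylist and character-class check against the common-password and dictionary-word guessing described in section 1, a per-user salt and slow hash so the stored table never holds plaintext (the failure in the Yahoo! case), and the 90-day expiry that locks an account pending administrator approval. The denylist, the iteration count and the timestamps are constructed assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

ITERATIONS = 600_000                   # PBKDF2-HMAC-SHA256 rounds: deliberately slow
PASSWORD_MAX_AGE = timedelta(days=90)  # the article's 90-day rotation rule
# Constructed stand-in for a "most guessed passwords" list
COMMON_PASSWORDS = {"password", "12345", "abcde", "qwerty", "letmein"}


def _at(iso):
    """Parse an ISO-8601 timestamp, defaulting to the current UTC time."""
    return datetime.fromisoformat(iso) if iso else datetime.now(timezone.utc)


def password_is_acceptable(password):
    """Reject short passwords, denylisted ones, and ones with too few character classes."""
    if len(password) < 12 or password.lower() in COMMON_PASSWORDS:
        return False
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def hash_password(password, now=None):
    """Store only a random per-user salt, a slow hash, and when it was set.
    The plaintext never reaches the database, so a leaked table does not hand out
    working credentials."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "set_at": _at(now).isoformat()}


def verify_password(record, password, now=None):
    """Return 'ok', 'bad_password', or 'expired' (lock the account pending admin approval)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    # constant-time comparison avoids leaking how many bytes matched
    if not hmac.compare_digest(digest, bytes.fromhex(record["hash"])):
        return "bad_password"
    if _at(now) - datetime.fromisoformat(record["set_at"]) > PASSWORD_MAX_AGE:
        return "expired"
    return "ok"
```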

3. Don’t show people the backdoor.


A simple way to protect your database? Leave it out of sight. This means keeping it
hidden from search engine results through the robots.txt file, and also not linking
to it directly. While you want employees to have access to database information,
you may not want to put the log-in directly on the site. If you have an online
database, do yourself a favor and keep it on a need-to-know basis. After all, the first
step toward hacking a database is finding it in the first place.

4. Segment your database.


A wide open database is a wide open vulnerability. You’ll want to segment your data
to make sure that not just anyone sees everything. In many systems, various roles
can be created within the database.

For instance, you might want to have users, super users, administrators, and super
administrators. Users can access or input basic information, but not alter
information beyond what they’ve put in, whereas a super user has permissions that
allow wider access to data without being able to change everything. An
administrator works above all of these users, altering the structure of the
database or having access to more sensitive information, while a super
administrator can run the whole operation. For the upper tiers, you’ll want to
keep the number of people with those clearances low, such as managers or
department heads. This ensures that, should a password be exposed on the site, it’s
not devastating if it belongs only to someone with access to basic information.
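An added example, not part of the article, showing the four tiers described above enforced with SQLite's statement authorizer from Python: a user can read ordinary columns and add rows but sees a sensitive column as NULL and cannot update, a super user reads everything but writes nothing, an administrator can alter the schema but not drop tables, and a super administrator can do anything. The table, the role policy and the sample row are constructed assumptions.

```python
import sqlite3

# Constructed policy for the four tiers described above (added example, not from
# the article): the SQLite authorizer actions each role may perform.
SENSITIVE_COLUMNS = {("customers", "card_number")}
ROLE_ALLOW = {
    # users: read ordinary data and add rows, but never change or delete anything
    "user": {sqlite3.SQLITE_TRANSACTION, sqlite3.SQLITE_SELECT,
             sqlite3.SQLITE_READ, sqlite3.SQLITE_INSERT},
    # super users: wider read access, including sensitive columns, still no writes
    "superuser": {sqlite3.SQLITE_TRANSACTION, sqlite3.SQLITE_SELECT,
                  sqlite3.SQLITE_READ},
}


def make_authorizer(role):
    """Build the callback SQLite consults for every action a statement performs."""
    def authorizer(action, arg1, arg2, db_name, trigger):
        if role == "superadmin":            # runs the whole operation
            return sqlite3.SQLITE_OK
        if role == "admin":                 # may alter structure, may not drop tables
            return sqlite3.SQLITE_DENY if action == sqlite3.SQLITE_DROP_TABLE else sqlite3.SQLITE_OK
        if role == "user" and action == sqlite3.SQLITE_READ and (arg1, arg2) in SENSITIVE_COLUMNS:
            return sqlite3.SQLITE_IGNORE    # the sensitive column is returned as NULL
        return sqlite3.SQLITE_OK if action in ROLE_ALLOW[role] else sqlite3.SQLITE_DENY
    return authorizer


def open_db():
    """In-memory database with one constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_number TEXT)")
    conn.execute("INSERT INTO customers VALUES (1, 'Alice', '4111-0000-0000-0001')")
    conn.commit()
    return conn


def run_as(conn, role, sql, params=()):
    """Run sql under role's policy; return the rows, or 'DENIED' when SQLite refuses."""
    conn.set_authorizer(make_authorizer(role))
    try:
        rows = conn.execute(sql, params).fetchall()
        conn.commit()
        return rows
    except sqlite3.DatabaseError:          # SQLITE_DENY surfaces as "not authorized"
        return "DENIED"
```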

5. Monitor and audit your database.


One way to prevent database breaches is to keep an eye on the database itself.
Monitoring access and behaviors of database users can help you ensure that no
odd behaviors are exhibited that might imply a leak. Checking unfamiliar IP
addresses can ensure that no one has an employee password who shouldn’t. Think
of it like when you get a call from the bank asking you to confirm a transaction.
Your address is in New York, but your card is being used in Calgary. It’s a red flag to
bank security, and the same thing should be a red flag to your business.

In addition, regular audits of your database help find inactive accounts, helping
eliminate problems that might arise with someone obtaining old employee
information. Perform regular audits, and your company can tighten up security
before problems arise.
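An added example (not from the article) of the two checks this section describes, run over constructed login records: a successful login from an address the user has never used before that lies outside an assumed trusted office network (the "card used in Calgary" case), and accounts with no successful login within 90 days as candidates for the audit. The log format and the 10.0.0.0/8 range are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) status=(?P<status>\S+)$")
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed office range
MAX_IDLE = timedelta(days=90)                             # audit threshold for dormant accounts

# Constructed sample of database login records (not real data)
SAMPLE_LOG = """\
2014-03-17T09:02:11+00:00 user=alice ip=10.0.0.5 status=ok
2014-03-18T09:10:40+00:00 user=alice ip=10.0.0.5 status=ok
2014-03-19T03:41:02+00:00 user=alice ip=198.51.100.23 status=ok
2014-03-19T09:15:09+00:00 user=bob ip=10.0.0.7 status=failed
2014-03-19T09:15:31+00:00 user=bob ip=10.0.0.7 status=ok
"""


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def unfamiliar_ip_alerts(events):
    """Successful logins from an address the user never used before, outside trusted nets."""
    seen, alerts = {}, []
    for e in events:
        if e["status"] != "ok":
            continue
        addr = ipaddress.ip_address(e["ip"])
        known = seen.setdefault(e["user"], set())
        if addr not in known and not any(addr in net for net in TRUSTED_NETWORKS):
            alerts.append((e["user"], e["ip"], e["ts"]))
        known.add(addr)
    return alerts


def inactive_accounts(events, all_users, now):
    """Accounts with no successful login in MAX_IDLE days before `now` (ISO-8601), or ever."""
    cutoff = datetime.fromisoformat(now) - MAX_IDLE
    last = {}
    for e in events:
        if e["status"] == "ok":
            when = datetime.fromisoformat(e["ts"])
            last[e["user"]] = max(last.get(e["user"], when), when)
    return sorted(u for u in all_users if u not in last or last[u] < cutoff)
```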

Determining data storage requirements

In existing database environments, the first step to determine data storage requirements is
to take an inventory of your storage needs. The types of storage are:

 Performance oriented — database or portions of databases, before-image (BI) areas, after-image (AI) areas
 Archival — historical data, backups
 Sequential or random — data entry and report generation, or spot queries

1. Practice Minimal Data Collection


A rule of thumb when collecting data is to only collect what you need. For example, if you don’t need to know
someone’s date of birth or their name prefix, e.g. Mr., Ms., Miss, then don’t collect it. This helps to save you
bandwidth in protecting that information, too.
When collecting personal data, think of alternative ways of dealing with it. This can include using a “verify not
store” framework wherever possible. This type of system uses third-party data sources to check the user’s
input, verifying it does belong to them, and that they are who they say they are; after that, minimal or no actual
data needs to be stored.
A typical use of this would be in a Know Your Customer (KYC) system. You could check that individual
using passport, CRA, and other data checks, then assign a KYC level to that customer without storing some or
all of the data input.
Or if you do collect it, but can apply minimal disclosure to these data — do so. In practice, this would mean
that when you do share data with another service (e.g. the person’s age), you only show certain aspects of these
data (e.g. date of birth becomes age over X).
2. Make it a Two-Way Conversation
Privacy can become a way to engage with your customers and show them you respect their data. GDPR sets
out to make the use of consent an integral part of data collection and use.
When you design your user experience and associated UI, build in consent models whenever you collect or use
data.
Also consider offering a system of consent receipts wherever possible. Take a look at the work being done by
the Kantara Initiative on the use of consent receipts.
3. Practice Robust Data Security
Privacy covers many areas, including the ability to choose to share data. However, to apply these choices and
to protect the underlying data, security measures need to be implemented.
Security, especially in cloud-based services, needs to be applied across multiple layers. This starts with
understanding what your data is and classifying it correctly. Is it sensitive data? Will it need extra protection?
You must then look to measures such as access control, privileged access management (PAM) credential
choices and management, encryption and web app security, including database protection.
4. Encourage Education and Awareness
Education on security and privacy issues is not just about your employees becoming security-aware. You
should also endeavor to educate your customers about security and privacy. This can include regular advisories
on patching, protection of credentials, phishing and so on.
5. Create Achievable Policies and SLAs with Third Parties
Privacy is a whole-system effort. Any touchpoint within your company, across your services, and in the way
you process data and manage customers has a potential impact on privacy.
Security and privacy policies MUST reach out to the extended data and vendor ecosystem.
Make sure that these policies are enforceable by making them achievable. Set out ways to measure their
implementation and effect. Avoid making sweeping statements on data; instead, break it down into bite-size
pieces. Remember that human beings have a habit of making up their own paths when one path is blocked. If
you close off a certain technology that was liked, give users a safe and usable alternative.

Some of The Most Important SQL Commands

 SELECT - extracts data from a database.
 UPDATE - updates data in a database.
 DELETE - deletes data from a database.
 INSERT INTO - inserts new data into a database.
 CREATE DATABASE - creates a new database.
 ALTER DATABASE - modifies a database.
 CREATE TABLE - creates a new table.

Key Differences Between T-SQL and PL-SQL


1. The basic difference between T-SQL and PL-SQL is that T-SQL is a
Microsoft product, whereas PL-SQL is an Oracle product.
2. The full form of T-SQL is Transact-SQL, whereas the full form of PL-SQL
is Procedural Language SQL.
3. T-SQL focuses on the degree of control over how an application works,
whereas PL-SQL is a natural programming language that blends well with
SQL.
4. You cannot convert T-SQL code to PL-SQL, as they have different features
and syntax, and they differ in how they handle variables, stored
procedures, and built-in functions.
5. T-SQL performs best with Microsoft SQL Server, whereas PL-SQL performs
best with Oracle Database Server.
6. T-SQL is simpler and easier, whereas PL-SQL is complex but potentially
more powerful.

 Use char when the sizes of the column data entries are consistent.
 Use varchar when the sizes of the column data entries vary considerably.
 Use varchar(max) when the sizes of the column data entries vary considerably,
and the string length might exceed 8,000 bytes.

To check the status of the SQL Server Agent:

1. Log on to the Database Server computer with an Administrator account.

2. Start Microsoft SQL Server Management Studio.

3. In the left pane, verify the SQL Server Agent is running.

4. If the SQL Server Agent is not running, right-click SQL Server Agent, and then
click Start.

5. Click Yes.

6. On the File menu, click Exit.

Sample answers to job interview questions about the most challenging project you
have worked on

Below you will find an example answer that you can use as inspiration to create and
structure your answers.

Situation and Task


‘In my previous job at a marketing firm, I have worked on several challenging projects.
One time, when I just started at the company, I was asked to work with a small team on
a marketing pitch deck for a new client. We got the project because of our reputation
and ability to take on the project on short notice. It was a great opportunity for us to
show what we were capable of doing in a short amount of time. Then, two weeks before
the pitch deck presentation the client requested us to change the entire plan. It turned
out that they were unhappy with our first concept and stated that it differed too much
from the initial idea that they had in mind.

Action
We organized a brainstorm meeting with the team to figure out what exactly went
wrong at which point in the development of the pitch deck. After several hours we
concluded that some parts of the project were developed based on assumptions
without clearly asking the client for approval before moving on. I asked if I could take
the lead on redeveloping the pitch deck. For me, this was a challenge, as well as a
great opportunity.
It was a challenge because I had never created a pitch deck working at this company
and we had a short amount of time, but it was a great opportunity because I had
experience with creating these decks in several of my prior jobs, so it was a great
chance to demonstrate my skills. I overcame the challenge by getting the goals clear of
what the client exactly wanted, analyzing their feedback, and setting up small
milestones to track progress in the two weeks we had left.

Result
We kept in touch with the client throughout the redevelopment process of the pitch deck
and finished and submitted it one day before the deadline. Ultimately the client was
very happy with our work, and we are still working with them today.

Include what you’ve learned from the situation

For me, the most important learning from this project is that it’s important to get the
goals clear before a project starts. Furthermore, my experience taught me that the best
way to work on challenging projects is to create milestones to track progress. Now, at
the start of a new project, I focus on the most difficult parts and challenges of the
project so that I know as soon as possible if there are any issues or attention areas. If
this is the case I have more than enough time to work on this before any deadlines. A
detailed plan to work on a project is essential to finish it successfully.’
