Security Audit - Introduction to Database Security - Lecture Slides, Slides of Network security

The key points which are very informative in context of the database security are listed as:Security Audit, Types of Audits, Alerts, Audit Trails, Application Audit, Best Practices, Standard Audit, Level Audit, Implemented, Enterprise Manager

Typology: Slides

2012/2013

Uploaded on 04/22/2013

sathiamoorthy
sathiamoorthy 🇮🇳

4.4

(24)

106 documents

1 / 32

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
1
Security Audit
Docsity.com
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20

Partial preview of the text

Download Security Audit - Introduction to Database Security - Lecture Slides and more Slides Network security in PDF only on Docsity!

1

Security Audit

2

Security Audit

  • Types of audits
  • Alerts
  • Audit trails
  • Application Audit
  • Best practices

4

Standard Audit

  • Also known as login audit
  • Can be Implemented via an interface for

Enterprise Manager

  • Can also be enabled using:
    • SQL Distributed Management Objects (DMO)
    • modify registry entry for audit level

5

Standard Audit

  • SQL Server has four audit levels:
    • Level 0, None (means that no info is written to audit log)
    • Level 1, Success (means that only successful login attempts are written to audit log)
    • Level 2, Failure (means that only failed login attempts are written to audit log)
    • Level 3, All (means that all login attempts are written to audit log)

7

C2 Level Audit

  • Audit logs are retained in files of size 200 Mb
  • The log files are stored as SQL Trace files with extension trc
  • To see the file contents start the SQL Profiler and open the SQL Trace files and select the particular file of interest for opening
  • By clicking on any row entry, complete audit command information can be viewed
  • Admin privilege will be needed to execute sp_configure in order to activate C2 level auditing

8

C2 Level Audit

  • Some audit can be performed using aspects of C2 level audit via manual execution of following stored procedures: - sp_trace_create creates trace definition - sp_trace_setevent identifies events and columns for trace - sp_trace_setfilter creates filter definition for trace - sp_trace_setstatus starts, stops and deletes trace definition

10

Alerts

  • SQL Server Agent is installed as a Windows service with each instance of SQL Server
  • Agent installation requires admin privilege
  • Two types of alerts:
    • Event alert
    • Error message alert
  • In order to activate alert, Agent compares incoming data with stored data in sysalerts table
  • SQL Mail can be avoided using an extended stored procedure XP_SMTP for email alerts

11

Alerts

  • SQL Server auditing uses:
    • event ID 17055 for event source
    • message ID 18452 for failed login attempt
    • message ID 18453 for successful login
  • These numbers could be used to trigger

alerts via email

13

Audit Trails

  • Baseline for audit trail is called event horizon
  • Event horizon refers to the number of audited events that audit trail analysis system must remember at any one time
  • Event horizon value 1 means that an event is examined without reference to any preceding or succeeding events
  • With event horizon of 1 data is aggregated for statistical analysis after all events are considered
  • Intrusion Detection System requires a value greater than 1 for event horizon

14

Audit Trails

  • Audit trail answers the ‘who’, ‘what’, ‘when’ and in ‘what order’ concerning data access
  • On the user side:
    • Who initiated a transaction from what terminal and when?
  • On the transaction side:
    • What was the exact transaction that was initiated?
  • On the data side:
    • What was the result of the transaction?
    • What were the database states before and after the transaction?

16

Application Audit

  • Application audit could also be technology

related

  • Example: audit of organizational PBX
  • Example: audit of a data warehouse
  • Periodicity of audit:
  • As the system is developed
  • Post-implementation of a new system
  • Every n months (n =12)

17

Application Audit

  • What does the auditor look for?
    • Assurance that the application provides adequate control over data being processed
    • Level of control related to degree of risk being assumed
    • Risk coming from incorrect or unauthorized processing of data
    • job descriptions for
      • application developers
      • business owners
      • production support groups

19

Application Audit

  • SANS recommends checking for following

controls:

  • Application Administration
  • Inputs, Processing, Outputs
  • Logical Security
  • Disaster Recovery Plan
  • Change Management
  • End user Support
  • Third Party Services

20

Application Administration

  • Impact of application on the business
  • Team members roles and responsibilities are defined and documented
  • Organizational chart is current
  • Charts and roles help managers:
    • Understand the business implications
    • Training tool for new members
  • Legal and regulatory compliance issues with respect to an application must be specified