Implementing Database Security and Auditing (eBook)
432 pages
Elsevier Science (Publisher)
978-0-08-047064-1 (ISBN)
* Useful to the database administrator and/or security administrator - regardless of the precise database vendor (or vendors) that you are using within your organization.
* Has a large number of examples - examples that pertain to Oracle, SQL Server, DB2, Sybase and even MySQL.
* Many of the techniques you will see in this book will never be described in a manual or a book that is devoted to a certain database product.
* Addressing complex issues must take into account more than just the database and focusing on capabilities that are provided only by the database vendor is not always enough. This book offers a broader view of the database environment - which is not dependent on the database platform - a view that is important to ensure good database security.
This book is about database security and auditing. You will learn many methods and techniques that will be helpful in securing, monitoring and auditing database environments. It covers diverse topics that include all aspects of database security and auditing - including network security for databases, authentication and authorization issues, links and replication, database Trojans, etc. You will also learn of vulnerabilities and attacks that exist within various database environments or that have been used to attack databases (and that have since been fixed). These will often be explained to an "internals" level. There are many sections which outline the "anatomy of an attack" before delving into the details of how to combat such an attack. Equally important, you will learn about the database auditing landscape - both from a business and regulatory requirements perspective as well as from a technical implementation perspective.
Contents 8
Preface 16
1. Getting Started 20
1.1 Harden your database environment 25
1.2 Patch your database 39
1.3 Audit the database 48
1.4 Define an access policy as the center of your database security and auditing initiative 49
1.5 Resources and Further Reading 50
1.6 Summary 52
1.A C2 Security and C2 Auditing 52
2. Database Security within the General Security Landscape and a Defense-in-Depth Strategy 54
2.1 Defense-in-depth 55
2.2 The security software landscape 57
2.3 Perimeter security, firewalls, intrusion detection, and intrusion prevention 61
2.4 Securing the core 67
2.5 Application security 68
2.6 Public key infrastructure (PKI) 70
2.7 Vulnerability management 71
2.8 Patch management 74
2.9 Incident management 76
2.10 Summary 78
3. The Database as a Networked Server 80
3.1 Leave your database in the core 81
3.2 Understand the network access map for your database environment 82
3.3 Track tools and applications 85
3.4 Remove unnecessary network libraries 90
3.5 Use port scanners--so will the hackers 100
3.6 Secure services from known network attacks 103
3.7 Use firewalls 105
3.8 Summary 106
3.A What is a VPN? 107
3.B Named Pipes and SMB/CIFS 109
4. Authentication and Password Security 114
4.1 Choose an appropriate authentication option 115
4.2 Understand who gets system administration privileges 127
4.3 Choose strong passwords 128
4.4 Implement account lockout after failed login attempts 136
4.5 Create and enforce password profiles 138
4.6 Use passwords for all database components 139
4.7 Understand and secure authentication back doors 141
4.8 Summary 142
4.A A brief account of Kerberos 143
5. Application Security 146
5.1 Reviewing where and how database users and passwords are maintained 147
5.2 Obfuscate application code 158
5.3 Secure the database from SQL injection attacks 167
5.4 Beware of double whammies: Combination of SQL injection and buffer overflow vulnerability 187
5.5 Don't consider eliminating the application server layer 189
5.6 Address packaged application suites 190
5.7 Work toward alignment between the application user model and the database user model 194
5.8 Summary 194
6. Using Granular Access Control 196
6.1 Align user models by communicating application user information 198
6.2 Use row-level security (fine-grained privileges/ access control) 204
6.3 Use label security 208
6.4 Integrate with enterprise user repositories for multitiered authentication 212
6.5 Integrate with existing identity management and provisioning solutions 217
6.6 Summary 219
7. Using the Database To Do Too Much 222
7.1 Don't use external procedures 222
7.2 Don't make the database a Web server and don't promote stored procedure gateways 233
7.3 Don't generate HTML from within your stored procedures 238
7.4 Understand Web services security before exposing Web services endpoints 239
7.5 Summary 246
7.A Cross-site scripting and cookie poisoning 247
7.B Web services 249
8. Securing database-to-database communications 252
8.1 Monitor and limit outbound communications 252
8.2 Secure database links and watch for link-based elevated privileges 256
8.3 Protect link usernames and passwords 261
8.4 Monitor usage of database links 262
8.5 Secure replication mechanisms 265
8.6 Map and secure all data sources and sinks 278
8.7 Summary 285
9. Trojans 286
9.1 The four types of database Trojans 287
9.2 Baseline calls to stored procedures and take action on divergence 288
9.3 Control creation of and changes to procedures and triggers 289
9.4 Watch for changes to run-as privileges 293
9.5 Closely monitor developer activity on production environments 293
9.6 Monitor creation of traces and event monitors 297
9.7 Monitor and audit job creation and scheduling 309
9.8 Be wary of SQL attachments in e-mails 312
9.9 Summary 313
9.A Windows Trojans 313
10. Encryption 316
10.1 Encrypting data-in-transit 318
10.2 Encrypt data-at-rest 335
10.3 Summary 343
10.A Tapping into a TCP/IP session 343
11. Regulations and Compliance 346
11.1 The alphabet soup of regulations: What does each one mean to you? 347
11.2 Understand business needs and map to technical requirements 354
11.3 The role of auditing 359
11.4 The importance of segregation of duties 363
11.5 Implement a sustainable solution 366
11.6 Summary 367
12. Auditing Categories 368
12.1 Audit logon/logoff into the database 368
12.2 Audit sources of database usage 373
12.3 Audit database usage outside normal operating hours 375
12.4 Audit DDL activity 376
12.5 Audit database errors 378
12.6 Audit changes to sources of stored procedures and triggers 381
12.7 Audit changes to privileges, user/login definitions, and other security attributes 383
12.8 Audit creations, changes, and usage of database links and of replication 388
12.9 Audit changes to sensitive data 389
12.10 Audit SELECT statements for privacy sets 391
12.11 Audit any changes made to the definition of what to audit 392
12.12 Summary 393
13. Auditing Architectures 394
13.1 Don't create a false sense of security 394
13.2 Opt for an independent/backup audit trail 395
13.3 Architectures for external audit systems 396
13.4 Archive auditing information 399
13.5 Secure auditing information 401
13.6 Audit the audit system 403
13.7 Sustainable automation and oversight for audit activities 404
13.8 Think in terms of a data warehouse 405
13.9 Implement good mining tools and security applications 406
13.10 Support changing audit requirements 407
13.11 Prefer an auditing architecture that is also able to support remediation 409
13.12 Summary 410
13.A PGP and GPG 410
Index 416
Publication date (per publisher) | 20.5.2005 |
---|---|
Language | English |
Subject area | Non-fiction / Guides |
 | Mathematics / Computer Science ► Computer Science ► Databases |
 | Computer Science ► Networks ► Security / Firewall |
 | Mathematics / Computer Science ► Computer Science ► Software Development |
 | Computer Science ► Theory / Study ► Cryptology |
ISBN-10 | 0-08-047064-5 / 0080470645 |
ISBN-13 | 978-0-08-047064-1 / 9780080470641 |
Copy protection: Adobe DRM
File format: PDF (Portable Document Format)