Implementing Database Security and Auditing (eBook)

front cover 1
copyright 5
Contents 8
front matter 16
Preface 16
body 20
1. Getting Started 20
1.1 Harden your database environment 25
1.2 Patch your database 39
1.3 Audit the database 48
1.4 Define an access policy as the center of your database security and auditing initiative 49
1.5 Resources and Further Reading 50
1.6 Summary 52
1.A C2 Security and C2 Auditing 52
2. Database Security within the General Security Landscape and a Defense- in- Depth Strategy 54
2.1 Defense-in-depth 55
2.2 The security software landscape 57
2.3 Perimeter security, firewalls, intrusion detection, and intrusion prevention 61
2.4 Securing the core 67
2.5 Application security 68
2.6 Public key infrastructure (PKI) 70
2.7 Vulnerability management 71
2.8 Patch management 74
2.9 Incident management 76
2.10 Summary 78
3. The Database as a Networked Server 80
3.1 Leave your database in the core 81
3.2 Understand the network access map for your database environment 82
3.3 Track tools and applications 85
3.4 Remove unnecessary network libraries 90
3.5 Use port scanners--so will the hackers 100
3.6 Secure services from known network attacks 103
3.7 Use firewalls 105
3.8 Summary 106
3.A What is a VPN? 107
3.B Named Pipes and SMB/CIFS 109
4. Authentication and Password Security 114
4.1 Choose an appropriate authentication option 115
4.2 Understand who gets system administration privileges 127
4.3 Choose strong passwords 128
4.4 Implement account lockout after failed login attempts 136
4.5 Create and enforce password profiles 138
4.6 Use passwords for all database components 139
4.7 Understand and secure authentication back doors 141
4.8 Summary 142
4.A A brief account of Kerberos 143
5. Application Security 146
5.1 Reviewing where and how database users and passwords are maintained 147
5.2 Obfuscate application code 158
5.3 Secure the database from SQL injection attacks 167
5.4 Beware of double whammies: Combination of SQL injection and buffer overflow vulnerability 187
5.5 Don't consider eliminating the application server layer 189
5.6 Address packaged application suites 190
5.7 Work toward alignment between the application user model and the database user model 194
5.8 Summary 194
6. Using Granular Access Control 196
6.1 Align user models by communicating application user information 198
6.2 Use row-level security (fine-grained privileges/ access control) 204
6.3 Use label security 208
6.4 Integrate with enteprise user repositories for multitiered authentication 212
6.5 Integrate with existing identity management and provisioning solutions 217
6.6 Summary 219
7. Using the Database To Do Too Much 222
7.1 Don't use external procedures 222
7.2 Don't make the database a Web server and donÌt promote stored procedure gateways 233
7.3 Don't generate HTML from within your stored procedures 238
7.4 Understand Web services security before exposing Web services endpoints 239
7.5 Summary 246
7.A Cross-site scripting and cookie poisoning 247
7.B Web services 249
8. Securing database- to- database communications 252
8.1 Monitor and limit outbound communications 252
8.2 Secure database links and watch for link-based elevated privileges 256
8.3 Protect link usernames and passwords 261
8.4 Monitor usage of database links 262
8.5 Secure replication mechanisms 265
8.6 Map and secure all data sources and sinks 278
8.7 Summary 285
9. Trojans 286
9.1 The four types of database Trojans 287
9.2 Baseline calls to stored procedures and take action on divergence 288
9.3 Control creation of and changes to procedures and triggers 289
9.4 Watch for changes to run-as privileges 293
9.5 Closely monitor developer activity on production environments 293
9.6 Monitor creation of traces and event monitors 297
9.7 Monitor and audit job creation and scheduling 309
9.8 Be wary of SQL attachments in e-mails 312
9.9 Summary 313
9.A Windows Trojans 313
10. Encryption 316
10.1 Encrypting data-in-transit 318
10.2 Encrypt data-at-rest 335
10.3 Summary 343
10.A Tapping into a TCP/IP session 343
11. Regulations and Compliance 346
11.1 The alphabet soup of regulations: What does each one mean to you? 347
11.2 Understand business needs and map to technical requirements 354
11.3 The role of auditing 359
11.4 The importance of segregation of duties 363
11.5 Implement a sustainable solution 366
11.6 Summary 367
12. Auditing Categories 368
12.1 Audit logon/logoff into the database 368
12.2 Audit sources of database usage 373
12.3 Audit database usage outside normal operating hours 375
12.4 Audit DDL activity 376
12.5 Audit database errors 378
12.6 Audit changes to sources of stored procedures and triggers 381
12.7 Audit changes to privileges, user/login definitions, and other security attributes 383
12.8 Audit creations, changes, and usage of database links and of replication 388
12.9 Audit changes to sensitive data 389
12.10 Audit SELECT statements for privacy sets 391
12.11 Audit any changes made to the definition of what to audit 392
12.12 Summary 393
13. Auditing Architectures 394
13.1 Don't create a false sense of security 394
13.2 Opt for an independent/backup audit trail 395
13.3 Architectures for external audit systems 396
13.4 Archive auditing information 399
13.5 Secure auditing information 401
13.6 Audit the audit system 403
13.7 Sustainable automation and oversight for audit activities 404
13.8 Thinks in terms of a data warehouse 405
13.9 Implement good mining tools and security applications 406
13.10 Support changing audit requirements 407
13.11 Prefer an auditing architecture that is also able to support remediation 409
13.12 Summary 410
13.A PGP and GPG 410
Index 416