
Course : Information System Audit

Effective Period : September 2017

Topic 7
Auditing Database and Storage
Learning Objectives
• Understand data permissions
• Understand operating system security
• Understand password strength and management features
• Activity monitoring
• Database encryption
• Database vulnerability, integrity, and the patching process
Database
• The term database typically refers to a relational database management system (RDBMS). Database management systems (DBMS) maintain data records and their relationships, or indexes, in tables. Relationships can be created and maintained across and among the data and tables.
Database Auditing Essentials
• To audit a database effectively, you need a basic understanding of how a database works. You need to understand a broad set of components to audit a database properly. Here’s a little history lesson.
Common Database Vendors
• Oracle
– Oracle Corporation is the largest database vendor and supplies an entire series of databases.
• Oracle also has branched out into other databases, having purchased several other database vendors, including the following:
– Sleepycat Software, which maintains Berkeley DB, an open-source, embedded database
– MySQL (from their Sun Microsystems acquisition)
– The TimesTen In-Memory Database
– InnoDB, a transaction engine for the MySQL database
• IBM
– IBM is another of the largest database vendors, although IBM’s database software is a small piece of the company’s business.
• DB2 Universal Database, providing database software for AIX, Linux, HP-UX, Sun, and Windows
• DB2 Universal Database for z/OS, providing software for the mainframe
• MySQL
– MySQL is an open-source database used extensively in small or medium-sized web applications.
• Microsoft
Microsoft SQL Server is one of the most popular databases owing to its low price tag and its simplistic administration model, as well as the sheer momentum of Microsoft.
• Microsoft SQL Server comes in several flavors:
– Microsoft SQL Server 7.0 is an older version of the product with a few legacy installations still in existence.
– Microsoft SQL Server 2000 (a.k.a. SQL Server 8.0) was Microsoft’s main database version for five years. As such, it is heavily entrenched in a large number of enterprises.
– Microsoft SQL Server 2005 provided a rich new set of security features among other functionality over its predecessor.
– Microsoft SQL Server 2008 is the latest in Microsoft’s line and continues to have a wide adoption through its strong integration with other Microsoft products.
– The Microsoft Database Engine (MSDE) is a free version of SQL Server providing a backend for independent software vendors (ISVs) to embed databases in their applications. Because MSDE is free, it is embedded in a large number of applications and is very common. With the delivery of SQL Server 2005, MSDE has been renamed to SQL Server 2005 Express Edition.
Database Components
• Program Files
A database is implemented as a software system, and as such, it comprises a core set of operating system files. These files include the executable files that will run the database management system. It also may contain other nonexecutable program files such as help files, source and include files, sample files, and installation files.
• Configuration Values
• Data Files
• Client/Network Libraries
• Backup/Restore System
• SQL Statements
– Select
– Insert
– Update
– Delete
• Database Objects
– Table
– View
– Stored procedure/Functions
– Trigger
– Index
• Data Dictionary
Test Steps for Auditing Databases (Setup & General Controls)
• Verify that policies and procedures are in place to identify when a patch is available and to apply the patch. Ensure that all approved patches are installed per your database management policy.
• Determine whether a standard build is available for new database systems and whether that baseline has adequate security settings.
Operating System Security
• Ensure that access to the operating system is properly restricted.
• Ensure that permissions on the directory in which the database is installed, and the database files themselves, are properly restricted.
• Ensure that permissions on the registry keys used by the database are properly restricted.
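An added example (not from the slides) of how the second test step can be checked on a POSIX host: every entry under the database directory must be owned by the database service account and must grant nothing to group or other. The file names and the owner-only mask are assumptions; `demo()` builds a throwaway directory so the check runs offline.

```python
import os
import stat
import tempfile

def permission_findings(root, expected_uid, max_mode=0o700):
    """Walk root; report entries that are mis-owned or grant group/other access."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid != expected_uid:
                findings.append((path, f"owned by uid {st.st_uid}, expected {expected_uid}"))
            if mode & ~max_mode:            # any bit outside the owner-only mask
                findings.append((path, f"mode {mode:04o} exceeds {max_mode:04o}"))
    return findings

def demo():
    """Constructed 'data directory': one correctly locked file and one too open."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o700)
        good = os.path.join(root, "users.dbf")      # assumed file names
        bad = os.path.join(root, "redo01.log")
        for p in (good, bad):
            open(p, "wb").close()
        os.chmod(good, 0o600)
        os.chmod(bad, 0o644)                         # world-readable: a finding
        return [(os.path.relpath(p, root), why)
                for p, why in permission_findings(root, os.getuid())]
```

Run `permission_findings` against the real data directory with the service account's uid; an empty list is the pass condition for this test step.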
Account and Permissions Management (Review Database Accounts)
• Review and evaluate procedures for creating user accounts and ensuring that accounts are created only with a legitimate business need. Also review and evaluate processes for ensuring that user accounts are removed or disabled in a timely fashion in the event of termination or job change.
• Check for default usernames and passwords
• Check for easily guessed passwords
• Check that password management capabilities are enabled:
– Password strength validation functions
– Password expiration
– Password reuse limits
– Password expiration grace time
– Password lockout
– Password lockout reset
• Review database privileges:
– Grant
– Revoke
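An added example (not from the slides) that turns the six password management features above into audit checks. `SAMPLE_PROFILE` is a constructed profile using Oracle-style setting names; the thresholds (90-day life, 5 reuse generations, 7-day grace, 5 failed logins, 30-minute reset) are illustrative assumptions, and `validate_password` is a minimal strength validation function of the kind the first feature refers to.

```python
import re

# Constructed sample profile, keyed the way an Oracle-style profile names its
# password settings (assumption: names and audit thresholds are illustrative).
SAMPLE_PROFILE = {
    "PASSWORD_VERIFY_FUNCTION": "NULL",   # no strength validation assigned
    "PASSWORD_LIFE_TIME": "UNLIMITED",    # passwords never expire
    "PASSWORD_REUSE_MAX": "UNLIMITED",    # any old password may be reused
    "PASSWORD_GRACE_TIME": "7",           # days to change after expiry
    "FAILED_LOGIN_ATTEMPTS": "10",        # failures before lockout
    "PASSWORD_LOCK_TIME": "UNLIMITED",    # locked until a DBA resets it
}

def _num(value):
    """UNLIMITED has no numeric bound; everything else is a number of days."""
    return None if value.upper() == "UNLIMITED" else float(value)

# One audit check per feature on the slide: (setting, passes(value), finding).
CHECKS = [
    ("PASSWORD_VERIFY_FUNCTION", lambda v: v.upper() != "NULL",
     "no password strength validation function assigned"),
    ("PASSWORD_LIFE_TIME", lambda v: _num(v) is not None and _num(v) <= 90,
     "passwords do not expire within 90 days"),
    ("PASSWORD_REUSE_MAX", lambda v: _num(v) is not None and _num(v) >= 5,
     "fewer than 5 previous passwords are blocked from reuse"),
    ("PASSWORD_GRACE_TIME", lambda v: _num(v) is not None and _num(v) <= 7,
     "expiration grace time exceeds 7 days"),
    ("FAILED_LOGIN_ATTEMPTS", lambda v: _num(v) is not None and _num(v) <= 5,
     "more than 5 failed logins allowed before lockout"),
    ("PASSWORD_LOCK_TIME", lambda v: _num(v) is None or _num(v) >= 1 / 48,
     "lockout resets automatically in under 30 minutes"),
]

def audit_profile(profile):
    """Return a finding for every setting that fails its check or is missing."""
    findings = []
    for setting, passes, finding in CHECKS:
        value = profile.get(setting)
        if value is None or not passes(value):
            findings.append(f"{setting}: {finding}")
    return findings

def validate_password(username, password):
    """A minimal strength validation function; returns the rules that fail."""
    rules = [
        (len(password) >= 12, "shorter than 12 characters"),
        (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password), "needs upper and lower case"),
        (re.search(r"\d", password), "needs a digit"),
        (re.search(r"[^A-Za-z0-9]", password), "needs a symbol"),
        (username.lower() not in password.lower(), "contains the username"),
    ]
    return [reason for ok, reason in rules if not ok]
```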
Password Strength and Management Features
• Pros of using operating system authentication for database access include the following:
– Operating system authentication typically is more robust than database authentication.
– Operating system authentication typically includes more password management features.
– Password management features are more likely to be implemented already at the operating system level.
• Cons include the following:
– Authentication is out of the DBA’s hands.
– A user with an operating system account can access the operating system of the database if it is not configured properly.
Data Encryption
• Verify that network encryption is implemented
• Verify that encryption of data at rest is implemented where appropriate
Monitoring and Management
• Verify the appropriate use of database auditing and activity monitoring:
– Enabling native auditing in the database
– Monitoring network traffic to audit database activity
– Reviewing transaction logs to build an audit trail from the database
• Evaluate how capacity is managed for the database environment to support existing and anticipated business requirements.
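An added example (not from the slides) of what reviewing native audit records looks like in practice: two detections run over a constructed audit log. The record format is an assumption (real audit tables differ by vendor), as are the thresholds of five failed logons within five minutes and an 08:00 to 18:00 change window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of native database audit records (assumed format; real
# audit tables differ by vendor, so adapt the parser to yours).
AUDIT_LOG = """\
2017-09-12T08:00:02 user=app_svc action=LOGON status=SUCCESS host=10.0.0.21
2017-09-12T08:00:05 user=app_svc action=SELECT status=SUCCESS host=10.0.0.21
2017-09-12T23:14:01 user=report1 action=LOGON status=FAILED host=10.0.0.99
2017-09-12T23:14:03 user=report1 action=LOGON status=FAILED host=10.0.0.99
2017-09-12T23:14:04 user=report1 action=LOGON status=FAILED host=10.0.0.99
2017-09-12T23:14:06 user=report1 action=LOGON status=FAILED host=10.0.0.99
2017-09-12T23:14:09 user=report1 action=LOGON status=FAILED host=10.0.0.99
2017-09-12T23:20:40 user=dba2 action=GRANT status=SUCCESS host=10.0.0.99
2017-09-13T09:05:11 user=dba1 action=CREATE_USER status=SUCCESS host=10.0.0.10
"""
PRIVILEGED = {"GRANT", "REVOKE", "CREATE_USER", "ALTER_USER", "DROP_USER"}

def parse_records(text):
    """Turn each audit line into a dict; the timestamp becomes a datetime."""
    records = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        rec = dict(re.findall(r"(\w+)=(\S+)", rest))
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Accounts with >= threshold failed logons inside any sliding window."""
    by_user = defaultdict(list)
    for r in records:
        if r["action"] == "LOGON" and r["status"] == "FAILED":
            by_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
    return flagged

def privileged_changes_after_hours(records, open_hour=8, close_hour=18):
    """Privilege or account changes outside the change window deserve a ticket."""
    return [r for r in records if r["action"] in PRIVILEGED
            and not open_hour <= r["ts"].hour < close_hour]
```

Both detections only work if native auditing is enabled for LOGON failures and DDL/privilege statements, which is why the first sub-step above comes before the log review.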
Tools and Technology
• Auditing Tools
– AppDetective by Applications Security Inc (www.appsecinc.com)
– NGSAuditor and NGSSquirrel by NGS Software, Ltd (www.ngsoftware.com/home.aspx)
Monitoring and Data Encryption Tools
Auditing Storage
• Redundant Array of Independent Disks (RAID)
– RAID-0 (Striping)
– RAID-1 (Mirroring)
– RAID-5 (Reliability with Parity)
– RAID-10 (High performance striping with mirrored segments)
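An added toy model (not from the slides, and not a storage driver) showing why RAID-5 gives "reliability with parity": each stripe spreads data over all disks but one and stores the XOR of those chunks on a parity disk that rotates per stripe, so the contents of any single failed disk are the XOR of the survivors. Disk count, chunk size and the failed disk are assumed parameters.

```python
def xor_bytes(chunks):
    """XOR a list of equal-length byte strings into one."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)

def write_raid5(data, disks, chunk_size):
    """Stripe data over disks-1 chunks per stripe; parity rotates across disks."""
    n = disks - 1
    data += b"\0" * (-len(data) % (n * chunk_size))     # pad the last stripe
    layout = [[] for _ in range(disks)]                 # layout[disk][stripe]
    for s in range(len(data) // (n * chunk_size)):
        chunks = [data[(s * n + k) * chunk_size:(s * n + k + 1) * chunk_size]
                  for k in range(n)]
        parity_disk = s % disks
        it = iter(chunks)
        for d in range(disks):
            layout[d].append(xor_bytes(chunks) if d == parity_disk else next(it))
    return layout

def rebuild_disk(layout, failed):
    """Any single disk is the XOR of all the others, stripe by stripe."""
    survivors = [disk for d, disk in enumerate(layout) if d != failed]
    return [xor_bytes([disk[s] for disk in survivors]) for s in range(len(survivors[0]))]

def read_raid5(layout, length):
    """Reassemble the data, skipping each stripe's parity chunk."""
    disks = len(layout)
    out = b"".join(layout[d][s] for s in range(len(layout[0]))
                   for d in range(disks) if d != s % disks)
    return out[:length]

def survives_single_failure(data, disks=4, chunk_size=4, failed=2):
    """Write, lose one disk, rebuild it from parity, and read the data back."""
    layout = write_raid5(data, disks, chunk_size)
    original = layout[failed]
    layout[failed] = None                               # the disk is gone
    layout[failed] = rebuild_disk(layout, failed)
    return layout[failed] == original and read_raid5(layout, len(data)) == data
```

Losing a second disk before the rebuild completes leaves nothing to XOR against, which is the audit question behind RAID-5: how quickly a failed member is replaced and rebuilt.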
• DAS, NAS, SAN and CAS
• Direct Attached Storage (DAS) is storage directly attached to the server by connectivity media such as parallel Small Computer System Interface (SCSI) cables.
• A Network Attached Storage (NAS) device runs an operating system specifically designed to handle files and make them accessible to the network.
• Storage Area Network (SAN) is a scalable and flexible storage subsystem generally available to more than one host at the same time.
• Content Addressed Storage (CAS) is object-oriented storage designed specifically for archival storage of unique items that are not intended to be changed after they are stored.
