Implementing Database Security and Auditing: Includes ... - ADReM

More documents

Recommendations

Info

Getting Started 3 In December 2000, the online retailer Egghead.com announced that its customer database may have been compromised and warned that more than 3.5 million credit card numbers may have been stolen. Egghead.com later announced that the credit cards were not compromised but the investigation cost millions and few customers were willing to continue to do business with the retailer. The company went out of business shortly thereafter. In 2001, Bibliofind, a division of Amazon.com that specialized in rare and out-of-print books, was attacked and details for almost 100,000 credit cards were stolen. Even worse, the attackers maintained free access to the database for four months before being discovered! As a result, Bibliofind stopped offering buy/sell services and ended up as a matching service only (i.e., had to forgo a large portion of its revenues). In March 2001, the FBI reported that almost 50 bank and retail Web sites were attacked and compromised by Russian and Ukrainian hackers. In November 2001, Playboy.com was attacked and credit card information was stolen. In fact, the hackers sent e-mails to customers that displayed the credit card information. In the course of 2001, Indiana University was successfully attacked twice and private information, such as social security numbers and addresses, was stolen. A study conducted by Evans Data (a market research firm) in 2002 sampled 750 companies and reported that 10% of databases had a security incident in 2001! More than 40% of banking and financial services companies reported “incidents of unauthorized access and data corruption” and 18% of medical/healthcare firms reported similar types of incidents. In Oct. 2004 a hacker compromised a database containing sensitive information on more than 1.4 million California residents. The breach occurred on Aug 1 but was not detected until the end of the month. The database in question contained the names, addresses, Social Security numbers, and dates of birth of caregivers and care recipients participating in California’s In-Home Supportive Services (IHSS) program since 2001. The data was being used in a UC Berkeley study of the effect of wages on in-home care and was obtained with authorization from the California Department of Social Services. The hacker had reportedly taken advantage of an unpatched system and Chapter 1
Page 2: Implementing Database Security and
Page 6: Implementing Database Security and
Page 10: To my angels—Dafne, Tamir, Ariell
Page 16: viii Contents 2.2.2 Firewalls 39 2.
Page 20: x Contents 5.3.1 Anatomy of the vul
Page 24: xii Contents 9.5 Closely monitor de
Page 30: Preface This book is a guide on imp
Page 34: Preface xvii Stephen Chaung, Curt C
Page 40: 2 Getting Started More important, m
Page 46: Getting Started 5 While e-commerce
Page 50: 1.1 Harden your database environmen
Page 78: 1.2 Patch your database 21 1.2.1 Tr
Page 82: 1.2 Patch your database 23 fies the
Page 86: 1.2 Patch your database 25 1.2.3 An
Page 90: 1.2 Patch your database 27 Figure 1
Page 94:
1.3 Audit the database 29 The resul
Page 98:
1.5 Resources and Further Reading 3
Page 102:
1.A C2 Security and C2 Auditing 33
Page 106:
2 Database Security within the Gene
Page 110:
2.1 Defense-in-depth 37 ing) one wa
Page 114:
2.2 The security software landscape
Page 118:
2.2 The security software landscape
Page 122:
2.3 Perimeter security, firewalls,
Page 126:
Page 130:
Page 134:
2.5 Application security 49 importa
Page 138:
2.6 Public key infrastructure (PKI)
Page 142:
2.7 Vulnerability management 53 Fig
Page 146:
2.8 Patch management 55 tems, and o
Page 150:
2.9 Incident management 57 3. Harde
Page 154:
2.10 Summary 59 2.10 Summary Don
Page 160:
62 3.1 Leave your database in the c
Page 164:
64 Figure 3.2 Data access diagram s
Page 168:
66 Figure 3.4 Using tabular reports
Page 172:
68 3.3 Track tools and applications
Page 176:
70 3.3 Track tools and applications
Page 180:
72 3.4 Remove unnecessary network l
Page 184:
74 Figure 3.7 Using the SQL Server
Page 188:
Page 192:
Page 196:
Page 200:
82 3.5 Use port scanners—so will
Page 204:
84 3.6 Secure services from known n
Page 208:
86 3.7 Use firewalls tion service.
Page 212:
88 3.A What is a VPN? 3.A What is a
Page 216:
90 3.B Named Pipes and SMB/CIFS 3.B
Page 220:
92 3.B Named Pipes and SMB/CIFS Tab
Page 224:
94 3.B Named Pipes and SMB/CIFS Tab
Page 228:
96 Figure 4.1 Authentication as the
Page 232:
98 Figure 4.2 A Windows user is cre
Page 236:
100 @Spy 4.1 Choose an appropria
Page 240:
102 SID 4.1 Choose an appropriate a
Page 244:
104 4.1 Choose an appropriate authe
Page 248:
106 4.1 Choose an appropriate authe
Page 252:
108 4.2 Understand who gets system
Page 256:
110 4.3 Choose strong passwords 5.
Page 260:
112 4.3 Choose strong passwords Fig
Page 264:
114 4.3 Choose strong passwords Let
Page 268:
116 4.3 Choose strong passwords Fig
Page 272:
118 4.4 Implement account lockout a
Page 276:
120 4.6 Use passwords for all datab
Page 280:
122 4.7 Understand and secure authe
Page 284:
124 4.A A brief account of Kerberos
Page 290:
Application Security 5 After many y
Page 294:
5.1 Reviewing where and how databas
Page 298:
Page 302:
Page 306:
Page 310:
Page 314:
5.2 Obfuscate application code 139
Page 318:
Page 322:
Page 326:
Page 330:
Page 334:
5.3 Secure the database from SQL in
Page 338:
Page 342:
Page 346:
Page 350:
Page 354:
Page 358:
Page 362:
Page 366:
Page 370:
Page 374:
5.4 Beware of double whammies: Comb
Page 378:
5.6 Address packaged application su
Page 382:
5.6 Address packaged application su
Page 386:
5.8 Summary 175 Create a baseline
Page 390:
Using Granular Access Control 6 Onc
Page 394:
6.1 Align user models by communicat
Page 398:
Page 402:
Page 406:
6.2 Use row-level security (fine-gr
Page 410:
6.2 Use row-level security (fine-gr
Page 414:
6.3 Use label security 189 The last
Page 418:
6.3 Use label security 191 Figure 6
Page 422:
6.4 Integrate with enteprise user r
Page 426:
Page 430:
Page 434:
6.5 Integrate with existing identit
Page 438:
6.6 Summary 201 more techniques are
Page 444:
204 7.1 Don’t use external proced
Page 448:
206 Table 7.1 7.1 Don’t use exter
Page 452:
Page 456:
Page 460:
Page 464:
214 7.2 Don’t make the database a
Page 468:
Page 472:
Page 476:
220 7.4 Understand Web services sec
Page 480:
Page 484:
Page 488:
Page 492:
228 7.A Cross-site scripting and co
Page 496:
230 7.B Web services 7.B Web servic
Page 502:
8 Securing database-to-database com
Page 506:
8.1 Monitor and limit outbound comm
Page 510:
8.2 Secure database links and watch
Page 514:
Page 518:
Page 522:
8.4 Monitor usage of database links
Page 526:
8.4 Monitor usage of database links
Page 530:
8.5 Secure replication mechanisms 2
Page 534:
Page 538:
Page 542:
Page 546:
Page 550:
Page 554:
8.6 Map and secure all data sources
Page 558:
Page 562:
Page 566:
Page 570:
Trojans 9 A Trojan is an unauthoriz
Page 574:
9.2 Baseline calls to stored proced
Page 578:
9.3 Control creation of and changes
Page 582:
9.3 Control creation of and changes
Page 586:
9.5 Closely monitor developer activ
Page 590:
9.5 Closely monitor developer activ
Page 594:
9.6 Monitor creation of traces and
Page 598:
9.6 25 26 27 28 33 34 35 36 37 38 3
Page 602:
Page 606:
Page 610:
Page 614:
Page 618:
9.7 Monitor and audit job creation
Page 622:
9.8 Be wary of SQL attachments in e
Page 626:
9.A Windows Trojans 295 [HKEY_LOCAL
Page 632:
298 Directive of Data Protection, t
Page 636:
300 10.1 Encrypting data-in-transit
Page 640:
Page 644:
Page 648:
Page 652:
Page 656:
310 Figure 10.3 No certificate erro
Page 660:
Page 664:
Page 668:
316 10.2 Encrypt data-at-rest Figur
Page 672:
318 10.2 Encrypt data-at-rest corpo
Page 676:
320 10.2 Encrypt data-at-rest DBMS_
Page 680:
322 10.2 Encrypt data-at-rest secur
Page 684:
324 10.A Tapping into a TCP/IP sess
Page 688:
326 10.A Tapping into a TCP/IP sess
Page 692:
328 11.1 The alphabet soup of regul
Page 696:
Page 700:
Page 704:
Page 708:
336 11.2 Understand business needs
Page 712:
338 11.2 Understand business needs
Page 716:
340 11.3 The role of auditing Figur
Page 720:
342 11.3 The role of auditing Figur
Page 724:
344 11.4 The importance of segregat
Page 728:
346 11.4 The importance of segregat
Page 732:
348 11.6 Summary 11.6 Summary logs
Page 736:
350 12.1 Audit logon/logoff into th
Page 740:
352 12.1 BEGIN insert into user_log
Page 744:
354 12.2 Audit sources of database
Page 748:
356 Figure 12.4 Viewing client sour
Page 752:
358 12.4 Audit DDL activity that ma
Page 756:
360 12.5 Audit database errors do n
Page 760:
362 12.6 Audit changes to sources o
Page 764:
364 12.7 Audit changes to privilege
Page 768:
Page 772:
Page 776:
370 12.9 Audit changes to sensitive
Page 780:
372 12.10 Audit SELECT statements f
Page 784:
374 12.12 Summary 12.12 Summary aud
Page 788:
376 13.2 Opt for an independent/bac
Page 792:
378 Figure 13.1 Auditing by inspect
Page 796:
380 Figure 13.3 Auditing by inspect
Page 800:
382 13.5 Secure auditing informati
Page 804:
384 13.6 Audit the audit system the
Page 808:
386 13.8 Thinks in terms of a data
Page 812:
388 13.10 Support changing audit re
Page 816:
390 13.11 Prefer an auditing archit
Page 820:
392 13.A PGP and GPG ing files and
Page 824:
394 13.A PGP and GPG After generati
Page 830:
Index Access administration errors,
Page 834:
proxy, 198 as security model basis,
Page 838:
See also Encryption Data mapping, 3
Page 842:
key pair creation, 392-94 popularit
Page 846:
Microsoft Data Engine (MSDE), 110,
Page 850:
Organization, this book, 6 Outbound
Page 854:
Sarbanes-Oxley Act (SOX). See SOX S
Page 858:
passwords, changing, 105 Query Anal
Page 862:
environment usage, 88 hardware, 89
show all

Implementing Database Security and Auditing: Includes ... - ADReM

Create successful ePaper yourself

Delete template?

Save as template?