17.07.2015 Views

Download eBook (PDF) - Red Gate Software


CHAPTER 9: HONEYCOMBING A DATABASE

In the world of network servers, the term "honeypot" refers to a server that is placed in an environment for the sole purpose of attracting those who are snooping around, and capturing their activities within the honeypot server. Honeycombing a database is a very similar approach and involves creating "decoy" tables within a database that appear to contain valid, and unprotected, sensitive data. When unauthorized activity occurs on the decoy table, it is captured in an audit table and a notification is sent to the appropriate parties. Once the notification is received by the Database Administrator, immediate termination of the violating user account can occur. Also, the data that is captured during the unauthorized activity can be reviewed to gain a better understanding of how unauthorized activities are occurring and identify ways to prevent them from occurring on the real data.

Until the release of SQL Server 2008, the process of honeycombing a SQL Server database was very difficult. Triggers could be used to capture the occurrences of UPDATE, INSERT and DELETE statements; but nothing was available to capture SELECT statements, beyond running SQL Server Profiler. With SQL Server 2008's auditing feature, a much wider array of events, including SELECT statements, are available, with the added advantage that we don't need to use triggers to capture these events.

This chapter will demonstrate how to create a honeycomb table, audit activity on it, and send notifications of this activity to the relevant parties.

Implementing a Honeycomb Table

The process of honeycombing a database begins with the creation of a decoy table. The script in Listing 9-1 creates a honeycomb table in the default Database Object Schema of our HomeLending database. It has the mouthwatering name of Customer_Information and the column names, including First_Name, Social_Security_Number and Address_Street, are equally likely to attract the attention of the data thief.
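The following sketch is an added example, not the book's Listing 9-1: it creates a decoy table with the name and columns mentioned above and attaches a SQL Server 2008 audit that records SELECT as well as INSERT, UPDATE and DELETE against it. The `dbo` schema, column types, the audit names and the `D:\AuditLogs\` path are assumptions made for illustration.

```sql
-- Added example. Only HomeLending, Customer_Information and the three named
-- columns come from the text; every other name, type and path is hypothetical.
USE HomeLending;
GO
CREATE TABLE dbo.Customer_Information
(
    Customer_ID            INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    First_Name             VARCHAR(50)  NOT NULL,
    Social_Security_Number CHAR(11)     NOT NULL,
    Address_Street         VARCHAR(100) NOT NULL
);
GO
-- Constructed decoy row (never store real personal data in a decoy table).
INSERT INTO dbo.Customer_Information (First_Name, Social_Security_Number, Address_Street)
VALUES ('Jane', '000-00-0000', '1 Example Street');
GO

-- Server-level audit object: defines where audit records are written.
USE master;
GO
CREATE SERVER AUDIT Honeycomb_Audit
    TO FILE (FILEPATH = 'D:\AuditLogs\')      -- placeholder; directory must exist
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Honeycomb_Audit WITH (STATE = ON);
GO

-- Database-level specification: any principal touching the decoy is recorded,
-- including SELECT, which triggers cannot capture.
USE HomeLending;
GO
CREATE DATABASE AUDIT SPECIFICATION Honeycomb_Customer_Information
    FOR SERVER AUDIT Honeycomb_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE
         ON OBJECT::dbo.Customer_Information BY public)
    WITH (STATE = ON);
GO

-- Review captured activity: who touched the decoy, when, and with what statement.
SELECT event_time, action_id, session_server_principal_name,
       database_principal_name, statement
FROM sys.fn_get_audit_file('D:\AuditLogs\Honeycomb_Audit*.sqlaudit', DEFAULT, DEFAULT)
WHERE object_name = 'Customer_Information'
ORDER BY event_time DESC;
```

In SQL Server 2008, database audit specifications are available only in Enterprise edition. The notification step the chapter describes is not shown here.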
