Ch.9/10 Database final


access

Appropriate _________ control is essential to ensure the confidentiality, integrity, and availability of the DBMS.

the instance level

At what level is a server audit object created?

-accuracy and reliability
-strength and effectiveness

Auditing ensures an environment's ___________ and ___________, whereas security testing measures an environment's __________ and _____________

object explorer

Audits can be enabled, reviewed, and created using __________ in SQL Server Management Studio

Third-party group

Audits to satisfy legal obligations are generally conducted by a ____________

time and effort

Automatic functions or tools can save ______ and ________ during the auditing process

Several small security audits should be scheduled for different times of the year, each focusing on one area of the environment

How do you ensure that enough resources are available for the entire network to be audited?

by simulating active exploitation and executing potential attacks within the environment; typically outsourced to a third party

How is security testing conducted?

security audits cover security policies, human resources, and legal or standards compliance; security testing does not

How is security testing different from security auditing?

injection

If a web application that communicates with a database has not been audited, a potential SQL _____________ risk remains

deliverables

If the review was that of a formal or external audit, all remediation actions are defined by a set of expected ___________

server or database

In Microsoft SQL Server, auditing can be created at the _________ or _________ level

preliminary interviews

In planning for an audit, the organization will conduct ________________________ to learn about network and business structure

priorities

It is a good practice to check previous security audit results for clues as to where _________ have been placed in the past.

People, policies, systems, and controls

Knowledge of the _________, ____________, __________, and __________ is a necessity that should include an understanding of the relationships and correlations that exist among them

logs

Many database tools create _______ that can become large and resource intensive.

internal committee

Self-assessment audits are generally conducted by a ___________

manual

The auditing process in MySQL involves _________ exploration of logs and objects

remediation

The auditor or auditing committee's recommendations are typically followed by a specific set of ___________ actions

The classification of the audit and the individual auditors or auditing committee

The format of the written report is usually dependent on what?

The nature of the business

The frequency with which security audits take place depends on what?

the individuals who conduct it

The reason for an audit determines what?

target file or Windows event logs

The recorded activity in SQL Server can be sent to a __________ or __________

true

True or False: A hospital is an example of an organization that would commonly conduct a formal audit.

True

True or False: A security audit does not remove vulnerabilities; it only tests to ensure proper policies and procedures are in place to handle a potential vulnerability

true

True or False: Database audits should be conducted frequently and thoroughly to contribute to the security measures.

True

True or False: It is nearly impossible to conduct a security audit on all areas of the network at the same time.

functionality, purpose, and structure

Understanding of the _____________, _____________, and _____________ of all database management systems must be obtained to conduct an effective and comprehensive audit

Prepare Audit Report

What 3 steps make up the auditing process?

-physical security
-operating systems
-web applications
-web server security
-database server
-policies and procedures
-central help desk
-network equipment security

What are the common areas into which the network can be broken down for an audit?

Systematic measures and checks to ensure networks remain secure

What are internal security controls?

Meant to provide an accurate view of organization's security controls and to initiate positive changes for weak areas

What are security audits meant to do?

-web applications
-web servers
-middleware
-scripting pages

What are some database-supporting components that would require an audit to ensure reliability of the database?

-Failed logins are being monitored
-Failed queries are being monitored
-Changes to the metadata are being monitored

What are some examples of activity audit checks?

-PUBLIC is revoked from the system
-The principle of least privilege is utilized
-Privileges are granted using groups rather than individuals

What are some examples of data privilege audit checks?

-Symmetric keys are used for data encryption
-Sensitive data is documented and labeled as such
-Passwords are encrypted while remotely logging in to the database

What are some examples of encryption audit checks?

scope, type of audit, and the organization

What are some things the activities in the audit depend on?

-Background information
-Defined perimeter and scope
-Audit objectives
-Key findings
-Methodology used to identify risks
-Remediation recommendations
-Specific remediation actions to implement recommendations

What are the common components of the audit report?

-server maintenance
-access control
-passwords
-account administration
-data privileges
-encryption
-activity

What are the different areas of concentration in a database audit?

1. Identify the security measure's purpose
2. Locate any risk on the network that might prevent the security measure from achieving its purpose
3. Search for a process or practice already in place to mitigate the identified risks
4. Report any areas in which risks are identified and no mitigation process is in place

What are the four goals of an auditor?

-None: Disables auditing altogether
-DB: Enables auditing and sends the log to the database SYS.AUD$ table
-OS: Enables auditing and sends the log to the operating system
-XML: Enables auditing and sends the log to an XML operating system file

What are the options for the audit_trail function?

-Database
-Application
-External

What are the three levels of auditing in Oracle?

Focus on database supporting components and then move to database itself, or the audit can begin at the database and then move to the components

What are the two ways a database audit can be done?

The objectives of the audit can be clearly defined and a solid plan can be created.

What can be done after the perimeter has been created and the assets prioritized within it?

helps define a prioritized checklist of activities that can be developed as a starting point for the DBMS audit.

What does a risk and threat analysis help do?

-logistical details and information already gathered (date and time)
-backup strategy and impact to daily operations

What does an audit plan usually include?

provides information about changes made by a specific user session; it monitors sessions

What does application-level auditing in Oracle do?

provides an administrator with the ability to create custom audits to be defined for any given action on a database or database object

What does database-level auditing in Microsoft SQL Server do?

provides information about changes made to a specific database object; it monitors databases

What does database-level auditing in Oracle do?

-Interviews with the DBA and database system team
-Examining schemas, diagrams, policies, procedures

What does gathering information for an audit involve?

can be defined to record actions on the server itself

What does server-level auditing in Microsoft SQL Server do?

-List and prioritize assets
-Identify potential threats

What happens during the planning and preparation phase of an audit?

Listing tangible and intangible assets and prioritizing assets

What helps you understand the network and organizational structure?

Review of an environment's security controls and systems to identify weaknesses

What is a Security Audit?

auditing activity automatically and between larger security audits

What is a best practice when auditing activity?

the act of minimizing, handling, and detecting user access to the database and its resources

What is access control?

Area or systems on which security audit will focus

What is an audit scope?

SELECT, UPDATE, DELETE

What is an example of an action on a database or database object?

login information, backups, role changes

What is an example of an action on a server?

A review of how an administrator is:
-Defining and creating user accounts
-Removing user accounts
-Applying security policies
-Assigning groups, roles, and privileges

What is included in the auditing of account administration?

a review of:
-a written policy
-the server configuration
-default user accounts

What is included in the auditing of passwords?

-Software updates
-Backup strategies
-Application version control
-Resource management
-Hardware updates

What is included in the auditing of server maintenance?

Process of identifying the feasibility and impact of an attack or intrusion

What is security testing?

Allows granular administration of system-wide auditing at both the application and database layers

What is the audit_trail function?

DB

What is the default audit_trail function setting when Security Settings is enabled?

Debriefing meeting where results are communicated (the reporting phase)

What is the final step of the security auditing process?

Create a server audit object to record desired actions

What is the first step to create an audit in Microsoft SQL Server?

ensuring appropriate privileges

What is the most time consuming task of an audit and often requires collaboration with the administrator?

Create a specification object that belongs to either the server audit object or database audit object

What is the second step in creating an audit in Microsoft SQL Server?

-Identify priority assets
-Make a conceptual perimeter of the security audit

What must be done when determining the audit scope?

Should include detailed information about people, data, technology, and documents that play a role in the audit

What should be addressed to define the perimeter in an audit?

-Database-level
-Application-level

What two levels of auditing in Oracle must be applied to provide a comprehensive picture of the activities on a database?

Formal or external

What type of review would include deliverables and time frames for implementing expected actions?

informal or internal

What type of review would need all remediation actions to be tracked internally?

During the actual audit

When will an auditor validate risks or concerns using business policies and ask customers to explain issues as they are found?

in the Security Settings window in the Database Configuration Assistant

Where can you enable the default security settings in Oracle?

The audit itself

Which phase takes the most time in the auditing process?

Microsoft SQL Server

Which server enables tracking and logging of activities throughout all levels of the database?

Usually involves company's owners, senior managers, and other stakeholders

Who is usually involved in the debriefing meeting?

because of the size of the database and the resources required to complete the audit

Why are database audits conducted in small pieces?

Conducted by a third party to satisfy a requirement or certify that a company is complying with a certain group of standards or laws

Why are external audits conducted?

Conducted to satisfy specific industry standards that are required by law

Why are formal audits conducted?

Conducted to provide evidence that security policies and practices are effective and working properly

Why are informal audits conducted?

to ensure that the company is meeting its auditing standards and complying with its own policies.

Why are internal audits conducted?

they are the first line of defense an intruder will encounter

Why are strong passwords critical in a secure environment?

They do not want negative repercussions from audit results, and it provides an inaccurate view of the typical environment, leaving no room for real growth

Why do some organizations prepare extensively for audits and why is this bad?

Uses tools with the purpose of recording typical behavior of a system for troubleshooting

Why is an automated audit conducted?

It can require logging database access over a period of time

Why is auditing access control very time consuming?

the goal of a security audit is to report an accurate view of the organization's control weaknesses.

Why should little to no preparation be done for an audit by the organization being audited?

Priority shifts could cause certain areas to be left unchecked for a time

Why should rotating schedules for an audit be used with caution?

-Informally as part of an organization's yearly self-assessment
-After a security intrusion
-In reaction to an identified risk
-Formally to satisfy industry-specific standards or laws

Why/when should an audit be conducted?

a risk and threat analysis

What is especially important if a database is accessed remotely or from the Web?

external

___________ audits can be requested by governing bodies or financial institutions out of concern for noncompliance or corrupt undertakings.

formal

____________ audits utilize an external group of individuals who are hired or employed by the government or other standard-setting groups for the purpose of conducting an audit.

security testing

_____________ offers a way to actively evaluate the security measures implemented within an environment in terms of strength and loss potential

security auditing

_________________ compares the documentation with the architecture to ensure accuracy and reliability of an environment

planning and preparation

During the ______________ phase, an auditor will determine what systems, departments, or components of the organization will be included

security audit

A ____________ is conducted to locate potential weaknesses found within the company's internal controls

stored and moving

Encryption should be checked for both _________ and _________ data throughout the database.

scope

Defining the _________ of the audit is one of the most important steps of the auditing process.
