Ch.9/10 Database final
access
Appropriate _________ control is essential to ensure the confidentiality, integrity, and availability of the DBMS.
the instance level
At what level is a server audit object created?
-accuracy and reliability -strength and effectiveness
Auditing ensures environment's ___________ and ___________, whereas security testing measures environment's __________ and _____________
object explorer
Audits can be enabled, reviewed, and created using __________ in SQL Server Management Studio
Third-party group
Audits to satisfy legal obligations are generally conducted by a ____________
time and effort
Automatic functions or tools can save ______ and ________ during the auditing process
Several small security audits should be scheduled for different times of the year each focusing on one area of the environment
How do you ensure that enough resources are available for the entire network to be audited?
by simulating active exploitation and executing potential attacks within the environment. Typically outsourced to a third-party
How is security testing conducted?
security audits cover security policies, human resources, and legal or standards compliance, security testing does not
How is security testing different from security auditing?
injection
If a web application that communicates with a database has not been audited, a potential SQL _____________ risk remains
deliverables
If the review was that of a formal or external audit, all remediation actions are defined by a set of expected ___________
server or database
In Microsoft SQL server, auditing can be created at the _________ or _________ level
preliminary interviews
In planning for an audit, the organization will conduct ________________________ to learn about network and business structure
priorities
It is a good practice to check previous security audit results for clues as the where _________ have been placed in the past.
People, policies, systems, and controls
Knowledge of the _________, ____________, __________, and __________ is a necessity that should include an understanding of the relationships and correlations that exist among them
logs
Many database tools create _______ that can become large and resource intensive.
internal committee
Self-assessment audits are generally conducted by a ___________
manual
The auditing process in MySQL involves _________ exploration of logs and objects
remediation
The auditor or auditing committee's recommendations are typically followed by a specific set of ___________ actions
The classification of the audit and the individual auditors or auditing committee
The format of the written report is usually dependent on what?
The nature of the business
The frequency with which security audits take place depends on what?
the individuals who conduct it
The reason for an audit determines what?
target file or windows event logs
The recorded activity in SQL server can be sent to a __________ or __________
true
True or False: A hospital is an example of an organization that would commonly conduct a formal audit.
True
True or False: A security audit does not remove vulnerabilities, it only tests to ensure proper policies and procedures are in place to handle a potential vulnerability
true
True or False: Database audits should be conducted frequently and thoroughly to contribute to the security measures.
True
True or False: It is nearly impossible to conduct a security audit on all areas of the network at the same time.
functionality, purpose, and structure
Understanding of the _____________, _____________, and _____________ of all database management systems must be obtained to conduct an effective and comprehensive audit
Prepare Audit Report
What 3 steps make up the auditing process?
physical security operating systems web applications web server security database server policies and procedures central help desk network equipment security
What are common areas of the network that can be broken down into for an audit?
Systematic measures and checks to ensure networks remain secure
What are internal security controls?
Meant to provide an accurate view of organization's security controls and to initiate positive changes for weak areas
What are security audits meant to do?
web applications web servers middleware scripting pages
What are some database-supporting components that would require an audit to ensure reliability of the database?
-Failed logins are being monitored -Failed queries are being monitored -Changes to the metadata are being monitored
What are some examples of activity audit checks?
-PUBLIC is revoked from the system -The principle of least privilege is utilized -Privileges are granted using groups rather than individuals
What are some examples of data privilege audit checks?
-Symmetric keys are used for data encryption -Sensitive data is documented and labeled as such -Passwords are encrypted while remotely logging in to the database
What are some examples of encryption audit checks?
scope, type of audit, and the organization
What are some things the activities in the audit depend on?
-Background information -Defined perimeter and scope -Audit objectives -Key findings -Methodology used to identify risks -Remediation recommendations -Specific remediation actions to implement recommendations
What are the common components of the audit report?
server maintenance access control passwords account administration data privileges encryption activity
What are the different areas of concentration in a database audit?
1. Identify security measure's purpose 2. Locate any risk on the network that might prevent security measure from achieving its purpose 3. Search for process or practice already in place to mitigate the identified risks 4. Report any areas in which risks are identified and no mitigation process is in place
What are the four goals of an auditor?
-None: Disables auditing altogether -DB: Enables auditing and sends log to the database SYS.AUD$ table -OS: Enables auditing and sends log to the operating system -XML: Enables auditing and sends log to an XML operating system file
What are the options for the audit_trail function?
Database Application External
What are the three levels of auditing in Oracle?
Focus on database supporting components and then move to database itself, or the audit can begin at the database and then move to the components
What are the two ways a database audit can be done?
The objectives of the audit can be clearly defined and a solid plan can be created.
What can be done after the perimeter has been created and the assets prioritized within it?
helps define a prioritized checklist of activities that can be developed as a starting point for the DBMS audit.
What does a risk and threat analysis help do?
-logistical details and information already gathered (date and time) -backup strategy and impact to daily operations
What does an audit plan usually include?
provides information about changes made by a specific user session; it monitors sessions
What does application-level auditing in Oracle do?
provides an administrator with the ability to create custom audits to be defined for any given action on a database or database object
What does database-level auditing in Microsoft SQL server do?
provides information about changes made to a specific database object; it monitors databases
What does database-level auditing in Oracle do?
-Interviews with the DBA and database system team -Examining schemas, diagrams, policies, procedures
What does gathering information for an audit involve?
can be defined to record actions on the server itself
What does server-level auditing in Microsoft SQL server do?
-List and prioritize assets -Identify potential threats
What happens during the planning and preparation phase of an audit?
List tangible and intangible assets and Prioritize assets
What helps you understand the network and organizational structure?
Review of an environment's security controls and systems to identify weaknesses
What is a Security Audit?
auditing activity automatically and between larger security audits
What is a best practice when auditing activity?
the act of minimizing, handling, and detecting user access to the database and its resources
What is access control?
Area or systems on which security audit will focus
What is an audit scope?
SELECT, UPDATE, DELETE
What is an example of an action on a database or database object?
login information, backups, role changes
What is an example of an action on a server?
A review of how an administrator is: -Defining and creating user accounts -Removing user accounts -Applying security policies -Assigning groups, roles, and privileges
What is included in the auditing of account administration?
a review of: -a written policy -the server configuration -default user accounts
What is included in the auditing of passwords?
-Software updates -Backup strategies -Application version control -Resource management -Hardware updates
What is included in the auditing of server maintenance?
Process of identifying the feasibility and impact of an attack or intrusion
What is security testing?
Allows granular administration of system wide auditing at both application and database layers
What is the audit_trail function?
DB
What is the default audit_trail function setting when Security Settings is enabled
Debriefing meeting where results are communicated (the reporting phase)
What is the final step of the security auditing process?
Create a server audit object to record desired actions
What is the first step to create an audit in Microsoft SQL server?
ensuring appropriate privileges
What is the most time consuming task of an audit and often requires collaboration with the administrator?
Create a specification object that belongs to either the server audit object or database audit object
What is the second step in creating an audit in Microsoft SQL Server?
-Identify priority assets -Make conceptual perimeter of the security audit
What must be done when determining the audit scope?
Should include detailed information about people, data, technology, and documents that play a role in the audit
What should be addressed to define the perimeter in an audit?
Database-level Application-level
What two levels of auditing in Oracle must be applied to provide a comprehensive picture of the activities on a database?
Formal or external
What type of review would include deliverables and time frames for implementing expected actions?
informal or internal
What type of review would need all remediation actions to be tracked internally?
During the actual audit
When will an auditor validate risks or concerns using business policies and ask customers to explain issues as they are found?
in the Security Settings window in the database configuration assistant
Where can you enable the default security settings in Oracle
The audit itself
Which phase takes the most time in the auditing process?
Microsoft SQL server
Which server enables tracking and logging of activities throughout all levels of the database?
Usually involves company's owners, senior managers, and other stakeholders
Who is usually involved in the debriefing meeting?
because of the size of the database and the resources required to complete the audit
Why are database audits conducted in small pieces?
Conducted by a third party to satisfy a requirement or certify that a company is complying with a certain group of standards or laws
Why are external audits conducted?
Conducted to satisfy specific industry standards that are required by law
Why are formal audits conducted?
Conducted to provide evidence that security policies and practices are effective and working properly
Why are informal audits conducted?
to ensure that the company is meeting its auditing standards and complying with its own policies.
Why are internal audits conducted?
they are the first line of defense an intruder will encounter
Why are strong passwords critical in a secure environment?
Do not want negative repercussions from audit results, and it provides inaccurate view of the typical environment, leaving no room for real growth
Why do some organizations prepare extensively for audits and why is this bad?
Uses tools with the purpose of recording typical behavior of a system for troubleshooting
Why is an automated audit conducted?
It can require logging database access over a period of time
Why is auditing access control very time consuming?
the goal of a security audit is to report an accurate view of the organizational control of weaknesses.
Why should little to no preparation be done for an audit by the organization being audited?
Priority shifts could cause certain areas to be left unchecked for a time
Why should rotating schedules for an audit be used with caution?
-Informally as part of an organization's yearly self-assessment -After a security intrusion -In reaction to an identified risk -Formally to satisfy industry-specific standards or laws
Why/when should an audit be conducted?
a risk and threat analysis
what is especially important if a database is accessed remotely or from the Web?
external
___________ audits can be requested by governing bodies or financial institutions out of concern for noncompliance or corrupt undertakings.
formal
____________ audits utilize an external group of individuals who are hired or employed by the government or other standard-setting groups for the purpose of conducting an audit.
security testing
_____________ offers a way to actively evaluate the security measures implemented within an environment in terms of strength and loss potential
security auditing
_________________ compares the documentation with the architecture to ensure accuracy and reliability of an environment
planning and preparation
During the ______________ phase, an auditor will determine what systems, department, or component of the organization will be included
security audit
A ____________ is conducted to locate potential weaknesses found within the company's internal controls
stored and moving
Encryption should be checked for both _________ and _________ data throughout the database.
scope
Defining the _________ of the audit is one of the most important steps of the auditing process.