Protecting your assets – audit & assurance regulation
Protecting your digital assets
- Digital assets aren't any different than physical assets
  - If I entrust my jewelry to a repair store and it gets stolen, they're liable for the loss.
  - Identity theft is as painful as any other theft of a physical asset
- Most of our assets are digital
- Digital assets are much harder to protect
  - Accessibility
  - Transferability
  - Flexibility (prone to changes)
  - Technical knowledge
  - Complexity & backdoors
  - Internal threats
  - Separation of duties
- Higher risks
  - Theft volumes
  - Theft periods (continuity)
  - Potential threats
Top Regulations Impacting DB Security Audit Requirements
Regulations: CobiT (SOX), PCI DSS, HIPAA, CMS ARS, GLBA, ISO 17799 (Basel II), NERC, NIST (FISMA)
Audit requirements:
1. Access to Sensitive Data (successful/failed SELECTs)
2. Schema Changes (DDL) (CREATE/DROP/ALTER tables, etc.)
3. Data Changes (DML) (INSERT, UPDATE, DELETE)
4. Security Exceptions (failed logins, SQL errors, etc.)
5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)
Notes:
1. DDL = Data Definition Language, AKA "schema changes": manipulates database structure (CREATE, DROP, ALTER objects such as TABLES)
2. DML = Data Manipulation Language: manipulates & retrieves data (INSERT, UPDATE, DELETE and SELECT)
3. DCL = Data Control Language: controls access (GRANT & REVOKE)
  - CONNECT to the database or schema.
  - SELECT, INSERT, UPDATE, DELETE records.
  - USAGE -- use a database object such as a schema or a function
STIG – Database Security Technical Implementation Guide (Database STIG)
- Developed by the Defense Information Systems Agency (DISA) for the Department of Defense (DOD)
- Published to the public domain
- Considered the best practice/blueprint to achieve a secure database environment
- Includes directives for all DBMS and specific guidelines for Oracle, SQL Server and DB2
- Provides a clear distinction between responsibilities of the
  - Database Administrator (DBA)
  - System Administrator (SA)
  - Information Assurance Officer (IAO)
STIG Generic Requirements – Integrity
- Version verification, support for the version, patches, etc.
  - The IAO will ensure that unsupported DBMS software is removed or upgraded prior to a vendor dropping support.
  - The IAO will ensure that the site has a formal migration plan for removing or upgrading DBMS systems prior to the date the vendor drops security patch support.
  - The IAO will ensure that the DBMS version has all patches applied.
- Weekly (or more frequent) monitoring of the object code to ensure that it has not been modified; baselines must be generated. This also includes functions and procedures.
  - The IAO will ensure that DBMS software is monitored on a regular basis, no less frequently than weekly, to detect unauthorized modifications.
  - The DBA will provide to the SA and IAO a list of database software directories to be included in software backup, baselining, and monitoring.
  - The IAO will ensure that configuration management policies and procedures are implemented for database software modifications.
- Third-party software, install directory
  - The SA will ensure that third-party software is not installed on the same directory structure as the database directory structure.
- DDL commands
  - The IAO will ensure that database applications do not use DDL statements.
STIG Generic Requirements (cont.)
- Unused components
  - The IAO will ensure that all unused binaries, database accounts, database objects, etc. will be removed
- Software development limitations
  - The DBA will ensure that software development on a production system is separated through the use of separate and uniquely identified data and application file storage partitions and processes/services.
  - The IAO will ensure that software configuration management policies are implemented and strictly enforced to ensure untested software is not inadvertently loaded to production systems.
  - The DBA will ensure that no database links are defined between production and development databases.
  - The DBA will ensure that development applications do not access production databases unless justified and documented with the IAO.
  - The DBA will ensure that development databases created from production database exports have passwords changed from their production values.
  - The DBA will ensure that export data from a production database used to populate a development database has all sensitive data, such as payroll data or personal information, removed or modified prior to import to the development database.
  - The IAO will review privileges granted to developers on shared production/development database systems to modify application code or application objects every three months or more frequently.
- De-identification, data sanitization, data obfuscation, … Vendors: Princeton Softech (IBM), Applimation, Datamasking.com – camouflage
STIG Generic Requirements (cont.)
- File permissions
  - The SA will ensure that permissions to database software comply with security evaluation specifications. If unavailable, permissions to database software will be set to comply with vendor recommended permissions.
  - The SA will ensure that all directories created by the installation of the DBMS are protected in accordance with security evaluation specifications if available. If unavailable, DBMS directory permissions will be set to comply with vendor recommendations.
  - The SA will ensure that all file permissions created by the installation of a DBMS are modified as necessary to comply with security evaluation specifications if available. If unavailable, DBMS file permissions will be set to comply with vendor recommended permissions.
  - The SA will ensure that permissions to change directory names, file permissions, or group information associated with the database software are restricted to SAs and DBAs.
  - The SA will ensure that all DBMS and third-party database application software files and directories are owned by the application software installation account and are protected from access by more than the minimal number of users required.
- More…
  - Backups, recovery
  - Performance analysis
STIG – Discretionary Access Control
- Database account controls
  - The DBA will ensure that all database actions are traceable to an individual user.
  - The DBA will ensure that all database accounts are granted roles containing the minimum set of privileges required for the application.
  - The DBA will configure all database accounts to be protected by a password, certificate, or other approved authentication method.
  - The DBA will ensure that use of shared database accounts is justified and documented with the IAO.
- Authentication – encourage the use of PKI (DOD PKI, …)
- Password guidelines
  - The DBA will assign a temporary database account password at account creation.
  - The DBA will ensure that database account passwords…
    - are stored in an encrypted format.
    - are hardened – minimum of eight characters, upper/lower case, digits, special character.
    - don't contain personal information, dictionary words, etc.
    - are changed every 90 days or more frequently.
    - are different from previous ones by at least 4 characters.
    - are not reused within 10 passwords and within a year.
  - The DBA will ensure that application database account passwords are changed at least once a year and any time an application administrator is reassigned.
  - The DBA will disable all default database accounts immediately after installation.
  - The DBA will lock the database account after three failed logins.
- Password expiration – not for functional accounts, but the exception needs to be documented. Use monitoring/alerting instead.
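The password rules on this slide are concrete enough to encode as checks. The following is an added example, not code from the original deck or from any vendor; it assumes that "different from previous ones by at least 4 characters" means at least four positions differ (a length difference counts as differing positions), that the current password is available in clear text at change time because the user supplies it, and that the password history kept for the reuse check is a list of previous values with the date each was set. The account lockout rule from the same slide (three failed logins) is included as a small state helper.

```python
from datetime import date

# Thresholds taken from the STIG password guidelines on the slide
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
MIN_CHAR_DIFF = 4        # assumption: counted as differing character positions
HISTORY_DEPTH = 10
REUSE_WINDOW_DAYS = 365
MAX_FAILED_LOGINS = 3


def composition_failures(pw):
    """Return the names of the hardening rules the password fails (empty list = hardened)."""
    checks = {
        "length": len(pw) >= MIN_LENGTH,
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }
    return [name for name, ok in checks.items() if not ok]


def contains_personal_info(pw, personal_terms):
    """Case-insensitive substring match against terms such as the user's name (caller supplies them)."""
    low = pw.lower()
    return [t for t in personal_terms if t and t.lower() in low]


def differs_enough(new, current):
    """At least MIN_CHAR_DIFF positions differ between the new and the current password."""
    diff = sum(1 for a, b in zip(new, current) if a != b) + abs(len(new) - len(current))
    return diff >= MIN_CHAR_DIFF


def is_reused(new, history, today):
    """history: list of (old_password, date_set), most recent first.
    Reuse is rejected within the last HISTORY_DEPTH passwords or within REUSE_WINDOW_DAYS."""
    for idx, (old, when) in enumerate(history):
        if new == old and (idx < HISTORY_DEPTH or (today - when).days < REUSE_WINDOW_DAYS):
            return True
    return False


def is_expired(last_change, today):
    """Passwords must be changed every 90 days or more frequently."""
    return (today - last_change).days > MAX_AGE_DAYS


def validate_new_password(new, current, history, personal_terms, today):
    """Collect every rule the proposed password violates; an empty list means it is acceptable."""
    problems = composition_failures(new)
    if contains_personal_info(new, personal_terms):
        problems.append("personal_info")
    if not differs_enough(new, current):
        problems.append("too_similar_to_current")
    if is_reused(new, history, today):
        problems.append("reused")
    return problems


def record_failed_login(account):
    """account: dict with 'failed' and 'locked'; lock the account at the third failure."""
    account["failed"] += 1
    if account["failed"] >= MAX_FAILED_LOGINS:
        account["locked"] = True
    return account["locked"]


if __name__ == "__main__":
    today = date(2024, 3, 4)                     # constructed date
    history = [("Winter#2023", date(2023, 12, 1))]  # constructed history
    print(validate_new_password("Tr0ub4dor&3", "Tr0ub4dor&4", history, ["jane"], today))
    print(is_expired(date(2023, 11, 1), today))
```

A real implementation stores only hashes, so the reuse check compares the candidate against stored hashes and the four-character rule can only be applied against the current password the user just typed; the plain-text history here exists only to keep the example self-contained.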
STIG – Database Accounts
- Application connection pool accounts
  - The DBA will ensure that access to a shared database N-Tier connection account is restricted by network configuration and authentication method to the connecting middle-tier server.
  - The DBA will ensure that the acceptance of risk for the limited auditing capability of the database in a shared N-Tier connection account configuration is documented and filed with the IAO.
  - The DBA will configure connections between the database server and connecting middle-tier system in accordance with policy as listed in Section 5.2, Network Connections to the Database.
- Application user database accounts
  - The DBA will ensure that privileges granted to application user database accounts are restricted to those required to perform the specific application functions assigned.
  - The DBA will ensure that privileges are not directly granted to database application user database accounts.
STIG – Database Auditing – cont.
- DBA auditing – the IAO ensures that all database connections used to perform the following DBA actions are audited:
  - Database startup
  - Database shutdown
  - Database online backup
  - Database archiving
  - Database performance statistics collection
- Value-based auditing
  - The DBA will ensure that access and changes to classified data are stored in the DBMS transaction log.
  - The IAO will ensure that DBMS transaction logs are reviewed weekly or more frequently for suspicious or unauthorized changes to classified data or data stored in a MAC I or MAC II DBMS.
  - The IAO will ensure that processes or procedures are in place to notify users of the time and date of modifications to classified data stored in the database.
- Required audit operations on audit data
  - The DBA will ensure that database audit trail information is audited for all updates/deletions.
  - The DBA/SA will ensure that all audit data deletion operations cause an audit record to be generated within the active audit trail.
- Audit data access
  - The DBA will ensure that access to any DBA views that allow a database account to display audit information is restricted to DBAs or security auditors.
  - The DBA will ensure that select, insert, delete, or update privileges on audit information are restricted to DBAs or security auditors.
  - The DBA will ensure that privileges to disable auditing are restricted to DBAs or security auditors.
- MAC – Mission Assurance Category: reflects the importance of information
  - MAC 1 – Systems handling information that is determined to be vital to operational readiness – most stringent
  - MAC 2 – Important for the support of deployed and contingency forces
  - MAC 3 – Necessary for the conduct of day-to-day business but does not affect support to deployed forces
STIG – DAC – Database Authorizations
- Database object access (DBA)
  - Application grants – through roles
  - Application object privileges are not granted to PUBLIC.
  - DBMS default object privileges are not granted to PUBLIC unless required by the DBMS vendor.
  - Access to DBA views and tables is restricted to DBAs and batch processing accounts that have been documented with the IAO.
- Database roles (DBA)
  - Application user roles are granted the most limited set of privileges that allows the user to accomplish the specific job function required of their position.
  - Roles are not granted to PUBLIC.
  - No permissions are granted directly to database accounts.
- DBA role (DBA)
  - The DBA role is restricted to authorized users only (production and development).
  - The IAO will authorize all DBA accounts.
- Developer roles (DBA)
  - On a shared production/development host system, an application developer database account is not granted DDL permission on the production database.
  - On a shared production/development host system, developers have no OS privileges on production files, directories or database components (DBA & SA).
  - Privileges assigned to application developer database accounts are justified and authorized by the IAO.
  - SA: developers are not granted system privileges within a production database.
STIG – Database Auditing
- Audit data requirements
  - The IAO will ensure that auditing is configured and implemented on all systems.
  - The DBA will ensure that audit data is captured for all required database events.
  - The SA/DBA will ensure that audit data is captured for database events that are auditable at the host system level, including database process or service startup/shutdown and database authentication or access.
  - The IAO will ensure that database audit data is captured and maintained for one year.
  - The DBA will ensure that audit data is only readable by personnel authorized by the IAO.
- Minimum required audit operations
  - The DBA will ensure that the creation, alteration, or deletion (drop) of database accounts, system structure, objects, tables, indexes are audited.
  - The DBA will ensure that enabling and disabling of audit functionality is audited.
  - The DBA will ensure that granting and revoking of database system level privileges is audited.
  - The DBA will ensure that any action that returns an error message because the object referenced does not exist is audited.
  - The DBA will ensure that any action that renames a database object is audited.
  - The DBA will ensure that any action that grants or revokes object privileges from a database role or database account is audited.
  - The DBA will ensure that all modifications to the data dictionary or database system configuration are audited.
  - The DBA will ensure that all database connection failures are audited. Where possible, the DBA will ensure that both successful and unsuccessful connection attempts are audited.
- 1 year is the benchmark – push back on other requirements
STIG – Database Auditing – Audit Data Reviews
- General audit requirements
  - The database audit data will be reviewed regularly and within a scheduled time frame.
  - This review process will check for any intrusive activity and any anomalous activity.
- Daily reviews for the following:
  - Excessive logon attempt failures by single or multiple database accounts
  - Logons at unusual/non-duty hours
  - Failed attempts to access restricted system or data files indicating a possible pattern of deliberate browsing
  - Unusual or unauthorized activity by System Administrators
  - Command-line activity by a database account that should not have that capability
  - System failures or errors
  - Unusual or suspicious patterns of activity
- The DBA or security administrator will do the following:
  - Provide reports on current audit data
  - Provide reports on historical audit data
  - Provide a methodology to back up current audit data into a historical format
  - Provide a means of archiving current audit data after a backup to a historical format
- The IAO will ensure that the database audit data is reviewed daily.
- For a daily review you need a dedicated monitoring team
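The five audit categories from the regulations slide (sensitive-data access, DDL, DML, security exceptions, DCL) and two of the daily-review checks above (excessive logon failures, logons at non-duty hours) can be exercised over a small audit extract. The following is an added example, not code from the original deck or from any monitoring product; the pipe-separated log format, the sample records, the duty-hours window (07:00 to 18:59) and the failure threshold (three per account) are all constructed assumptions for the demonstration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit extract: timestamp|account|client host|statement or event|outcome
SAMPLE_AUDIT = """\
2024-03-04 09:12:01|appuser|10.0.5.21|SELECT card_number FROM payments WHERE id=42|OK
2024-03-04 09:13:10|dba_jane|10.0.5.3|ALTER TABLE payments ADD COLUMN note VARCHAR(200)|OK
2024-03-04 09:14:55|appuser|10.0.5.21|UPDATE payments SET amount=10 WHERE id=42|OK
2024-03-04 02:30:07|svc_batch|10.0.9.9|LOGIN|FAILED
2024-03-04 02:30:09|svc_batch|10.0.9.9|LOGIN|FAILED
2024-03-04 02:30:11|svc_batch|10.0.9.9|LOGIN|FAILED
2024-03-04 02:30:13|svc_batch|10.0.9.9|LOGIN|FAILED
2024-03-04 02:31:00|svc_batch|10.0.9.9|LOGIN|OK
2024-03-04 09:20:00|dba_jane|10.0.5.3|GRANT SELECT ON payments TO reportuser|OK
2024-03-04 09:21:00|appuser|10.0.5.21|SELECT * FROM no_such_table|ERROR
"""

DUTY_HOURS = range(7, 19)   # assumption: 07:00-18:59 counts as duty hours
FAILURE_THRESHOLD = 3       # assumption: three or more failures per account is "excessive"

DDL = {"CREATE", "DROP", "ALTER", "RENAME", "TRUNCATE"}   # schema changes
DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}             # data changes
DCL = {"GRANT", "REVOKE"}                                 # accounts, roles & permissions


def parse(line):
    ts, account, host, stmt, outcome = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "account": account, "host": host, "stmt": stmt, "outcome": outcome}


def classify(rec):
    """Map one audit record to the regulatory categories it falls under (a record may hit several)."""
    cats = set()
    verb = rec["stmt"].split(None, 1)[0].upper()
    if verb == "LOGIN":
        if rec["outcome"] != "OK":
            cats.add("security_exception")          # failed login
        return cats
    if verb == "SELECT":
        cats.add("sensitive_data_access")           # successful and failed SELECTs both count
    elif verb in DDL:
        cats.add("schema_change")
    elif verb in DML:
        cats.add("data_change")
    elif verb in DCL:
        cats.add("privilege_change")
    if rec["outcome"] != "OK":
        cats.add("security_exception")              # SQL error, e.g. object does not exist
    return cats


def daily_review(records):
    """The two mechanical checks from the daily-review list: logon failures and off-hours logons."""
    findings = []
    failures = Counter(r["account"] for r in records
                       if r["stmt"] == "LOGIN" and r["outcome"] == "FAILED")
    for acct, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(("excessive_logon_failures", acct, n))
    for r in records:
        if r["stmt"] == "LOGIN" and r["outcome"] == "OK" and r["ts"].hour not in DUTY_HOURS:
            findings.append(("non_duty_hours_logon", r["account"], r["ts"].isoformat()))
    return findings


def summarize(text):
    """Return (category counts, daily-review findings) for an audit extract."""
    records = [parse(l) for l in text.splitlines() if l.strip()]
    counts = Counter()
    for r in records:
        for c in classify(r):
            counts[c] += 1
    return dict(counts), daily_review(records)


if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_AUDIT)
    print(counts)
    for f in findings:
        print(f)
```

The remaining daily-review items (unusual SA activity, command-line activity by accounts that should not have it, suspicious patterns) need context a log line alone does not carry, which is why the slide's note that a daily review needs a dedicated monitoring team is apt.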
STIG – Database Monitoring
- In addition to reviewing audit data collections, unauthorized database activity may also be discovered by actively monitoring the status of database objects.
  - The DBA will monitor the database for unauthorized changes to database objects.
  - The SA will monitor the file system for unauthorized changes in critical system or database files.
  - The DBA will monitor database batch and job queues to ensure that no unauthorized jobs are accessing the database.
  - The DBA will monitor database account expiration and inactivity and remove expired and inactive accounts in accordance with site policy.
  - The DBA will monitor the database to discover access by unauthorized application software.
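Both the Integrity slide (weekly monitoring of object code against a generated baseline, including functions and procedures) and the monitoring slide above (DBA monitors objects, SA monitors files) come down to the same mechanism: fingerprint each definition, keep the fingerprints as the baseline, and diff on the next run. The following is an added example, not code from the original deck or from any product; it assumes the object definitions have already been exported from the DBMS catalog into a name-to-source mapping, and the two snapshots are constructed.

```python
import hashlib

# Constructed baseline snapshot: object name -> definition text as exported from the catalog
BASELINE_OBJECTS = {
    "hr.get_salary": "CREATE PROCEDURE hr.get_salary(emp_id INT) AS SELECT salary FROM hr.emp WHERE id = emp_id;",
    "hr.update_salary": "CREATE PROCEDURE hr.update_salary(emp_id INT, amt INT) AS UPDATE hr.emp SET salary = amt WHERE id = emp_id;",
    "audit.log_event": "CREATE PROCEDURE audit.log_event(msg VARCHAR) AS INSERT INTO audit.events(msg) VALUES (msg);",
}

# Constructed snapshot a week later: one procedure altered, one dropped, one new
CURRENT_OBJECTS = {
    "hr.get_salary": "CREATE PROCEDURE hr.get_salary(emp_id INT) AS SELECT salary FROM hr.emp;",
    "hr.update_salary": BASELINE_OBJECTS["hr.update_salary"],
    "hr.export_all": "CREATE PROCEDURE hr.export_all() AS SELECT * FROM hr.emp;",
}


def fingerprint(definition):
    """SHA-256 over the raw definition; any byte-level change, including formatting, is reported."""
    return hashlib.sha256(definition.encode("utf-8")).hexdigest()


def build_baseline(objects):
    """Generate the baseline: one fingerprint per object definition."""
    return {name: fingerprint(src) for name, src in objects.items()}


def compare(baseline, current_objects):
    """Diff a fresh snapshot against the stored baseline fingerprints."""
    current = build_baseline(current_objects)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def unauthorized_changes(baseline, current_objects, approved):
    """Anything that differs from the baseline and is not in the approved-change set is unauthorized."""
    diff = compare(baseline, current_objects)
    return {kind: [n for n in names if n not in approved] for kind, names in diff.items()}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_OBJECTS)        # generated at week 0 and stored read-only
    print(compare(baseline, CURRENT_OBJECTS))
    print(unauthorized_changes(baseline, CURRENT_OBJECTS, approved={"audit.log_event"}))
```

The same functions apply unchanged to the SA's file-system check by feeding file paths and file contents instead of object names and definitions; the important operational detail is that the baseline itself is stored where the accounts being monitored cannot rewrite it.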
Top Data Protection Challenges
- Where is my sensitive data located & who's using it?
- How can I enforce access & change control policies for critical databases?
- How do I check for vulnerabilities and lock down database configurations?
- How do I automate & centralize compliance controls?
Scalable Multi-tier Architecture
First solution for 100% visibility into all mainframe database activity without impacting business processes
Dell case study:
- Heterogeneous environment: Oracle & SQL Server, including Oracle RAC and SQL Server clusters, on Windows & Linux, with a mix of enterprise applications including Oracle e-Business, JD Edwards, Hyperion and in-house applications. Includes databases supporting 7x24 manufacturing and the customer-facing Dell.com site.
- Key drivers: SOX, PCI and SAS70
- Deployed to ~300 database servers in 10 data centers around the world, over 12 weeks. Using S-TAPs exclusively to monitor traffic.
- Previously using: a mix of homegrown scripts, native logging and a 3rd-party application (BindView), with different approaches for Oracle and SQL Server. Lots of work to maintain scripts and keep them running. An Oracle system table overflowed and brought down a critical database. Frustration because DBAs were working on this rather than deploying new business projects. Struggled to keep up with the massive volume of audit data being generated, and to present it so that they could pass their audits.
- Needed:
-- Minimal overhead.
-- Separation of duties.
-- No changes to databases.
-- Automated audit reporting.
-- Complete visibility into all transactions (DDL, DML, etc.).
-- Real-time, proactive security.
-- Scalability to handle a large distributed environment.
-- Integration with Remedy change management system.
- Multi-tier architecture:
-- S-TAPs collect data on each DB server.
-- Collectors receive data from multiple S-TAPs.
-- Aggregators in each geography receive data from multiple collectors.
-- Centralized Web console.
- Future plans:
-- Expand to an additional 725 DB servers
-- VA
-- Application user monitoring
-- CAS
Single set of security policies & compliance views for both mainframe & distributed environments
[Architecture diagram – components: DB2 for z/OS with Z-TAP and Z2000; DB2 for UNIX, Linux, Windows with S-TAP and G2000; Oracle, SQL Server, Sybase, Informix with S-TAP; G5000 Central Policy Manager & Aggregator]
Change control reconciliation
- Automatically tag all changes with ticket numbers (e.g., Remedy)
- Compare changes to authorized work orders
- Detect & report on all unauthorized changes
  - No ticket numbers, outside authorized periods, unauthorized IDs, …
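The reconciliation described above reduces to joining each tagged change against the work-order list and testing the three conditions the slide names. The following is an added example, not code from the original deck or from Remedy or any monitoring product; the work-order fields (authorized IDs, start and end of the change window), the ticket number format and the sample change events are constructed assumptions.

```python
from datetime import datetime

# Constructed work orders as they might be exported from the ticketing system
WORK_ORDERS = {
    "CHG-1001": {"ids": {"dba_jane"}, "start": "2024-03-04 08:00", "end": "2024-03-04 12:00"},
    "CHG-1002": {"ids": {"dba_raj"}, "start": "2024-03-05 20:00", "end": "2024-03-05 23:00"},
}

# Constructed change events from the database audit trail, already tagged with a ticket
# (timestamp, account, statement, ticket or None when no ticket was supplied)
CHANGES = [
    ("2024-03-04 09:13", "dba_jane", "ALTER TABLE payments ADD note VARCHAR(200)", "CHG-1001"),
    ("2024-03-04 13:05", "dba_jane", "DROP INDEX payments_ix1", "CHG-1001"),
    ("2024-03-05 21:00", "dba_jane", "CREATE TABLE tmp_fix (id INT)", "CHG-1002"),
    ("2024-03-05 21:30", "dba_raj", "ALTER TABLE orders ADD flag INT", None),
    ("2024-03-06 10:00", "dba_raj", "DROP TABLE tmp_fix", "CHG-9999"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def check_change(ts, account, ticket, work_orders):
    """Return the list of reasons a change is unauthorized; empty list means it reconciles."""
    reasons = []
    if not ticket:
        reasons.append("no_ticket")
    elif ticket not in work_orders:
        reasons.append("unknown_ticket")
    else:
        wo = work_orders[ticket]
        when = parse_ts(ts)
        if not (parse_ts(wo["start"]) <= when <= parse_ts(wo["end"])):
            reasons.append("outside_window")
        if account not in wo["ids"]:
            reasons.append("unauthorized_id")
    return reasons


def reconcile(changes, work_orders):
    """Report every change that fails reconciliation, with the reasons."""
    findings = []
    for ts, account, stmt, ticket in changes:
        reasons = check_change(ts, account, ticket, work_orders)
        if reasons:
            findings.append({"ts": ts, "account": account, "stmt": stmt,
                             "ticket": ticket, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in reconcile(CHANGES, WORK_ORDERS):
        print(f)
```

Each of the four reported changes illustrates one of the slide's conditions: a valid ticket used outside its window, a valid ticket used by an ID it does not authorize, no ticket at all, and a ticket the work-order system does not know.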