
Friday, November 09, 2007

Full Paper on Database Log Management Posted

Finally, my database log management paper (first mentioned here) is released. Head to InfosecWriters and enjoy it! Direct link to PDF here.

Abstract: "Database security has been capturing more and more attention in recent years, even though most of the security issues surrounding databases existed since the first day commercial database systems were introduced in the market in the 1980s.

Nowadays, database security is often seen as containing the following principal components: access control to database software, structures and data; database configuration hardening; database data encryption; database vulnerability scanning.

It is interesting to see that logging and auditing underline all of the above domains of database security. Indeed, the only way to verify what access control decisions are being made and who views what data from the RDBMS is to look at the authentication logs. Database configuration hardening includes enabling and increasing the auditing levels. Similarly, data encryption might be verified by log and configuration review. And, vulnerability exploitation usually leaves traces in logs despite what some say (the challenge is more often with understanding what the log said and not with having the logs). In recent years, insider attacks gathered more attention than periodic outbreaks of malware; and database logging happens to be in the forefront of this fight against insider attacks. Database systems are usually deployed deep inside the company network and thus insiders usually have the easiest opportunity to attack and compromise them, and then steal (or “extrude” as some would say) the data."

Read on here [PDF]!

Monday, October 01, 2007

Awesome Move by OSSEC ...

... to incorporate database log alerts for MySQL and PostgreSQL. I think this will help bring database logging into the mainstream much faster!

Thursday, August 23, 2007

On Database Security and Monitoring

Fun high-level paper on database security. Here is an interesting bit: "Analysts differ a bit in their recommendations, but generally suggest activity monitoring, which could give the most return on investment." While I cringe at this reference to "ROI," the comment itself makes sense. Database encryption lags and will continue to lag, while database activity logging and monitoring - slowly! - starts to rise ...

PCI and Database Logging

I saw this pathetic excuse of a vendor :-) the other day: they were trying to convince a prospect that their "kinda log management" tool is suitable for PCI DSS compliance (i.e. for Requirement 10 as well as across others - see more here in my PCI book chapter on logging [PDF]) without having any way to collect and analyze database logs, such as Oracle audit logs/tables or MS SQL trace files. Yuck!

One would think that this post belongs in the "Nobody is That Dumb ... Oh, Wait" category, but no, folks, this is for real. Do you think these PCI DSS people put logging requirements in PCI just for fun? I wish :-) No, they put them there so that access to credit card information (PAN as well as other credit card and customer data) is recorded and can be monitored and reported on. And where are most of the card numbers and customer info stored? Yes, in databases!

So, please tell me, how can someone who cannot collect logs from databases have any semblance of credibility in PCI-driven log management? Exactly! :-)
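To make the point concrete, here is an added example (not from the original post or from any vendor tool) of the kind of analysis a log management tool needs to do over database logs for Requirement 10: flag reads of a cardholder-data table by any account other than the application's, and flag repeated authentication failures. The sample lines are constructed, loosely modelled on PostgreSQL's stderr log with log_statement = 'all' and a log_line_prefix of '%t [%p] %u@%d '; the table name, account names and threshold are assumptions.

```python
import re
from collections import Counter
# Constructed sample lines (assumed PostgreSQL-style format, not a real capture):
# log_statement = 'all', log_line_prefix = '%t [%p] %u@%d '.
SAMPLE_LOG = """\
2007-11-09 10:00:01 UTC [4101] appuser@carddb LOG:  statement: SELECT pan_last4 FROM cards WHERE customer_id = 42
2007-11-09 10:00:05 UTC [4102] bob@carddb FATAL:  password authentication failed for user "bob"
2007-11-09 10:00:07 UTC [4103] bob@carddb FATAL:  password authentication failed for user "bob"
2007-11-09 10:00:09 UTC [4104] bob@carddb FATAL:  password authentication failed for user "bob"
2007-11-09 10:01:12 UTC [4105] dba_mike@carddb LOG:  statement: SELECT pan, expiry FROM cards
2007-11-09 10:02:30 UTC [4106] appuser@carddb LOG:  statement: UPDATE orders SET status = 'shipped' WHERE id = 7
2007-11-09 10:03:00 UTC [4107] dba_mike@carddb LOG:  statement: COPY cards TO '/tmp/cards.csv'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
    r"(?P<level>LOG|FATAL|ERROR):\s+(?P<msg>.*)$")
STMT_RE = re.compile(r"^statement: (?P<sql>.*)$")
AUTHFAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')

# Assumed policy: tables holding cardholder data, and the only account allowed to touch them.
CARD_TABLES = {"cards"}
ALLOWED_READERS = {"appuser"}
FAILED_LOGIN_THRESHOLD = 3

def parse(text):
    """Yield one dict per log line that matches the assumed prefix format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def touches_card_table(sql):
    # Crude token match on FROM/JOIN/COPY/INTO/UPDATE targets; enough for a first-pass alert.
    tokens = re.findall(r"(?:from|join|copy|into|update)\s+([a-z_][a-z0-9_]*)", sql, re.I)
    return any(t.lower() in CARD_TABLES for t in tokens)

def analyze(text):
    """Return a list of (alert_kind, user, detail) tuples for the given log text."""
    alerts = []
    failures = Counter()
    for ev in parse(text):
        m = AUTHFAIL_RE.search(ev["msg"])
        if m:
            failures[m.group("user")] += 1
            if failures[m.group("user")] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_auth_failure", m.group("user"), ev["ts"]))
            continue
        s = STMT_RE.match(ev["msg"])
        if s and touches_card_table(s.group("sql")) and ev["user"] not in ALLOWED_READERS:
            alerts.append(("cardholder_table_access", ev["user"], s.group("sql")))
    return alerts
```

Running `analyze(SAMPLE_LOG)` raises one alert for bob's third failed login and two for dba_mike's direct reads of the cards table (the SELECT and the COPY to a file), while the application account's own queries pass silently.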

Tuesday, March 06, 2007

On Database Logging and Auditing (Teaser + NOW Full Paper)

Here is an excerpt from a fun paper on database logging that I just wrote:

"Database security has been capturing more and more attention in recent years, even though most of the security issues surrounding the databases existed since the first day commercial database systems were introduced in the market.

Nowadays, database security is often seen as containing the following principal components:
• access control to database software, structures and data
• database configuration hardening
• database data encryption
• database vulnerability scanning

It is interesting to see that logging and auditing underline all of the above domains of database security. Indeed, the only way to verify what access control decisions are being made and who views what data from the RDBMS is to look at the authentication logs. Database configuration hardening includes enabling and increasing the auditing levels. Similarly, data encryption might be verified by log and configuration review. And, vulnerability exploitation usually leaves traces in logs despite what some say (the challenge is more often with understanding what the log said and not with having the logs).

In recent years, insider attacks gathered more attention than periodic outbreaks of malware; and database logging happens to be in the forefront of this fight against insider attacks. Database systems are usually deployed deep inside the company network and thus insiders usually have the easiest opportunity to attack and compromise them, and then steal (or “extrude” as some would say) the data..."

Read more here if you are a CSI Member. If you are not, the only way to get my paper is to ask me (sorry, copyrighted stuff).


UPDATE: another similar paper by me is posted here.

UPDATE2: the full paper mentioned above is posted, finally! Enjoy my "Introduction to Database Log Management" at InfosecWriters!

Dr Anton Chuvakin