
Risky Business – The Self Auditing Database





The increasing frequency of database attacks is driving federal and state legislation that requires virtually every organization to deploy more robust audit mechanisms to protect sensitive data. To meet this requirement, some organizations attempt to use the built-in auditing tools supplied with database software platforms. This practice of setting up a “self-auditing” database is based upon several false assumptions and violates the fundamental audit requirement for independence.

Flawed Assumptions

There are several false assumptions implicit in the use of built-in audit tools. The first is that the audit tool is the only element of the database that is not vulnerable to attack. In September 2005, Imperva discovered an MS-SQL Server vulnerability which proves that this is not the case. By preceding the client login message with NULL characters, an attacker can avoid MS-SQL’s built-in audit tools. This and other similar vulnerabilities illustrate the flaw in assuming that built-in database audit tools are not vulnerable. Audit mechanisms are just as likely to be vulnerable as any other database element.

Even more flawed is a second assumption that an attacker will not turn off auditing, or tamper with audit records once a server is compromised. An attacker may, for example, gain database administrative privileges and immediately disable auditing mechanisms. Similarly, a rogue administrator or developer may abuse legitimately acquired administrative privileges to delete audit records in order to hide an attack.

To further illustrate the point, consider a car with a “built-in” video tape security feature. In the event that the door locks fail, a thief could be identified after the fact using the “built-in” video tape. Does this make sense? The video tape would be stolen along with the car! Perhaps the considerate thief will leave the camera on and mail the tape to police after the theft? This is an absurd system, but it’s directly analogous to “built-in” database auditing and it illustrates the obvious flaws in self-auditing security systems.

Independence

A keyword in the audit business is “independence”. Any audit professional will tell you that audit mechanisms should be independent of the system being audited. Therefore, any legitimate database audit mechanism should be independent of both the database server and its users.
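As an added illustration (not code from the article or from Imperva) of what independence buys in practice: an audit copy kept outside the server, with each record hash-chained to the one before it, lets a reviewer detect when records have been removed from the server's own audit table, which the article notes a rogue administrator can do. The events below are constructed sample data, and the statement texts are placeholders rather than any real product's syntax.

```python
import hashlib
import json

# Constructed sample events, standing in for records a server-independent
# monitor would capture (not real product syntax, not from the article).
SAMPLE_EVENTS = [
    {"user": "app_svc", "stmt": "SELECT * FROM customers WHERE id = 42"},
    {"user": "dba_1", "stmt": "<placeholder: statement that turns auditing off>"},
    {"user": "dba_1", "stmt": "DELETE FROM audit_trail WHERE event_time < NOW()"},
    {"user": "app_svc", "stmt": "UPDATE accounts SET balance = 0 WHERE id = 7"},
]

GENESIS = "0" * 64  # hash value chained to by the very first record


def entry_hash(prev_hash, event):
    """Hash of one audit record, bound to its predecessor's hash."""
    payload = prev_hash + json.dumps(event, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(events):
    """Independent audit store: every record carries the hash of the one before it."""
    chain, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        chain.append({"event": ev, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return the index of the first broken link, or -1 if the chain is intact.
    A removed, inserted or edited record breaks the link at that position."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or entry_hash(prev, rec["event"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1


def missing_from_server(independent_chain, server_records):
    """Events the independent monitor recorded that no longer appear in the
    server's own audit table, i.e. candidates for deliberate deletion."""
    present = {json.dumps(r, sort_keys=True) for r in server_records}
    return [rec["event"] for rec in independent_chain
            if json.dumps(rec["event"], sort_keys=True) not in present]
```

Comparing the chained copy against the server's table after an administrator has purged rows surfaces exactly the purged events, and tampering with the external copy itself shows up as a broken link.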


