Audit Findings: SQL Database

Slides:

Advertisements

Similar presentations

Cryptography and Network Security Chapter 20 Intruders

Advertisements

Security+ Guide to Network Security Fundamentals

10/25/2001Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Concepts of Database Management Seventh Edition

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123 Dotting Your I’s and Crossing Your T’s: Preparing for an IT Audit David.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network security policy: best practices

10/5/1999Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

1 LOGICAL ACCESS FOR University Medical Group Saint Louis University Click the Speaker Icon for Audio.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

Security Awareness Norfolk State University Policies.

Information Security Technological Security Implementation and Privacy Protection.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

© 2009 IDBI Intech, Inc. All rights reserved.IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Concepts of Database Management Sixth Edition

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.

Chapter 13 Users, Groups Profiles and Policies. Learning Objectives Understand Windows XP Professional user accounts Understand the different types of.

Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.

Data Security Assessment and Prevention AD660 – Databases, Security, and Web Technologies Marcus Goncalves Spring 2013.

Mr C Johnston ICT Teacher BTEC IT Unit 05 - Lesson 12 Network Security Policy.

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

Working with HIT Systems

Database Role Activity. DB Role and Privileges Worksheet.

Small Business Security Keith Slagle April 24, 2007.

Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:

Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Copyright © 2007 Pearson Education Canada 23-1 Chapter 23: Using Advanced Skills.

CHAPTER 5 MANAGING USER ACCOUNTS & GROUPS. User Accounts Windows 95, 98 & Me do not need a user account like Windows XP Professional to access computer.

Information Security Measures Confidentiality IntegrityAccessibility Information cannot be available or disclosed to unauthorized persons, entities or.

HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.

LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►

HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project.

INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.

Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.

INSIDER THREATS BY: DENZEL GAY COSC 356. ROAD MAP What makes the insider threat important Types of Threats Logic bombs Ways to prevent.

CONTENT Introduction Objective Scope and methodologies Proposal chapters Proposed policies and recommendations Conclusion.

Privacy & Security at a Public Entity Randy Snyder, CNE Director of Data Processing Warren County Iowa

Enhancing Network Security

Information Technology Controls

Team Member: Xiaomin Dong

TRINITY UNIVERSITY HOSPITAL INTERNAL EXIT MEETING

Technology Audit Plan ----BCSY University

SQL Database Audit Planning

Oracle DBMS Audit Findings

Final HIPAA Security Rule

Lesson 16-Windows NT Security Issues

What a non-IT auditor needs to know about IT & IT controls

12 STEPS TO A GDPR AWARE NETWORK

Information Security Awareness

REDCap and Data Governance

Week Ten – IT Audit Reporting

HIPAA Security Standards Final Rule

Drew Hunt Network Security Analyst Valley Medical Center

BACHELOR’S THESIS DEFENSE

BACHELOR’S THESIS DEFENSE

Anthem Data Breach Group 2: Jing Jiang, Dongjie Wang, Haitao Huang, Binju Gaire, Parneet Toor.

Test 3 review FTP & Cybersecurity

Introduction to the PACS Security

6. Application Software Security

Protect data in core business applications

CMGT/431 INFORMATION SYSTEMS SECURITY The Latest Version // uopcourse.com

CMGT 431 CMGT431 cmgt 431 cmgt431 Entire Course // uopstudy.com

Presentation transcript:

Audit Findings: SQL Database Yingyan Wang, Jing Jiang, Parneet Toor, Xinteng Chen, Vittorio DiPentino

Scope Confidentiality Database Authentication Strong password protection Database Authorization Access control model Read/write privileges Data Transmission Data encryption Integrity Logging and Monitoring Record of metadata Log in times, edits and viewed data System Backup Backup schedule and methodology

Out of Scope Employee Training Programs Previously audited in same calendar year Databases in the operating system IA has a separate operating system to cover OS

Finding 1: Root Account Not Renamed Fact – The default administrative account for the database has a username of ‘root’. Standards – NIST Special Publication 800-63A,63B Root Cause of the issue: No documented procedures to define change/rename default administrative root account name. Risk Rating: High Impact to the business: Data confidentiality & integrity is lost. Recommendations: Document a process for root name change and implement the process for all major databases. FACT: The default administrative account for the database has a username of ‘root’. This is a commonly known fact so the administrative account should be renamed so outsiders will not know the name of the admin account. What is suppose to happen? The default administrative account for the database supposed to be renamed. Rename the root account to harden the security. Standard:NIST Special Publication 800-63B assess the control design and operating effectiveness Rootcause: There is not documented procedures to define change/rename default administrative root account name.Knowing the name of the admin account solves half of the login puzzle. The other half of the puzzle is guessing the password. This is much harder to do if you don’t know the name of the account. Password guessing is done by automated methods such as dictionary or brute-force attacks Why did it happen? ? Because Database manager was not aware it was his/her duty to inform Administrator to rename when login first time. Impact: High ; If the attacker is able to gain access to the database as the root user, data confidentiality and integrity is lost. The data may become useless or deleted. The MySQL server could be shutdown and the attacker could possibly use this in combination with other exceptions to take control of the machine. Recommendations: We recommend that document a process for ensuring that Root name can be easily changed by renaming the account in the MySQL privilege system and implement the process for all major databases.

Finding 2: Unencrypted Data Transmission Fact – Data is not encrypted when it is transferred through internet. Standards: NIST SP 800-175, FIPS PUB 140-2 Root Cause of the issue: Lack of security awareness and automatically encryption setting. Risk Rating: High Impact to the business: Privacy data could be disclosed and modified, which may cause lawsuit, reputation problems, and financial losses. Recommendations: Reasonable encryption method in place based on security level of data.

Finding 3: Lack of Login Monitoring Fact – Employees can try all possible passwords to enter the database without a login attempts limitation. Standards – NIST 800-63B- section 5.2.2 Root Cause of the issue – Lack of logins monitoring setting (to limit failed login attempts) and ignorance of the importance of the login monitoring. Impact to the business – Unauthorized access, loss of information confidentiality and integrity, loss of competitive advantages, and reputational damage. Risk Rating – Moderate Recommendations Require login attempts limitation. Maintain and track login logs regularly.

Finding 4: Database Authentication Fact Password requirements Contain between 8 and 15 characters. Include at least one upper case character, one lowercase character, and one number Employees used simple passwords such as Abcd1234 or their name with a number (ie. Jonathan1) Standards – NIST Special Publication 800-63B Authentication Assurance Level 1 Root Cause of The Issue No blacklisted passwords Impact to the Business Dictionary attacks can be used to hack into accounts that use “simple” passwords Risk Rating Moderate Recommendations Require complex more passwords

Finding 5:System Backup and Recovery Fact – Data backup is not conducted regularly and Recovery Point Objective (RPO) is not clear Standards – NIST Special Publication 800-34 Rev. 1 Root Cause of the issue: No Business continuity plan to specify the minimum frequency and scope of backups based on data criticality Risk Rating - High Impact to the business: Loss of data integrity, financial and reputational loss, lower performance and efficiency Recommendations: Establish business continuity plan to specify backup and recovery requirements. Automatically backup periodically.

Conclusion Risk Ratings: High risk: Finding 1, 2 and 5 Moderate risk: Finding 3 and 4 Overall Risk Rating – High Final Audit Opinion: The review of the SQL database shows a gap between current and expected security. The database has high risk of attack and confidentiality and integrity of data are not fully protected by controls. It is our final opinion that each recommendation be met with a solution to satisfy it.