Presentation is loading. Please wait.

Presentation is loading. Please wait.

Audit Findings: SQL Database

Published byKarin Sanders Modified over 6 years ago

Similar presentations

Presentation on theme: "Audit Findings: SQL Database"— Presentation transcript:

1 Audit Findings: SQL Database
Yingyan Wang, Jing Jiang, Parneet Toor, Xinteng Chen, Vittorio DiPentino

2 Scope Confidentiality Database Authentication
Strong password protection Database Authorization Access control model Read/write privileges Data Transmission Data encryption Integrity Logging and Monitoring Record of metadata Log in times, edits and viewed data System Backup Backup schedule and methodology

3 Out of Scope Employee Training Programs
Previously audited in same calendar year Databases in the operating system IA has a separate operating system to cover OS

4 Finding 1: Root Account Not Renamed
Fact – The default administrative account for the database has a username of ‘root’. Standards – NIST Special Publication A,63B Root Cause of the issue: No documented procedures to define change/rename default administrative root account name. Risk Rating: High Impact to the business: Data confidentiality & integrity is lost. Recommendations: Document a process for root name change and implement the process for all major databases. FACT: The default administrative account for the database has a username of ‘root’. This is a commonly known fact so the administrative account should be renamed so outsiders will not know the name of the admin account. What is suppose to happen? The default administrative account for the database supposed to be renamed. Rename the root account to harden the security. Standard:NIST Special Publication B assess the control design and operating effectiveness Rootcause: There is not documented procedures to define change/rename default administrative root account name.Knowing the name of the admin account solves half of the login puzzle. The other half of the puzzle is guessing the password. This is much harder to do if you don’t know the name of the account. Password guessing is done by automated methods such as dictionary or brute-force attacks Why did it happen? ? Because Database manager was not aware it was his/her duty to inform Administrator to rename when login first time. Impact: High ; If the attacker is able to gain access to the database as the root user, data confidentiality and integrity is lost. The data may become useless or deleted. The MySQL server could be shutdown and the attacker could possibly use this in combination with other exceptions to take control of the machine. Recommendations: We recommend that document a process for ensuring that Root name can be easily changed by renaming the account in the MySQL privilege system and implement the process for all major databases.

5 Finding 2: Unencrypted Data Transmission
Fact – Data is not encrypted when it is transferred through internet. Standards: NIST SP , FIPS PUB 140-2 Root Cause of the issue: Lack of security awareness and automatically encryption setting. Risk Rating: High Impact to the business: Privacy data could be disclosed and modified, which may cause lawsuit, reputation problems, and financial losses. Recommendations: Reasonable encryption method in place based on security level of data.

6 Finding 3: Lack of Login Monitoring
Fact – Employees can try all possible passwords to enter the database without a login attempts limitation. Standards – NIST B- section 5.2.2 Root Cause of the issue – Lack of logins monitoring setting (to limit failed login attempts) and ignorance of the importance of the login monitoring. Impact to the business – Unauthorized access, loss of information confidentiality and integrity, loss of competitive advantages, and reputational damage. Risk Rating – Moderate Recommendations Require login attempts limitation. Maintain and track login logs regularly.

7 Finding 4: Database Authentication
Fact Password requirements Contain between 8 and 15 characters. Include at least one upper case character, one lowercase character, and one number Employees used simple passwords such as Abcd1234 or their name with a number (ie. Jonathan1) Standards – NIST Special Publication B Authentication Assurance Level 1 Root Cause of The Issue No blacklisted passwords Impact to the Business Dictionary attacks can be used to hack into accounts that use “simple” passwords Risk Rating Moderate Recommendations Require complex more passwords

8 Finding 5:System Backup and Recovery
Fact – Data backup is not conducted regularly and Recovery Point Objective (RPO) is not clear Standards – NIST Special Publication Rev. 1 Root Cause of the issue: No Business continuity plan to specify the minimum frequency and scope of backups based on data criticality Risk Rating - High Impact to the business: Loss of data integrity, financial and reputational loss, lower performance and efficiency Recommendations: Establish business continuity plan to specify backup and recovery requirements. Automatically backup periodically.

9 Conclusion Risk Ratings: High risk: Finding 1, 2 and 5
Moderate risk: Finding 3 and 4 Overall Risk Rating – High Final Audit Opinion: The review of the SQL database shows a gap between current and expected security. The database has high risk of attack and confidentiality and integrity of data are not fully protected by controls. It is our final opinion that each recommendation be met with a solution to satisfy it.

10

Download ppt "Audit Findings: SQL Database"

Similar presentations

Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
10/25/2001Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

10/25/2001Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Concepts of Database Management Seventh Edition

Concepts of Database Management Seventh Edition
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123 Dotting Your I’s and Crossing Your T’s: Preparing for an IT Audit David.

GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123 Dotting Your I’s and Crossing Your T’s: Preparing for an IT Audit David.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Network security policy: best practices

Network security policy: best practices
10/5/1999Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

10/5/1999Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
1 LOGICAL ACCESS FOR University Medical Group Saint Louis University Click the Speaker Icon for Audio.

1 LOGICAL ACCESS FOR University Medical Group Saint Louis University Click the Speaker Icon for Audio.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.
Security Awareness Norfolk State University Policies.

Security Awareness Norfolk State University Policies.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
© 2009 IDBI Intech, Inc. All rights reserved.IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation.

© 2009 IDBI Intech, Inc. All rights reserved.IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Concepts of Database Management Sixth Edition

Concepts of Database Management Sixth Edition
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Similar presentations

Ads by Google