This book is about database security and auditing.
Database security has a great impact on the design of today's information systems.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Recognizing the importance of preserving what has been written, Elsevier prints its books on acid-free paper whenever possible.
The methods you will learn apply to all modern relational database environments. This book is meant to show you methods and techniques that will help you elevate the security of your database infrastructure. Each chapter in the book focuses on a certain area of database administration and usage and shows you what you need to do in that domain, as well as how to do it.
Because educated administrators are sure to be more effective than those that follow checklists with a limited understanding of what each item does and why, each chapter details anatomies of vulnerabilities in addition to the remedies. By understanding how attackers may try to compromise the database, you will be better able to invest your limited resources where they count most.
You may even be able to address issues that are not mentioned in this book and that may not even be known at this point in time. I mentioned that the aim of this book is to make your database environment more secure and that the focus is often both administration and usage. Many database vulnerabilities and security issues are caused by misconfigurations and inappropriate usage of the database by application servers.
In addressing this topic, many of the chapters take a broader look at database security and show you how to resolve problems by improving the way the database interacts with applications and with other elements in the infrastructure. Without understanding these techniques, you may invest a lot of time in securing your island, only to learn that you have a gaping hole, one that you could have easily addressed if you weren't too busy perfecting your corner of the world.
The book is therefore meant not only to be a practical guide, but also to be an effective guide that addresses real-world problems. This book is not a checklist. Detailed instructions are included in almost all chapters, but the book is not a reference text for each of the database products.
I will include pointers to relevant checklists and reference texts and instead focus on ensuring that you invest your time wisely. Security is a never-ending battle against would-be attackers, and if you don't pick your fights wisely, you can lose to attrition.
Auditing is another area that can easily overwhelm you in terms of work. Therefore, I will try to highlight the most important areas in which you should invest your time, show you what to do, and how to do it.
I mentioned that each chapter addresses a certain area or category of techniques. This means that in most cases you can read the book sequentially or skip directly to a particular chapter when you are starting an initiative that has a specific focus. As an example, if you plan to start an initiative focused on database encryption, you should read Chapter 10; if you are concerned with database links, synonyms, nicknames, or replication, skip to Chapter 8; and if you are concerned with Web application access to your database, you can start with Chapter 5.
The chapters that discuss auditing (Chapters 11 through 13) are a bit different. Rather than discussing categories of techniques as Chapters 3 through 10 do, each chapter on the topic of auditing focuses on database auditing from a different perspective: Chapter 11 from the perspective of mapping business requirements or regulations to actionable audit tasks, Chapter 12 from a content perspective, and Chapter 13 from an architectural perspective.
Chapters 1 and 2 are introductory chapters. Chapter 1 details some starting points you should always have in place, and Chapter 2 gives you a brief overview of enterprise security and domains from which you can get many implementation ideas.
Finally, I'd like to thank the many people who have helped me understand, prioritize, implement, and navigate the complex topic of database security and audit, including George Baklarz, Moshe Barr, Roy Barr, Rodrigo Bisbal, Heather Brightman, Nir Carmel, Mike Castricone, …
By reading it you will learn many methods and techniques that will be helpful in securing, monitoring, and auditing database environments. The book covers diverse topics that include all aspects of database security and auditing, including network security for databases, authentication and authorization issues, links and replication, database Trojans, and more.
You will also learn of vulnerabilities and attacks that exist within various database environments or that have been used to attack databases and that have since been fixed. These will often be explained to an internals level. Many sections outline the anatomy of an attack before delving into the details of how to combat such an attack. Equally important, you will learn about the database auditing landscape both from a business and regulatory requirements perspective as well as from a technical implementation perspective.
This is not to say that the book is theoretical. It is a practical handbook that describes issues you should address when implementing database security and auditing. However, because detailing every single example for every database platform would have meant a 2,page book, many of the examples are given for a single database or a couple of them. The good news is that all techniques (or almost all of them) are relevant to all database platforms, and I urge you to read through all sections even if the example code snippets are taken from a database environment that you are not running.
In all of these cases, it will be easy for you to identify the equivalent setting or procedure within your own environment. As you'll learn throughout this book, good database security cannot always be implemented solely within the database, and many of the most serious security issues that you may face as the database owner or the server owner have to do with the way applications use a database and the way various interacting systems are configured.
Addressing these complex issues must take into account more than just the database, and focusing on capabilities that are provided only by the database vendor is not always enough. At this point you may be asking yourself a few questions: Doesn't the database have many security and auditing features? Isn't a database merely a file system with a set of value-added services such as transaction management and security? Isn't my database secure?
Why now? The database has been part of the IT environment for many years (relational databases for at least 20 years); why should we suddenly be overly concerned with security and auditing? The answer to the first set of questions is that while such features exist, they are not always used and are not always used correctly.
Security issues are often a matter of misconfiguration, and the fact that the database implements a rich security model does not mean that it is being used or that it is being used correctly. In fact, here are some examples that made the headlines (and rest assured that for every incident that makes headlines there are [many] that are kept quiet): In early , the online music retailer CD Universe was compromised by a hacker known as Maxus.
The hacker stole credit card numbers from the retailer's database and tried to extort money from the retailer. When his demands were refused, he posted thousands of customers' credit card details to the Internet. Go to to see what Maxus's Web site looked like. The company went out of business shortly thereafter. In , Bibliofind, a division of Amazon. Even worse, the attackers maintained free access to the database for four months before being discovered!
In March , the FBI reported that almost 50 bank and retail Web sites were attacked and compromised by Russian and Ukrainian hackers. In November , Playboy. In fact, the hackers sent e-mails to customers that displayed the credit card information. In the course of , Indiana University was successfully attacked twice and private information, such as social security numbers and addresses, was stolen. In Oct a hacker compromised a database containing sensitive information on more than 1.
The breach occurred on Aug 1 but was not detected until the end of the month. The database in question contained the names, addresses, Social Security numbers, and dates of birth of caregivers and care recipients participating in California's In-Home Supportive Services (IHSS) program since . The data was being used in a UC Berkeley study of the effect of wages on in-home care and was obtained with authorization from the California Department of Social Services.
The hacker had reportedly taken advantage of an unpatched system and . In Jan the following was reported by SecurityFocus: "A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service , obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned by late July [of ] the company had confirmed that the offer was genuine: a hacker had indeed breached their customer database." The answer to the second set of questions (why now?)
True, the database has been around for a long time, but the following trends have dominated the last few years: e-commerce and e-business; new and wonderful ways to use databases; increased awareness among the hacker community; and widespread regulations that pertain to IT and to security. E-commerce and e-business have changed the way we live. We buy from online retailers, we pay our utility bills using online banking sites, and more. Businesses have optimized their supply chains and use Customer Relationship Management (CRM) software to manage relationships with their clients.
In doing so, systems have become much closer to each other and much closer to the end users. Sure, we use firewalls to secure our networks and we don't connect databases directly to the Internet, but you'll see in Chapter 5 that there is more than one way to skin a cat and that databases are far more exposed than they used to be. Ten years ago the database was accessed by applications that were only available to internal employees. Now it is accessed (indirectly, through the application) by anyone who has access to the Web site.
Doing efficient business with suppliers, customers, and employees has created new and wonderful ways in which the database is used and innovative ways in which it is configured. Opening up the enterprise to improve processes and streamline business was done quickly and without much analysis of the security implications. Databases are deployed in many places (physically and logically) and often with no significant protective layers.
New technologies are constantly being released by the vendors. These technologies include Web services within the database, XML handling within the database, tight integration with application servers, and the ability to run any application logic directly within the database, to the extent of having an embedded Java virtual machine inside the database. This is great for developers and for increasing productivity, but it creates a security nightmare. More functionality means more (actually, many more) bugs that can be exploited by hackers, and many of the leading vendor databases have been plagued with bug-related vulnerabilities.
Even if new functions have no vulnerability, these features are usually risky because they open up the database to more types of attacks. They increase not only the developer's productivity but also the hacker's productivity. While we're discussing hacker skills and effectiveness, let's move on to hacker awareness. Hackers are always looking for new targets for their attacks and new methods they can use. In the same way that you realize that databases hold the crown jewels, so do the hackers.
Furthermore, after mastering attacks on networks and operating systems, hackers have turned to applications and databases as a new breeding ground. This is very visible in hacker forums. It is interesting, for example, to track hacker conferences such as BlackHat and Defcon.
In , both BlackHat and Defcon had one presentation each devoted to database hacking. In , BlackHat had five such presentations and Defcon had four. In , BlackHat already had a full track dedicated to database hacking. Last, but by no means least, is regulation. Because financial, personal, and sensitive data is stored within databases, these requirements usually imply database auditing requirements.
Because regulations such as Sarbanes-Oxley, GLBA, and HIPAA (all discussed in Chapter 11) have financial and criminal penalties associated with noncompliance, database security and auditing have suddenly come to the forefront. The book has two main parts: Chapters 1 through 10 show you how to implement various facets of database security, and Chapters 11 through 13 can help you with database auditing implementations.
Each chapter is focused on a certain aspect of the database. For example, Chapter 3 is focused on the database as a networked server, Chapter 4 on database authentication, and Chapter 10 on encryption within the database environment. The only exception is this chapter (Chapter 1).
Implementing Database Security and Auditing, Ron Ben Natan.