A 2007 study of 494 IT security personnel conducted by the Computer Security Institute found that, while the numbers are slowly decreasing, 46% of the respondents said their company experienced a security incident in the past year. Fraud caused, in part, by the loss of customer and proprietary data is the number one reason for financial loss within companies (overtaking computer viruses for the first time).
Database security is a serious issue that affects every business or organization, and most IT security personnel say that one of the most effective means of securing a database is good database auditing. Too often, however, data is left vulnerable, partly because companies are more concerned with protecting the network perimeter and invest in technologies such as firewalls to keep attackers out. What gets overlooked is that information in a database is more likely to be taken by a current or former employee than to be compromised by a virus.
"Essentially, we are guarding the front door, while the bad guys are walking in the back door," says Rick Kam of ID Experts.
The Data Trail
In order to ascertain risk, companies must track data usage, which is commonly referred to as database auditing. There are four key categories to database auditing: server security, database connections, table access control, and restricting database access.
Server security limits who can reach the database server at all. Database connections means knowing who has access to a database and how and when it is accessed, while table access control dictates what a user can do once inside the database itself. Restricting database access refers to protecting the database from outside sources, such as malware that can manipulate an internet-facing database.
Perhaps the biggest breakdown in database auditing is the lack of governance over user accounts. Too often, when an employee leaves a company or even transfers from one department to another, the person’s account isn’t closed or changed.
In fact, user access is the number one IT security concern among healthcare workers, according to a survey taken by Courion Corp. at the Healthcare Information and Management Systems Society (HIMSS) 2008 Annual Conference and Exhibition. Of the 136 people questioned, 64% cited access as their main security issue, while 60% were concerned about passwords being shared between personnel and 52% admitted that orphaned accounts were not properly disabled.
While providing doctors, nurses, and other caretakers easy access to the data they need improves patient care, Kurt Johnson, vice president of corporate development at Courion, adds, "It also opens a whole new concern in the organization to exactly who has access to this information."
There are three phases to a database audit, according to Robert Grapes, chief technologist with Cloakware’s data center. "There’s the upfront work, the tactical things to be done day-by-day, and the post-forensic or the real audit of what happened on the system," he explains.
The upfront phase involves password issues and who has access to accounts. "While a lot has been done to address password management from an engineering standpoint, we’re finding that very little has been done to correct password issues for human administrators who need access to the database," Grapes continues.
Upfront, then, the task is to establish exactly who has access to a database and to audit that list regularly, so that every account with access is accounted for.
The tactical, day-to-day work is handled by automated software: closing a departing employee's access to the network, changing which fields an employee may reach as job duties change, and enforcing when passwords must be changed.
The audit proper happens after the day's applications have run and the database logs have been written. Software such as Cloakware's can record every time data was modified or a password changed; those records should then be reviewed regularly to confirm that the people working with the database were authorized to do what they did.
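The three phases above (knowing who should have access, disabling access when people leave, and reviewing the day's log against that roster) fit in one small working model. The following is example code added to this article; it is not Cloakware's or Courion's software, and it uses SQLite, which has no GRANT/REVOKE or session user, so the roster, role permissions and "current user" live in ordinary tables that a real DBMS would provide natively. The account names and the day's workload are constructed for the demonstration.

```python
"""Audit trail plus post-hoc review: triggers record every write to a table,
then a review pass flags writes by accounts that were unknown, deactivated
(orphaned) or not permitted for that action. Example code written for this
article, not a vendor product. SQLite has no per-user privileges or
SESSION_USER, so a one-row app_session table stands in for the acting user."""
import sqlite3

SCHEMA = """
CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT);
CREATE TABLE app_session (actor TEXT NOT NULL);        -- stand-in for SESSION_USER
-- roster of accounts that should exist; 'active' is cleared when someone leaves
CREATE TABLE authorized_accounts (
    account TEXT PRIMARY KEY, role TEXT NOT NULL, active INTEGER NOT NULL);
-- which roles may perform which write actions on patients (GRANT, in a real DBMS)
CREATE TABLE role_permissions (role TEXT, action TEXT, PRIMARY KEY (role, action));
CREATE TABLE audit_log (
    ts TEXT DEFAULT CURRENT_TIMESTAMP, actor TEXT, action TEXT,
    patient_id INTEGER, old_value TEXT, new_value TEXT);
"""

# One trigger per write type; each copies the acting account from app_session.
TRIGGERS = """
CREATE TRIGGER patients_ins AFTER INSERT ON patients BEGIN
  INSERT INTO audit_log(actor, action, patient_id, new_value)
  SELECT actor, 'INSERT', NEW.id, NEW.diagnosis FROM app_session;
END;
CREATE TRIGGER patients_upd AFTER UPDATE ON patients BEGIN
  INSERT INTO audit_log(actor, action, patient_id, old_value, new_value)
  SELECT actor, 'UPDATE', NEW.id, OLD.diagnosis, NEW.diagnosis FROM app_session;
END;
CREATE TRIGGER patients_del AFTER DELETE ON patients BEGIN
  INSERT INTO audit_log(actor, action, patient_id, old_value)
  SELECT actor, 'DELETE', OLD.id, OLD.diagnosis FROM app_session;
END;
"""

def open_db():
    """Create the schema and load a constructed roster (upfront phase)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + TRIGGERS)
    conn.executemany("INSERT INTO authorized_accounts VALUES (?,?,?)", [
        ("dr_lee", "physician", 1), ("nurse_kim", "nurse", 1),
        ("bill_ops", "billing", 1), ("jdoe", "nurse", 0),  # jdoe has left; disabled
    ])
    conn.executemany("INSERT INTO role_permissions VALUES (?,?)", [
        ("physician", "INSERT"), ("physician", "UPDATE"), ("physician", "DELETE"),
        ("nurse", "UPDATE"),  # billing is read-only: no rows for that role
    ])
    return conn

def act_as(conn, account):
    """The application records who is acting before each unit of work."""
    conn.execute("DELETE FROM app_session")
    conn.execute("INSERT INTO app_session VALUES (?)", (account,))

def disable_account(conn, account):
    """Tactical daily step: an employee leaves, so the account is deactivated."""
    conn.execute("UPDATE authorized_accounts SET active = 0 WHERE account = ?", (account,))

def review_audit(conn):
    """Post-hoc audit: (actor, action, patient_id, reason) for every logged
    write whose actor was unknown, deactivated, or not permitted that action."""
    return conn.execute("""
        SELECT a.actor, a.action, a.patient_id,
               CASE WHEN acc.account IS NULL THEN 'unknown account'
                    WHEN acc.active = 0 THEN 'deactivated account'
                    WHEN rp.action IS NULL THEN 'role not permitted'
               END AS reason
        FROM audit_log a
        LEFT JOIN authorized_accounts acc ON acc.account = a.actor
        LEFT JOIN role_permissions rp
               ON rp.role = acc.role AND rp.action = a.action
        WHERE acc.account IS NULL OR acc.active = 0 OR rp.action IS NULL
        ORDER BY a.rowid""").fetchall()

def simulate_day(conn):
    """Constructed workload: two legitimate writes and three that must be flagged."""
    act_as(conn, "dr_lee")
    conn.execute("INSERT INTO patients VALUES (1, 'A. Patient', 'flu')")
    act_as(conn, "nurse_kim")
    conn.execute("UPDATE patients SET diagnosis = 'flu, resolved' WHERE id = 1")
    act_as(conn, "bill_ops")      # billing is read-only, so this write is a finding
    conn.execute("UPDATE patients SET diagnosis = 'pneumonia' WHERE id = 1")
    act_as(conn, "jdoe")          # orphaned account still able to connect
    conn.execute("DELETE FROM patients WHERE id = 1")
    act_as(conn, "svc_legacy")    # account that appears on no roster at all
    conn.execute("INSERT INTO patients VALUES (2, 'B. Patient', 'asthma')")
    conn.commit()

if __name__ == "__main__":
    db = open_db()
    simulate_day(db)
    for finding in review_audit(db):
        print(finding)
```

The review is a join, not a search: every write in the log is checked against the roster and the role table, so a change by an account nobody owns, by someone who has left, or by a read-only role all surface in one pass. In a production DBMS the roster is the directory, the role table is the set of GRANTs, and the actor comes from the native audit facility rather than an application-set table; the shape of the daily review is the same.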
Unfortunately, cost often dictates how far database auditing best practices are actually followed. It costs money to manage thousands of passwords, Grapes says, yet password management is the best way to protect data.
"Automating the process can improve the security profile," he says. Software, for example, can generate a new password but withhold it until the moment the user is ready to log in.
However, if the funds don't exist for automated auditing software, there is a relatively low-tech way to protect database information: make sure that more than one person has administrative access to the database. Too often, companies assign control to a single person, with no checks and balances in place.
"In San Francisco recently, a guy was able to lock out an entire system," Grapes says, "and that scenario is not uncommon. One person has all the privileges, like the fox protecting the hen house, and in this case, the fox is able to set up new accounts. Financial institutions are worried about this."