Sample Report Database Security Sample

Sa
Database Security Sample
le
mp
Re
Note : This sample report does not contain actual data. The data is
fictional and fictional names are used throughout this report.
po
COPIES AND COPYRIGHT
• As always, the IgniteiConsult users are welcome to an unlimited number of copies of the materials
contained within this sample. Furthermore, the IgniteiConsult users may copy any graphic herein for their
own internal purpose. Ignite Intelligence requests only that IgniteiConsult users retain the copyright mark
on all pages produced unless you have purchased IgniteiConsult product or SaaS usage time. Please
contact the Support Center at +61 466 392 338 for any help we may provide.
• The pages herein are the property of Ignite Intelligence. Beyond the samples, no copyrighted
materials of Ignite Intelligence may be reproduced without prior approval, unless you have purchased
IgniteiConsult product or SaaS usage time.
rt
LEGAL CAVEAT
• Ignite Intelligence has worked to ensure the accuracy of the information it provides to the users of
IgniteiConsult. This report relies upon data obtained from many sources, however, Ignite Intelligence
cannot guarantee the accuracy of the information or its analysis in all cases.
• Furthermore, Ignite Intelligence is not engaged in rendering legal, accounting, or other professional
services, unless paid for. Its reports should not be construed as professional advice on any particular set
of facts or circumstances. Members requiring such services are advised to consult an appropriate
professional in Ignite Intelligence.
• Neither Ignite Intelligence nor its software/programs are responsible for any claims or losses that may
arise from a) any errors or omissions in their reports, whether caused by Ignite Intelligence by its sources,
or b) reliance upon any recommendation made by IgniteiConsult.
ROADMAP FOR THIS SAMPLE
Sa
OVERVIEW OF DATABASE SECURITY DIAGNOSTIC
mp
About the Diagnostic
The Database (DB) Security Diagnostic benchmarks the key competencies of an organization that characterize the best DB
security experts. The results provide a baseline for measuring team performance, identify areas for development, and link
development opportunities to the corresponding resources to drive team performance improvement. Participants A
comprehensive team effectiveness evaluation is based on the feedback from a team of DB security experts and their Group
Leader who completed the assessment.
le
What you will find in this Report:
1. An evaluation of DB security skill maturity in terms of Key Performance Indicators (KPI’s).
2. The areas of largest priority misalignment between the desired and actuals in terms of Performance Spots (PS’s).
3. The areas where the DB group could change involvement at an atomic level in terms of Performance Factors (PF’s).
4. Process measures and health report and implementation guidelines in terms of Recommendations to support DB security
skills development.
Efficiency
Effectiveness Adaptability
Re
Process Metrics
Error Index
Process
Metrics
76.76%
63.0%
64.13%
82.94%
Benchmarks
90%
97%
88%
99%
rt
po
Report generated date & time:
28/03/2014 2.03 PM
© 2013-14 | Ignite Intelligence
Page 2 of 13
ROADMAP FOR THIS SAMPLE
Sa
DATABASE SECURITY HIGH-LEVEL PROCESS HEALTH REPORT
Strategic Drivers
mp
Aggregate Access Rights - An electronic payment processor was auditing their database for PCI compliance and discovered
that ATM and PIN numbers were being stolen. Detailed logs from Imperva Secure Database Activity Monitoring helped track
down and apprehend the criminals. The company now generates alerts on suspicious database access to sensitive data.
Scan for Vulnerabilities - Failing to safeguard databases that store sensitive data can cripple your operations, result in
regulatory violations, and destroy your brand. Understanding the top database threats and implementing the solutions
outlined in IgniteiConsult will enable you to recognize when you’re vulnerable or being attacked, maintain security best
practices, and ensure that your most valuable assets are protected.
Discover Database Servers - Databases have the highest rate of breaches among all business assets, according to the 2012
Verizon Data Breach Report. Verizon reported that 96% of records breached are from databases, and the Open Security
Foundation revealed that 242.6 million records were potentially compromised in 2012.
le
Detect unusual access activity - The reason databases are targeted is quite simple; databases are at the heart of any
organization,storing customer records and other confidential business data. But why are databases so vulnerable to
breaches. One reason is that organizations are not protecting these assets well enough. According to IDC, less than 5% of
the $27 billion spent in 2011 on security products directly addressed data center security.
When hackers and malicious insiders gain access to sensitive data, they can quickly extract value,inflict damage, or impact
business operations. In addition to financial loss or reputation damage, breaches can result in regulatory violations, fines,
and legal fees. However, the good news is that the vast majority of incidents – more than 97% according to the Online Trust
Alliance (OTA) in 2013 – could have been prevented by implementing simple steps and following best practices and internal
controls.
High-level Process
Health Measures
Benchmarks
Discovery and Assessment locate where database
vulnerabilities and critical data
reside.
9.00
9.0
User Rights Management identifies excessive rights over
sensitive data.
7.19
9.0
Monitoring and Blocking protect databases from attacks,
data loss and theft.
6.65
9.0
Auditing - helps demonstrate
compliance with industry
regulations.
7.10
9.0
Data Protection - ensures data
integrity and confidentiality.
9.90
9.0
Non-Technical Security - instills
and reinforces a culture of
security awareness and
preparedness.
5.80
9.0
Report generated date & time:
28/03/2014 2.03 PM
© 2013-14 | Ignite Intelligence
rt
Key Performance Indicators
po
Re
Key Performance Indicators Health Measures
Page 3 of 13
DATABASE SECURITY DETAILED PROCESS HEALTH REPORT
Key Performance Spots Health Measures
Key Performance
Indicators
Sa
High-level
Performance
Benchma User-set
Process Health
rks
values
Spots
Measures
Analyze
Discovery
Results.
10.70
9.0
6.0
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Analyze Risk
and Prioritize
Remediation
Efforts.
12.00
9.0
9.0
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Calculate Risk
Scores.
9.80
9.0
7.0
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Discover
Database
Servers.
12.00
9.0
9.0
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Identify
Compromised
Endpoints.
6.00
9.0
4.0
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Identify and
Classify
Sensitive Data.
5.00
9.0
8.0
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Mitigate
Vulnerabilities.
6.33
9.0
9.0
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Scan for
Vulnerabilities.
10.20
9.0
User Rights
Management identifies excessive
rights over sensitive
data.
Aggregate
Access Rights.
1.60
9.0
User Rights
Management identifies excessive
rights over sensitive
data.
Enrich Access
Rights
Information.
5.00
9.0
User Rights
Management identifies excessive
rights over sensitive
data.
Extract Real
User Identity.
11.60
9.0
5.0
User Rights
Management identifies excessive
rights over sensitive
data.
Identify and
Remove
Excessive
Rights.
6.17
9.0
4.0
User Rights
Management identifies excessive
rights over sensitive
data.
Review and
Approve/Reject
Individual User
Rights.
11.60
9.0
5.0
Monitoring and
Blocking - protect
databases from
attacks, data loss and
theft.
Block Malicious
Web Requests.
3.00
9.0
9.0
Monitoring and
Blocking - protect
databases from
attacks, data loss and
theft.
Detect Unusual
Access Activity.
6.12
9.0
5.0
1.0
8.0
7.0
© 2013-14 | Ignite Intelligence
rt
po
28/03/2014 2.03 PM
Re
Report generated date & time:
le
mp
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Page 4 of 13
Key Performance
Indicators
High-level
Performance
Benchma User-set
Process Health
rks
values
Spots
Measures
Impose
Connection
Controls.
2.00
9.0
9.0
Monitoring and
Blocking - protect
databases from
attacks, data loss and
theft.
Monitor Local
Database
Activity.
8.40
9.0
3.0
Monitoring and
Blocking - protect
databases from
attacks, data loss and
theft.
Real-Time
Alerting and
Blocking.
4.33
9.0
9.0
Monitoring and
Blocking - protect
databases from
attacks, data loss and
theft.
Response
Timing.
11.90
9.0
8.0
Monitoring and
Blocking - protect
databases from
attacks, data loss and
theft.
Validate
Database
Protocols.
10.80
9.0
7.0
Auditing - helps
demonstrate
compliance with
industry regulations.
Automate
Auditing with a
DAP Platform.
10.50
9.0
4.0
Auditing - helps
demonstrate
compliance with
industry regulations.
Capture
Detailed
Transactions.
8.80
9.0
7.0
Auditing - helps
demonstrate
compliance with
industry regulations.
Generate
Reports for
Compliance and
Forensics.
2.00
9.0
9.0
Data Protection ensures data integrity
and confidentiality.
Archive External
Data.
8.00
9.0
9.0
Data Protection ensures data integrity
and confidentiality.
Encrypt
Databases.
11.80
9.0
7.0
Non-Technical Security
- instills and reinforces
a culture of security
awareness and
preparedness.
Cultivate
Experienced
Security
Professionals.
1.00
9.0
Non-Technical Security
- instills and reinforces
a culture of security
awareness and
preparedness.
Educate Your
Workforce.
10.60
9.0
Sa
Monitoring and
Blocking - protect
databases from
attacks, data loss and
theft.
le
mp
Re
9.0
5.0
po
DATABASE SECURITY PROCESS KEY CHALLENGES
rt
Key Challenges
1
DB administrator has only a rudimentary understanding of the security measures offered by your DBMS.
2
SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend.
3
Organization trusts employees with protecting sensitive information. On the contrary, industry analysts say 'never'.
4
Security issues are often neglected in the implementation of data warehouses.
Report generated date & time:
28/03/2014 2.03 PM
© 2013-14 | Ignite Intelligence
Page 5 of 13
ROADMAP FOR THIS SAMPLE
Sa
mp
DATABASE SECURITY PROCESS GAPS & RECOMMENDATIONS
Process Recommendations List for the Report
Key Performance
Indicators
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Process Gaps
Recommendations
le
Organization is struggling to maintain an accurate
inventory of their databases and the critical data objects
contained within them. Forgotten databases may
contain sensitive information, and new databases can
emerge e.g., in application testing environments
without visibility to the security team..
1.Sensitive data in the databases will be exposed to threats if the required
controls and permissions are not implemented. Hence an inventory of all
databases with data objects should be maintained.
2. Invalid or forgotten database inventory also should be maintained..
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
It is common in this organization to find vulnerable and
un-patched databases, or discover databases that still
have default accounts and configuration parameters.
Attackers may know how to exploit these vulnerabilities
to launch attacks against your organization.
According to the 2012 Independent Oracle User Group
(IOUG), 28 percent of Oracle users have never applied a
Critical Patch Update or don't know whether they've
done so. Another 10 percent take a year or longer to
apply their patches..
1.Stay on-top of maintaining database configurations even when patches are
available.It generally takes months to patch databases once a patch is available.
During the time your databases are un-patched,they remain vulnerable.
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
It is common in this organization to find vulnerable and
un-patched databases, or discover databases that still
have default accounts and configuration parameters.
Attackers may know how to exploit these vulnerabilities
to launch attacks against your organization.
According to the 2012 Independent Oracle User Group
(IOUG), 28 percent of Oracle users have never applied a
Critical Patch Update or don't know whether they've
done so. Another 10 percent take a year or longer to
apply their patches..
1.Stay on-top of maintaining database configurations even when patches are
available.It generally takes months to patch databases once a patch is available.
During the time your databases are un-patched,they remain vulnerable.
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
A successful SQL injection attack can give someone
unrestricted access to an entire database. SQL injection
involves inserting (or injecting) unauthorized or
malicious database statements into a vulnerable SQL
data channel such as a Web application or stored
procedure. If these injected statements are executed by
the database, critical data stores can be viewed, copied,
and altered.
Re
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Cybercriminals, state-sponsored hackers, and spies use
advanced attacks that blend multiple tactics such as
spear phishing emails and malware to penetrate your
organization and steal sensitive data. You could be
unaware that malware has infected your device, so
legitimate users become a conduit for these groups to
access your networks and sensitive data.
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
It is common in this organization to find vulnerable and
un-patched databases, or discover databases that still
have default accounts and configuration parameters.
Attackers may know how to exploit these vulnerabilities
to launch attacks against your organization.
According to the 2012 Independent Oracle User Group
(IOUG), 28 percent of Oracle users have never applied a
Critical Patch Update or don't know whether they've
done so. Another 10 percent take a year or longer to
28/03/2014 2.03 PM
1. Scan for Vulnerabilities : Understanding vulnerabilities that expose databases
to SQL injection is essential. Malware may be looking to exploit known database
vulnerabilities, making un-patched databases an easy target.
2. Weak authentication rules can enable a DoS attack by granting access to a
database without needing a password. Use vulnerability assessment tools to
detect security vulnerabilities, misconfigurations, and missing vendor patches.
3. Assessments should use industry best practices for database security, such as
DISA STIG and CIS benchmarks..
1.Sensitive data in the databases will be exposed to threats if the required
controls and permissions are not implemented. Hence an inventory of all
databases with data objects should be maintained.
2. Invalid or forgotten database inventory also should be maintained..
rt
Organization is struggling to maintain an accurate
inventory of their databases and the critical data objects
contained within them. Forgotten databases may
contain sensitive information, and new databases can
emerge e.g., in application testing environments
without visibility to the security team..
2.If a vulnerability is discovered and the database vendor hasn't released a patch,
a virtual patching solution should be used. Applying virtual patches will block
attempts to exploit vulnerabilities without requiring actual patches or changes to
the current configuration of the server.Virtual patching will protect the database
from exploit attempts until the patch is deployed.Again,focus on patching highrisk vulnerabilities that can facilitate DoS and SQL injection attacks.
po
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Report generated date & time:
2.If a vulnerability is discovered and the database vendor hasn't released a patch,
a virtual patching solution should be used. Applying virtual patches will block
attempts to exploit vulnerabilities without requiring actual patches or changes to
the current configuration of the server.Virtual patching will protect the database
from exploit attempts until the patch is deployed.Again,focus on patching highrisk vulnerabilities that can facilitate DoS and SQL injection attacks.
Identify malware-infected hosts so that you can prevent these devices from
accessing sensitive information in databases as well as unstructured data stores.
Once you identify compromised devices, you should apply controls to sensitive
data to restrict those devices from accessing and exfiltrating data.
1.Stay on-top of maintaining database configurations even when patches are
available.It generally takes months to patch databases once a patch is available.
During the time your databases are un-patched,they remain vulnerable.
2.If a vulnerability is discovered and the database vendor hasn't released a patch,
a virtual patching solution should be used. Applying virtual patches will block
attempts to exploit vulnerabilities without requiring actual patches or changes to
the current configuration of the server.Virtual patching will protect the database
from exploit attempts until the patch is deployed.Again,focus on patching high-
© 2013-14 | Ignite Intelligence
Page 6 of 13
Key Performance
Indicators
Process Gaps
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Recommendations
apply their patches..
risk vulnerabilities that can facilitate DoS and SQL injection attacks.
Organization is struggling to maintain an accurate
inventory of their databases and the critical data objects
contained within them. Forgotten databases may
contain sensitive information, and new databases can
emerge e.g., in application testing environments
without visibility to the security team..
Analysis records to be created based on data stakeholder and application
stakeholder perspective.
Sa
Organization is struggling to maintain an accurate
inventory of their databases and the critical data objects
contained within them. Forgotten databases may
contain sensitive information, and new databases can
emerge e.g., in application testing environments without
visibility to the security team.
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
It is common in this organization to find vulnerable and
un-patched databases, or discover databases that still
have default accounts and configuration parameters.
Attackers may know how to exploit these vulnerabilities
to launch attacks against your organization.
According to the 2012 Independent Oracle User Group
(IOUG), 28 percent of Oracle users have never applied a
Critical Patch Update or don't know whether they've
done so. Another 10 percent take a year or longer to
apply their patches..
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
mp
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
A successful SQL injection attack can give someone
unrestricted access to an entire database. SQL injection
involves inserting (or injecting) unauthorized or
malicious database statements into a vulnerable SQL
data channel such as a Web application or stored
procedure. If these injected statements are executed by
the database, critical data stores can be viewed, copied,
and altered.
1.Sensitive data in the databases will be exposed to threats if the required
controls and permissions are not implemented. Hence an inventory of all
databases with data objects should be maintained.
2. Invalid or forgotten database inventory also should be maintained..
1.Stay on-top of maintaining database configurations even when patches are
available.It generally takes months to patch databases once a patch is available.
During the time your databases are un-patched,they remain vulnerable.
2.If a vulnerability is discovered and the database vendor hasn't released a patch,
a virtual patching solution should be used. Applying virtual patches will block
attempts to exploit vulnerabilities without requiring actual patches or changes to
the current configuration of the server.Virtual patching will protect the database
from exploit attempts until the patch is deployed.Again,focus on patching highrisk vulnerabilities that can facilitate DoS and SQL injection attacks.
1. Scan for Vulnerabilities : Understanding vulnerabilities that expose databases
to SQL injection is essential. Malware may be looking to exploit known database
vulnerabilities, making un-patched databases an easy target.
2. Weak authentication rules can enable a DoS attack by granting access to a
database without needing a password. Use vulnerability assessment tools to
detect security vulnerabilities, misconfigurations, and missing vendor patches.
3. Assessments should use industry best practices for database security, such as
DISA STIG and CIS benchmarks..
Calculate Risk Scores : Score risks based on the severity of vulnerabilities and the
sensitivity of the data. Severity values should be based on known systems such as
the Common Vulnerability Scoring System (CVSS). Risk scores help prioritize risk,
manage, and research vulnerabilities. For example, higher risk scores would
relate to SQL injection.
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
Cybercriminals, state-sponsored hackers, and spies use
advanced attacks that blend multiple tactics such as
spear phishing emails and malware to penetrate your
organization and steal sensitive data. You could be
unaware that malware has infected your device, so
legitimate users become a conduit for these groups to
access your networks and sensitive data.
Identify malware-infected hosts so that you can prevent these devices from
accessing sensitive information in databases as well as unstructured data stores.
Once you identify compromised devices, you should apply controls to sensitive
data to restrict those devices from accessing and exfiltrating data.
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
A successful SQL injection attack can give someone
unrestricted access to an entire database. SQL injection
involves inserting (or injecting) unauthorized or
malicious database statements into a vulnerable SQL
data channel such as a Web application or stored
procedure. If these injected statements are executed by
the database, critical data stores can be viewed, copied,
and altered.
le
There is no analysis of Discovery Results : There are no
mechanisms to determine which databases that store
sensitive data need to be monitored, and who should
have access to what.
Re
1. Scan for Vulnerabilities : Understanding vulnerabilities that expose databases
to SQL injection is essential. Malware may be looking to exploit known database
vulnerabilities, making un-patched databases an easy target.
There is no analysis of Discovery Results : There are no
mechanisms to determine which databases that store
sensitive data need to be monitored, and who should
have access to what.
User Rights Management
- identifies excessive
rights over sensitive
data.
Users may abuse legitimate database privileges for
unauthorized purposes. Once data reach a client
machine, the data then becomes susceptible to a wide
variety of possible breach scenarios.
3. Assessments should use industry best practices for database security, such as
DISA STIG and CIS benchmarks..
Calculate Risk Scores : Score risks based on the severity of vulnerabilities and the
sensitivity of the data. Severity values should be based on known systems such as
the Common Vulnerability Scoring System (CVSS). Risk scores help prioritize risk,
manage, and research vulnerabilities. For example, higher risk scores would
relate to SQL injection.
1. Aggregate access rights, enrich access rights information based on careful
scrutiny. Remove excess rights.
po
Discovery and
Assessment - locate
where database
vulnerabilities and
critical data reside.
2. Weak authentication rules can enable a DoS attack by granting access to a
database without needing a password. Use vulnerability assessment tools to
detect security vulnerabilities, misconfigurations, and missing vendor patches.
2. Maintain real-time alerting & blocking.
3. Detect unusual access activity..
1.Privilege control mechanisms for job roles to be well defined or maintained. As a
result, users may not be granted generic or default access privileges that far
exceed their specific job requirements. This removes unnecessary risk.
rt
Staff are granted database privileges that exceed the
User Rights Management requirements of their job function, and these privileges
- identifies excessive
can be abused.
rights over sensitive
data.
There are no records of analysis of user privileges or
who has what privilege and why..
2. Aggregate Access Rights: Scan databases for both granted and privileged user
rights and extract details such as the actual access right (e.g. SELECT, DELETE,
CONNECT, etc), who granted them, who received those rights, and objects to
which rights have been granted. Aggregating user rights into a single repository
helps streamline the reporting and analysis of user access to sensitive data.
3. Enrich Access Rights Information with User Details and Data Sensitivity: Adding
information related to user roles and their database behavior adds considerable
value to user rights analysis and helps zero-in on the abuse of privileges. Collect
and append contextual details to user rights information including the user name,
department, database object sensitivity, and last time accessed. This allows you
to focus your analysis on the access rights that represent the highest business
risk.
4. Identify and Remove Excessive Rights and Dormant Users: Identify users that
have too many privileges and users who don't use their privileges. This helps
determine if user access rights are appropriately defined, find separation of duties
issues, and remove excessive rights that are not required for users to do their job.
Report generated date & time:
28/03/2014 2.03 PM
© 2013-14 | Ignite Intelligence
Page 7 of 13
Key Performance
Indicators
Process Gaps
Recommendations
Hackers use access rights to impersonate users and go after sensitive data stores.
Therefore, reducing excessive rights helps protect against malware compromise.
5. Review and Approve/Reject Individual User Rights: Perform an organized review
of user rights to determine if they are appropriate. Reviewers should approve or
reject rights, or assign them to another for review, and administrators can report
on the review process. Conducting organized user rights reviews meets regulatory
requirements and reduces risk by ensuring that user privileges are granted on a
need-to-know basis..
Sa
User Rights Management
- identifies excessive
rights over sensitive
data.
Users may abuse legitimate database privileges for
unauthorized purposes. Once data reach a client
machine, the data then becomes susceptible to a wide
variety of possible breach scenarios.
1. Aggregate access rights, enrich access rights information based on careful
scrutiny. Remove excess rights.
2. Maintain real-time alerting & blocking.
3. Detect unusual access activity..
1.Privilege control mechanisms for job roles to be well defined or maintained. As a
result, users may not be granted generic or default access privileges that far
exceed their specific job requirements. This removes unnecessary risk.
mp
2. Aggregate Access Rights: Scan databases for both granted and privileged user
rights and extract details such as the actual access right (e.g. SELECT, DELETE,
CONNECT, etc), who granted them, who received those rights, and objects to
which rights have been granted. Aggregating user rights into a single repository
helps streamline the reporting and analysis of user access to sensitive data.
Staff are granted database privileges that exceed the
User Rights Management requirements of their job function, and these privileges
- identifies excessive
can be abused.
rights over sensitive
data.
There are no records of analysis of user privileges or
who has what privilege and why..
le
4. Identify and Remove Excessive Rights and Dormant Users: Identify users that
have too many privileges and users who don't use their privileges. This helps
determine if user access rights are appropriately defined, find separation of duties
issues, and remove excessive rights that are not required for users to do their job.
Hackers use access rights to impersonate users and go after sensitive data stores.
Therefore, reducing excessive rights helps protect against malware compromise.
5. Review and Approve/Reject Individual User Rights: Perform an organized review
of user rights to determine if they are appropriate. Reviewers should approve or
reject rights, or assign them to another for review, and administrators can report
on the review process. Conducting organized user rights reviews meets regulatory
requirements and reduces risk by ensuring that user privileges are granted on a
need-to-know basis..
1. Automated recording of database transactions involving sensitive data should
be part of any database deployment in the organization.
Re
Failure to collect detailed audit records of database
activity represents a serious organizational risk on many
levels.
This weakness (or sometimes non-existent) database
audit mechanisms will increasingly find that they are at
odds with
industry and government regulatory requirements. For
example, Sarbanes-Oxley (SOX), which protects against
accounting errors and fraudulent practices, and the
Healthcare Information Portability and Accountability Act
(HIPAA) in the healthcare sector, are just two examples
User Rights Management of regulations with clear database audit requirements.
- identifies excessive
Organization uses native audit tools provided by your
rights over sensitive
database vendors or rely on ad-hoc and manual
data.
solutions. These approaches do not record details
necessary to support auditing, attack detection, and
forensics. Furthermore, native database audit
mechanisms are notorious for consuming CPU and disk
resources forcing many organizations to scale back or
eliminate auditing altogether. Finally, most native audit
mechanisms are unique to a database server platform.
For example, Oracle logs are different from MS-SQL, and
MS-SQL logs are different form DB2. For organizations
with heterogeneous database environments, this
imposes a significant obstacle to implementing uniform,
scalable audit processes..
3. Enrich Access Rights Information with User Details and Data Sensitivity: Adding
information related to user roles and their database behavior adds considerable
value to user rights analysis and helps zero-in on the abuse of privileges. Collect
and append contextual details to user rights information including the user name,
department, database object sensitivity, and last time accessed. This allows you
to focus your analysis on the access rights that represent the highest business
risk.
User Rights Management
- identifies excessive
rights over sensitive
data.
Users may abuse legitimate database privileges for
unauthorized purposes. Once data reach a client
machine, the data then becomes susceptible to a wide
variety of possible breach scenarios.
4. Finally, users with administrative access to the database (either legitimately or
maliciously obtained) to be limited and closely monitored so that they don't turn
off native database auditing to hide fraudulent activity.
5. Audit duties should ideally be separate from both database administrators and
the database server platform to ensure strong separation of duties policies..
Identify malware-infected hosts so that you can prevent these devices from
accessing sensitive information in databases as well as unstructured data stores.
Once you identify compromised devices, you should apply controls to sensitive
data to restrict those devices from accessing and exfiltrating data.
rt
Cybercriminals, state-sponsored hackers, and spies use
advanced attacks that blend multiple tactics such as
spear phishing emails and malware to penetrate your
organization and steal sensitive data. You could be
unaware that malware has infected your device, so
legitimate users become a conduit for these groups to
access your networks and sensitive data.
3. Reporting, visibility, and forensic analysis are to be promoted with a link to the
responsible user.
po
User Rights Management
- identifies excessive
rights over sensitive
data.
2. When users access the database via enterprise Web applications (such as SAP,
Oracle E-Business Suite, or PeopleSoft) there should have the knowledge of what
database access activity relates to a specific user instead of all activity being
associated with the Web application account name.
1. Aggregate access rights, enrich access rights information based on careful
scrutiny. Remove excess rights.
2. Maintain real-time alerting & blocking.
3. Detect unusual access activity..
Staff are granted database privileges that exceed the
User Rights Management requirements of their job function, and these privileges
- identifies excessive
can be abused.
rights over sensitive
data.
There are no records of analysis of user privileges or
who has what privilege and why..
Report generated date & time:
28/03/2014 2.03 PM
1.Privilege control mechanisms for job roles to be well defined or maintained. As a
result, users may not be granted generic or default access privileges that far
exceed their specific job requirements. This removes unnecessary risk.
2. Aggregate Access Rights: Scan databases for both granted and privileged user
rights and extract details such as the actual access right (e.g. SELECT, DELETE,
© 2013-14 | Ignite Intelligence
Page 8 of 13
Key Performance
Indicators
Process Gaps
Recommendations
CONNECT, etc), who granted them, who received those rights, and objects to
which rights have been granted. Aggregating user rights into a single repository
helps streamline the reporting and analysis of user access to sensitive data.
Sa
3. Enrich Access Rights Information with User Details and Data Sensitivity: Adding
information related to user roles and their database behavior adds considerable
value to user rights analysis and helps zero-in on the abuse of privileges. Collect
and append contextual details to user rights information including the user name,
department, database object sensitivity, and last time accessed. This allows you
to focus your analysis on the access rights that represent the highest business
risk.
4. Identify and Remove Excessive Rights and Dormant Users: Identify users that
have too many privileges and users who don't use their privileges. This helps
determine if user access rights are appropriately defined, find separation of duties
issues, and remove excessive rights that are not required for users to do their job.
Hackers use access rights to impersonate users and go after sensitive data stores.
Therefore, reducing excessive rights helps protect against malware compromise.
mp
5. Review and Approve/Reject Individual User Rights: Perform an organized review
of user rights to determine if they are appropriate. Reviewers should approve or
reject rights, or assign them to another for review, and administrators can report
on the review process. Conducting organized user rights reviews meets regulatory
requirements and reduces risk by ensuring that user privileges are granted on a
need-to-know basis..
1.Privilege control mechanisms for job roles to be well defined or maintained. As a
result, users may not be granted generic or default access privileges that far
exceed their specific job requirements. This removes unnecessary risk.
2. Aggregate Access Rights: Scan databases for both granted and privileged user
rights and extract details such as the actual access right (e.g. SELECT, DELETE,
CONNECT, etc), who granted them, who received those rights, and objects to
which rights have been granted. Aggregating user rights into a single repository
helps streamline the reporting and analysis of user access to sensitive data.
le
Staff are granted database privileges that exceed the
User Rights Management requirements of their job function, and these privileges
- identifies excessive
can be abused.
rights over sensitive
data.
There are no records of analysis of user privileges or
who has what privilege and why..
3. Enrich Access Rights Information with User Details and Data Sensitivity: Adding
information related to user roles and their database behavior adds considerable
value to user rights analysis and helps zero-in on the abuse of privileges. Collect
and append contextual details to user rights information including the user name,
department, database object sensitivity, and last time accessed. This allows you
to focus your analysis on the access rights that represent the highest business
risk.
4. Identify and Remove Excessive Rights and Dormant Users: Identify users that
have too many privileges and users who don't use their privileges. This helps
determine if user access rights are appropriately defined, find separation of duties
issues, and remove excessive rights that are not required for users to do their job.
Hackers use access rights to impersonate users and go after sensitive data stores.
Therefore, reducing excessive rights helps protect against malware compromise.
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
A successful SQL injection attack can give someone
unrestricted access to an entire database. SQL injection
involves inserting (or injecting) unauthorized or
malicious database statements into a vulnerable SQL
data channel such as a Web application or stored
procedure. If these injected statements are executed by
the database, critical data stores can be viewed, copied,
and altered.
Cybercriminals, state-sponsored hackers, and spies use
advanced attacks that blend multiple tactics such as
spear phishing emails and malware to penetrate your
organization and steal sensitive data. You could be
unaware that malware has infected your device, so
legitimate users become a conduit for these groups to
access your networks and sensitive data..
1.Scan for Vulnerabilities : Understanding vulnerabilities that expose databases to
SQL injection is essential. Malware may be looking to exploit known database
vulnerabilities, making un-patched databases an easy target.
2. Weak authentication rules can enable a DoS attack by granting access to a
database without needing a password. Use vulnerability assessment tools to
detect security vulnerabilities, misconfigurations, and missing vendor patches.
3. Assessments should use industry best practices for database security, such as
DISA STIG and CIS benchmarks..
po
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
Re
5. Review and Approve/Reject Individual User Rights: Perform an organized review
of user rights to determine if they are appropriate. Reviewers should approve or
reject rights, or assign them to another for review, and administrators can report
on the review process. Conducting organized user rights reviews meets regulatory
requirements and reduces risk by ensuring that user privileges are granted on a
need-to-know basis..
Identify malware-infected hosts so that you can prevent these devices from
accessing sensitive information in databases as well as unstructured data stores.
Once you identify compromised devices, you should apply controls to sensitive
data to restrict those devices from accessing and exfiltrating data.
1.Privilege control mechanisms for job roles to be well defined or maintained. As a
result, users may not be granted generic or default access privileges that far
exceed their specific job requirements. This removes unnecessary risk.
Staff are granted database privileges that exceed the
requirements of their job function, and these privileges
can be abused.
There are no records of analysis of user privileges or
who has what privilege and why..
rt
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
2. Aggregate Access Rights: Scan databases for both granted and privileged user
rights and extract details such as the actual access right (e.g. SELECT, DELETE,
CONNECT, etc), who granted them, who received those rights, and objects to
which rights have been granted. Aggregating user rights into a single repository
helps streamline the reporting and analysis of user access to sensitive data.
3. Enrich Access Rights Information with User Details and Data Sensitivity: Adding
information related to user roles and their database behavior adds considerable
value to user rights analysis and helps zero-in on the abuse of privileges. Collect
and append contextual details to user rights information including the user name,
department, database object sensitivity, and last time accessed. This allows you
to focus your analysis on the access rights that represent the highest business
risk.
4. Identify and Remove Excessive Rights and Dormant Users: Identify users that
have too many privileges and users who don't use their privileges. This helps
determine if user access rights are appropriately defined, find separation of duties
Report generated date & time:
28/03/2014 2.03 PM
© 2013-14 | Ignite Intelligence
Page 9 of 13
Key Performance
Indicators
Process Gaps
Recommendations
issues, and remove excessive rights that are not required for users to do their job.
Hackers use access rights to impersonate users and go after sensitive data stores.
Therefore, reducing excessive rights helps protect against malware compromise.
5. Review and Approve/Reject Individual User Rights: Perform an organized review
of user rights to determine if they are appropriate. Reviewers should approve or
reject rights, or assign them to another for review, and administrators can report
on the review process. Conducting organized user rights reviews meets regulatory
requirements and reduces risk by ensuring that user privileges are granted on a
need-to-know basis..
Sa
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
Users may abuse legitimate database privileges for
unauthorized purposes. Once data reach a client
machine, the data then becomes susceptible to a wide
variety of possible breach scenarios.
A successful SQL injection attack can give someone
unrestricted access to an entire database. SQL injection
involves inserting (or injecting) unauthorized or
malicious database statements into a vulnerable SQL
data channel such as a Web application or stored
procedure. If these injected statements are executed by
the database, critical data stores can be viewed, copied,
and altered.
Failure to collect detailed audit records of database
activity represents a serious organizational risk on many
levels.
This weakness (or sometimes non-existent) database
audit mechanisms will increasingly find that they are at
odds with
industry and government regulatory requirements. For
example, Sarbanes-Oxley (SOX), which protects against
accounting errors and fraudulent practices, and the
Healthcare Information Portability and Accountability Act
(HIPAA) in the healthcare sector, are just two examples
of regulations with clear database audit requirements.
2. Weak authentication rules can enable a DoS attack by granting access to a
database without needing a password. Use vulnerability assessment tools to
detect security vulnerabilities, misconfigurations, and missing vendor patches.
3. Assessments should use industry best practices for database security, such as
DISA STIG and CIS benchmarks..
1.Extract Real User Identity: Leverage solutions that correlate user information
with database transactions, also known as Universal User Tracking, or UUT. The
resulting audit logs can then include unique application user names.
2. Calculate Risk Scores : Score risks based on the severity of vulnerabilities and
the sensitivity of the data. Severity values should be based on known systems
such as the Common Vulnerability Scoring System (CVSS). Risk scores help
prioritize risk, manage, and research vulnerabilities. For example, higher risk
scores would relate to SQL injection..
1. Extract Real User Identity: Leverage solutions that correlate user information
with database transactions, also known as Universal User Tracking, or UUT. The
resulting audit logs can then include unique application user names.
2. Calculate Risk Scores : Score risks based on the severity of vulnerabilities and
the sensitivity of the data. Severity values should be based on known systems
such as the Common Vulnerability Scoring System (CVSS). Risk scores help
prioritize risk, manage, and research vulnerabilities. For example, higher risk
scores would relate to SQL injection..
1. Automated recording of database transactions involving sensitive data should
be part of any database deployment in the organization.
Organization uses native audit tools provided by your
database vendors or rely on ad-hoc and manual
solutions. These approaches do not record details
necessary to support auditing, attack detection, and
forensics. Furthermore, native database audit
mechanisms are notorious for consuming CPU and disk
resources forcing many organizations to scale back or
eliminate auditing altogether. Finally, most native audit
mechanisms are unique to a database server platform.
For example, Oracle logs are different from MS-SQL, and
MS-SQL logs are different form DB2. For organizations
with heterogeneous database environments, this
imposes a significant obstacle to implementing uniform,
scalable audit processes..
Users may abuse legitimate database privileges for
unauthorized purposes. Once data reach a client
machine, the data then becomes susceptible to a wide
variety of possible breach scenarios.
2. When users access the database via enterprise Web applications (such as SAP,
Oracle E-Business Suite, or PeopleSoft) there should have the knowledge of what
database access activity relates to a specific user instead of all activity being
associated with the Web application account name.
3. Reporting, visibility, and forensic analysis are to be promoted with a link to the
responsible user.
4. Finally, users with administrative access to the database (either legitimately or
maliciously obtained) to be limited and closely monitored so that they don't turn
off native database auditing to hide fraudulent activity.
5. Audit duties should ideally be separate from both database administrators and
the database server platform to ensure strong separation of duties policies..
po
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
There is no analysis of Discovery Results : There are no
mechanisms to determine which databases that store
sensitive data need to be monitored, and who should
have access to what.
1. Scan for Vulnerabilities : Understanding vulnerabilities that expose databases
to SQL injection is essential. Malware may be looking to exploit known database
vulnerabilities, making un-patched databases an easy target.
Re
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
There is no analysis of Discovery Results : There are no
mechanisms to determine which databases that store
sensitive data need to be monitored, and who should
have access to what..
le
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
2.Maintain real-time alerting & blocking.
3. Detect unusual access activity..
mp
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
1.Aggregate access rights, enrich access rights information based on careful
scrutiny. Remove excess rights.
1.Aggregate access rights, enrich access rights information based on careful
scrutiny. Remove excess rights.
2.Maintain real-time alerting & blocking.
3. Detect unusual access activity..
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
Report generated date & time:
28/03/2014 2.03 PM
Staff are granted database privileges that exceed the
requirements of their job function, and these privileges
can be abused.
rt
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
A successful SQL injection attack can give someone
unrestricted access to an entire database. SQL injection
involves inserting (or injecting) unauthorized or
malicious database statements into a vulnerable SQL
data channel such as a Web application or stored
procedure. If these injected statements are executed by
the database, critical data stores can be viewed, copied,
and altered.
1.Scan for Vulnerabilities : Understanding vulnerabilities that expose databases to
SQL injection is essential. Malware may be looking to exploit known database
vulnerabilities, making un-patched databases an easy target.
2. Weak authentication rules can enable a DoS attack by granting access to a
database without needing a password. Use vulnerability assessment tools to
detect security vulnerabilities, misconfigurations, and missing vendor patches.
3. Assessments should use industry best practices for database security, such as
DISA STIG and CIS benchmarks..
1.Privilege control mechanisms for job roles to be well defined or maintained. As a
result, users may not be granted generic or default access privileges that far
exceed their specific job requirements. This removes unnecessary risk.
© 2013-14 | Ignite Intelligence
Page 10 of 13
Key Performance
Indicators
Process Gaps
Recommendations
2. Aggregate Access Rights: Scan databases for both granted and privileged user
rights and extract details such as the actual access right (e.g. SELECT, DELETE,
CONNECT, etc), who granted them, who received those rights, and objects to
which rights have been granted. Aggregating user rights into a single repository
helps streamline the reporting and analysis of user access to sensitive data.
Sa
There are no records of analysis of user privileges or
who has what privilege and why..
Failure to collect detailed audit records of database
activity represents a serious organizational risk on many
levels.
This weakness (or sometimes non-existent) database
audit mechanisms will increasingly find that they are at
odds with
industry and government regulatory requirements. For
example, Sarbanes-Oxley (SOX), which protects against
accounting errors and fraudulent practices, and the
Healthcare Information Portability and Accountability Act
(HIPAA) in the healthcare sector, are just two examples
of regulations with clear database audit requirements.
Organization uses native audit tools provided by your
database vendors or rely on ad-hoc and manual
solutions. These approaches do not record details
necessary to support auditing, attack detection, and
forensics. Furthermore, native database audit
mechanisms are notorious for consuming CPU and disk
resources forcing many organizations to scale back or
eliminate auditing altogether. Finally, most native audit
mechanisms are unique to a database server platform.
For example, Oracle logs are different from MS-SQL, and
MS-SQL logs are different form DB2. For organizations
with heterogeneous database environments, this
imposes a significant obstacle to implementing uniform,
scalable audit processes..
28/03/2014 2.03 PM
1. Extract Real User Identity: Leverage solutions that correlate user information
with database transactions, also known as Universal User Tracking, or UUT. The
resulting audit logs can then include unique application user names.
2. Calculate Risk Scores : Score risks based on the severity of vulnerabilities and
the sensitivity of the data. Severity values should be based on known systems
such as the Common Vulnerability Scoring System (CVSS). Risk scores help
prioritize risk, manage, and research vulnerabilities. For example, higher risk
scores would relate to SQL injection..
1. Automated recording of database transactions involving sensitive data should
be part of any database deployment in the organization.
2. When users access the database via enterprise Web applications (such as SAP,
Oracle E-Business Suite, or PeopleSoft) there should have the knowledge of what
database access activity relates to a specific user instead of all activity being
associated with the Web application account name.
3. Reporting, visibility, and forensic analysis are to be promoted with a link to the
responsible user.
4. Finally, users with administrative access to the database (either legitimately or
maliciously obtained) to be limited and closely monitored so that they don't turn
off native database auditing to hide fraudulent activity.
5. Audit duties should ideally be separate from both database administrators and
the database server platform to ensure strong separation of duties policies..
1. Automated recording of database transactions involving sensitive data should
be part of any database deployment in the organization.
2. When users access the database via enterprise Web applications (such as SAP,
Oracle E-Business Suite, or PeopleSoft) there should have the knowledge of what
database access activity relates to a specific user instead of all activity being
associated with the Web application account name.
rt
Failure to collect detailed audit records of database
activity represents a serious organizational risk on many
levels.
This weakness (or sometimes non-existent) database
audit mechanisms will increasingly find that they are at
odds with
industry and government regulatory requirements. For
example, Sarbanes-Oxley (SOX), which protects against
accounting errors and fraudulent practices, and the
Healthcare Information Portability and Accountability Act
(HIPAA) in the healthcare sector, are just two examples
of regulations with clear database audit requirements.
Organization uses native audit tools provided by your
database vendors or rely on ad-hoc and manual
solutions. These approaches do not record details
necessary to support auditing, attack detection, and
forensics. Furthermore, native database audit
mechanisms are notorious for consuming CPU and disk
resources forcing many organizations to scale back or
eliminate auditing altogether. Finally, most native audit
mechanisms are unique to a database server platform.
Report generated date & time:
2. Calculate Risk Scores : Score risks based on the severity of vulnerabilities and
the sensitivity of the data. Severity values should be based on known systems
such as the Common Vulnerability Scoring System (CVSS). Risk scores help
prioritize risk, manage, and research vulnerabilities. For example, higher risk
scores would relate to SQL injection..
po
Auditing - helps
demonstrate compliance
with industry
regulations.
There is no analysis of Discovery Results : There are no
mechanisms to determine which databases that store
sensitive data need to be monitored, and who should
have access to what.
1. Extract Real User Identity: Leverage solutions that correlate user information
with database transactions, also known as Universal User Tracking, or UUT. The
resulting audit logs can then include unique application user names.
Re
Auditing - helps
demonstrate compliance
with industry
regulations.
There is no analysis of Discovery Results : There are no
mechanisms to determine which databases that store
sensitive data need to be monitored, and who should
have access to what.
le
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
4. Identify and Remove Excessive Rights and Dormant Users: Identify users that
have too many privileges and users who don't use their privileges. This helps
determine if user access rights are appropriately defined, find separation of duties
issues, and remove excessive rights that are not required for users to do their job.
Hackers use access rights to impersonate users and go after sensitive data stores.
Therefore, reducing excessive rights helps protect against malware compromise.
5. Review and Approve/Reject Individual User Rights: Perform an organized review
of user rights to determine if they are appropriate. Reviewers should approve or
reject rights, or assign them to another for review, and administrators can report
on the review process. Conducting organized user rights reviews meets regulatory
requirements and reduces risk by ensuring that user privileges are granted on a
need-to-know basis..
mp
Monitoring and Blocking
- protect databases from
attacks, data loss and
theft.
3. Enrich Access Rights Information with User Details and Data Sensitivity: Adding
information related to user roles and their database behavior adds considerable
value to user rights analysis and helps zero-in on the abuse of privileges. Collect
and append contextual details to user rights information including the user name,
department, database object sensitivity, and last time accessed. This allows you
to focus your analysis on the access rights that represent the highest business
risk.
3. Reporting, visibility, and forensic analysis are to be promoted with a link to the
responsible user.
4. Finally, users with administrative access to the database (either legitimately or
maliciously obtained) to be limited and closely monitored so that they don't turn
off native database auditing to hide fraudulent activity.
5. Audit duties should ideally be separate from both database administrators and
the database server platform to ensure strong separation of duties policies..
© 2013-14 | Ignite Intelligence
Page 11 of 13
Key Performance
Indicators
Process Gaps
Recommendations
For example, Oracle logs are different from MS-SQL, and
MS-SQL logs are different form DB2. For organizations
with heterogeneous database environments, this
imposes a significant obstacle to implementing uniform,
scalable audit processes..
Sa
Failure to collect detailed audit records of database
activity represents a serious organizational risk on many
levels.
This weakness (or sometimes non-existent) database
audit mechanisms will increasingly find that they are at
odds with
industry and government regulatory requirements. For
example, Sarbanes-Oxley (SOX), which protects against
accounting errors and fraudulent practices, and the
Healthcare Information Portability and Accountability Act
(HIPAA) in the healthcare sector, are just two examples
of regulations with clear database audit requirements.
Auditing - helps
demonstrate compliance
with industry
regulations.
mp
Organization uses native audit tools provided by your
database vendors or rely on ad-hoc and manual
solutions. These approaches do not record details
necessary to support auditing, attack detection, and
forensics. Furthermore, native database audit
mechanisms are notorious for consuming CPU and disk
resources forcing many organizations to scale back or
eliminate auditing altogether. Finally, most native audit
mechanisms are unique to a database server platform.
For example, Oracle logs are different from MS-SQL, and
MS-SQL logs are different form DB2. For organizations
with heterogeneous database environments, this
imposes a significant obstacle to implementing uniform,
scalable audit processes..
Organization uses native audit tools provided by your
database vendors or rely on ad-hoc and manual
solutions. These approaches do not record details
necessary to support auditing, attack detection, and
forensics. Furthermore, native database audit
mechanisms are notorious for consuming CPU and disk
resources forcing many organizations to scale back or
eliminate auditing altogether. Finally, most native audit
mechanisms are unique to a database server platform.
For example, Oracle logs are different from MS-SQL, and
MS-SQL logs are different form DB2. For organizations
with heterogeneous database environments, this
imposes a significant obstacle to implementing uniform,
scalable audit processes..
Backup storage media is often completely unprotected
from attack. As a result, numerous security breaches
can be involved in the theft of database backup disks
and tapes. Furthermore, failure to audit and monitor the
activities of administrators who have low-level access to
sensitive information can put your data at risk.
4. Finally, users with administrative access to the database (either legitimately or
maliciously obtained) to be limited and closely monitored so that they don't turn
off native database auditing to hide fraudulent activity.
5. Audit duties should ideally be separate from both database administrators and
the database server platform to ensure strong separation of duties policies..
1. Automated recording of database transactions involving sensitive data should
be part of any database deployment in the organization.
2. When users access the database via enterprise Web applications (such as SAP,
Oracle E-Business Suite, or PeopleSoft) there should have the knowledge of what
database access activity relates to a specific user instead of all activity being
associated with the Web application account name.
3. Reporting, visibility, and forensic analysis are to be promoted with a link to the
responsible user.
4. Finally, users with administrative access to the database (either legitimately or
maliciously obtained) to be limited and closely monitored so that they don't turn
off native database auditing to hide fraudulent activity.
5. Audit duties should ideally be separate from both database administrators and
the database server platform to ensure strong separation of duties policies..
Taking the appropriate measures to protect backup copies of sensitive data and
monitoring your most highly privileged users is not only a data security best
practice, but also mandated by many regulations.
1.Cultivate Experienced Security Professionals: To defend against a growing array
of internal and external threats, hire information security personnel that are well
versed in IT Security and have experience implementing, administering, and
monitoring security solutions. Ongoing education and training are also important
for growing deeper security knowledge and skills. Consider outside IT security and
specialists to help with implementation, conduct security assessments and
penetration tests, and provide training and support for your administrators.
2. Educate Your Workforce: Train your workforce on risk mitigation techniques
including how to recognize common cyber-threats (e.g. a spear-phishing attack),
best practices around Internet and email usage, and password management.
Failure to enforce training and create a security conscious work culture increases
the chances of a security breach. The end result is well-informed users who are
trained to securely function when connected to key systems..
rt
Non-Technical Security instills and reinforces a
culture of security
awareness and
preparedness.
Internal security controls are not keeping pace with data
growth and your organization is ill-equipped to deal with
a security breach.Often this is due to the lack of
expertise required to implement security controls,
policies, and training.According to PWC's 2012
Information Security Breaches Survey, 75% of the
organizations surveyed experienced staff-related
breaches when a security policy was poorly understood
and 54% of small businesses did not have a program for
educating their staff about security risks.
28/03/2014 2.03 PM
3. Reporting, visibility, and forensic analysis are to be promoted with a link to the
responsible user.
po
Non-Technical Security instills and reinforces a
culture of security
awareness and
preparedness.
Internal security controls are not keeping pace with data
growth and your organization is ill-equipped to deal with
a security breach.Often this is due to the lack of
expertise required to implement security controls,
policies, and training.According to PWC's 2012
Information Security Breaches Survey, 75% of the
organizations surveyed experienced staff-related
breaches when a security policy was poorly understood
and 54% of small businesses did not have a program for
educating their staff about security risks.
Report generated date & time:
2. When users access the database via enterprise Web applications (such as SAP,
Oracle E-Business Suite, or PeopleSoft) there should have the knowledge of what
database access activity relates to a specific user instead of all activity being
associated with the Web application account name.
Re
Data Protection ensures data integrity
and confidentiality.
le
Data Protection ensures data integrity
and confidentiality.
Failure to collect detailed audit records of database
activity represents a serious organizational risk on many
levels.
This weakness (or sometimes non-existent) database
audit mechanisms will increasingly find that they are at
odds with
industry and government regulatory requirements. For
example, Sarbanes-Oxley (SOX), which protects against
accounting errors and fraudulent practices, and the
Healthcare Information Portability and Accountability Act
(HIPAA) in the healthcare sector, are just two examples
of regulations with clear database audit requirements.
1. Automated recording of database transactions involving sensitive data should
be part of any database deployment in the organization.
1.Cultivate Experienced Security Professionals: To defend against a growing array
of internal and external threats, hire information security personnel that are well
versed in IT Security and have experience implementing, administering, and
monitoring security solutions. Ongoing education and training are also important
for growing deeper security knowledge and skills. Consider outside IT security and
specialists to help with implementation, conduct security assessments and
penetration tests, and provide training and support for your administrators.
2. Educate Your Workforce: Train your workforce on risk mitigation techniques
including how to recognize common cyber-threats (e.g. a spear-phishing attack),
best practices around Internet and email usage, and password management.
Failure to enforce training and create a security conscious work culture increases
the chances of a security breach. The end result is well-informed users who are
trained to securely function when connected to key systems..
© 2013-14 | Ignite Intelligence
Page 12 of 13
ROADMAP FOR THIS SAMPLE
Sa
DATABASE SECURITY PROCESS RISK ANALYSIS
mp
Process Gaps
Severe Risk
Items
High Risk
Items
Medium Risk
Items
Low Risk
Items
Total Risk
Items
Discovery and Assessment - locate where database vulnerabilities and critical
data reside.
6
6
2
1
15
User Rights Management - identifies excessive rights over sensitive data.
3
2
3
1
9
Monitoring and Blocking - protect databases from attacks, data loss and theft.
2
5
6
0
13
Auditing - helps demonstrate compliance with industry regulations.
0
2
1
0
3
Data Protection - ensures data integrity and confidentiality.
1
1
0
0
2
Non-Technical Security - instills and reinforces a culture of security awareness
and preparedness.
0
1
1
0
2
le
Key Performance Indicators
rt
po
Re
Report generated date & time:
28/03/2014 2.03 PM
© 2013-14 | Ignite Intelligence
Page 13 of 13