Implementing Database Security and Auditing, part 1 (pps)



Document information

[...] you?
11.1.1 Health Insurance Portability and Accountability Act of 1996 (HIPAA)
11.1.2 Gramm-Leach-Bliley Act of 1999 (GLBA)
11.1.3 Sarbanes-Oxley Act (SOX or SarBox)
11.1.4 California Senate Bill 1386
11.2 Understand business needs and map to technical requirements
11.2.1 Use "reverse mappings"
11.2.2 Timetable, data, and process mappings
11.2.3 Example: SOX and Excel
11.3 The role of auditing
11.4 [...]

[...] the database a Web server and don't promote stored procedure gateways
7.2.1 Mod_plsql
7.2.2 Mod_ose
7.2.3 Implementation options: Remove modules and/or remove the HTTP server
7.3, 7.4, 7.5, 7.A, 7.B [...]
8 Securing database-to-database communications
8.1, 8.2 [...]

[...] duties

11.5 Implement a sustainable solution
11.6 Summary
12 Auditing Categories
12.1 to 12.12:
Audit logon/logoff into the database
Audit sources of database usage
Audit database usage outside normal operating hours
Audit DDL activity
Audit database errors
Audit [...]

13 Auditing Architectures
13.1 to 13.11:
Don't create a false sense of security
Opt for an independent/backup audit trail
Architectures for external audit systems
Archive auditing information
Secure auditing information
Audit the audit system
Sustainable automation and oversight for audit activities
Thinks [...] tools and security applications
Support changing audit requirements
Prefer an auditing architecture that is also able to support remediation
13.12 Summary
13.A PGP and GPG
Index

Preface
This book is a guide on implementing security and auditing for database environments. It is meant to be used by database administrators, security administrators, system administrators, auditors, and [...]

[...] vulnerability: Sniffing data
10.1.2 Implementation options for encrypting data-in-transit
10.2 Encrypt data-at-rest
10.2.1 Anatomy of the vulnerability: Prying SELECTs and file theft
10.2.2 Implementation options for encrypting data-at-rest
10.2.3 What to consider when selecting an implementation option
10.3 Summary
10.A Tapping into a TCP/IP session
11 Regulations and Compliance
11.1 The alphabet soup of [...]

[...] suddenly come to the forefront.

1.1 Harden your database environment
So now that you are (hopefully) convinced that you need to invest in the security of your database, let's turn to the book. The book has two main parts: Chapters 1 through 10 show you how to implement various facets of database security, and Chapters 11 through 13 can help you with database auditing implementations. Each chapter [...]

[...] Install the Sybase auditing feature and use the auditing tables in sybsecurity, or use other audit mechanisms. (More on this later in this section and in Chapters 11 through 13.)

1.1.5 Hardening a MySQL environment
Of the database platforms mentioned in this chapter, MySQL is the only open-source database platform. Being open source has advantages and disadvantages when dealing with security and hardening. In [...]

[...] covers diverse topics that include all aspects of database security and auditing, including network security for databases, authentication and authorization issues, links and replication, database Trojans, and more. You will also learn of vulnerabilities and attacks that exist within various database environments or that have been used to attack databases (and that have since been fixed). These will often [...]

[...] define and enforce new regulations that have a direct impact on IT auditing. Because financial, personal, and sensitive data is stored within databases, these requirements usually imply database auditing requirements. Because regulations such as Sarbanes-Oxley, GLBA, and HIPAA (all discussed in Chapter 11) have financial and criminal penalties associated with noncompliance, database security and auditing [...]

[...] the database
1.4 Define an access policy as the center of your database security and auditing initiative
1.5 Resources and Further Reading
1.6 Summary
1.A C2 Security and C2 Auditing
[...] environment
1.1.2 Hardening a SQL Server environment
1.1.3 Hardening a DB2 UDB (LUW) environment
1.1.4 Hardening a Sybase environment
1.1.5 Hardening a MySQL environment
1.1.6 Use configuration [...]

Posted: 08/08/2014, 18:22
