Page 143

Logical Security Applications

  •  Access controls — Database access is granted at the table, record or field level. In simplest terms, a
     record corresponds to a row in a spreadsheet and a field to a single row-column intersection (a cell).
     The access rules themselves are stored in database tables (the system catalog), so whoever can write
     those tables controls who may read and change the data.
  •  Audit logs — The more detailed the database logging, the more it slows response times, so native
     logging is often minimally enabled, or not enabled at all. Native logs are stored in database tables,
     and database administrators (DBAs) have complete control over those tables: they can modify or delete
     log entries. Third-party products can log access to a database with minimal impact on response times.
     Because DBAs can alter native logs, standard practice is to replicate or forward DBA activity logs to a
     separate store that the DBAs cannot access (for example a log server or SIEM), where the security
     administration function reviews them alongside other system logs.

A database runs under the OS as a separate process; a review of active accounts at the operating system
level will show the service account under which the database engine runs, and that account is itself a
privileged target. Protecting the database therefore requires network security and host OS security in
addition to the database's own controls. Database systems also listen on TCP/IP ports for client
connections, so a database can be attacked over the network and compromised through its own weaknesses
even when the underlying OS is hardened.
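As an added illustration of the two controls above (field-level access rules, and access logs kept beyond the DBA's reach), here is a small Python example written for this page; it is not from the IIA material. It assumes SQLite, whose authorizer hook is called for every column a statement reads, a hypothetical employees table with constructed rows, two hypothetical roles, and an application-side hash-chained log standing in for the separate log store the text describes:

```python
import hashlib
import itertools
import json
import sqlite3

# Hypothetical field-level rules, constructed for this example:
# role -> set of (table, column) pairs that role may read.
READ_RULES = {
    "hr": {("employees", "id"), ("employees", "name"), ("employees", "salary")},
    "analyst": {("employees", "id"), ("employees", "name")},
}
GENESIS = "0" * 64  # chain anchor for the first log entry


class GuardedDatabase:
    """Enforce per-role column reads with SQLite's authorizer hook and keep a
    hash-chained read log in application memory, outside the DBA's SQL reach."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, salary INTEGER)")
        self.conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                              [(1, "Ada", 120000), (2, "Linus", 95000)])  # constructed rows
        self.conn.set_authorizer(self._authorize)
        self.principal = None  # (user, role) on whose behalf the current statement runs
        self.audit_log = []    # append-only; never stored in a table the DBA controls
        self.seq = itertools.count(1)

    def _authorize(self, action, table, column, dbname, trigger):
        # SQLite invokes this once per column reference while compiling a
        # statement, so the log records which fields a statement touches
        # (cheap) rather than every row returned.
        if action != sqlite3.SQLITE_READ or (table or "").startswith("sqlite_"):
            return sqlite3.SQLITE_OK
        if self.principal is None:
            return sqlite3.SQLITE_DENY  # fail closed outside query()
        user, role = self.principal
        rules = READ_RULES.get(role, set())
        allowed = (table, column) in rules if column else any(t == table for t, _ in rules)
        self._record({"user": user, "role": role, "table": table,
                      "column": column or "*", "allowed": allowed})
        return sqlite3.SQLITE_OK if allowed else sqlite3.SQLITE_DENY

    def _record(self, event):
        prev = self.audit_log[-1]["hash"] if self.audit_log else GENESIS
        digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
        self.audit_log.append({**event, "prev": prev, "hash": digest})

    def query(self, user, role, sql, params=()):
        # sqlite3 caches compiled statements by text and the authorizer runs only
        # at compile time; a unique tag per request forces a fresh compile so each
        # call is re-authorized and logged for the principal actually making it.
        tagged = f"/* req:{next(self.seq)} */ {sql}"
        self.principal = (user, role)
        try:
            return self.conn.execute(tagged, params).fetchall()
        finally:
            self.principal = None


def verify_chain(entries):
    """Recompute the chain; return the index of the first tampered or missing
    entry, or -1 if the log is intact."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        expect = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expect:
            return i
        prev = entry["hash"]
    return -1


def demo():
    db = GuardedDatabase()
    hr_rows = db.query("alice", "hr", "SELECT name, salary FROM employees WHERE id = ?", (1,))
    try:
        db.query("bob", "analyst", "SELECT name, salary FROM employees WHERE id = ?", (1,))
        denied = False
    except sqlite3.DatabaseError:  # SQLite refuses to compile the statement
        denied = True
    analyst_rows = db.query("bob", "analyst", "SELECT id, name FROM employees")
    # A DBA who could reach this log would delete the incriminating denial;
    # the broken chain exposes the deletion.
    without_denial = [e for e in db.audit_log if e["allowed"]]
    return {
        "hr_rows": hr_rows,
        "analyst_denied": denied,
        "analyst_rows": analyst_rows,
        "denial_logged": any(e["column"] == "salary" and not e["allowed"] for e in db.audit_log),
        "chain_intact": verify_chain(db.audit_log),
        "chain_after_deletion": verify_chain(without_denial),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The chain proves only that nothing before its last entry was altered or removed; to detect truncation of the tail, the application should also hand the most recent hash to the external reviewer (for example, the SIEM) as entries are shipped. Because SQLite authorizes at statement-compile time, the log captures which fields a statement requested rather than how many rows came back; that is what keeps the overhead low, and a review for bulk extraction needs row counts from another source.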

            Database Security Issues

            Database security issues include:
  •  Native database authentication is often weak, so authentication is commonly delegated to an external
     mechanism (e.g., network directory or OS authentication).
  •  Applications are integrated with databases. An application needs an ID and password to connect, and
     these are sometimes hard-coded in the application code or configuration, where anyone who can read
     the code can recover them.
  •  Database password controls are weak, for example:
         o  Short minimum password length.
         o  No forced password change interval.
  •  Access control is rudimentary and cumbersome to maintain.
  •  Security event logging is lacking:
         o  Native database logging normally records changes to data (writes), for recovery purposes;
             reads of data are generally not logged, so unauthorized viewing or copying leaves no trace.
  •  Weaknesses also arise when database security is managed in isolation from the other IT
     infrastructure layers (network, OS and application).
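An added example (not from the page) of the hard-coded credential problem and its remedy, in Python: a scanner that finds literal passwords and credential-bearing connection strings in application source, run over a constructed snippet, beside a hardened loader that takes the service account password from the runtime environment and rejects values below a minimum length policy. The variable names, the 14-character minimum, the placeholder list and the sample snippet are assumptions made for the example:

```python
import os
import re

# Constructed application snippet for this example: the weak pattern the text
# describes, with credentials embedded in source and in a connection string.
INSECURE_SOURCE = '''
DB_USER = "app_svc"
DB_PASSWORD = "Summer2019!"      # shipped in every copy of the application
DSN = "postgresql://report:Passw0rd@db.internal:5432/hr"
API_TIMEOUT = 30
'''

# (kind, pattern): a string literal assigned to a password-like name, or a
# user:password@ pair inside a connection URL. The last group is the secret.
CRED_PATTERNS = [
    ("password assigned in code",
     re.compile(r'(?i)(?:password|passwd|pwd|secret)\w*\s*[:=]\s*["\']([^"\']+)["\']')),
    ("credential in connection string",
     re.compile(r'(?i)[a-z][a-z0-9+.-]*://([^:/\s"\']+):([^@\s"\']+)@')),
]

MIN_PASSWORD_LENGTH = 14                 # hypothetical policy value
PLACEHOLDERS = {"password", "changeme", "admin", "secret"}


def redact(secret):
    """Keep two characters so a reviewer can match the finding, hide the rest."""
    return secret[:2] + "*" * (len(secret) - 2)


def find_hardcoded_credentials(source):
    """Scan source text; return (line_number, kind, redacted_secret) per finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pattern in CRED_PATTERNS:
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(match.lastindex))))
    return findings


def load_db_credentials(env=None):
    """Hardened replacement: take the service account credential from the
    runtime environment (injected by a secrets manager or the orchestrator)
    and refuse weak or placeholder values before attempting to connect."""
    env = os.environ if env is None else env
    user, password = env.get("DB_USER"), env.get("DB_PASSWORD")
    if not user or not password:
        raise RuntimeError("DB_USER and DB_PASSWORD must be injected at runtime, not stored in code")
    if len(password) < MIN_PASSWORD_LENGTH or password.lower() in PLACEHOLDERS:
        raise RuntimeError("database password does not meet the minimum policy")
    return user, password


if __name__ == "__main__":
    for lineno, kind, secret in find_hardcoded_credentials(INSECURE_SOURCE):
        print(f"line {lineno}: {kind}: {secret}")
```

Running the scanner in the build pipeline turns the text's "sometimes hard-coded" into a measurable finding per release; the loader's checks compensate for the weak native password policy by enforcing a minimum length on the application side, which the database itself may not do.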

            Security Risks

  •  Unauthorized modification of data, enabled by weak security protecting the database.
  •  Data is stolen without detection. This:
         o  can occur through unauthorized access; and
         o  results from the absence of security event monitoring processes.
  •  Slow response time caused by heavy audit logging (which, as noted above, is mostly limited to
     data changes).
  •  Super users may accidentally update the wrong field or enter the wrong value during a mass update
     and corrupt the table.
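To show how the security administration function could review exported database logs for the risks listed above, here is an added Python example (not the page's own) that runs a few detection rules over constructed JSON audit records: bulk reads that suggest extraction, mass updates or deletes, any change to an in-database audit table, and off-hours activity. The record format, field names, table names, business hours and thresholds are assumptions made for the example:

```python
import json
from datetime import datetime, timezone

# Constructed audit records for this example, in the shape a log forwarder might
# deliver them to the security team's store; the page does not specify a format.
AUDIT_LOG = """\
{"ts": "2022-03-14T09:02:11Z", "user": "alice", "role": "hr", "action": "SELECT", "object": "employees", "rows": 1}
{"ts": "2022-03-14T09:05:40Z", "user": "bob", "role": "analyst", "action": "SELECT", "object": "employees", "rows": 2}
{"ts": "2022-03-14T23:41:03Z", "user": "bob", "role": "analyst", "action": "SELECT", "object": "employees", "rows": 48213}
{"ts": "2022-03-14T23:42:17Z", "user": "dba01", "role": "dba", "action": "DELETE", "object": "audit_trail", "rows": 17}
{"ts": "2022-03-14T23:43:05Z", "user": "dba01", "role": "dba", "action": "UPDATE", "object": "employees", "rows": 48213}
"""

# Hypothetical thresholds; tune them to the application's normal volumes.
BULK_READ_ROWS = 10_000
MASS_CHANGE_ROWS = 10_000
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 UTC
AUDIT_OBJECTS = {"audit_trail"}      # in-database log tables nobody should edit
DESTRUCTIVE = {"UPDATE", "DELETE", "DROP", "TRUNCATE"}


def review_audit_log(text):
    """Apply the review rules to each record; return one alert per rule hit."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        # "Z" suffix is normalised so the parse works on Python versions before 3.11.
        when = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        rules = [
            (ev["action"] == "SELECT" and ev["rows"] >= BULK_READ_ROWS,
             "bulk read: possible data extraction"),
            (ev["action"] in ("UPDATE", "DELETE") and ev["rows"] >= MASS_CHANGE_ROWS,
             "mass change: confirm an approved change request exists"),
            (ev["action"] in DESTRUCTIVE and ev["object"] in AUDIT_OBJECTS,
             "audit trail modified: possible log tampering"),
            (when.hour not in BUSINESS_HOURS, "off-hours access"),
        ]
        for hit, reason in rules:
            if hit:
                alerts.append({"line": lineno, "user": ev["user"], "alert": reason})
    return alerts


if __name__ == "__main__":
    for a in review_audit_log(AUDIT_LOG):
        print(f'line {a["line"]} {a["user"]}: {a["alert"]}')
```

The rules only work if the records reach the reviewer: a DELETE against the audit table (line 4 of the sample) is exactly the event a DBA could erase from a log stored inside the database, which is why the text has DBA activity forwarded to a store the DBAs cannot reach.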

            Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.