Page 144 - Courses

Logical Security Applications


            Controls

              Database controls include:
              -  Database authentication integrated with the OS or network layers.
              -  Direct access to databases restricted to DBAs (i.e., no user can directly update the database).
              -  Audit logging:
                   o  Database changes are logged.
                   o  Database logs are piped to another server so DBAs cannot change them; otherwise the logs
                       sit in a database table that DBAs can modify.
                   o  Logged events are monitored.
                   o  Sometimes, third-party logging software is used in lieu of database logging to identify
                       security event concerns; it avoids the response-time lags that occur with native
                       database logging.
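The forwarding control above only works if the copy on the separate server is the one DBAs cannot touch, so the corresponding audit test is to compare the two copies. The following is an added example for this course page, not the IIA's own material: it assumes both copies were exported as rows with the constructed fields `id`, `ts`, `user` and `stmt`, treats the forwarded copy as authoritative, and reports rows that are missing or altered in the database-side table (and rows that were never forwarded).

```python
"""Compare the database's own audit-log table with the copy forwarded to a
separate log server (added example; not the course's code).

Assumptions: both copies were exported as rows with a unique id, a timestamp,
the acting user and the logged statement. All rows below are constructed.
"""
import hashlib
import json

# Constructed: rows read from the forwarded copy on the separate log server.
REMOTE_ROWS = [
    {"id": 1, "ts": "2022-03-01T10:00:00", "user": "app_svc",
     "stmt": "UPDATE orders SET status='shipped' WHERE id=42"},
    {"id": 2, "ts": "2022-03-01T10:05:00", "user": "dba_1",
     "stmt": "ALTER TABLE orders ADD note varchar(200)"},
    {"id": 3, "ts": "2022-03-01T10:07:00", "user": "dba_1",
     "stmt": "UPDATE payroll SET amount=9000 WHERE emp=7"},
    {"id": 4, "ts": "2022-03-01T10:09:00", "user": "dba_1",
     "stmt": "DELETE FROM orders WHERE id=42"},
]

# Constructed: the same id range as read from the log table inside the database.
# Row 3 has a different 'user' value and row 4 is absent altogether.
DB_SIDE_ROWS = [
    REMOTE_ROWS[0],
    REMOTE_ROWS[1],
    {"id": 3, "ts": "2022-03-01T10:07:00", "user": "app_svc",
     "stmt": "UPDATE payroll SET amount=9000 WHERE emp=7"},
]


def row_digest(row):
    """Stable hash of one row so the two copies can be compared field for field."""
    return hashlib.sha256(json.dumps(row, sort_keys=True).encode()).hexdigest()


def reconcile_audit_logs(db_rows, remote_rows):
    """Return the ids that differ between the modifiable table and the forwarded copy.

    missing_from_db : present on the log server, gone from the database table
    altered_in_db   : present in both, but the database-side content differs
    not_forwarded   : present in the database table only (a forwarding gap)
    """
    db = {r["id"]: row_digest(r) for r in db_rows}
    remote = {r["id"]: row_digest(r) for r in remote_rows}
    return {
        "missing_from_db": sorted(i for i in remote if i not in db),
        "altered_in_db": sorted(i for i in remote if i in db and db[i] != remote[i]),
        "not_forwarded": sorted(i for i in db if i not in remote),
    }


if __name__ == "__main__":
    for finding, ids in reconcile_audit_logs(DB_SIDE_ROWS, REMOTE_ROWS).items():
        print(f"{finding}: {ids}")
```

Any non-empty `missing_from_db` or `altered_in_db` list is an exception to follow up with the DBAs, since only someone with write access to the in-database log table could have produced it; `not_forwarded` points at a gap in the forwarding itself rather than at tampering.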

            Auditing Database Layer Security

            1.  Identify the number of DBAs and super users, and interview each, noting their job duties and the
               databases they have access to. For larger installations, DBAs could be assigned to administer
               specific databases. In smaller installations, DBAs will have access to all databases. In any event,
               the number of people with access to the database should be limited.

            2.  Obtain configuration parameters that show the database is integrated with the OS for
               authentication and validate database authentication points to the OS.

            3.  Obtain a list of users from the network who have access to the database. Test to ensure users are
               appropriate and their access is authorized. Typically, all users who have database access are
               contained in a single Active Directory Services (ADS) group, which more efficiently segregates
               users.

            Auditing Database Layer Security: Accounts

            1.  Obtain a list of active database accounts from the database user table and test for
               appropriateness. If the database is integrated with Active Directory Services (ADS), then the
               only active accounts defined within the database would be the administrator account and
               potentially some batch IDs (which would be service accounts at the network level). Identify who
               knows the system administrator password (i.e., who uses it). Interview users, evaluate the
               reasonableness of each stated purpose for using the database System Administrator (SA) account,
               and determine who knows the SA password. Identify the purpose of each remaining active account
               and ensure it is reasonable.
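Step 3 of the previous list and step 1 above are both reconciliations: the members of the single directory group should all be authorized by role, and the accounts defined inside the database should reduce to the administrator account, batch/service IDs and the group mapping. The following is an added example for this course page, not the IIA's own material; it assumes the auditor has exported the database user table as CSV (the column names are hypothetical) and obtained the directory group membership and an HR role list, and every name in it is constructed.

```python
"""Reconcile database accounts with the directory group that grants access
(added example; not the course's code).

Assumptions: the database user table was exported as CSV with the hypothetical
columns name,type,status; the directory group membership and the list of users
whose role requires access were obtained separately. All names are constructed.
"""
import csv
import io

# Constructed export of the database user table.
DB_ACCOUNTS_CSV = """name,type,status
sa,login,active
batch_nightly_etl,login,active
jdoe,login,active
CORP\\DB_Users,group,active
svc_reporting,login,disabled
"""

# Constructed directory and HR data.
AD_GROUP_MEMBERS = {"jdoe", "asmith", "bwong", "svc_reporting"}
AUTHORIZED_BY_ROLE = {"jdoe", "asmith"}          # users whose job duties require database access
KNOWN_SERVICE_ACCOUNTS = {"batch_nightly_etl", "svc_reporting"}
ADMIN_ACCOUNTS = {"sa"}                           # the single administrator account


def parse_db_accounts(text):
    """Turn the CSV export of the user table into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_db_accounts(accounts, admin=ADMIN_ACCOUNTS, service=KNOWN_SERVICE_ACCOUNTS):
    """Accounts step 1: with directory-integrated authentication, the only active
    accounts defined inside the database should be the administrator account,
    batch/service IDs and the directory group mapping itself. Any other active
    login is defined locally, bypasses the directory, and needs a justification."""
    unexpected = []
    for row in accounts:
        if row["status"] != "active" or row["type"] == "group":
            continue
        if row["name"] in admin or row["name"] in service:
            continue
        unexpected.append(row["name"])
    return unexpected


def review_group_members(members, authorized=AUTHORIZED_BY_ROLE, service=KNOWN_SERVICE_ACCOUNTS):
    """Step 3: every member of the access group must be authorized by role or be a
    recognised service account; the rest are reported for follow-up."""
    return sorted(m for m in members if m not in authorized and m not in service)


if __name__ == "__main__":
    accts = parse_db_accounts(DB_ACCOUNTS_CSV)
    print("Locally defined logins needing justification:", review_db_accounts(accts))
    print("Group members not authorized by role:", review_group_members(AD_GROUP_MEMBERS))
```

In the constructed data the local login `jdoe` duplicates a directory user and is flagged, while `bwong` is in the access group without a role that requires it; both are the kind of exception the interviews in step 1 are meant to resolve.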

            2.  Obtain network and OS credentials for each account noted (as applicable) and validate whether
               DBAs have privileged network or OS access. DBAs may have local system administrator capability
               on the servers the databases reside on. If DBAs do have privileged access capability to the



            Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.