The underutilised security bulwark: database logs.

As security breaches like that of TJ Maxx grab headlines and as corporate regulations like Sarbanes-Oxley and PCI continue to emphasize preserving and securing data and assurance of IT controls, organisations are increasingly turning to log data to provide a continuous fingerprint of everything that happens within the security perimeter. Enterprises look to logs from network systems (routers, switches, firewalls), security devices (IDS/IPS, firewalls), and/or servers (Windows, Unix, Linux, and even mainframes) to gain insight into their systems, protect from internal and external security threats, and satisfy auditors. However, another crucial, log-generating part of the IT infrastructure, the database, has been capturing more attention recently, even though most security issues surrounding databases have existed since commercial database systems were introduced a few decades ago.

Over the past few years, insider attacks have caused more headaches than occasional malware-related incidents. According to recent surveys, a majority of respondents attribute at least some amount of data loss to insiders. Perhaps the top reason why paying attention to database security is crucial to improving enterprise information security posture is that database systems are deployed deep inside the company network. This is also why databases are less visible on a security radar--their internal deployment is seen as a shield that protects them from Internet attacks. However, such database placement makes them a prime target for insiders, who have the best opportunity to attack, compromise, and steal the data. It is not just insider threats that present problems, though. Databases that house confidential client information (e.g. medical records or credit card numbers) that need to be available to partners and other outside parties can also be penetrated by outsiders, possibly through web application vulnerabilities. Such a breach is guaranteed to have deleterious effects.

The term "database security" connotes controlling access to database software, structures (or "metadata"), and the data itself, database configuration hardening, database data encryption, and database vulnerability scanning, all of which are underscored by database logging, which stands as the last but most critical line of defence against insider attacks as well as compliance risks.

Database Logging is Difficult ...
Databases offer different arrays of logging options, but most are capable of logging user logins and logouts; database system starts, stops, and restarts; various system failures and errors; user privilege changes; database structure changes; database administrator actions; and database data access. These logged events provide deep insight into the IT infrastructure and business data--insight that can help enterprises meet their security, compliance, and IT operational needs. The question then becomes: if databases offer extensive logs that are crucial for accurate and effective user-activity tracking and/or preventing insider attacks, why do database logs remain the forgotten children of the log family?

There are several reasons that database log management and analysis does not happen to the extent that it should. First, it is inherently complicated--the logs themselves are unclear and often difficult to analyse; many databases log in multi-line format, where a single record might be spread across multiple lines of log data. In addition, all but the most basic database logging capabilities are typically turned "off" by default, however shocking that sounds in today's compliance-heavy environment. To enable proper database logging, a database administrator (DBA) must set special configuration options or sometimes restart the database software, both of which take time, manpower, and expertise. Further, unlike other areas of the IT infrastructure, where logging has a negligible impact on system performance, database logging does actually slow down the database, especially when all access to data is recorded. High-performance databases are meant to provide thousands of data transactions per second, and logging all of those events takes power and space that most DBAs don't want to sacrifice. From the DBA perspective, their job is not to log, but to ensure the smooth functioning of the database and quick responses to database queries by customers. To top it off, few security professionals are familiar with in-depth details of database logging.

But it Has to be Done ...

Despite these challenges, database logging must be enabled and log review must happen. For example, viewing the authentication logs is the only way to verify what access control decisions are made, who views and downloads what data, who is connected to the server, who is deleting or corrupting data, and whether or not a security breach has led to unauthorised access to critical and supposedly secure information. Reviewing database logs is the only way to know the "who, what, where, and how" if a disgruntled employee accesses a secure customer list to steal confidential data or, worse, to modify it to cause embarrassing problems for company executives (!). It is unlikely that intrusion detection or other security technology would stop this type of problematic user activity in time, but records of the employee's search would be found, immutable, in database logs. Having such logs ready for real-time analysis and reports could mitigate the damage from that type of attack or abuse.
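The multi-line record problem described above is the first obstacle any review tooling has to clear: a record that spans several physical lines has to be reassembled before anyone can ask "who ran what". The following Python is an added example, not code from the original article. Its log format is constructed for illustration (a header line with timestamp, pid, user and database, followed by indented continuation lines, a pattern several engines use for multi-line statements); the sample records are constructed as well.

```python
"""Reassemble multi-line database log records into structured events.

Added example, not code from the original article. The log format is
constructed: a record starts with a timestamp and a bracketed pid, and any
following line that begins with whitespace belongs to the same record.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: four records spread over seven physical lines.
SAMPLE_LOG = """\
2024-03-01 09:14:02 UTC [4123] user=app_rw db=sales LOG:  connection authorized: user=app_rw database=sales
2024-03-01 09:14:05 UTC [4123] user=app_rw db=sales LOG:  statement: SELECT id, total
\tFROM orders
\tWHERE customer_id = 42
2024-03-01 09:15:11 UTC [4190] user=jsmith db=sales ERROR:  permission denied for table customers
\tSTATEMENT:  SELECT * FROM customers
2024-03-01 09:16:00 UTC [4123] user=app_rw db=sales LOG:  disconnection: session time: 0:01:58
"""

HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC "
    r"\[(?P<pid>\d+)\] user=(?P<user>\S+) db=(?P<db>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)


@dataclass
class DbEvent:
    ts: str
    pid: int
    user: str
    db: str
    level: str
    message: str   # header text plus continuation lines joined by a space
    lines: int = 1  # physical lines the record occupied


def reassemble(text: str) -> list[DbEvent]:
    """Join continuation lines onto their header line and parse each record."""
    events: list[DbEvent] = []
    current: DbEvent | None = None
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t"):  # continuation of the previous record
            if current is None:
                raise ValueError(f"continuation line without a header: {raw!r}")
            current.message += " " + raw.strip()
            current.lines += 1
            continue
        m = HEADER.match(raw)
        if not m:
            raise ValueError(f"unparseable header line: {raw!r}")
        current = DbEvent(m["ts"], int(m["pid"]), m["user"], m["db"],
                          m["level"], m["msg"].strip())
        events.append(current)
    return events


def statements_by_user(events: list[DbEvent]) -> dict[str, list[str]]:
    """Answer the 'who ran what' question from the reassembled records."""
    out: dict[str, list[str]] = {}
    for ev in events:
        if ev.message.startswith("statement:"):
            out.setdefault(ev.user, []).append(ev.message[len("statement:"):].strip())
    return out


if __name__ == "__main__":
    evs = reassemble(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev.ts} {ev.user}@{ev.db} {ev.level}: {ev.message} ({ev.lines} lines)")
    print(statements_by_user(evs))
```

The parser refuses a continuation line with no preceding header rather than guessing, because a silently dropped line is exactly the kind of gap an auditor cannot afford; a collector that truncates or reorders lines shows up as an error instead of a subtly wrong event.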
In fact, one of the more important database logs is actually a log of DBA activity. DBAs have access to all sorts of confidential information that is stored in the database--patient information in hospitals, financial information in financial institutions, and credit card information in retail stores. They also have the best ability to modify or corrupt covert data. It is essential that DBA activity logs be collected, reviewed, and--yes!--protected from DBAs themselves as a "separation of duty" measure, because with near-unbridled access to the company crown jewels, they could present an internal threat to company security. Of course, this brings up another known point of resentment for DBAs towards logging!

In addition to security, database logging and log analysis must be performed for IT auditors to enable regulatory compliance with the slew of government mandates for preserving and securing data. The Payment Card Industry Data Security Standard (PCI-DSS), designed to enhance payment account data security, mandates that companies monitor their logs; although it does not specify database logs, this information would be crucial to guaranteeing secure payment information, since this data is stored in a database. The Sarbanes-Oxley Act (SOX) mandates that companies must have an assurance of internal controls.
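"Protected from DBAs themselves" needs a concrete mechanism: a copy of the privileged-activity records held where the DBA has no write access, stored so that any edit or deletion is detectable. The following Python is an added example, not code from the article, and the hash chain is one technique among several for this (the article names none); the record fields and the three DBA activity records are constructed for illustration.

```python
"""Tamper-evident storage for DBA activity records.

Added example, not from the article. Each record is appended to a hash chain
held on a collector outside the DBA's control; verification recomputes the
chain from the first record to the published head. Records are constructed.
"""
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so that key order cannot change the digest.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class ChainedLog:
    """Append-only list of (record, hash) pairs; each hash covers its predecessor."""

    def __init__(self) -> None:
        self.entries: list[tuple[dict, str]] = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = _digest(prev, record)
        self.entries.append((dict(record), h))
        return h

    def head(self) -> str:
        return self.entries[-1][1] if self.entries else GENESIS


def verify(entries: list[tuple[dict, str]], expected_head: str) -> tuple[bool, int | None]:
    """Recompute the chain. Returns (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, (record, h) in enumerate(entries):
        if _digest(prev, record) != h:
            return False, i          # record edited, or hash rewritten
        prev = h
    if prev != expected_head:
        return False, len(entries)   # entries dropped or added after the head was published
    return True, None


# Constructed DBA activity records, as they would arrive at the collector.
DBA_ACTIVITY = [
    {"ts": "2024-03-01T22:01:10Z", "user": "dba_kim", "action": "GRANT",
     "detail": "SELECT ON patients TO reporting"},
    {"ts": "2024-03-01T22:03:45Z", "user": "dba_kim", "action": "ALTER",
     "detail": "TABLE patients DROP COLUMN ssn"},
    {"ts": "2024-03-01T22:05:02Z", "user": "dba_kim", "action": "DELETE",
     "detail": "FROM audit_trail WHERE ts < now()"},
]


def demo() -> dict[str, tuple[bool, int | None]]:
    """Build a chain, then show that editing or truncating the stored copy is detected."""
    log = ChainedLog()
    for rec in DBA_ACTIVITY:
        log.append(rec)
    head = log.head()  # the head is what gets published off-host (e.g. to the SIEM)
    results = {"clean": verify(log.entries, head)}

    # Someone with write access to the stored copy rewrites the DELETE record.
    edited = [(dict(r), h) for r, h in log.entries]
    edited[2][0]["detail"] = "FROM tmp_scratch"
    results["edited"] = verify(edited, head)

    # Or simply removes the last, most suspicious record.
    results["truncated"] = verify(log.entries[:2], head)
    return results


if __name__ == "__main__":
    print(demo())
```

The chain only helps if the head value leaves the host promptly and lands somewhere the DBA cannot reach, which is the separation-of-duty point the paragraph makes: the control is the placement of the copy, and the hash chain just makes tampering with it visible.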
In spirit, this regulation means that officers of the company should be sure that their financial records, stored in databases, remain intact and unmodified. Of course, it is a logical conclusion that if financial data is stored in databases and this financial data must be locked, safe and secure, the best way to guarantee data security and integrity is to review the database logs. The Health Insurance Portability and Accountability Act (HIPAA) requires that patient information (again, stored in a database) is kept secure and controlled. Imagine if a nurse were interested in peeking at celebrity health records. If she isn't caught red-handed at the computer, how would anyone know? The answer should already be obvious--look at the logs. Perhaps the user name of Nurse Smith, who has no business accessing the database, will show up as having viewed a chart detailing the latest Hollywood star's emergency-room treatment for a drug overdose, and the hospital will know that she has accessed confidential records.
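The Nurse Smith scenario only works if someone actually compares the access log against who is supposed to read what. Here is that comparison as an added Python example, not code from the article; the role table, the per-role list of authorised tables, the bulk-read threshold and the access events are all constructed, and in practice the roles would come from the identity or HR system and the events from the database's access log.

```python
"""Review parsed data-access events against who is allowed to read what.

Added example, not from the article. Policy, roles and events are constructed.
"""
from __future__ import annotations

from collections import Counter

# Constructed: which tables each job role legitimately needs.
ALLOWED_TABLES = {
    "er_nurse": {"er_patients", "er_charts", "medications"},
    "billing": {"invoices", "insurance_claims"},
    "dba": set(),  # DBAs administer the server; they have no business reading patient rows
}
# Constructed: user -> role (would come from the identity system).
ROLES = {"nurse_smith": "er_nurse", "nurse_lee": "er_nurse", "j_doe": "billing", "dba_kim": "dba"}

# Constructed access events, already parsed from the database's access log.
EVENTS = [
    {"ts": "2024-03-02T14:02:11Z", "user": "nurse_lee", "op": "SELECT", "table": "er_charts", "rows": 1},
    {"ts": "2024-03-02T14:05:40Z", "user": "nurse_smith", "op": "SELECT", "table": "vip_charts", "rows": 1},
    {"ts": "2024-03-02T14:06:02Z", "user": "nurse_smith", "op": "SELECT", "table": "vip_charts", "rows": 3},
    {"ts": "2024-03-02T14:10:00Z", "user": "j_doe", "op": "SELECT", "table": "invoices", "rows": 250},
    {"ts": "2024-03-02T23:41:13Z", "user": "dba_kim", "op": "SELECT", "table": "er_patients", "rows": 18000},
    {"ts": "2024-03-02T23:42:00Z", "user": "unknown_svc", "op": "DELETE", "table": "audit_trail", "rows": 900},
]


def review(events, roles=ROLES, allowed=ALLOWED_TABLES, bulk_threshold=1000):
    """Return one finding per event that the access policy does not explain."""
    findings = []
    for ev in events:
        role = roles.get(ev["user"])
        reasons = []
        if role is None:
            reasons.append("user not in role table")
        elif ev["table"] not in allowed[role]:
            reasons.append(f"table not authorised for role {role}")
        if ev["rows"] >= bulk_threshold:
            reasons.append(f"bulk read of {ev['rows']} rows")
        if ev["op"] in ("DELETE", "UPDATE", "DROP") and ev["table"] == "audit_trail":
            reasons.append("modification of the audit trail itself")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def summarise(findings) -> Counter:
    """Count findings per user so the reviewer sees repeat offenders first."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    found = review(EVENTS)
    for f in found:
        print(f["ts"], f["user"], f["op"], f["table"], "->", "; ".join(f["reasons"]))
    print(summarise(found))
```

An unknown user name is treated as a finding in its own right rather than ignored: an account that is not in the role table is either a stale account or one created outside the normal process, and both deserve a look before the access itself is judged.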
More generally, IT governance best practices frameworks such as the Control Objectives for Information and related Technology (COBIT) also steer IT users towards database logging.

Database Logging Doesn't Have to be A Challenge ...

Enterprises are faced with a staggering amount of logs, and databases are among the most "chatty" log sources. The presence of these logs and their review and analysis are essential to ensure IT security and compliance, but, unfortunately, for the reasons mentioned above, the cards are stacked against their easy and comprehensive collection, review, and analysis. So what's to be done? As mentioned before, most commercial databases log surprisingly few events by default. For those companies that use database logging capabilities in only the most basic way, a manual log review may be suitable. However, if any kind of database security "best practices" are being followed and more comprehensive logging is enabled, automation of log analysis and log management via some technology is required. Simpler log analysis tools, often provided by database vendors, allow skilled DBAs to review logs on a specific database server and gain some insight into database activity, but do not provide any real-time analysis in the form of alerting or alarms.
To ease the necessary burden of log collection and review, leading security technology vendors offer more advanced log management appliances that allow automation of what could be a time-consuming, manual-labour-intensive process (or, worse, an insurmountable obstacle), including monitoring of logs, searches of logs, and instant responses in the case of a breach or suspicious database activities. Most importantly, these tools work across multiple database servers and even across database types, in combination with logs from servers, security devices, and other network architecture components. Analysis of all of these logs via one device allows users to put the database data in the context of other enterprise log data and to correlate database activity with other activity elsewhere on the network. This multi-faceted log management solution paints a more accurate picture of IT infrastructure activity and is more desirable and more efficient than using separate database, security, server, and network logging tools.

Imagine a hacker connecting to a company's web server and deploying malware to hack deeper inside the company in an attempt to access or steal database information.
To investigate the situation if it comes to light (and with the proper security technology, it most definitely would come to light), a company would want to have a single solution or technology that can bring together log data from multiple sources (databases, firewalls, routers, servers, applications, operating systems, and network devices) so that information about the attack and its effects (not just on the database specifically targeted but also on other parts of the IT infrastructure) is coherent and readily available and accessible. A single, one-stop security solution for log management simplifies the process greatly.

Another advantage of advanced log management tools is the automation of the log management life-cycle: from the collection of logs where they are generated to the secure transfer of the log data to the company's central server for analysis and storage; from the issuance of real-time alerts to DBAs in the event of a breach to the provision of reports and analytics based on log data; and from the secure storage of the logs for as long as is mandated by whatever retention policy the company operates under to the safe destruction of the logs when it is acceptable to do so.

Obviously, choosing between a simple analysis tool and a more advanced log management deployment depends on many company factors--budget, IT resources, size, and what sort of regulatory mandates the organisation is subject to. Deploying an enterprise-wide solution is, of course, more complicated than simply installing a tool on an individual server, but the benefits of such broad deployment via a true log management appliance will extend far beyond solving a single tactical problem.
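The web-server-to-database scenario above is where a single view over several log sources earns its keep: a database anomaly is read next to what the web server and firewall saw from the same host at the same time. The following Python is an added example, not code from the article or from any vendor's product; the three log feeds, the host names, the two-minute window and the "trigger" rules that pick out database events worth investigating are all constructed for illustration.

```python
"""Correlate database log events with events from other log sources.

Added example, not from the article. Three constructed feeds (web server,
firewall, database) are already normalised into one event shape: a timestamp,
the source that produced it, the originating host, and the message text.
"""
from __future__ import annotations

from datetime import datetime, timedelta


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed events; "host" is the machine the activity originated from.
WEB = [
    {"ts": ts("2024-03-03T02:10:05"), "src": "web", "host": "web01", "msg": "POST /upload.php 200 from 203.0.113.7"},
    {"ts": ts("2024-03-03T02:10:09"), "src": "web", "host": "web01", "msg": "GET /uploads/x.php 200 from 203.0.113.7"},
]
FW = [
    {"ts": ts("2024-03-03T02:10:30"), "src": "firewall", "host": "web01", "msg": "ALLOW web01 -> db01:5432"},
    {"ts": ts("2024-03-03T08:00:00"), "src": "firewall", "host": "web01", "msg": "ALLOW web01 -> db01:5432"},
]
DB = [
    {"ts": ts("2024-03-03T02:10:31"), "src": "db", "host": "web01", "msg": "FATAL: password authentication failed for user postgres"},
    {"ts": ts("2024-03-03T02:10:33"), "src": "db", "host": "web01", "msg": "FATAL: password authentication failed for user admin"},
    {"ts": ts("2024-03-03T02:10:40"), "src": "db", "host": "web01", "msg": "LOG: connection authorized: user=app_ro database=customers"},
    {"ts": ts("2024-03-03T02:10:52"), "src": "db", "host": "web01", "msg": "LOG: statement: SELECT * FROM customers"},
    {"ts": ts("2024-03-03T08:00:01"), "src": "db", "host": "web01", "msg": "LOG: connection authorized: user=app_ro database=customers"},
]


def db_triggers(events: list[dict]) -> list[dict]:
    """Database events worth investigating on their own (constructed rules)."""
    return [e for e in events
            if e["src"] == "db"
            and ("authentication failed" in e["msg"] or "SELECT *" in e["msg"])]


def correlate(all_events: list[dict], window: timedelta = timedelta(minutes=2)) -> list[dict]:
    """Group database triggers from one host into episodes, then attach every
    non-database event from the same host within the window as context."""
    ordered = sorted(all_events, key=lambda e: e["ts"])
    episodes: list[dict] = []
    for trig in db_triggers(ordered):
        last = episodes[-1] if episodes else None
        if last and last["host"] == trig["host"] and trig["ts"] - last["triggers"][-1]["ts"] <= window:
            last["triggers"].append(trig)
        else:
            episodes.append({"host": trig["host"], "triggers": [trig]})
    for ep in episodes:
        start = ep["triggers"][0]["ts"] - window
        end = ep["triggers"][-1]["ts"] + window
        ep["context"] = [e for e in ordered
                         if e["src"] != "db" and e["host"] == ep["host"] and start <= e["ts"] <= end]
        ep["sources"] = sorted({e["src"] for e in ep["context"]} | {"db"})
    return episodes


if __name__ == "__main__":
    for ep in correlate(WEB + FW + DB):
        print(f"episode on {ep['host']}: sources={ep['sources']}")
        for e in sorted(ep["triggers"] + ep["context"], key=lambda e: e["ts"]):
            print(f"  {e['ts'].isoformat()} [{e['src']}] {e['msg']}")
```

The 08:00 connection from the same host is deliberately left out of the episode: it is the normal application path, and a correlation that pulled in every routine event would bury the one that matters. Tuning the window and the trigger rules is the real work of deploying such a view; the join itself is simple.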
Satisfying current operational, security, and compliance requirements requires databases to be configured with detailed logging. Unfortunately, the inevitable result of enabling this detailed logging is a cascade of log data, the likes of which no one person or team would be able to process manually. For enterprises that are serious about securing their systems, using log management tools for log automation is absolutely essential. While database-vendor-specific tools are better than nothing, combining database log management with other similar projects that manage logs from other sources, and using a single platform for all of them, is the desirable option to deter internal and external threats and make shorter work of regulatory compliance.

In summary, getting familiar with database logging and log analysis is a must for today's information security professionals. Security and compliance drivers will make database log management ubiquitous in the coming years, and it's never too late to start getting up to speed with these complicated subjects.

Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognised security expert and book author. In his current role as a Director of Product Management with LogLogic, a log management and intelligence company, he is involved with defining and executing on a product vision and strategy, driving the product roadmap, conducting research as well as assisting key customers with their LogLogic implementations. A frequent conference speaker, he also represents the company at various security meetings and standards organisations. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3" and the upcoming book on PCI. Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal