Implementing Database Security and Auditing

by
Format: Paperback
Pub. Date: 2005-04-18
Publisher(s): Elsevier Science

Summary

This book is about database security and auditing. You will learn many methods and techniques that will be helpful in securing, monitoring and auditing database environments. It covers diverse topics that include all aspects of database security and auditing - including network security for databases, authentication and authorization issues, links and replication, database Trojans, etc. You will also learn of vulnerabilities and attacks that exist within various database environments or that have been used to attack databases (and that have since been fixed). These will often be explained to an internals level. There are many sections which outline the anatomy of an attack before delving into the details of how to combat such an attack. Equally important, you will learn about the database auditing landscape both from a business and regulatory requirements perspective as well as from a technical implementation perspective.

Table of Contents

Preface
1 Getting Started
  Getting Started
  1.1 Harden your database environment
    1.1.1 Hardening an Oracle environment
    1.1.2 Hardening a SQL Server environment
    1.1.3 Hardening a DB2 UDB (LUW) environment
    1.1.4 Hardening a Sybase environment
    1.1.5 Hardening a MySQL environment
    1.1.6 Use configuration scanners or audit checklists
  1.2 Patch your database
    1.2.1 Track security bulletins
    1.2.2 Example of a class of vulnerabilities: Buffer overflows
    1.2.3 Anatomy of buffer overflow vulnerabilities
  1.3 Audit the database
  1.4 Define an access policy as the center of your database security and auditing initiative
  1.5 Resources and Further Reading
  1.6 Summary
  1.A C2 Security and C2 Auditing
2 Database Security within the General Security Landscape and a Defense-in-Depth Strategy
  2.1 Defense-in-depth
  2.2 The security software landscape
    2.2.1 Authentication, authorization, and administration
    2.2.2 Firewalls
    2.2.3 Virtual private networks (VPNs)
    2.2.4 Intrusion detection and prevention
    2.2.5 Vulnerability assessment and patch management
    2.2.6 Security management
    2.2.7 Antivirus
    2.2.8 Cutting across categories
  2.3 Perimeter security, firewalls, intrusion detection, and intrusion prevention
    2.3.1 Firewalls
    2.3.2 Intrusion detection systems (IDS)
    2.3.3 Intrusion prevention systems (IPS)
  2.4 Securing the core
  2.5 Application security
  2.6 Public key infrastructure (PKI)
  2.7 Vulnerability management
    2.7.1 Why are there so many vulnerabilities?
    2.7.2 Vulnerability scanners
    2.7.3 Monitoring and baselining
  2.8 Patch management
  2.9 Incident management
  2.10 Summary
3 The Database as a Networked Server
  3.1 Leave your database in the core
  3.2 Understand the network access map for your database environment
  3.3 Track tools and applications
  3.4 Remove unnecessary network libraries
    3.4.1 SQL Server (and Sybase) networking layers
    3.4.2 DB2 networking layers
    3.4.3 Oracle networking layers
    3.4.4 Implementation options: Use TCP/IP only
  3.5 Use port scanners - so will the hackers
  3.6 Secure services from known network attacks
    3.6.1 Anatomy of a vulnerability: SQL Slammer
    3.6.2 Implementation options: Watch vulnerabilities that can be exploited over the network
  3.7 Use firewalls
  3.8 Summary
  3.A What is a VPN?
  3.B Named Pipes and SMB/CIFS
4 Authentication and Password Security
  4.1 Choose an appropriate authentication option
    4.1.1 Anatomy of the vulnerability: Weak authentication options
    4.1.2 Implementation options: Understand what authentication types are available and choose strong authentication
  4.2 Understand who gets system administration privileges
  4.3 Choose strong passwords
    4.3.1 Anatomy of the vulnerability: Guessing and cracking passwords
    4.3.2 Implementation options: Promote and verify the use of strong passwords
  4.4 Implement account lockout after failed login attempts
    4.4.1 Anatomy of a related vulnerability: Possible denial-of-service attack
    4.4.2 Implementation options for DoS vulnerability: Denying a connection instead of account lockout
  4.5 Create and enforce password profiles
  4.6 Use passwords for all database components
    4.6.1 Anatomy of the vulnerability: Hijacking the Oracle listener
    4.6.2 Implementation options: Set the listener password
  4.7 Understand and secure authentication back doors
  4.8 Summary
  4.A A brief account of Kerberos
5 Application Security
  5.1 Reviewing where and how database users and passwords are maintained
    5.1.1 Anatomy of the vulnerability: Database passwords in application configuration files
    5.1.2 Implementation options: Knowing and controlling how database logins are used
  5.2 Obfuscate application code
    5.2.1 Anatomy of the vulnerability: Source code and pseudo-code
    5.2.2 Implementation options: Precompilation and obfuscation
  5.3 Secure the database from SQL injection attacks
    5.3.1 Anatomy of the vulnerability: Understanding SQL injection
    5.3.2 Implementation options: Preempt, monitor/alert, and block
  5.4 Beware of double whammies: Combination of SQL injection and buffer overflow vulnerability
    5.4.1 Anatomy of the vulnerability: Injecting long strings into procedures with buffer overflow vulnerabilities
    5.4.2 Implementation options: Patches and best practices
  5.5 Don't consider eliminating the application server layer
  5.6 Address packaged application suites
    5.6.1 Anatomy of the vulnerability: All applications have bugs
    5.6.2 Implementation options: Patch and monitor
  5.7 Work toward alignment between the application user model and the database user model
  5.8 Summary
6 Using Granular Access Control
  6.1 Align user models by communicating application user information
  6.2 Use row-level security (fine-grained privileges/access control)
  6.3 Use label security
  6.4 Integrate with enterprise user repositories for multitiered authentication
  6.5 Integrate with existing identity management and provisioning solutions
  6.6 Summary
7 Using the Database To Do Too Much
  7.1 Don't use external procedures
    7.1.1 Disable Windows extended stored procedures
    7.1.2 Disable external procedures in Oracle
    7.1.3 Prefer SQL/PL in DB2 UDB over external runtime environments
  7.2 Don't make the database a Web server and don't promote stored procedure gateways
    7.2.1 Mod_plsql
    7.2.2 Mod_ose
    7.2.3 Implementation options: Remove modules and/or remove the HTTP server
  7.3 Don't generate HTML from within your stored procedures
  7.4 Understand Web services security before exposing Web services endpoints
    7.4.1 XML Web services for SQL Server 2005
    7.4.2 DB2 Web services
    7.4.3 Web services callouts from Oracle
    7.4.4 Web services security
  7.5 Summary
  7.A Cross-site scripting and cookie poisoning
  7.B Web services
8 Securing database-to-database communications
  8.1 Monitor and limit outbound communications
  8.2 Secure database links and watch for link-based elevated privileges
  8.3 Protect link usernames and passwords
  8.4 Monitor usage of database links
  8.5 Secure replication mechanisms
    8.5.1 Replication options
    8.5.2 Secure replication files and folders
    8.5.3 Secure and monitor replication users and connections
    8.5.4 Monitor commands that affect replication
    8.5.5 Monitor other potential leakage of replication information
  8.6 Map and secure all data sources and sinks
    8.6.1 Secure and monitor log shipping schemes
    8.6.2 Secure and monitor mobile databases
  8.7 Summary
9 Trojans
  9.1 The four types of database Trojans
  9.2 Baseline calls to stored procedures and take action on divergence
  9.3 Control creation of and changes to procedures and triggers
  9.4 Watch for changes to run-as privileges
    9.4.1 Anatomy of the vulnerability: Oracle's PARSE_AS_USER
    9.4.2 Implementation options: Monitor all changes to the run-as privileges
  9.5 Closely monitor developer activity on production environments
  9.6 Monitor creation of traces and event monitors
    9.6.1 Anatomy of the vulnerability: Setting up an event monitor or a trace
    9.6.2 Implementation options: Monitor event/trace creation and/or audit all event monitors and traces
  9.7 Monitor and audit job creation and scheduling
  9.8 Be wary of SQL attachments in e-mails
  9.9 Summary
  9.A Windows Trojans
10 Encryption
  10.1 Encrypting data-in-transit
    10.1.1 Anatomy of the vulnerability: Sniffing data
    10.1.2 Implementation options for encrypting data-in-transit
  10.2 Encrypt data-at-rest
    10.2.1 Anatomy of the vulnerability: Prying SELECTs and file theft
    10.2.2 Implementation options for encrypting data-at-rest
    10.2.3 What to consider when selecting an implementation option
  10.3 Summary
  10.A Tapping into a TCP/IP session
11 Regulations and Compliance
  11.1 The alphabet soup of regulations: What does each one mean to you?
    11.1.1 Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    11.1.2 Gramm-Leach-Bliley Act of 1999 (GLBA)
    11.1.3 Sarbanes-Oxley Act (SOX or SarBox)
    11.1.4 California Senate Bill 1386
  11.2 Understand business needs and map to technical requirements
    11.2.1 Use "reverse mappings"
    11.2.2 Timetable, data, and process mappings
    11.2.3 Example: SOX and Excel
  11.3 The role of auditing
  11.4 The importance of segregation of duties
  11.5 Implement a sustainable solution
  11.6 Summary
12 Auditing Categories
  12.1 Audit logon/logoff into the database
  12.2 Audit sources of database usage
  12.3 Audit database usage outside normal operating hours
  12.4 Audit DDL activity
  12.5 Audit database errors
  12.6 Audit changes to sources of stored procedures and triggers
  12.7 Audit changes to privileges, user/login definitions, and other security attributes
  12.8 Audit creations, changes, and usage of database links and of replication
  12.9 Audit changes to sensitive data
  12.10 Audit SELECT statements for privacy sets
  12.11 Audit any changes made to the definition of what to audit
  12.12 Summary
13 Auditing Architectures
  13.1 Don't create a false sense of security
  13.2 Opt for an independent/backup audit trail
  13.3 Architectures for external audit systems
  13.4 Archive auditing information
  13.5 Secure auditing information
  13.6 Audit the audit system
  13.7 Sustainable automation and oversight for audit activities
  13.8 Think in terms of a data warehouse
  13.9 Implement good mining tools and security applications
  13.10 Support changing audit requirements
  13.11 Prefer an auditing architecture that is also able to support remediation
  13.12 Summary
  13.A PGP and GPG
Index
