Tuesday, March 06, 2007

On Database Logging and Auditing (Teaser + NOW Full Paper)

Here is an excerpt from a fun paper on database logging that I just wrote:

"Database security has been capturing more and more attention in recent years, even though most of the security issues surrounding databases have existed since the first day commercial database systems were introduced to the market.

Nowadays, database security is often seen as containing the following principal components:
• access control to database software, structures and data
• database configuration hardening
• database data encryption
• database vulnerability scanning

It is interesting to see that logging and auditing underlie all of the above domains of database security. Indeed, the only way to verify what access control decisions are being made and who views what data from the RDBMS is to look at the authentication logs. Database configuration hardening includes enabling and increasing the auditing levels. Similarly, data encryption might be verified by log and configuration review. And, vulnerability exploitation usually leaves traces in logs despite what some say (the challenge is more often with understanding what the log said and not with having the logs).

In recent years, insider attacks have gathered more attention than periodic outbreaks of malware; and database logging happens to be in the forefront of this fight against insider attacks. Database systems are usually deployed deep inside the company network, and thus insiders usually have the easiest opportunity to attack and compromise them, and then steal (or “extrude” as some would say) the data..."
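The excerpt makes two points worth seeing in practice: the audit log is how you answer "who viewed what data", and the hard part is usually reading the log, not having it. The following is an added example, not code from the paper or the blog post. It parses a small set of constructed database audit records in a hypothetical format (no real vendor's log layout is assumed) and answers three defender questions: which tables each account read, which accounts had a burst of failed logins, and which accounts outside an allowed list touched a sensitive table. The log lines, table names, user names and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records in a hypothetical "key=value" layout.
# This is NOT any real RDBMS audit format; it only stands in for one.
SAMPLE_LOG = """\
2007-03-06T09:01:12 LOGIN user=alice src=10.1.4.22 result=SUCCESS
2007-03-06T09:01:40 QUERY user=alice src=10.1.4.22 stmt="SELECT name FROM customers WHERE id=42"
2007-03-06T09:02:05 LOGIN user=bob src=10.1.9.7 result=FAILURE
2007-03-06T09:02:09 LOGIN user=bob src=10.1.9.7 result=FAILURE
2007-03-06T09:02:14 LOGIN user=bob src=10.1.9.7 result=FAILURE
2007-03-06T09:02:20 LOGIN user=bob src=10.1.9.7 result=SUCCESS
2007-03-06T09:03:00 QUERY user=bob src=10.1.9.7 stmt="SELECT card_number, cvv FROM payment_cards"
2007-03-06T09:04:10 QUERY user=reports src=10.1.2.3 stmt="SELECT count(*) FROM orders"
2007-03-06T09:05:00 QUERY user=bob src=10.1.9.7 stmt="SELECT * FROM customers c JOIN payment_cards p ON c.id=p.cust_id"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>LOGIN|QUERY) user=(?P<user>\S+) src=(?P<src>\S+) (?P<rest>.*)$'
)
# Crude table extraction: names following FROM or JOIN. Good enough for the
# sample; a real deployment would use the database's own statement parser.
TABLE_RE = re.compile(r'\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)', re.IGNORECASE)


def parse_log(text):
    """Turn raw audit lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "LOGIN":
            ev["result"] = ev["rest"].split("=", 1)[1]
        else:
            ev["stmt"] = ev["rest"].split("=", 1)[1].strip('"')
            ev["tables"] = sorted({t.lower() for t in TABLE_RE.findall(ev["stmt"])})
        events.append(ev)
    return events


def tables_read_by_user(events):
    """Answer 'who viewed what': map each account to the tables it queried."""
    seen = defaultdict(set)
    for ev in events:
        if ev["event"] == "QUERY":
            seen[ev["user"]].update(ev["tables"])
    return {user: sorted(tables) for user, tables in seen.items()}


def failed_login_bursts(events, threshold=3, window_seconds=60):
    """Flag (user, src) pairs with >= threshold failed logins inside a sliding window."""
    fails = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGIN" and ev["result"] == "FAILURE":
            fails[(ev["user"], ev["src"])].append(ev["ts"])
    bursts = []
    for (user, src), times in fails.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((user, src, best))
    return bursts


def sensitive_access(events, sensitive_tables, allowed_users):
    """List reads of sensitive tables by accounts not on the allowed list."""
    hits = []
    for ev in events:
        if ev["event"] != "QUERY":
            continue
        for table in ev["tables"]:
            if table in sensitive_tables and ev["user"] not in allowed_users:
                hits.append((ev["ts"].isoformat(), ev["user"], table))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("tables read:", tables_read_by_user(evs))
    print("failed-login bursts:", failed_login_bursts(evs))
    print("sensitive access:", sensitive_access(evs, {"payment_cards"}, {"billing"}))
```

Running it against the sample shows the point of the excerpt: the raw lines say nothing by themselves, but once parsed they show `bob` failing to log in three times in nine seconds, succeeding, and then reading `payment_cards` twice while not being an account expected to touch it. The same three questions are what a review of real RDBMS audit output should be able to answer, whatever the vendor's format.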

Read more here if you are a CSI Member. If you are not, the only way to get my paper is to ask me (sorry, copyrighted stuff)

UPDATE: another similar paper by me is posted here.

UPDATE2: the full paper mentioned above is posted, finally! Enjoy my "Introduction to Database Log Management" at InfosecWriters!

Dr Anton Chuvakin