Tuesday, March 06, 2007

On Database Logging and Auditing (Teaser + NOW Full Paper)

Here is an excerpt from a fun paper on database logging that I just wrote:

"Database security has been capturing more and more attention in recent years, even though most of the security issues surrounding databases have existed since the first day commercial database systems were introduced to the market.

Nowadays, database security is often seen as containing the following principal components:
• access control to database software, structures and data
• database configuration hardening
• database data encryption
• database vulnerability scanning

It is interesting to see that logging and auditing underlie all of the above domains of database security. Indeed, the only way to verify what access control decisions are being made and who views what data from the RDBMS is to look at the authentication logs. Database configuration hardening includes enabling and increasing the auditing levels. Similarly, data encryption might be verified by log and configuration review. And vulnerability exploitation usually leaves traces in logs, despite what some say (the challenge is more often with understanding what the log said and not with having the logs).

In recent years, insider attacks have gathered more attention than periodic outbreaks of malware, and database logging happens to be at the forefront of this fight against insider attacks. Database systems are usually deployed deep inside the company network, and thus insiders usually have the easiest opportunity to attack and compromise them, and then steal (or “extrude”, as some would say) the data..."

Read more here if you are a CSI Member. If you are not, the only way to get my paper is to ask me (sorry, copyrighted stuff).


UPDATE: another similar paper by me is posted here.

UPDATE2: The full paper mentioned above is posted, finally! Enjoy my "Introduction to Database Log Management" at InfosecWriters!

6 comments:

Augusto Barros said...

OK, may I ask for the paper through the comments section? :-)

Augusto Paes de Barros

Anton Chuvakin said...

Is the address in your blogger account the best way to send the paper?

PaulM said...

I am also interested in reading your paper. Database and app->db logging and log analysis is something I'm working on right now. And unlike firewall log analysis, it's not *that* easy. ;-)

Sending to my Blogger account address would work fine.

Thanks,
PaulM

Anonymous said...

Hi Anton,

I am interested in this paper too. If you can send it to dcid at XX ossec . net, I would appreciate it.

Unknown said...

Hi Anton,

Your teaser is certainly very teasing. Can you please send a copy of your paper to me (wkchow at ncs.com.sg)?

I'm trying to convince my mgt to undertake database logging ..

MalwareAnalysis said...

Do we have a guide which clearly talks about each Oracle event ID?

Because it's very difficult to know what each Oracle event ID does.

Your help will be much appreciated.

Dr Anton Chuvakin