A few weeks ago, I gave a presentation about addressing the insider threat to database security at the ISACA Network Security conference in Las Vegas (thanks ISACA for having me!).
My session covered database security issues in general, then focused in on the threat from insiders and what organizations can do to protect themselves.
It was a very well attended and interactive session. Great to see the audit community showing such interest in data and database security issues!
The most interesting part of these presentations for me is the Q&A session at the end of my talk. The types of questions that get asked provide great insight into the data security problems that folks are dealing with day in and day out.
This time around, the most interesting questions were asked after the session during some one-on-one discussions. There was one question in particular I'd like to discuss:
My DBAs tell me that they have enabled logging on their databases and therefore their DB security work is done. They won't consider adhering to any best practices for configuration, nor are they willing to discuss patching vulnerabilities or fixing weak passwords. What can I do?
This came from an internal auditor at a large public company. Sadly, it's not that unusual a situation. The auditor is rightfully concerned about potential security issues in the databases that could lead to major data loss. The DBAs, however, want nothing to do with it, claiming logging is more than enough. They couldn't be more wrong.
Logging is important. It provides an audit trail of what actions have been taken in a database, which is what lets you reconstruct an incident after the fact. Logging, however, is a detective control, not a preventive one: it does nothing to improve the security of the database itself. If weak and default passwords are in place, logging won't stop someone from breaking in and stealing data; it will only record that it happened.
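To make the difference concrete, here is an added example (not from the original post, and not tied to any particular database product) that models a database with logging enabled but no configuration hardening. A hypothetical table of well-known default logins, a constructed list of accounts, the `password_findings` checks and the minimum length of 12 are all assumptions made for the illustration. The configuration check flags the weak and default credentials before anyone abuses them; the logging-only database happily records the break-in.

```python
import re

# Constructed sample data for this example; not taken from any real system.
# Hypothetical lookup table of well-known default database logins.
DEFAULT_CREDENTIALS = {
    "sa": {"", "sa", "password"},
    "scott": {"tiger"},
    "system": {"manager"},
    "root": {"", "root"},
}

# Accounts as a configuration-review script might pull them from the catalog
# (constructed for this example).
SAMPLE_ACCOUNTS = [
    {"user": "sa", "password": "sa"},
    {"user": "scott", "password": "tiger"},
    {"user": "app_user", "password": "Summer2012"},
    {"user": "report_ro", "password": "c7!Vq9#zL2pW"},
]

MIN_LENGTH = 12  # assumed policy value for the example


def password_findings(user, password):
    """Return the reasons a credential fails the configuration check (empty if it passes)."""
    findings = []
    if password in DEFAULT_CREDENTIALS.get(user, set()):
        findings.append("default vendor credential")
    if password == "":
        findings.append("empty password")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(1 for pattern in classes if re.search(pattern, password)) < 3:
        findings.append("fewer than three character classes")
    return findings


def audit_accounts(accounts):
    """Preventive control: map each failing user to its findings; compliant users are omitted."""
    result = {}
    for account in accounts:
        findings = password_findings(account["user"], account["password"])
        if findings:
            result[account["user"]] = findings
    return result


class LoggingOnlyDatabase:
    """Models a database where logging is on but nothing else is hardened.

    Every login attempt is written to the audit log, successful or not,
    and nothing is ever blocked. This is the detective-only posture."""

    def __init__(self, accounts):
        self._creds = {a["user"]: a["password"] for a in accounts}
        self.audit_log = []

    def login(self, user, password):
        ok = self._creds.get(user) == password
        outcome = "SUCCESS" if ok else "FAIL"
        self.audit_log.append(f"LOGIN user={user} result={outcome}")
        return ok


def attacker_default_password_spray(db):
    """Try the default credential list against the database; return the users compromised."""
    compromised = []
    for user, guesses in DEFAULT_CREDENTIALS.items():
        for guess in guesses:
            if db.login(user, guess):
                compromised.append(user)
                break
    return compromised


if __name__ == "__main__":
    print("Configuration findings (what prevention would have caught):")
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"  {user}: {', '.join(findings)}")

    db = LoggingOnlyDatabase(SAMPLE_ACCOUNTS)
    owned = attacker_default_password_spray(db)
    print(f"\nAccounts compromised with logging alone: {owned}")
    print("Audit trail (a record of the break-in, not a defence against it):")
    for line in db.audit_log:
        print("  " + line)
```

Running the script lists `sa`, `scott` and `app_user` as failing the check, while the logging-only database lets the default-credential spray log straight in as `sa` and `scott` and leaves nothing behind but audit entries. The auditor's point stands: the log tells you the data is gone, the configuration work is what keeps it from going.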
