Janet Pietrofere, CIA, CISA, CICA, CRISC IS Digital Risk & Security Compliance Lead National Grid Corporation

Transcription

1 MS SQL Database Auditing Janet Pietrofere, CIA, CISA, CICA, CRISC IS Digital Risk & Security Compliance Lead National Grid Corporation Donald Campanaro, CRISC, MBA Senior Compliance Analyst National Grid Corporation May 8, 2012

2 National Grid Corporation National Grid is an international electricity and gas company and one of the largest investor-owned energy companies in the world. Supplies electricity to approximately 3.4 million customers in the northeastern US Delivers e gas to almost 11 million homes and businesses in the US and UK. High voltage transmission owner and operator in England and Wales US Electric Territory US Gas Territory UK Gas Territory 2

3 Sample Company s Investment in Wintel Operating System Count Microsoft Windows 2000 Advanced Server 12 Microsoft Windows 2000 Professional 1 Microsoft Windows 2000 Server 125 Microsoft Windows Server 2008 R2 Enterprise 32 Microsoft Windows Server 2008 R2 Standard 53 Microsoft(R) Windows(R) Server 2003 Enterprise x64 Edition 37 Microsoft(R) Windows(R) Server 2003 Standard x64 Edition 28 Microsoft(R) Windows(R) Server 2003, Enterprise Edition 84 Microsoft(R) Windows(R) Server 2003, Standard Edition 1,190 Microsoft Windows Server 2008 Enterprise 2 Microsoft Windows Server 2008 Standard 30 1,594 Total Windows Clients (desktops and laptops) ~ 35,000 3

4 Sample of SQL Applications Electric SCADA System Gas SCADA system Field Force Automation System Graphical Information System Outage Management System Gas and Electric Revenue Transfers 4

5 Goals of the Session Learn to adapt the user and schema design to maximize SQL server reliability and to ensure that your enterprise is able to maximize delivered analytics Identify the audit and security review objectives right for your enterprise Discover what htaudit services are required dto dt determine underlying design and implementation to ensure reliability 5

6 Common Database Types 101 I. Hierarchical Model The hierarchical data model organizes data in a tree structure. There is a hierarchy of parent and child data segments (i.e. IMS). II. Relational Model In such a database the data and relations between them are organized in tables. A table is a collection of records and each record in a table contains the same fields (i.e. DB2; SQL Server). III. Relational Object Model relational model which integrates management oftraditional fielded data, complex objectssuchastime seriessuch time series and geospatial data and diverse binary media such as audio, video, images, and applets (i.e. Oracle). IV. Object Oriented one to one mapping of object programming language objects to database objects (i.e. C++; Java; Smalltalk) 6

7 SQL Schemas A database schema is a way to logically group objects such as tables, views, stored procedures etc. You can assign a user login permissions to a single schema so that the user can only access the objects they are authorized to access. Inversions prior to SQL Server 2005, schemas were equivalent to individual data base users. Starting with SQL Server 2005, schemas are collections of data base objects that are independent of individual users and can be owned by multiple users. This change makes the data base administration function more manageable and flexible an advantage over other data base types. 7

8 According to the Privacy Rights Clearinghouse, from February 2005 to April 2012: Over 596,357,000 data records have been breached! Over 3,000 breaches have been publicly reported! 8

9 The Cost of Data Breaches According to a study conducted by Symantic and the Ponemon Institute In 2011 theaverage cost of a data breach was US $5.5 million 9

10 Significant Data Breaches 2011 Nemours Assets Stolen/Affected: Names, addresses, dates of birth, Social Security numbers, insurance data, medical treatment data, and bank account information for 1.6 million patients, vendors, and employees. Tricare/SAIC Assets Stolen/Affected: Protected health information from 5.1 million patientsofu U.S. military hospitals andclinics clinics. SK Communications Assets Stolen/Affected: t Thirty five million names, addresses, phone numbers, and resident registration numbers of social media users at South Korean sites Cyworld and Nate. 10

11 Significant Data Breaches 2011 (cont) Valve, Inc. Assets Stolen/Affected: Personally identifiable information for 35 million users of Valve's online gaming gsite. RSA Assets Stolen/Affected: Proprietary information about RSA's SecurID authentication tokens. Sutter Physicians Services and Sutter Medical Foundation Assets Stolen/Affected: Personally identifiable information of 3.3 million patients supported by Sutter Physicians Services and medical information of another 934,000 Sutter Medical Foundation patients. SONY Corporation Assets Stolen/Affected: Names, addresses and credit card information from over 77 million user accounts from its online gaming network. In addition, SQL injection attacks exposed data on SONY Music Japan and SONY Music Greece. 11

12 Discussion of Top Threats Break out into groups Brainstorm/Discussion Chart it Share and Compare 12

13 Top 10 Database Threats (BSC s List) 1. Excessive privileges Users (or applications) are granted database privileges that exceed the requirements oftheirjobfunction function 2. Privilege abuse Users may abuse legitimate data access privileges for unauthorized purposes. 3. Unauthorized privilege elevation Attackers may take advantage of vulnerabilities in database management software to convert low level access privileges to highlevel access privileges. 4. Platform vulnerabilities i Vulnerabilities in underlying operating systems may lead to unauthorized data access and corruption. 13

14 Top 10 Database Threats (cont) 5. SQL injection SQL injection attacks involve a user who takes advantage of vulnerabilities in front end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. 6. Weak audit Weak audit policy and technology represent risks in terms of compliance, deterrence, detection, forensics and recovery. 7. Denial of service Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. 14

15 Top 10 Database Threats (cont) 8. Database protocol vulnerabilities Vulnerabilities bl in database protocols may allow unauthorized ddata access, corruption or availability. 9. Weak authentication ti ti Weak authentication schemes allow attackers to assume the identity of legitimate database users. 10. Exposure of backup data Some recent high profile attacks have involved theft of database backup tapes and hard disks. 15

16 SQL Injection Example 16

17 Where to Begin? Auditing using a Consolidated Control Approach 1. Define a consolidated control universe that maps to your companies policies, standards and regulatory requirements 2. Identify the controls appropriate for your auditing scope 3. Build a detailed audit plan using the identified controls as a guideline 17

18 Define the Control Universe Ngrid IS Consolidated Control Set May-2011 The IS Consolidated Control Set is an culmunation of internal policies, standards, external authoritative sources, governing bodies for best practice and required IS controls for Nationalgrid compliance. IS Control Category Number of Controls 1 ACCESS CONTROL 19 2 ASSET MANAGEMENT (LOGICAL AND PHYSICAL) 9 3 SECURITY AWARENESS 7 4 BUSINESS CONTINUITY AND DISASTER RECOVERY 7 5 CHANGE MANAGEMENT 9 6 COMPLIANCE 8 7 DEVELOPMENT (ACQUISITION, DEVELOPMENT, CHANGE) 17 8 HUMAN RESOURCE MANAGEMENT 5 9 EVENTS (INCIDENT, PROBLEM, SUPPORT) 6 10 LOGGING AND MONITORING 7 11 OPERATIONS MANAGEMENT PHYSICAL SECURITY POLICY 5 14 PRIVACY 8 15 RISK MANAGEMENT 3 16 SYSTEMS AND DATA PROTECTION THIRD PARTY MANAGEMENT 10 Total

19 Indentify the Controls to be Audited Control Num Short Description Control Description ACCESS CONTROL ACS-001 Access Management Program An access management program is established and is periodically reviewed and approved. ACS-002 "Need to Know" Access Access to information and systems is granted based on a "need to know" basis. ACS-003 Segregation of Duties Incompatible access rights are properly segregated or are mitigated and monitored. ACS-004 User Authentication An approved unique username and password or authentication item (i.e., token, securid, certificates, public key, biometrics etc.) is required before access is granted. ACS-005 User Access - New An established and documented process for authorizing new users is in place. ACS-006 Privileged User Access - New Number of users with privileged access rights (i.e., systems administrators, super users, database administrators) is limited. ACS-007 Privileged Account Use Privileged accounts are not used for regular user activities ACS-008 User Access Review User access, included privileged access, is reviewed on a periodic basis to ensure access is commensurate with job responsibilities. Inappropriate access is promptly removed. ACS-009 Password Encryption Passwords stores and transmissions are encrypted. ACS-010 Access Configuration Settings Systems are configured to require the following: (1) use of complex passwords (i.e., minimum length; alpha, numeric, and/or special characters) (2) password change on a regular basis (3) previous password cannot be reused (4) system lockout ou after a predetermined e number of unsuccessful u logon attempts Application Security Database Security Platform Security Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Network Security 19

20 Build the Detail Audit Plan Control Number Short Description Control Description ACCESS CONTROL ACS-001 Access Management Program An access management program is established and is periodically reviewed and approved. Documentation Requirement 1. Copy of organization's Access Management Policy ACS-002 "Need to Know" Access Access to information and systems is granted based on a "need to know" basis. 1. Copy of the Database Access Management standards/procedures 2. System generated access listing from the database servers with the query/screen used to generate it. The listing should list username, id, access/security group, date access provided and last login date. ACS-004 User Authentication An approved unique username and password or authentication item (i.e., token, secured, certificates, public key, biometrics etc.) is required before access is granted. 1. Screen Shot of Login Screen 2. Screen shot of error message encountered for failed login attempt. 3.Screen Shot/ Script of Configuration setting for user access management. ACS-005 User Access - New An established and documented process for authorizing new 1. Policies/procedures related to providing access to new user. users is in place. 2. List of new employees/contractor/third Party that started during the audit period. This list should include employee name, employee number, start date, job title, department, and manager's name 3. Current roles/access table 4. For selected sample copy of the New User Request form 5. For selected sample screen print of the actual user access that has been configured or setup for the individuals. ACS-006 Privileged User Access - New Number of users with privileged access rights (i.e., systems administrators, super users, database administrators) is limited. 1. Standard/Procedure for providing privileged access. 2. System generated list of all active IDs and the query/screen used to generate it. The listing should have username, id, access/security group, date access provided and last login date. 3. System generated list of all administrators accounts in production environment (Operating system, Database) and the query/screen used to generate it. The listing should ldhave username, id, access/security group, date access provided dand dlast tlogin date. 20

21 Suggested Audit Tests Access Provisioning of new Id s Does access to the data base/application require a unique Id and password? Have all default Id s/passwords (i.e. guest user) been turned off in the databases and applications? Are generic or shared Id s/passwords protected and how (manual al procedure)? re)? Is access granted only after documented approval? Is access granted commensurate with the request (SQL injection use of least privileges)? Emergency access Requests Is there a background check performed for users who have direct access to strictly confidential data and/or cyber assets (i.e. servers; data bases)? 21

22 Suggested Audit Tests Access Password configuration are strong passwords being utilized? 22

23 Suggested Audit Tests Access Privileged Access Reviews (Environment) Are periodic reviews of Domain Admin groups performed to determine if the members of the group are limited and legitimate? Are periodic reviews of Server Admin groups performed to determine if the members of the group are limited and legitimate? Is there periodic sampling of critical servers to see which groups/id s have local admin rights on the servers? 23

24 Snap Shot of Local Administrators for a SQL data base server 24

25 Suggested Audit Tests Access Privileged Access Are there periodic reviews of users and groups with sysadmin rights at the application level? In the following example: sa standard SQL Server system admin id managed by DBA s op is the SQL Server standard login id that is used to execute jobs NMPC\Group 1 contain all of the DBA's network id's NMPC\Group 2 contain all of the DBA's admin network id's sqlbackup is the SQL Server standard login that is used to execute the backup/recover jobs through Tivoli TDP NMPC\Account 1 is the domain account that is used to run SQL Server service NMPC\Account 2 is the cluster name that is used to run SQL Server service 25

26 26

27 Suggested Audit Tests Access Terminates and Transfers Are the DBA and application administrators notified in a timely manner when employees and contractors terminate or transfer? Does a sample of terminated and transferred employees and contractors verify that data base access is being removed in a timely manner when no longer needed? 27

28 Suggested Audit Tests Change Management Is there a classification system in place to identify critical applications and data? Are all changes to databases and applications approved before being migrated to production? Is access to production (data bases, executables, source libraries) adequately protected? Are migration tools adequately protected and does segregation of duties exist between the developers, migrators and DBA s? Are direct updates to data approved prior to being made? 28

29 Suggested Audit Tests Patch Management Is there a process in place to apply security patches in a timely manner? Does a sample of servers reveal that they are patched with the latest service pack and patch level? Does a sample of client workstation laptops indicate that they contain the latest service pack and patches? 29

30 Patch Management Process 30

31 Suggested Audit Tests Configuration Management Is there a baseline security configuration document for server builds? Do all active ports and services match those approved in the baseline document and are they supported according to the documented and approved use (NetIQ)? Has a recent vulnerability study has been performed to identify security exposures (Foundstone, Nessus)? If there were exposures identified in the latest vulnerability study, have they been mitigated? 31

32 Check Sever Configuration using NetIQ 32

33 Check Client Security Status using Microsoft Baseline Security Analyzer (MBSA) 33

34 Perform Vulnerability Assessment using Foundstone Enterprise 34

35 Suggested Audit Tests Logging and Monitoring i Are critical SQL data bases protected in a secured electric security perimeter (ESP)? Is activity logging turned on for all critical cyber assets? Are privileged accounts monitored? Is there a regular review of the activity logs? Is there on going performance monitoring of the data bases to ensure reliability? Is there a defined incident management program and escalation procedure to handle breaches? 35

36 Monitoring Activity Logs using Counterpane 36

37 Monitoring Privileged Accounts using Guardium 37

38 Performance Monitoring Using Spotlight Enterprise 38

39 Suggested Audit Tests Backups Are back ups of critical SQL data bases being performed on a regular basis? Has a recent restore test been performed? If physical tapes are being cut are they cataloged/handled properly and being stored at a secured site? Is logical access to back up data protected? If virtual tapes are being utilized are there enough copies being retained to meet business and regulatory requirements? 39

40 Suggested Audit Tests Physical Security Are critical data base servers secured in a six walled physical security perimeter (PSP)? Is unescorted access to the PSP reviewed on a regular basis? Are visitor logs utilized (and saved) to document escorted access? If managed by a third party are the data base servers, etc. segregated and protected from access by individuals not working on your account? 40

41 In Sum What the Audit Should Ensure Limited access least privileges Production changes are appropriately approved Timely security patching Regular monitoring of activity logs and performance indicators Configuration vulnerabilities are limited Viable back up and recovery strategy Strong physical security around infrastructure and media 41

42 Questions 42

43 Collaborate Contribute Connect The Knowledge Center is a collection of resources and online communities that connect ISACA members globally, across industries and by professional focus - under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today!