Database Forensics and Auditing - Report Example

Summary
This paper, 'Database Forensics and Auditing', focuses on the definition of database forensics and database auditing, the regulations under database auditing, the meaning of Data Access Auditing, and Data Monitoring by analyzing some of their features…
In today's technology-oriented world, information has become the lifeline of businesses. Be they banks, industries or small shops, information security has become more crucial than ever before. Databases play a critical role in data-driven applications, and their security is of paramount importance. The use of database management systems presents opportunities for database administrators to secure databases and minimize security concerns. Database forensics and auditing have become some of the most important subjects and have received wide attention in research. This paper focuses on the differences between database forensics and database auditing. It covers the definition of database forensics and database auditing, the regulations under database auditing, and the meaning of data access auditing and data monitoring. The goal is to clarify the comparison between database forensic and auditing tools by analyzing some of their features. In addition, the paper will show the threats that may affect the database and how they can affect database forensics and auditing. In conclusion, databases can be secured using a number of strategies that restrict unauthorized access and incorrect alteration of data and enhance data integrity, to avoid any kind of hacking or data loss.
Introduction
The Verizon business risk team investigated 90 data breaches that occurred in 2008, which revealed an overall total of 285 million stolen records. Likewise, 80% of data breaches occurred due to weak corporate information security and were initiated from external sources, i.e. hackers, malicious code etc., and 20% of data breaches were initiated internally (Goldmann, n.d). Moreover, 49% of data breaches in 2008 were not diagnosed for months. Furthermore, in 2008, 81% of organizations affected by credit card breaches were not able to perform their last PCI assessment (Goldmann, n.d).
Despite the deployment of the most up-to-date technology and controls, data is still being compromised. Likewise, the tactics of a hacker are categorized as 70% credentialed users, 10% trading partners and 46% internal threats (Goldmann, n.d). 'Wikileaks' and the 'Stuxnet' virus are among the recent major security breaches. In summary, the increasing number of data breaches is astounding and calls for more research on database security and protection. It shows that laws, policies, compliance and regulations are not enough to counter these challenges. In order to protect databases via best practices, we will first differentiate between database forensics and database auditing, as these two terms will demonstrate adequate protection from potential threats and vulnerabilities. After describing these terms, we will incorporate the Microsoft LogMiner tool for collecting forensic evidence from a database, and SQL auditing will be incorporated for auditing or reviewing the current state of the database.
Database Forensics
Database forensics, which is also called Oracle forensics, is a relatively new and evolving field. Database forensics is conducted with different tools that enable the Oracle Database Administrator (DBA) to re-establish actions performed on the database, with the exception of deactivated forensic features. Likewise, database forensics identifies the suspect by extracting traces of an attacker from the database and reverts the suspicious transactions if possible. The primary goal of database forensics is to analyze the vulnerabilities that were utilized and exploited by the threat and to roll back any unofficial data manipulation operations. However, it is a daunting task, as attackers play safe and prefer to attack from other regions and IP addresses that involve different time zones and mediums before extracting data or compromising the security controls of a database.
Some of the vulnerabilities associated with database compromises include default and unchanged usernames and passwords; passwords that are not long or complex, or that are easily guessable; a database that is not up to date and is missing critical patches; a database that is not properly configured; and excessive rights allocated to more than one employee within the organization. Moreover, threats to the database are web application attacks such as SQL injection, cross-site scripting, man-in-the-middle attacks, misconfigurations, weak or absent audit controls and social engineering. However, in order to preserve the evidence of a possible security breach that will be presented in a court of law, certified forensic experts perform digital forensics. It is important to use tools and techniques that are considered best practice and are certified. Courts will only accept evidence based on best practices and in accordance with the country's rules and regulations. Organizations are well aware of the need to protect the evidence and demonstrate an adequate chain of custody before presenting evidence against a cyber-criminal in a court of law.
Comprehensive research has been carried out on database forensics and security, but it is limited to Database Management Systems (DBMS) that are already installed on systems. However, information on DBMS vulnerabilities is extensively available and defines the possibility and type of threats to the DBMS. However, there is no extensive research on database forensics; there are two separate domains, i.e. file system forensics and database forensics. Both of these domains focus on stored data retrieval. Likewise, the metadata defines the information that is stored in the database and the file system defines the information stored on the system. Moreover, the output of data from a database defines the file system and metadata. A study conducted by (Peterson, Sujeet Shenoi, n.d) emphasizes the collection mechanism of database forensics.
Likewise, the collection mechanism is associated with identifying the key evidence along with maintaining its integrity and reliability to protect the evidence. The study defines a structured approach that divides DBMS metadata into many layers during the data collection process. The study proposes a binary string that is 4 bits in size, ranging from 0000 to 1111. Each abstract layer, named data dictionary, application schema, data model and application data (Peterson, Sujeet Shenoi, n.d), is represented by either 1 or 0. A 0 value in the binary string specifies that the particular abstract DBMS layer is not compromised, and the investigators can conclude that the specific layer is uncompromised, whereas a 1 value indicates that the specific DBMS abstract layer is compromised.
(Guimaraes, Austin, & Said, 2010) At the user or surface level, DBMSs are identical, and most include multiple tables, a standardized query language, referential integrity, primary and foreign keys and metadata. In terms of the physical structure of the files, concurrency mechanisms, security mechanisms, data warehousing techniques and query optimization, databases can differ radically from each other. The issue with forensic tools is time, as they take a lot of processing time when used with huge databases.
One of the tools used for digital forensic analysis is LogMiner. This tool is used for organizing the online redo log files of an Oracle database. Likewise, the redo log files include the mandatory information that is used for reconstructing modifications made to the tables of the database (Hotka, 2002). Moreover, these changes are then analyzed manually and automatically by using SQL statements to query the logs. Furthermore, the tool also allows the timeline of modifications to the database to be analyzed.
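The redo-log querying described above can be sketched as follows. This is an added example, not code from the paper or from Hotka (2002); it uses Oracle's DBMS_LOGMNR package and the V$LOGMNR_CONTENTS view, and the archived log path, the HR.EMPLOYEES table and the time window are placeholders constructed for illustration.

```sql
-- Added example: rebuild a timeline of changes to one table from a redo log.
-- Placeholders (not from the paper): the log path, schema HR, table EMPLOYEES
-- and the time window. Work on a copy of the log so the original stays
-- untouched as evidence.

BEGIN
  -- Register the archived redo log to analyze (NEW starts a fresh log list).
  DBMS_LOGMNR.ADD_LOGFILE(
    LOGFILENAME => '/forensics/copy/arch_1_1234.arc',   -- placeholder path
    OPTIONS     => DBMS_LOGMNR.NEW);

  -- DICT_FROM_ONLINE_CATALOG resolves object ids to names using the current
  -- catalog, so this assumes the log comes from the database being queried.
  -- COMMITTED_DATA_ONLY hides rolled-back and in-flight transactions.
  DBMS_LOGMNR.START_LOGMNR(
    STARTTIME => TO_DATE('2024-01-10 00:00:00', 'YYYY-MM-DD HH24:MI:SS'),
    ENDTIME   => TO_DATE('2024-01-12 23:59:59', 'YYYY-MM-DD HH24:MI:SS'),
    OPTIONS   => DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG
               + DBMS_LOGMNR.COMMITTED_DATA_ONLY);
END;
/

-- Timeline of data modifications to the table under investigation.
-- SQL_REDO is the statement that was applied; SQL_UNDO is the statement that
-- would reverse it, which supports rolling back a suspicious change.
SELECT scn,
       timestamp,
       username,
       session_info,
       operation,
       sql_redo,
       sql_undo
FROM   v$logmnr_contents
WHERE  seg_owner = 'HR'
AND    seg_name  = 'EMPLOYEES'
AND    operation IN ('INSERT', 'UPDATE', 'DELETE')
ORDER  BY scn;

-- Per-account summary: who changed what, how often, and over which period.
SELECT username,
       operation,
       COUNT(*)       AS changes,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   v$logmnr_contents
WHERE  seg_owner = 'HR'
AND    operation IN ('INSERT', 'UPDATE', 'DELETE')
GROUP  BY username, operation
ORDER  BY changes DESC;

-- Release the LogMiner session; V$LOGMNR_CONTENTS is only populated for the
-- session that started it.
BEGIN
  DBMS_LOGMNR.END_LOGMNR;
END;
/
```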
In addition, the tool is also capable of taking the database state back years in an efficient and simple way, without the need to reconstruct the database in order to analyze old or archived logs (Hotka, 2002). However, this depends on how the archived logs of the database are organized. The tool comes in a number of packages with different checksums to support different platforms such as Linux, Windows, Solaris etc.
Database Auditing
Database auditing is a process for logging and monitoring the access and modification of database objects and resources. However, logging and monitoring applies to the operational databases along with the recollection of records that are accessible at the location where the required information can be extracted and analyzed. Database auditing is also known as data access monitoring, data monitoring and data activity monitoring. In order to secure data, stakeholder requirements incorporate security operations that are related to real-time policies, security of audit trails, forensics and data mining. Moreover, compliance audit requirements for stakeholders include separation of duties, reports based on best practices and computerized controls. Similarly, application and database requirements include minor impact, change management and performance optimization. All three of these requirements must be transparent and clearly visible within the organization.
If we further divide database auditing, authorization auditing is defined as which employee has what permissions and access privileges. Access auditing covers which employee did what and what he is assigned to do. Employees with data modification privileges can update, insert and delete data; employees with read-only access will only be able to use the select function. In addition, duplication auditing checks which data is duplicated and where. In order to perform a database audit, there are several methods available.
One method is to start the audit within the DBMS, which will incorporate a performance trace. The second method is a database audit that focuses on transaction log files. Thirdly, auditing over the network will extract SQL requests that are travelling along the network. Lastly, one audit focuses on the DBMS itself to analyze vulnerabilities and non-compliance issues.
Regulations having an impact on database security are defined below (Moeller, n.d):
Database Security: Regulations that are applicable to database security include PCI-DSS, BASEL II, FISMA, HIPAA, CMS and GLBA.
Changes to Data Definition Language (DDL): Likewise, these regulations define audit requirements for access to sensitive data. Regulations that are applicable to changes to Data Definition Language (DDL) include SOX, PCI-DSS, HIPAA, GLBA, BASEL II, NERC and NIST.
Changes to Data Manipulation Language (DML): Regulations that are applicable to changes to Data Manipulation Language (DML) include SOX, CMS and BASEL II.
Exceptions to Security: Regulations that are applicable to exceptions to security include SOX, PCI-DSS, BASEL II, FISMA, HIPAA, CMS, NERC and GLBA.
Changes to Data Control Language (DCL): Regulations that are applicable to changes to Data Control Language (DCL) include SOX, PCI-DSS, BASEL II, FISMA, HIPAA, CMS, NERC and GLBA.
There is a limitation when performing a database audit with SQL: it can only be used with relational databases. However, relational databases are extensively used and maintained in organizations. Apart from the relational database, there are two other types of databases for which SQL is not compatible or applicable as an auditing tool. The first is the network database, which uses a self-access methodology and is only accessible with proprietary protocols. The second is the hierarchical database, which is accessed by syntax almost similar to SQL, but there is no assurance of being able to access this type of database in a complex environment.
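Authorization auditing and access auditing, as distinguished under Database Auditing above, can each be expressed as SQL against a relational database. This is an added example, not taken from the paper or its sources; it assumes an Oracle database using traditional auditing with the AUDIT_TRAIL initialization parameter set to DB, and the HR schema and EMPLOYEES table are placeholders constructed for illustration.

```sql
-- Added example. Placeholders (not from the paper): schema HR, table EMPLOYEES.

-- 1. Authorization audit: which grantee holds what on each table, separating
--    read-only access from data-modification rights. A grantee may be a role;
--    resolve role membership through DBA_ROLE_PRIVS to reach individual users.
SELECT grantee,
       owner,
       table_name,
       MAX(CASE WHEN privilege = 'SELECT'
                THEN 'Y' ELSE 'N' END)                        AS can_select,
       MAX(CASE WHEN privilege IN ('INSERT', 'UPDATE', 'DELETE')
                THEN 'Y' ELSE 'N' END)                        AS can_modify,
       MAX(CASE WHEN grantable = 'YES'
                THEN 'Y' ELSE 'N' END)                        AS can_regrant
FROM   dba_tab_privs
WHERE  owner = 'HR'
GROUP  BY grantee, owner, table_name
ORDER  BY can_modify DESC, grantee;

-- 2. Access audit: record every read and change on the sensitive table,
--    one audit record per statement.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- 3. Review what each account actually did. RETURNCODE 0 means the statement
--    succeeded; any other value is the Oracle error number of a failed attempt.
SELECT username,
       os_username,
       userhost,
       timestamp,
       action_name,
       owner,
       obj_name,
       returncode
FROM   dba_audit_trail
WHERE  owner    = 'HR'
AND    obj_name = 'EMPLOYEES'
ORDER  BY timestamp;

-- 4. Accounts with repeated failed statements against the schema, a sign that
--    activity does not match what the account is assigned to do.
SELECT username,
       action_name,
       COUNT(*)       AS failed_attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_trail
WHERE  owner = 'HR'
AND    returncode <> 0
GROUP  BY username, action_name
HAVING COUNT(*) >= 3
ORDER  BY failed_attempts DESC;
```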
In order to perform a database audit, structured query language (SQL) is incorporated as an audit tool. SQL provides auditors with opportunities along with risks when testing a database. In order to perform a successful audit, auditors must calculate the risks and mitigate them by implementing alternative procedures. However, the server audit procedures define where the auditors must write the data (Walters et al., n.d). Moreover, the audit test will depend on the risk assessment along with the purpose of the type of test for the audit. Any auditor who is not very familiar with SQL and wants to learn it can set up a 'starter' database system for self-learning. Furthermore, SQL adds value to the auditor's toolkit for performing an efficient and successful audit of a targeted database or system. In addition, SQL also minimizes the interaction required from database administrators and support personnel.
Conclusion
We have defined each of the two terms, i.e. database forensics and database auditing. These two methods have major differences. Database forensics is used for identifying, detecting and tracing violations or a possible security breach. As per law, the evidence is preserved via chain of custody and must follow best practices in order to be presented in a court of law. Moreover, digital forensic analysis must only be performed by a certified forensic practitioner or analyst, who will investigate and collect the data as per required practices and with certified forensic analysis tools, in order to preserve and present the data in court. Database auditing, in contrast, is conducted to verify logical and physical control implementations, measurement and performance against the applicable laws and regulations of the region. Organizations are responsible for processing, maintaining and securing customer data that must not be exposed or compromised.
Audits are performed periodically or whenever there is a significant change in the organization's environment, with the primary objective of detecting violation logs and determining whether required controls are present, whether the database is adequately protected, whether regulatory compliance is present, and whether protection mechanisms are implemented as per the defined best practices in the applicable regulations and in compliance with policy.
References
Peterson, G. A. and Sujeet Shenoi, n.d. Advances in Digital Forensics VII: 7th IFIP WG 11.9 International Conference on Digital Forensics, Orlando, FL, USA, January 31 - February 2, 2011, ... in Information and Communication Technology). Springer.
Goldmann, P., n.d. Financial services anti-fraud risk and control workbook. Wiley.
Guimaraes, M. A. M., Austin, R., & Said, H. (2010). 2010 information security curriculum development conference on - InfoSecCD '10; database forensics, pp. 62.
Hotka, D. (2002). Oracle 9i development by example. Indianapolis, Ind.: Que.
Walters, R., Coles, M. G. H., Robin Dewson, Farmer, D. S., Fabio Claudio Ferracchiati, & Rae, R. Accelerated SQL server 2008 (accelerated). Apress.
Moeller, R. R., n.d. Brink's modern internal auditing: A common body of knowledge. Wiley.