When defining what a divergence from the baseline means, you need to distinguish between different categories of procedures and different categories of users. For example, DBAs will typically use many of the built-in system stored procedures, and your baseline should include all of these even if they are seldom used. Otherwise, a DBA using a legitimate stored procedure for the first time may be flagged as an intruder. A good rule of thumb in a production environment is to have two groups of users (DBAs, and all other users) and two groups of stored procedures (application-specific and system stored procedures). You can then create a baseline that allows DBA users to access system stored procedures in addition to the real observed usage patterns for all users (DBA or not) accessing the application-specific stored procedures.
9.3 Control creation of and changes to procedures and triggers
Monitoring the execution of stored procedures is ineffective when combating Trojans of type 3 and type 4, because the party executing the stored procedure is a legitimate party that has probably been recorded in the baseline. For example, if the party causing the Trojan to be invoked is the ERP system initiating the closing of the topics, then you will have no way of flagging this operation as a divergence, because it is not one. Instead, you must be able to identify the creation or modification of the code in which the Trojan was planted. This is usually a simple thing, especially in a production environment, which should not exhibit commands of the form CREATE PROCEDURE or ALTER TRIGGER outside a rigorous change management process.
As with the actions available to you when monitoring execution of procedures, you have three options when tracking creation or changes that may be hiding the injection of a Trojan. You can choose to log these events for later viewing in a report, to fire off a real-time alert, or to deny such an operation using a SQL firewall. Tracking changes to procedural objects is usually simpler than tracking execution of procedures because it can usually be done explicitly, whereas tracking procedure execution must be based on a baseline and is therefore less precise. You can normally assume that you do not want any procedure changes in a production environment, and therefore you do not need to evaluate such operations based on historical analysis.
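As an added example, not from the book, the two-group baseline rule from the previous section and the explicit tracking of procedural changes described here are expressed as detection logic in Python over constructed audit records. The user names, the procedure names and the assumption that system procedures follow an sp_/xp_ naming prefix are all illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (user, SQL text); not real captured traffic.
BASELINE_LOG = [
    ("app_svc", "EXEC usp_close_period"),
    ("app_svc", "EXEC usp_post_invoice"),
    ("dba1", "EXEC sp_who"),
]
NEW_LOG = [
    ("app_svc", "EXEC usp_close_period"),                         # seen in baseline
    ("dba1", "EXEC sp_helpdb"),                                   # system proc, DBA: allowed
    ("app_svc", "EXEC sp_helpdb"),                                # system proc, non-DBA
    ("app_svc", "EXEC usp_export_customers"),                     # app proc never seen before
    ("dba1", "ALTER TRIGGER trg_post_invoice ON invoices AFTER INSERT AS ..."),  # change
]
DBAS = {"dba1"}  # assumed group of DBA accounts

EXEC_RE = re.compile(r"^\s*EXEC(?:UTE)?\s+([\w.]+)", re.I)
DDL_RE = re.compile(r"^\s*(CREATE|ALTER)\s+(PROCEDURE|PROC|TRIGGER|FUNCTION)\s+([\w.]+)", re.I)

def is_system_proc(name):
    # Assumption: built-in system procedures carry an sp_ or xp_ prefix.
    return name.lower().split(".")[-1].startswith(("sp_", "xp_"))

def build_baseline(log):
    """Record which application-specific procedures each user was observed executing."""
    seen = defaultdict(set)
    for user, sql in log:
        m = EXEC_RE.match(sql)
        if m and not is_system_proc(m.group(1)):
            seen[user].add(m.group(1).lower())
    return seen

def classify(user, sql, baseline):
    """Return None when the record is allowed, otherwise a short reason for flagging it."""
    m = DDL_RE.match(sql)
    if m:  # creation/alteration is tracked explicitly: never baseline-driven in production
        return f"procedural change: {m.group(1).upper()} {m.group(2).upper()} {m.group(3)}"
    m = EXEC_RE.match(sql)
    if not m:
        return None
    proc = m.group(1).lower()
    if is_system_proc(proc):  # DBAs may use any system procedure, others may not
        return None if user in DBAS else f"system procedure {proc} by non-DBA"
    if proc in baseline.get(user, set()):
        return None
    return f"application procedure {proc} not in baseline for {user}"

def audit(log, baseline):
    findings = []
    for user, sql in log:
        reason = classify(user, sql, baseline)
        if reason:
            findings.append((user, reason))
    return findings
```

Whether a finding is merely logged, raised as a real-time alert, or blocked by a SQL firewall is the policy decision the text describes; the classifier only separates the three cases.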
The rules for identifying a possible injection can be defined in one of
two ways. The more extreme method will be based on any use of the proce-