Figure 11.2 Login/logout audit trail.
pliance report with a value for each rule, as shown in Figure 11.4. Another example of a penetration test (this time for Oracle) is shown in Figure 11.5.

Penetration testing and vulnerability assessments check the configuration of your database, the patches installed, and try to find mistakes and problems that may exist in your database. However, they do this in an isolated manner and only look at the database as a server. Another breed of assessment tools merges the notion of assessment with the notion of auditing to support continuous assessments that evaluate potential flaws in the database environment—not in how it is configured but in how it is used. Rather than scanning the database and its configuration, it scans all access to the database from all applications and assesses whether there are weaknesses and problems in the way the database is being used.

A simple example will clarify the difference. A static vulnerability assessment will try to sign onto the database using an empty password, a trivial password (e.g., sa for the sa user in SQL Server), or one of the default passwords (e.g., change_on_install for the SYS user in Oracle). A data access assessment will look at all applications and users in terms of how they are signing onto the database. It will alert you when, for example, the same login name is being used from a large number of different network nodes. This is a serious vulnerability and a weakness in the database and application environment as a whole. In another such example, it can report on
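The data access assessment described above, as an added example that is not code from the book: it reads login events of the kind a login/logout audit trail records (Figure 11.2) and flags login names used from an unusually large number of distinct network nodes, plus logins appearing from nodes outside a known application inventory. The record layout, the sample events, the `BASELINE` inventory and the threshold of three nodes are all constructed assumptions for the example.

```python
"""Data-access assessment over a login audit trail (added example, not the book's code)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample audit trail: (timestamp, login name, client node, outcome).
# Field layout is an assumption; a real audit trail would be exported from the DBMS.
SAMPLE_LOGINS = [
    ("2024-05-01T08:00:01", "app_user", "10.1.1.11", "SUCCESS"),
    ("2024-05-01T08:00:05", "app_user", "10.1.1.12", "SUCCESS"),
    ("2024-05-01T08:01:10", "report_user", "10.1.2.20", "SUCCESS"),
    ("2024-05-01T08:02:33", "app_user", "10.1.1.13", "SUCCESS"),
    ("2024-05-01T08:03:00", "app_user", "10.1.1.99", "FAILED"),   # failed attempt, not counted
    ("2024-05-01T08:04:41", "app_user", "10.1.1.14", "SUCCESS"),
    ("2024-05-01T08:05:02", "report_user", "10.1.2.21", "SUCCESS"),
    ("2024-05-01T08:06:19", "sa", "10.1.1.5", "SUCCESS"),
    ("2024-05-01T08:07:55", "app_user", "10.1.1.15", "SUCCESS"),
    ("2024-05-01T08:08:00", "app_user", "10.1.1.11", "SUCCESS"),  # repeat node, counted once
]

# Constructed inventory of which nodes each application login is expected to come from.
BASELINE = {
    "app_user": {"10.1.1.11", "10.1.1.12"},
    "report_user": {"10.1.2.20", "10.1.2.21"},
}


@dataclass
class SharedLoginFinding:
    """A login name observed from more distinct nodes than the threshold allows."""
    login: str
    node_count: int
    nodes: list = field(default_factory=list)


def nodes_per_login(events):
    """Map each login name to the set of distinct client nodes that signed on successfully."""
    seen = defaultdict(set)
    for _ts, login, node, outcome in events:
        if outcome == "SUCCESS":
            seen[login].add(node)
    return seen


def shared_login_findings(events, max_nodes=3):
    """Flag logins used from more than max_nodes distinct network nodes.

    A single account fanned out across many nodes usually means credentials are
    shared between applications or people, which defeats per-user accountability.
    """
    findings = []
    for login, nodes in sorted(nodes_per_login(events).items()):
        if len(nodes) > max_nodes:
            findings.append(SharedLoginFinding(login, len(nodes), sorted(nodes)))
    return findings


def unexpected_node_findings(events, baseline):
    """Report, per login, the nodes not in the inventory.

    Logins absent from the inventory altogether are reported with every node
    they were seen from, since nothing vouches for them.
    """
    findings = {}
    for login, nodes in sorted(nodes_per_login(events).items()):
        unexpected = nodes - baseline.get(login, set())
        if unexpected:
            findings[login] = sorted(unexpected)
    return findings


if __name__ == "__main__":
    for f in shared_login_findings(SAMPLE_LOGINS):
        print(f"shared login: {f.login} seen from {f.node_count} nodes {f.nodes}")
    for login, nodes in unexpected_node_findings(SAMPLE_LOGINS, BASELINE).items():
        print(f"unexpected nodes for {login}: {nodes}")
```

The two checks are deliberately separate: the node-count check needs no prior knowledge and catches credential sharing on its own, while the inventory check is only as good as the baseline, so a login missing from the baseline is surfaced rather than silently accepted.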