Flylib.com

Books Software

 
 
 

Category list


Similar pages

Master Checklist


Buy on amazon.com >>
Davis C. Schiller M. Wheeler K.
    << Previous page
    Table of contents
    Next page >>

    Master Checklist

    Auditing Databases

    Checklist for Auditing Databases

    1. q Verify that database permissions are granted or revoked appropriately for the required level of authorization.

    2. q Review database permissions granted to individuals instead of groups or roles.

    3. q Ensure that database permissions are not implicitly granted incorrectly.

    4. q Review dynamic SQL executed in stored procedures.

    5. q Ensure that row-level access to table data is implemented properly.

    6. q Revoke PUBLIC permissions where not needed.

    7. q Restrict access to the operating system.

    8. q Restrict permissions on the directory to which the database is installed.

    9. q Restrict permissions on the registry keys used by the database.

    10. q Check for default usernames and passwords.

    11. q Check for easily guessed passwords.

    12. q Check that password management capabilities are enabled.

    13. q Check that auditing is enabled.

    14. q Verify that network encryption is implemented.

    15. q Verify that encryption of data-at-rest is implemented where appropriate. Ensure that encryption key management is part of the disaster-recovery plan.

    16. q Verify that the latest patches for the database have been installed.

    17. q Verify that the database is running a version the vendor continues to support.

    18. q Verify that policies and procedures are in place to identify when a patch is available and to apply the patch.

    19. q Check the integrity of the database by looking for root kits, viruses, backdoors, and Trojan horses.



    Chapter 10: Auditing Applications

    This chapter should be used to generate thoughts and ideas regarding audit program steps more specific to the application being audited . Staying on top of every new technology that attaches itself to your environment is tough. It's our job as auditors to quickly drill down into new applications to find potential control weaknesses. We're going to discover how to examine applications conceptually using big-picture and abstract frameworks. We also will suggest a fairly comprehensive set of checks that will greatly assist you in covering the vast majority of common control weaknesses.

    Application Auditing Essentials

    It's perfect when you have a perfect audit program you can apply quickly to your perfect application. However, the reality is that you're faced with new ideas and approaches for solving business problems with new technology that requires a new audit program. As you struggle with the questions to ask, you will find the frameworks and best practices below helpful.



    Generalized Frameworks

    Generalized frameworks are useful for meetings where you've been put on the spot to come up with questions and possible risks associated with a new application. You might even find yourself walking into a meeting, taking out a blank sheet of paper, and writing "PPTM," "STRIDE," and "PDIO" at the top before the meeting ever starts.

    PPTM

    People, processes, tools, and measures (PPTM) is a great brainstorming framework to examine an application from the macro level. Detailed specific technical review steps dominate this chapter. PPTM helps you to come up with your own steps quickly and efficiently as they apply to your unique situation.

    People People in PPTM describes every aspect of the application that deals with a human. Ensure that the right people are involved in the planning, design, implementation, or operations for the project and that the right stakeholders are involved. If the application involves end users, then ensure that the application has controls around provisioning and deprovisioning access and that the end users have been involved in the components that they ultimately will interface with. There is little that's more embarrassing than to spend time and money rolling out an application just to find out that upper management doesn't approve or that the end users find that the interface is too complicated to use.

    Process Process in PPTM describes every aspect of the application that is involved in a policy, procedure, method, or course of action. Review the interaction of the application with interfacing systems and verify compliance in security models or ensure firewalls are in place to protect the application from external applications, users, business partners , and the like. Procedures and policies should be written to support how the application is intended to be used. Adequate documentation also should exist to support technicians that need to maintain the application.

    Tools Tools in PPTM describe every aspect of the application that deals with a concrete technology or product. Ensure the right hardware and environment exists to support the application and that the application interfaces with recommended technologies appropriate to your intended policies and procedures. Verify the application and infrastructure are tested and audited appropriately.

    Measures Measures in PPTM describe every aspect of the application that is quantifiable conceptually, such as the business purpose or application performance. For example, verify the application meets well-documented and well-thought-out acceptance criteria. The application should solve the business problem it is intended to solve. Logs should be meaningful, and you should be able to measure the performance of the application and ensure you can support it.

    STRIDE

    STRIDE is a methodology for identifying known threats. The STRIDE acronym is formed from the first letter of each of the following categories and is an example of a simplified threat-risk model that is easy to remember and apply.

    Spoofing Identity Identity spoofing is a key risk for applications that have many users but provide a single execution context at the application and database levels. In particular, users should not be able to become any other user or assume the attributes of another user .

    Tampering with Data Users can potentially change data delivered to them, return it, and thereby potentially manipulate client-side validation, GET and POST results, cookies, HTTP headers, and so forth. The application should not send data to the user, such as interest rates or periods, that are obtainable only from within the application itself. The application also should carefully check data received from the user and validate that it is sane and applicable before storing or using it. For web and other applications with a client component, ensure you perform your validation checks on the server and not the client, where the validation checks might be tampered with.

    {% if main.adsdop %}{% include 'adsenceinline.tpl' %}{% endif %}

    Repudiation Users may dispute transactions if there is insufficient auditing or recordkeeping of their activity. For example, if a user says, "But I didn't transfer any money to this external account!" and you cannot track his or her activities through the application, then it is extremely likely that the transaction will have to be written off as a loss.

    Therefore, consider if the application requires non-repudiation controls, such as web access logs, audit trails at each tier , or the same user context from top to bottom. Preferably, the application should run with the user's privileges, not more, but this may not be possible with many commercial off-the-shelf applications.

    Information Disclosure Users are rightfully wary of submitting private details to a system. If it is possible for an attacker to publicly reveal user data at large, whether anonymously or as an authorized user, there will be an immediate loss of confidence and a substantial period of reputation loss. Therefore, applications must include strong controls to prevent user ID tampering and abuse, particularly if they use a single context to run the entire application.

    Also consider if the user's web browser may leak information. Some web browsers may ignore the no-caching directives in HTTP headers or handle them incorrectly. In a corresponding fashion, every secure application has a responsibility to minimize the amount of information stored by the web browser just in case it leaks or leaves information behind which can be used by an attacker to learn details about the application or the user, possibly using that information to assume the role of an authorized privileged user.

    Finally, in implementing persistent values, keep in mind that the use of hidden fields is insecure by nature. Such storage should never be relied on to secure especially sensitive information or to provide adequate personal privacy safeguards.

    Denial of Service Application designers should be aware that their applications may be subject to a denial-of-service attack. Therefore, the use of expensive resources such as large files, complex calculations, heavy-duty searches, or long queries should be reserved for authenticated and authorized users and not be available to anonymous users.

    For applications that don't have this luxury, every facet of the application should be engineered to perform as little work as possible, to use fast and few database queries, and to avoid exposing large files or unique links per user in order to prevent simple denial-of-service attacks.

    Elevation of Privilege If an application provides distinct user and administrative roles, then it is vital to ensure that the user cannot elevate his or her role to a higher privileged one. In particular, simply not displaying privileged-role links is insufficient. Instead, all actions should be gated through an authorization matrix to ensure that only the permitted roles can access privileged functionality.

    PDIO

    PDIO comes from Cisco Systems and stands for planning, design, implementation, and operations. Sometimes it's important to consider the potential challenges at each stage of a project. You might find this framework useful as you look at a new application and think ahead to the upcoming challenges. There might be a problem, for example, if system administrators are tossing around ideas in a planning or design session for a network solution and the senior networking engineer isn't in the room. If you as an auditor are asked to look at the implementation of a new solution, you should immediately ask questions about the ongoing operations of the solution.



    Buy on amazon.com >>
    Davis C. Schiller M. Wheeler K.
      << Previous page
      Table of contents
      Next page >>

      Similar products

       
      flylib.com © Copyright 2008-2013. All Rights Reserved.
      if you may any questions please contact us: flylib@qtcs.net
      Privacy policy