Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Monitoring DB Admin

from [Ackley, Alex] Network Security [Permanent Link]
Subject: RE: Monitoring DB Admin
Date: Tue, 29 May 2007 12:13:10 -0400 
I'm not sure you'll be able to do preventive controls on a DB Admin as a
role.  But you can do it on a person by rotating duties and basing
permissions on role not person.

There are a few good apps out there to monitor database activities.  So
combine a good monitoring tool with role based permissions and you may
be able to appease them.

If you have more then one DB Admin; ask yourself if they all need the
same access?  Can they be segregated by database or databases?

What the auditors want to see are tools in place to limit the damage any
single person can cause.  It's the same reason you don't want to give
your developers admin access to your network.  They may never do
anything bad; but giving them more access then is required is asking for
trouble.

Alex Ackley, CISSP, GSEC
Security Administrator

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of WALI
Sent: Monday, May 28, 2007 11:31 PM
To: security-basics@securityfocus.com
Subject: Monitoring DB Admin

....And the auditors report mentions that I (the internal IT Security 
Admin) should have independent monitoring of DB Admin activities, the
likes 
of DROP, ALTERS etc on an inhouse developed accounting package using
Oracle 
9i backened.

Not only this, the crazy auditing guys want to have preventive rather
than 
detective controls in place for DB Admin.

How secure can we make an application if we start doubting the guys we 
trust...the next thing the auditors would want is preventive controls
over 
me...Grrr!!

But still...is this doable!!??
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Disclosure of vulns and its legal aspects..., Craig Wright
Next by Date:  Re: Importing Security Product Output Into A Database, Ken Swain
Previous by Thread:  Monitoring DB Admin, WALI
Next by Thread:  RE: Monitoring DB Admin, Craig Wright
Indexes:  [Date] [Thread] [Top] [All Lists]