Network Security Security-Management

Segregation of Duties and least privileges for DB

Subject: Segregation of Duties and least privileges for DB
Date: Fri, 15 Jul 2005 10:17:32 +0300

In order to avoid fraudulent or malicious acts on sensitive data in a database 
(DB), how do we segregate the duties of high-privileged employees like the DBA 
and/or DB Security Administrator? What controls need to be established to 
prevent an undesirable change or transaction by a highly privileged employee 
from going unnoticed?

Should the DBA and DB security admin be separate personnel? For example: the DBA 
has rights to modify tables or data, but only the security admin can change DB 
access control and system/transaction logs. If the DBA conducts some malicious 
activities, they will be there in the logs, which the DBA cannot delete.

On the other side, the DB security admin does not have permission to create 
tables and access core data. But then again, the security admin can change his 
permissions, do fraudulent acts, and then delete the logs, and hence go 
unnoticed.

How to deal with the above? Making sure that no one person with high access 
rights can go unnoticed after committing a fraud. Particularly looking for 
suggestions for the Database Environment.


Thanks...

Regards,
 
-Nabil.

DISCLAIMER:
This e-mail & its content have been sent to the attention of the receiver named 
above. If you are not the intended recipient (or have received this e-mail in 
error), Please notify the sender immediately and destroy this e-mail. Any 
unauthorized copying, disclosure or distribution of the material in this e-mail 
is strictly forbidden. Kuwait Turkish Evkaf Finance House shall not be held 
liable for the arrival of this e-mail & its content as modified or late, the 
protection of integrity and secrecy and shall not be liable to any person who 
acts or omits to do anything in reliance upon it.
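The split Nabil describes, sketched in PostgreSQL as an added example that is not part of the thread: the DBA can change application data but holds nothing on the audit log, the security admin can manage roles but can neither read core data nor delete log rows, and the trigger that writes the log runs with its owner's rights. All role, schema and table names are hypothetical, and the script assumes PostgreSQL 12 or later run as the bootstrap superuser, which remains the owner of every object.

```sql
-- Added example (PostgreSQL 12+); role, schema and table names are hypothetical.
-- Run as the bootstrap superuser, which stays the owner of everything below.
CREATE ROLE dba_user      LOGIN;             -- modifies tables and data
CREATE ROLE secadmin_user LOGIN CREATEROLE;  -- manages logins and access control
CREATE ROLE auditor_user  LOGIN;             -- read-only view of the log

CREATE SCHEMA app;
CREATE SCHEMA audit;
CREATE TABLE app.accounts (id serial PRIMARY KEY, owner text, balance numeric);
CREATE TABLE audit.change_log (
    id      bigserial   PRIMARY KEY,
    at      timestamptz NOT NULL DEFAULT now(),
    actor   text        NOT NULL DEFAULT session_user,
    tbl     text        NOT NULL,
    op      text        NOT NULL,
    old_row jsonb,
    new_row jsonb
);

-- SECURITY DEFINER: the trigger inserts with the owner's rights, so the role
-- that changed the data needs, and gets, no privilege on audit.change_log.
CREATE FUNCTION audit.log_change() RETURNS trigger
    LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, audit AS $$
BEGIN
    INSERT INTO audit.change_log (tbl, op, old_row, new_row)
    VALUES (TG_TABLE_SCHEMA || '.' || TG_TABLE_NAME, TG_OP,
            CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
            CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END);
    RETURN NULL;
END $$;
CREATE TRIGGER accounts_audit AFTER INSERT OR UPDATE OR DELETE ON app.accounts
    FOR EACH ROW EXECUTE FUNCTION audit.log_change();

-- DBA: data rights only. Deliberately not ALL, because ALL includes TRIGGER,
-- which would let the DBA drop the audit trigger. Nothing in audit is granted.
GRANT USAGE ON SCHEMA app TO dba_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO dba_user;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA app TO dba_user;

-- Security admin: CREATEROLE covers access control; with no grant on app or
-- audit the admin can neither read core data nor delete log rows.
-- Auditor: may read the log; only the owner can UPDATE or DELETE it.
GRANT USAGE ON SCHEMA audit TO auditor_user;
GRANT SELECT ON audit.change_log TO auditor_user;

-- Residual gap the database cannot close by itself: the owner or a superuser,
-- and on older releases a CREATEROLE holder that grants itself dba_user, can
-- bypass this. So log role changes as well and ship them off the host.
ALTER SYSTEM SET log_statement = 'ddl';
ALTER SYSTEM SET log_destination = 'syslog';
```

The last two settings only help if syslog forwards to a collector that neither administrator can reach, which is the piece of the control that has to live outside the database.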
