It Auditing: Using Controls to Protect Information Assets [IT AUDITING -OS N/D]

The set of knowledge around database security is not nearly as vast as the knowledge around network or operating system security. There is, however, enough detail to effectively get the job done.

Below is a list of books written to assist in securing and understanding security in databases. If you do need to run an audit, it is recommended you review one of these books that apply to your specific database platform.

• Oracle Security Handbook, by Marlene L. Theriault and Aaron C. Newman

• Oracle Security Step-by-Step, by Pete Finnigan

• The Database Hacker's Handbook, by David Litchfield, Chris Anley, Bill Grindlay, and John Heasman

• Implementing Database Security and Auditing, by Ron Ben Natan

• SQL Server Security, by Chip Andrews, David Litchfield, Chris Anley, and Bill Grindlay

• SQL Server Security Distilled, by Morris Lewis

• SQL Server Security: What DBAs Need to Know, by K. Brian Kelley

• Oracle Privacy Security Auditing, by Arup Nanda and Donald Burleson

• Effective Oracle Database 10g Security by Design, by David Knox

• Special Ops, by Erik Birkholz et al.

• Mysql Security Handbook, by Wrox Author Team

• Cryptography in the Database: The Last Line of Defense, by Kevin Keenan

• Database Security, by Maria Grazia Fugini, Silvana Castano, and Giancarlo Martella

• Database Security and Auditing: Protecting Data Integrity and Accessibility, by Sam Afyouni

There are many online technical guides as well. The advantages of these guides are that they are often free, more update to date, and can be accessed from anywhere. Of course, they are also typically incomplete and not nearly as comprehensive as the books just listed.

• Oracle Database Security Checklist, by Oracle Corporation; available at http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf

• A Security Check List for Oracle9i, by Oracle Corporation; available at http://www.otn.oracle.com/deploy/security/oracle9i/index.html

• SANS Oracle Security Checklist; available at http://www.sans.org/score/checklists/Oracle_Database_Checklist.doc

• Ten Steps to Securing SQL Server 2000; available at http://www.microsoft.com/sql/techinfo/ administration/2000/security/securingsqlserver.asp

• SQLSecurity.com Checklist; available at http://www.sqlsecurity.com

• NIST Security Checklists; available at http://www.checklists.nist.gov/repository/ category.html

• ISACA Auditing Guidelines; available at http://www.isaca.org/

You also can gain practical, hands-on experience by attending a training course on database security. Below is a list of the more popular training courses:

• Red-Database-Security

• SANS course

• MIS Training

The majority of database vulnerabilities discovered and fixed can be credited to a relatively small subset of security researchers. While some groups, including many of the database vendors, view this work as "malicious," security researchers have done the database security market a huge service, and to top it all off, they have done it free of charge. The database vendors themselves have gone as far as to threaten law suits and revoke partnership agreements, and they have been particularly vocal about telling customers about how security researchers are "evil." The silver lining is that these security researchers are real watchdogs in the community. A good number of the really simple security vulnerabilities have been eliminated or at least reduced because of the work of these security researchers. Of course, the vendors have been dragged into securing and fixing their databases kicking and screaming the whole way.

The most prominent database security research teams include

• Argeniss Information Security at http://www.argeniss.com

• Red-Database-Security at http://www.red-database-security.com

• Application Security, Inc., Team SHATTER at http://www.appsecinc.com/aboutus/ teamshatter/index.html

• NGS Research at http://www.ngssoftware.com

• Pentest Limited at http://www.pentest.co.uk

• Pete Finnigan at http://www.petefinnigan.com

• Integrigy at http://www.integrigy.com

• Chip Andrews at http://www.sqlsecurity.com

These websites serve as the most definitive source of vulnerability information on databases. If you have a question about a particular vulnerability, search these locations, and you're likely to find an answer.

As always, never forget the most up-to-date source of database security–Google. Simply search on any term of interest such as "Oracle Exploits" or "Auditing MySQL." Google provides a great list of resources to explore to help you do your job.