
Lesson Learned with Database Monitoring

Created: 27 Sep 2011
jduff's picture

A story from a client site: I was involved in an annual systems audit for a financial firm. Part of the audit included a review of database security and internal auditing processes. In talking with the information security team, they had great difficulty with database monitoring and had run into a catch-22 situation. The database monitoring/auditing tool they had purchased was very complex to configure and relied upon a database to store all the rules and alerts. They also had real trouble determining the significance of all the alerts being generated and weren’t able to decide whether an alert was real or a false positive. They determined that they needed to hire a DBA to manage the monitoring system. At the time there was a hiring freeze, so they ended up going to the DBA team to ask for assistance. This made the DBA team chuckle, as they now had access to both the production databases and the systems recording all their actions.

 

The second part of this story is that the monitoring/auditing solution used the same database account, in terms of username and password, across all database servers to be monitored. Due to the nature of the database auditing, the auditing account had full system access to all tables and database structures. The password for this account was trivial and was cracked with Cain and Abel in about one hour, and was the first password to be cracked out of the list of passwords we audited. Using the compromised password, we were able to gain full access to all the systems being monitored.

 

The moral of the story: beware that good intentions don’t make things worse.
