Enrol for this course

Course Description

The course will address the security of the main types of relational database management systems, using a risk-based approach.  Each risk will be considered in relation to each type of database, allowing RSM auditors to learn how the risk is addressed by the databases under consideration.

(Duration: 3 days)

Databases and their relationship to the host operating system

• Security of the physical DBMS files – risks of deletion of database files
• Tablespace and control file risks
• Database archiving and recovery risks

Database schemas and the risk of improper separation of access

Network access controls

• Risks of improper client configuration
• Security issues of client/server network transmission
• Risks of database links
• Risks of web-based access to databases and applications

Database login controls

• Authentication risks – internal, external and global authentication
• Database logins and how to audit them
• Risks of default accounts and passwords
• Database roles and their risks
• Improper allocation of built-in roles
• Server and database roles and their risks

Database administrators and privileged users

• The database owner and database administrator
• Risks of improper use of DBA privilege
• Database privileges and how to audit them
• Risks of allocating excessive privileges to users
• Risks of the admin option
• User profiles and control of resources – risks of default profiles

Database objects

• Tables and views and how to identify them
• Risks of improper use of views – why does it matter?
• Procedures and packages - identifying the high-risk ones
• Database ownership chains and their associated risks

Object access permissions and how to audit the high-risk ones

Virtual Private Databases, Row-level security and their uses in enforcing separation of duties

Database auditing

• Risks of default database audit settings
• Activating database auditing
• What’s being audited? How to list the audit settings
• Limitations of built-in database auditing
• Use of triggers to overcome standard auditing limitations
• Risks of improper access to the audit trail
• Oracle Fine-Grained Auditing

Developing database auditing tools with scripting languages and SQL

Course presentation style and format

The course will be presented in hands-on format for Windows, Oracle 9, 10g, 11g and SQL Server 2000/2005, structured around a series of audit risk areas.  For each area, the course will describe the nature of the risk, any available controls and countermeasures, and the exposure if the controls are not implemented.  A course manual in PowerPoint format will be provided, together with a detailed audit program, structured into risk areas to correspond with the course manual.  Guidance will be provided on how to perform a ‘limited time’ review, indicating which areas in the audit programs should receive the highest priority. 

For the ‘hands-on’ aspects of the course, students will be provided with a laptop containing VMWare images of Windows 2003R2 servers, Oracle and SQL Server databases, with full database administrator access.

The courses will be presented by our Senior IT Management Consultant, Steve Rimell