CIPFA CATS Information Technology Seminar - PowerPoint PPT Presentation

About This Presentation
Title:

CIPFA CATS Information Technology Seminar

Description:

Data Security - What's Been In The News. Factors Now Driving Action ... Unauthorised Update to Customer Table. Solutions Landscape. Native Auditing. Statement Auditing ...

Slides: 36
Provided by: hami172

Transcript and Presenter's Notes

1
CIPFA CATS Information Technology Seminar
  • How Secure Are Your Personal Details?
  • Monday 14 September 2009

2
Presentation
  • Data Security - What's Been In The News
  • Factors Now Driving Action
  • How Are These Issues Being Resolved?
  • How Can The Effort To Me Be Minimised?
  • How Does It Protect Me?
  • Q & A

3
Data Security - What's Been In The News
  • Retail giant admits stolen 45 million credit card details
  • 600,000 people have identities lost by theft of Ministry of Defence laptop
  • Taxman loses sensitive personal data on 25m people
  • FSA fines Nationwide £980,000 for information security lapse
  • Société Générale uncovers £3.7bn fraud by rogue trader
  • Information on 84,000 prisoners in England and Wales lost
  • Nine NHS trusts lose patient data
  • Government attacked over DNA records again
4
Risk of Data Compromise

5
Factors Now Driving Action
  • Deeper focus and attention from Industry
    Regulators and Information Commissioners for
    demonstrable evidence of data systems integrity
  • Increased pressure from external Audit Firms and
    Govt Departments for more accurate sign off of
    data protection controls by Audit Committee
    Chairmen and Board Executives ACCOUNTABLE!
  • Data Handling in Government and Security
    Policy Framework documents

6
Factors Now Driving Action
  • Potential risk of new, emerging fraudulent data
    activity
  • Increasing temptation of financial data abuse in
    time of economic hardship
  • Drive to reduce costs, including IT spend, in
    2009 and 2010
  • Pressure on Internal Audit and Risk Compliance
    functions to come up with strategies to protect
    their organisations!

7
How Are These Issues Being Resolved?
Vulnerability Assessment - What can happen
  • Proactive security posture of existing environment
  • Look at how configuration differs from policy
  • Provide baseline differencing
  • Include industry best practice assessments
Activity Auditing & Monitoring - What did happen
  • Audit what people actually did
  • Continuous automated audit
  • Forensics with detailed incident reporting
  • Complete and trusted audit record

8
Database Security - The Issues
Top 5 Database Control Weaknesses
  • Auditing Privileged User Activity
  • Inadequate Review of Audit Logs
  • Separation of Duties
  • Timely Identification of Anomalous Activity
  • Managing User Account Terminations & Entitlements

9
Database Auditing & Monitoring

10
Database Audit Challenge
11
Database Audit Challenge
12
Database Audit Challenge
13
Database Audit Solution
14
Database Audit Solution
15
Database Audit Solution
16
Database Audit Solution
17
Statement Audit v Data Audit
Audit Requirement: Audit Privileged User access to company sensitive data. What did privileged user John do?
Network Monitoring - A record of what action Privileged User John took:
  • SQL Statements: Update scott.emp set salval = 200 where emprole = MGR
  • Stored Procedures: Exec sp_hrmful 200, MGR
The Problem
  • Audit data is incomplete. It raises more questions:
  • What is sp_hrmful?
  • What does it touch?
  • What is 200?
  • What is MGR?
  • What was the effect on the data?

The Impact - Significant manual time & effort to answer questions that those solutions based exclusively upon Network Monitoring leave unanswered
18
Statement Audit v Data Audit

Potential Business Impact Results
Network Monitoring - A record of what action Privileged User John took:
  • SQL Statements: Update scott.emp set salval = 200 where emprole = MGR
  • Stored Procedures: Exec sp_hrmful 200, MGR
Data Auditing - The impact the action caused on the data
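The contrast on slides 17 and 18 can be made concrete in code. The following is an added example, not part of the presentation and not Cervello's product: it builds a hypothetical `emp` table in SQLite, records a statement-level log (what a network or statement monitor sees crossing the wire) and a data-level audit trail (an `AFTER UPDATE` trigger writing before/after values). The stored procedure `sp_hrmful` is simulated as a Python function whose body runs on the "server" side, so the statement log only ever contains the call. The employee rows, user name `john` and the `payroll_batch` approved account are constructed for the example.

```python
import sqlite3

# Constructed sample rows for a scott.emp-style table (hypothetical data).
EMPLOYEES = [
    (7839, "KING", "PRESIDENT", 5000),
    (7698, "BLAKE", "MGR", 2850),
    (7782, "CLARK", "MGR", 2450),
    (7369, "SMITH", "CLERK", 800),
]

# Schema plus a data-audit trigger: every UPDATE on emp writes the before/after
# salary into emp_audit, tagged with the session user held in session_ctx.
SCHEMA = """
CREATE TABLE emp(empno INTEGER PRIMARY KEY, ename TEXT, emprole TEXT, salval INTEGER);
CREATE TABLE session_ctx(db_user TEXT);
CREATE TABLE emp_audit(
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    db_user    TEXT,
    action     TEXT,
    empno      INTEGER,
    old_salval INTEGER,
    new_salval INTEGER
);
CREATE TRIGGER emp_update_audit AFTER UPDATE ON emp
BEGIN
    INSERT INTO emp_audit(db_user, action, empno, old_salval, new_salval)
    VALUES ((SELECT db_user FROM session_ctx), 'UPDATE',
            OLD.empno, OLD.salval, NEW.salval);
END;
"""


def sp_hrmful(conn, amount, role):
    """Stand-in for the slide's stored procedure. Its body executes server-side,
    so the client connection carries only the call, never this UPDATE text."""
    conn.execute("UPDATE emp SET salval = ? WHERE emprole = ?", (amount, role))


PROCEDURES = {"sp_hrmful": sp_hrmful}


class ClientSession:
    """One user's database session. statement_log is what a statement or
    network monitor sees: the text that crossed the wire, nothing more."""

    def __init__(self, conn, db_user):
        self.conn = conn
        self.db_user = db_user
        self.statement_log = []
        conn.execute("DELETE FROM session_ctx")
        conn.execute("INSERT INTO session_ctx VALUES (?)", (db_user,))

    def execute(self, sql, params=()):
        self.statement_log.append((self.db_user, sql))
        self.conn.execute(sql, params)

    def call_procedure(self, name, *args):
        call_text = f"EXEC {name} {', '.join(str(a) for a in args)}"
        self.statement_log.append((self.db_user, call_text))
        PROCEDURES[name](self.conn, *args)


def new_database():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def data_audit_trail(conn):
    """Rows the trigger captured, in the order the changes happened."""
    return conn.execute(
        "SELECT db_user, action, empno, old_salval, new_salval "
        "FROM emp_audit ORDER BY audit_id"
    ).fetchall()


def run_scenario():
    """Privileged user John runs the procedure; return both audit views."""
    conn = new_database()
    john = ClientSession(conn, "john")
    john.call_procedure("sp_hrmful", 200, "MGR")
    return john.statement_log, data_audit_trail(conn)


def unauthorised_changes(audit_rows, approved_users):
    """Acceptable-use rule over the data audit trail: flag every salary change
    made by an account outside the approved set."""
    return [row for row in audit_rows if row[0] not in approved_users]


if __name__ == "__main__":
    statements, changes = run_scenario()
    print("Statement audit saw:", statements)
    print("Data audit recorded:", changes)
    print("Policy violations:  ", unauthorised_changes(changes, {"payroll_batch"}))
```

Running it shows the slide's point directly: the statement log holds a single entry, `EXEC sp_hrmful 200, MGR`, from which neither the affected rows nor the old values can be recovered, while the data audit trail lists each manager whose salary went from its previous value to 200 and can be evaluated against an acceptable-use rule without re-running anything. One caveat belongs with the design choice: a trigger lives inside the audited database, so a DBA with schema rights could disable it; the "independent of audited servers" bullet on slide 19 is about keeping the captured trail somewhere that same DBA cannot reach.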
19
Database Activity Monitoring
  • Audit trail of data activity on multiple servers
  • Changes to database schema and permissions (DDL), logins
  • Data changes (DML activity)
  • Data views - who looked at what tables (SELECTs)
  • Shared repository for archival storage
  • Centralised data collection
  • Independent of audited servers
  • Consolidation of data for ease of reporting
  • Long-term archival management
  • Secure Enterprise Database (e.g. Microsoft, Oracle, IBM, Sybase)

20
Database Audit Architecture
(Architecture diagram) Configuration Console; audited platforms: Microsoft, Oracle, Sybase, IBM; Audit Rules & Policies; Audit Results Database; Corporate Policies; Compliance Reporting; Security Policy Analysis; Anomaly Detection
21
Creating a Rule
22
Adding a New Rule
23
Reporting User Privilege Access Changes
24
Data Access Violation
Acceptable Use Policy Violation - Unauthorised Update to Customer Table
25
Solutions Landscape
Native Auditing
Statement Auditing
Data Auditing
26
Key Database Audit Questions
Repeatable and Cost Effective Audit Process
27
Database Vulnerability Management

28
Database Vulnerability Management
  • Privileged Users
    - Identify current privileged users
    - Identify privileged user entitlements
  • User Accounts
    - Identify and remove obsolete / dormant user accounts
    - Validate password policies are enforced
  • Database Configuration Security
    - Review access to key database objects by roles / users
    - Review access to key database objects by approved procedure vs SQL
    - Review operating system configuration settings / changes
    - Review DBMS configuration settings / changes
    - Review DBMS versions / patch levels
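The first two groups on this slide (privileged users and their entitlements, dormant accounts, password policy) are the checks an automated assessment tool runs over an account inventory. The following is an added example, not part of the presentation and not PFCLScan or any vendor's code: it works over a constructed, hypothetical inventory in which roles can contain other roles, so "who is privileged" has to be resolved transitively rather than read off the direct grants. The role names, account names, login dates and the 90-day thresholds are all assumptions made for the example.

```python
from datetime import date

# Constructed account inventory for a hypothetical DBMS (not from the presentation).
# A role may contain other roles, so entitlements must be resolved transitively
# before anyone can say who really holds DBA or SYSADMIN rights.
ROLE_CONTAINS = {
    "APP_ADMIN": {"DBA"},
    "DBA": {"SYSADMIN"},
    "SYSADMIN": set(),
    "REPORTING": set(),
}
PRIVILEGED_ROLES = {"DBA", "SYSADMIN"}

ACCOUNTS = {
    # name: (directly granted roles, last login, password max age in days or None)
    "alice":      ({"APP_ADMIN"},             date(2009, 9, 1),  90),
    "bob":        ({"REPORTING"},             date(2009, 3, 1),  90),
    "carol":      ({"REPORTING", "SYSADMIN"}, date(2009, 8, 20), None),
    "svc_legacy": ({"DBA"},                   None,              None),
}


def effective_roles(granted):
    """Transitive closure of the granted roles over ROLE_CONTAINS."""
    resolved, pending = set(), list(granted)
    while pending:
        role = pending.pop()
        if role in resolved:
            continue
        resolved.add(role)
        pending.extend(ROLE_CONTAINS.get(role, set()))
    return resolved


def privileged_users():
    """Accounts that end up holding a privileged role, even indirectly."""
    result = {}
    for name, (granted, _, _) in ACCOUNTS.items():
        held = effective_roles(granted) & PRIVILEGED_ROLES
        if held:
            result[name] = sorted(held)
    return result


def dormant_accounts(as_of, max_idle_days=90):
    """Accounts that never logged in or have been idle longer than the limit."""
    dormant = []
    for name, (_, last_login, _) in ACCOUNTS.items():
        if last_login is None or (as_of - last_login).days > max_idle_days:
            dormant.append(name)
    return sorted(dormant)


def weak_password_policy(max_age_days=90):
    """Accounts whose password never expires or expires later than allowed."""
    return sorted(name for name, (_, _, age) in ACCOUNTS.items()
                  if age is None or age > max_age_days)


def findings(as_of):
    """Assessment report; dormant privileged accounts are the priority item."""
    privileged = privileged_users()
    dormant = dormant_accounts(as_of)
    return {
        "privileged_users": privileged,
        "dormant_accounts": dormant,
        "dormant_privileged": sorted(set(dormant) & set(privileged)),
        "weak_password_policy": weak_password_policy(),
    }


if __name__ == "__main__":
    for key, value in findings(date(2009, 9, 14)).items():
        print(f"{key}: {value}")
```

The point the closure makes is that `alice` never appears in a direct DBA grant yet is a DBA through `APP_ADMIN`; a review that only lists direct grants would miss her. The `dormant_privileged` entry is what the slide's "identify and remove obsolete / dormant user accounts" bullet is really after: `svc_legacy` has never logged in, holds DBA rights and has a non-expiring password, which is the combination to remove first.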

29
Solutions Landscape
PFCLScan
30
Framework for Automated IT Controls
(Framework diagram) Policy Management System; Business Systems; Auditing and Monitoring Solutions; Controls Intelligence Repository; Supporting Risk and Control Matrix; solutions for Applications, Databases, Operating Systems and Networks
Change Management
  • Service Desk/Help desk
  • Change Management
  • Testing and Release Mgmt

31
Structured Approach For Success
  • Quick Win - Identify the key Privileged Users and key Databases you wish to audit
  • External Requirements - Identify key Regulatory, Compliance, and Audit requirements which you need to meet
  • Internal Requirements - Identify key internal audit controls you need to implement
  • Specify - Map External and Internal audit requirements to defined Policies; map to your Database estate
  • Rollout - Deploy automated auditing and reporting of Audit Policies across your estate
  • Monitor - Implement Alerts, Monitoring and Review processes

32
How Can The Effort To Me Be Minimised?
  • Define Corporate Policies
  • Identify Rules to Audit the Policies
  • Automate the Rules to the Policies
  • Automate Alerting and Reporting Process
  • Result - Automated / Sustainable Audit Process

(Cycle diagram) Define Specific Auditing Rules; Automate the Auditing Rules; Assess Compliance & Alert on Violations
33
How Does It Protect Me?
  • Provides fully documented audit trails of database activity for management, regulators and audit firms, for accurate sign off
  • Vindicates the good guys from the bad guys, i.e. immediately identifies the real perpetrators of fraudulent database activity
  • Provides independent evidence, and automation, of your current manual audit processes, i.e. true separation of duty
  • Stores forensic audit information for future analysis
  • Proves best database audit practices across all your organisation's databases
  • Saves time and money!

34
  • Q & A

35
Contact Details
  • Lindsay Hamilton CEO
  • lindsay.hamilton_at_cervello.co.uk
  • 0870 977 9128
  • London Edinburgh