Audit Findings: SQL Database


Yingyan Wang, Jing Jiang, Parneet Toor, Xinteng Chen, Vittorio DiPentino

Scope

Confidentiality
- Database authentication: strong password protection
- Database authorization: access control model; read/write privileges
- Data transmission: data encryption

Integrity
- Logging and monitoring: record of metadata (login times, edits and viewed data)
- System backup: backup schedule and methodology

Out of Scope
- Employee training programs: previously audited in the same calendar year
- The operating system hosting the databases: Internal Audit (IA) covers the OS in a separate audit

Finding 1: Root Account Not Renamed

Fact: The default administrative account for the database still has the user name root.
Standards: NIST Special Publication 800-63A, 800-63B
Root cause: No documented procedure requires the default administrative (root) account to be renamed.
Risk rating: High
Impact to the business: Loss of data confidentiality and integrity. The vendor default name gives an attacker half of the credential for the most privileged account, so password guessing and credential stuffing can be aimed directly at it.
Recommendations: Document a procedure for renaming the default administrative account and apply it to all major databases. Renaming on its own is a weak control, so combine it with restricting the account to local connections and a strong, unique password.
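The check and the fix for Finding 1, as an added example that is not part of the original audit report. It assumes the database is MySQL 8.x (the default account name root points that way); the replacement name dbadmin and the host values are placeholders chosen for this example, not names taken from the audited environment.

```sql
-- Assumed: MySQL 8.x; dbadmin and the host patterns are example values.

-- 1. Reproduce the finding: list every account still carrying the vendor
--    default name and where it may connect from. A root@'%' row means the
--    most privileged account is reachable from any network host.
SELECT user, host, plugin, account_locked
FROM mysql.user
WHERE user = 'root';

-- 2. Remediate: rename the local administrative account. Its privileges,
--    password hash and authentication plugin travel with it.
RENAME USER 'root'@'localhost' TO 'dbadmin'@'localhost';

-- 3. Remove any remote copies of the default account rather than renaming
--    them: an administrative account should only ever connect locally.
DROP USER IF EXISTS 'root'@'%';

-- 4. Verify: the query from step 1 now returns no rows, and the renamed
--    account has kept the grants it needs.
SELECT user, host FROM mysql.user WHERE user = 'root';
SHOW GRANTS FOR 'dbadmin'@'localhost';
```

Renaming only protects against blind guessing of the user name; anyone who can already read mysql.user sees the new name immediately, which is why step 3 and a strong password matter more than the rename itself. Any backup jobs, monitoring agents or scripts that hard-code root must be updated before the rename is run in production, or they will start failing (and generating the failed logins discussed under Finding 3).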

Finding 2: Unencrypted Data Transmission

Fact: Data is not encrypted when it is transferred over the internet.
Standards: NIST SP 800-175, FIPS PUB 140-2 (now superseded by FIPS 140-3 for new module validations)
Root cause: Lack of security awareness, and encryption is neither enabled nor enforced by default in the database configuration.
Risk rating: High
Impact to the business: Private data could be disclosed or modified in transit, which may lead to lawsuits, reputational damage and financial loss.
Recommendations: Put an encryption method in place that matches the sensitivity of the data: TLS for every client-to-database connection, enforced on the server side so that a plaintext connection is refused rather than merely discouraged.
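How a practitioner would reproduce and close Finding 2 on the server, as an added example that is not from the original audit. It assumes MySQL 8.x with a server certificate already installed (ssl_ca, ssl_cert and ssl_key configured); the account app_user is a placeholder.

```sql
-- Assumed: MySQL 8.x with a server certificate already configured;
-- app_user@'%' is an example account, not one from the audited system.

-- 1. Reproduce the finding: is plaintext transport allowed, and which live
--    sessions are using it? CONNECTION_TYPE is 'TCP/IP' for an unencrypted
--    network connection and 'SSL/TLS' for an encrypted one.
SHOW VARIABLES LIKE 'require_secure_transport';   -- OFF reproduces the finding
SELECT processlist_user, processlist_host, connection_type
FROM performance_schema.threads
WHERE type = 'FOREGROUND' AND connection_type = 'TCP/IP';

-- 2. Remediate at the server: refuse any connection that is neither TLS nor
--    a local socket. SET PERSIST keeps the setting across restarts.
SET PERSIST require_secure_transport = ON;
SET PERSIST tls_version = 'TLSv1.2,TLSv1.3';   -- drop legacy protocol versions

-- 3. Remediate per account as defence in depth, so the requirement survives
--    even if the global setting is reverted during a later change.
ALTER USER 'app_user'@'%' REQUIRE SSL;

-- 4. Verify from a client session: a non-empty cipher proves that this
--    particular connection is encrypted.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';
```

Server-side enforcement stops data from ever crossing the network in the clear, which is the finding. It does not by itself stop an active attacker from impersonating the server: for that the clients must also verify the server certificate (in the MySQL client, ssl-mode VERIFY_CA or VERIFY_IDENTITY rather than the default), so the client configuration should be part of the same remediation ticket.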

Finding 3: Lack of Login Monitoring

Fact: Employees can try every possible password against the database because there is no limit on failed login attempts.
Standards: NIST SP 800-63B, section 5.2.2 (rate limiting)
Root cause: No login-monitoring configuration limits failed login attempts, and the importance of login monitoring is not understood.
Impact to the business: Unauthorized access, loss of confidentiality and integrity of information, loss of competitive advantage, and reputational damage.
Risk rating: Moderate
Recommendations: Enforce a limit on failed login attempts (lock or throttle the account after a small number of consecutive failures) and alert on bursts of failures so that an attack is noticed while it is still in progress.
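One example, added here and not part of the original audit, that covers both Finding 3 and the password-screening root cause recorded under Finding 4 below, since both are controls against password guessing. It assumes MySQL 8.0.19 or later (FAILED_LOGIN_ATTEMPTS needs 8.0.19; the validate_password component needs 8.0). The account names, the dictionary file path and the login events in the last query are constructed for this example.

```sql
-- Assumed: MySQL 8.0.19+. app_user, the blocklist path and the login
-- events below are constructed for this example.

-- Finding 3, remediation: lock app_user after 5 consecutive failures for
-- 1 day. The counter is per account and resets on a successful login or on
-- ALTER USER ... ACCOUNT UNLOCK, so this stops single-account guessing.
ALTER USER 'app_user'@'%' FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

-- Finding 4, remediation: server-side screening of new passwords.
-- dictionary_file is a blocklist, one password per line; the STRONG policy
-- makes the dictionary check mandatory, and check_user_name rejects
-- passwords built from the account name (user jonathan -> "Jonathan1").
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = 'STRONG';
SET PERSIST validate_password.length = 12;
SET PERSIST validate_password.dictionary_file = '/etc/mysql/blocked_passwords.txt';  -- assumed path
SET PERSIST validate_password.check_user_name = ON;

-- Score candidates before rolling the policy out: 100 means every check,
-- including the dictionary lookup, passed.
SELECT VALIDATE_PASSWORD_STRENGTH('Abcd1234')                AS weak_score,
       VALIDATE_PASSWORD_STRENGTH('gravel-Lantern-42-orbit') AS strong_score;

-- Finding 3, monitoring: a constructed login log standing in for the
-- server's audit or error log. Five failures in four seconds from one source
-- followed by a success is a guessed password, not a forgetful user.
WITH auth_events (ts, user_name, src_host, outcome) AS (
  SELECT CAST('2024-03-01 09:00:01' AS DATETIME), 'jonathan', '10.0.0.5', 'denied' UNION ALL
  SELECT CAST('2024-03-01 09:00:02' AS DATETIME), 'jonathan', '10.0.0.5', 'denied' UNION ALL
  SELECT CAST('2024-03-01 09:00:02' AS DATETIME), 'jonathan', '10.0.0.5', 'denied' UNION ALL
  SELECT CAST('2024-03-01 09:00:03' AS DATETIME), 'jonathan', '10.0.0.5', 'denied' UNION ALL
  SELECT CAST('2024-03-01 09:00:04' AS DATETIME), 'jonathan', '10.0.0.5', 'denied' UNION ALL
  SELECT CAST('2024-03-01 09:00:05' AS DATETIME), 'jonathan', '10.0.0.5', 'ok'     UNION ALL
  SELECT CAST('2024-03-01 09:15:00' AS DATETIME), 'parneet',  '10.0.0.9', 'denied' UNION ALL
  SELECT CAST('2024-03-01 09:15:30' AS DATETIME), 'parneet',  '10.0.0.9', 'ok'
),
bursts AS (
  -- 5 or more failures for one (account, source) inside a 10-minute window
  SELECT user_name, src_host,
         COUNT(*) AS failures, MIN(ts) AS first_failure, MAX(ts) AS last_failure
  FROM auth_events
  WHERE outcome = 'denied'
  GROUP BY user_name, src_host
  HAVING COUNT(*) >= 5
     AND TIMESTAMPDIFF(MINUTE, MIN(ts), MAX(ts)) <= 10
)
SELECT b.*,
       EXISTS (SELECT 1 FROM auth_events s
               WHERE s.user_name = b.user_name AND s.src_host = b.src_host
                 AND s.outcome = 'ok' AND s.ts > b.last_failure) AS followed_by_success
FROM bursts b;
```

On the constructed log the final query flags only jonathan from 10.0.0.5, with a success right after the burst, which is the row an analyst should treat as a probable compromise rather than a lockout to clear. The single failure from parneet is a normal typo and is correctly ignored. Note the limit of a per-account lockout: a password-spraying attacker who tries one common password against many accounts never trips FAILED_LOGIN_ATTEMPTS, so the monitoring side should also group failures by source host and count distinct accounts, not only by account.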

Finding 4: Database Authentication

Fact: Password requirements are a length between 8 and 15 characters, with at least one upper-case character, one lower-case character and one number. Employees use simple passwords such as Abcd1234 or their name followed by a number (e.g. Jonathan1).
Standards: NIST Special Publication 800-63B, Authenticator Assurance Level 1
Root cause: No blocklist of prohibited passwords.
Impact to the business: Dictionary attacks can be used to break into accounts that use simple passwords.
Risk rating: Moderate
Recommendations: Require stronger passwords. Under SP 800-63B the effective control is screening every new password against a list of commonly used, expected and compromised values, which would reject Abcd1234 and Jonathan1 even though both satisfy the current rules. The 15-character maximum should also be removed, since 800-63B recommends accepting passwords of at least 64 characters and advises against composition rules of the kind that produced these predictable patterns.

Finding 5: System Backup and Recovery

Fact: Data backups are not taken regularly, and the Recovery Point Objective (RPO) is not defined.

Standards: NIST Special Publication 800-34 Rev. 1
Root cause: No business continuity plan specifies the minimum frequency and scope of backups based on data criticality.
Risk rating: High
Impact to the business: Loss of data integrity, financial and reputational loss, and lower performance and efficiency.
Recommendations: Establish a business continuity plan that specifies backup and recovery requirements (an RPO and a Recovery Time Objective per dataset, backup frequency and retention), and test restores on a schedule, since an untested backup does not demonstrate that the RPO can actually be met.

Conclusion

Risk ratings:
High risk: Findings 1, 2 and 5
Moderate risk: Findings 3 and 4
Overall risk rating: High

Final audit opinion: The review of the SQL database shows a gap between the current and the expected security posture. The database is at high risk of attack, and the confidentiality and integrity of its data are not fully protected by controls. It is our final opinion that each recommendation be met with a solution that satisfies it.
