The data protection ecosystem within an enterprise is made up of many roles that each play a part in securing the business. Internal auditors are among the central figures providing oversight: they assess where pockets of cyber risk are located and communicate them to the security organization, which then mitigates the issues found.
When it comes to database protection, sometimes called “securing the last mile,” the work is cumbersome and complicated for auditors but is nonetheless a critical part of reducing cyber risk in the business. Auditors rarely have unlimited time to produce an audit trail, so time is money. The problem lies in the inefficient approach to database auditing that many take, especially when they audit databases for both security and compliance rather than for compliance alone.
Whether the auditor is internal or external, at the end of the day it is their job to inspect, find, and report on the risk that an audit customer has, says Thomas Patterson, senior product manager at Trustwave.
“What they have to show is the risk level and the advice that they suggest as it relates to it,” Patterson says. “I’d say that 99 percent of the time they’re conducting their job because there’s a belief that there’s a problem, so they need to report what kind of risk they’ve detected in the database.”
Since inefficiency is the auditor’s worst enemy here, below are the three areas where it primarily arises and how it can leave an organization exposed to serious cyber risk:
The discovery phase of a database audit is likely the most important one. It is the phase that reveals whether the security organization has vulnerabilities or misconfigurations to address, the kind that have led to several notable breaches recently.
Given that dispersed data is the norm for any modern-day enterprise, many auditors have to manually locate all databases that house sensitive information, which is an incredibly tedious task, Patterson says.
“At that point, you’d have to manually check for patch levels and check all of the configurations, check to see if the operating system is encrypted, if the files are encrypted, in addition to checking if the configuration is using best practices,” he says. “And it doesn’t end there.”
Other manual work tied to the discovery phase includes reviewing every user to see who has access to, or has interacted with, sensitive data, cross-referencing that against administrative privileges, and manually searching for and analyzing vulnerabilities with custom scripts.
“You’re talking about producing a folder with hundreds of SQL scripts that would then be run on a database, to then manually collate all of that information in a giant report,” Patterson says.
Apart from the resource and timing challenges, the process is error-prone: a vulnerability or misconfiguration overlooked during discovery is one that can later become a security incident.
Discovering the information is a time-consuming challenge in itself, but analyzing it is an even bigger one for auditors. In many cases the norm is to go through each configuration line by line to make sure every section has been inspected.
Analyzing that information, which can run to tens of thousands of lines of configuration settings, patch levels, and file listings, is a strain on the eyes and the attention, all in the quest to determine cyber risk.
“You can only imagine how defeating this could seem,” Patterson says. “Being able to cross-reference the information that’s collected without a tool in place is incredibly difficult and time-consuming, but it’s still happening.”
A database security audit must inspect all of the activity and users to provide the contextual information the security organization needs to mitigate any issues found. To speed up this process and head off a significant incident, the data gathered during the audit’s discovery phase would ideally be assessed automatically as it is pulled in, so that each finding is classified by type and severity at collection time rather than in a later manual pass, Patterson suggests.
“If it’s a critical finding that needs to be addressed immediately, it would be in this case,” he adds.
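The manual approach Patterson describes is a folder of per-check SQL scripts whose output is collated by hand. The following is an added example, not code from the article or from any Trustwave product, of the alternative he argues for: several discovery checks (patch level, privileged roles, weak server settings, grants to PUBLIC, credential-less authentication rules) collected in one query, with each row tagged with a severity as it is pulled in. It assumes PostgreSQL 10 or later, uses only the standard catalog views, and the severity assigned to each check is the author’s assumption, not a published baseline.

```sql
-- Added example, not part of the original article or any Trustwave tool.
-- Assumes PostgreSQL 10 or later and a role allowed to read pg_hba_file_rules
-- (superuser, or pg_read_server_files on newer releases). Run it with:
--   psql -d <database> -f audit_findings.sql
-- Each check is one branch of a UNION; every row carries a severity so the
-- result comes back already triaged. Severity levels are this example's own
-- assumption and should be mapped to the benchmark the audit is measured against.
WITH findings (severity, check_name, detail) AS (
    -- Patch level: the exact server build, to compare against the vendor's current release
    SELECT 'info'::text, 'patch_level', version()
  UNION ALL
    -- Superusers bypass every privilege check; each one must be justified
    SELECT 'critical', 'superuser_role', rolname::text
      FROM pg_roles
     WHERE rolsuper
  UNION ALL
    -- Non-superusers holding powerful attributes (role creation, replication, RLS bypass)
    SELECT 'high', 'privileged_non_superuser', rolname::text
      FROM pg_roles
     WHERE NOT rolsuper
       AND (rolcreaterole OR rolreplication OR rolbypassrls)
  UNION ALL
    -- Login roles whose password never expires
    SELECT 'medium', 'password_never_expires', rolname::text
      FROM pg_roles
     WHERE rolcanlogin
       AND rolvaliduntil IS NULL
  UNION ALL
    -- Server settings that weaken transport security, password storage, or audit logging
    SELECT CASE name WHEN 'ssl' THEN 'high' ELSE 'medium' END,
           'weak_setting:' || name,
           setting
      FROM pg_settings
     WHERE (name = 'ssl'                 AND setting = 'off')
        OR (name = 'password_encryption' AND setting <> 'scram-sha-256')
        OR (name = 'log_connections'     AND setting = 'off')
        OR (name = 'log_statement'       AND setting = 'none')
  UNION ALL
    -- Table privileges granted to PUBLIC are reachable by every role that can log in
    SELECT 'high', 'public_table_grant',
           table_schema || '.' || table_name || ' (' || privilege_type || ')'
      FROM information_schema.role_table_grants
     WHERE grantee = 'PUBLIC'
       AND table_schema NOT IN ('pg_catalog', 'information_schema')
  UNION ALL
    -- Host-based authentication rules that accept connections without any credential
    SELECT 'critical', 'hba_trust_rule',
           'line ' || line_number || ': ' || type || ' ' || coalesce(address, 'local')
      FROM pg_hba_file_rules
     WHERE auth_method = 'trust'
)
SELECT severity, check_name, detail
  FROM findings
 ORDER BY array_position(ARRAY['critical', 'high', 'medium', 'info'], severity),
          check_name,
          detail;
```

Each branch stands in for one of the scripts in Patterson’s folder; adding a check is a matter of adding a branch with its own severity, and the ordering clause means the critical findings he mentions surface at the top of the result rather than being hunted for in a spreadsheet afterwards. The `pg_hba_file_rules` branch is the one that needs elevated privilege; if the auditing role lacks it, drop that branch and review `pg_hba.conf` on the host instead.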
Perhaps the most critical component of a database audit is the reporting, and with so much critical information to assemble and compare, the final result needs to communicate the audit’s conclusions and recommendations effectively.
Current ineffective practices include using Excel spreadsheets, Word documents, or a combination of other applications to collate the information into a report for executive review. Depending on the reader, be it the CEO, CIO or CISO, the report will have to be presented differently for each audience even though it is built from the same data, Patterson says. “They’ll all be interested in different results depending on the organizational lens they look through,” he says. “An executive report isn’t going to go into the details as to why something is bad, and it may just provide a broad overview of risk.”
Given the importance of communicating cyber risk to key stakeholders, assembling multiple reports for different business leaders, on time and in parallel, is challenging but a necessary part of the database audit.
To overcome the efficiency challenges outlined above, many enterprises end up building their own auditing tools, a better use of resources than maintaining folders of custom scripts, which demand even more manual effort. Many third-party applications, meanwhile, require a significant investment as well as a complex implementation that can further delay the audit.
Because the proprietary information housed in databases makes them a prime target for cybercriminals, speeding up the database audit today requires precise, accurate, and thorough tooling, backed by a trusted knowledge base, so that auditors can have confidence in the findings they report.
Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.