This chapter describes:
The Guardium Vulnerability and Threat Management solution is the first step in security and compliance lifecycle management for any IT environment. A set of predefined and custom tests, together with a process workflow, allows organizations to identify and address database vulnerabilities in an automated fashion, proactively improving configurations and hardening infrastructure.
Included in the Guardium Vulnerability and Threat Management solution are:
Database Auto-Discovery – performs a network auto-discovery of the database environment and creates a graphical representation of the interactions among database clients and servers.
Database Content Classifier – automatically discovers and classifies sensitive data, such as 16-digit credit card numbers and 9-digit Social Security numbers, helping organizations quickly identify faulty business or IT processes that store confidential data.
Database Vulnerability Assessment – scans the database infrastructure for vulnerabilities and provides an evaluation of database and data security health, with real-time and historical measurements.
CAS (Change Audit System) – tracks all changes to items such as database structures, security and access controls, critical data values, and database configuration files.
Compliance Workflow Automation – automates the entire compliance process, from assessment and hardening through activity monitoring to audit reporting, report distribution, and sign-off by key stakeholders.
The Guardium Vulnerability Assessment application enables organizations to identify and address database vulnerabilities in a consistent and automated fashion. Guardium's assessment process evaluates the health of your database environment and recommends improvements by:
Assessing system configuration against best practices and finding vulnerabilities or potential threats to database resources, including configuration and behavioral risks. For example, identifying all default accounts that have not been disabled, checking public privileges, checking the authentication methods chosen, and so on.
Finding any inherent vulnerabilities present in the IT environment, such as missing security patches.
Recommending and prioritizing an action plan based on the discovered areas of most critical risk and vulnerability. The generated reports and recommendations provide guidelines on how to meet compliance requirements and raise the security of the evaluated database environment.
Guardium's Database Vulnerability Assessment combines three testing methods to provide depth and breadth of coverage. It leverages multiple sources of information to compile a full picture of the security health of the database and data environment.
Agent-based – using software installed on each endpoint (e.g. a database server). Agents can determine aspects of the endpoint that cannot be determined remotely, such as an administrator's access to sensitive data directly from the database console.
Passive detection – discovering vulnerabilities by observing network traffic.
Scanning – interrogating an endpoint over the network through credentialed access.
Predefined tests are designed to illustrate common vulnerability issues that may be encountered in database environments. Because of the highly variable nature of database applications and the differences in what is deemed acceptable in various companies or situations, some of these tests may be suitable for certain databases but entirely inappropriate for others (even within the same company). Most of the predefined tests are customizable to meet the requirements of your organization. Additionally, to keep your assessments current with industry best practices and protect against newly discovered vulnerabilities, Guardium distributes new assessment tests and updates on a quarterly basis as part of its Database Protection Subscription Service. Refer to the Guardium Administration Guide for more details.
This set of tests assesses the security health of the database environment by observing database traffic in real time and discovering vulnerabilities in the way information is being accessed and manipulated.
As an example, some of the behavioral vulnerability tests included are:
Default users access
Access rule violations
Execution of Admin, DDL, and DBCC commands directly from the database clients
Excessive login failures
Excessive SQL errors
After hours logins
Excessive administrator logins
Checks for calls to extended stored procedures
Checks that user ids are not accessed from multiple IP addresses
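The behavioral tests above are evaluations run over observed login and session activity rather than over catalog settings. The following added example (not Guardium code) implements four of the listed checks in Python over a constructed set of login records; the thresholds, the business-hours window and the list of vendor default user names are assumptions chosen for the example, standing in for the values an administrator would configure in the product.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample of database login events (not real Guardium traffic).
# Fields: timestamp, database user, client IP, whether the login succeeded.
SAMPLE_LOGINS = [
    ("2024-03-04 09:01:00", "appuser", "10.0.0.5", True),
    ("2024-03-04 09:02:00", "appuser", "10.0.0.5", True),
    ("2024-03-04 09:03:00", "scott",   "10.0.0.9", False),
    ("2024-03-04 09:03:10", "scott",   "10.0.0.9", False),
    ("2024-03-04 09:03:20", "scott",   "10.0.0.9", False),
    ("2024-03-04 09:03:30", "scott",   "10.0.0.9", False),
    ("2024-03-04 09:05:00", "scott",   "10.0.0.9", True),
    ("2024-03-04 22:15:00", "dba1",    "10.0.0.7", True),
    ("2024-03-04 10:30:00", "dba1",    "192.168.1.20", True),
]

# Assumed policy values for the example; a real deployment configures its own.
FAILED_LOGIN_THRESHOLD = 3                    # failures per user per clock hour
BUSINESS_HOURS = (time(8, 0), time(18, 0))    # logins outside this window are "after hours"
DEFAULT_USERS = {"scott", "sa", "sys", "system"}  # vendor default accounts


def parse(records):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip, ok)
            for ts, user, ip, ok in records]


def excessive_login_failures(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Users whose failed logins within a single clock hour exceed the threshold."""
    failures = defaultdict(int)
    for ts, user, _ip, ok in parse(records):
        if not ok:
            failures[(user, ts.replace(minute=0, second=0))] += 1
    return sorted({user for (user, _hour), n in failures.items() if n > threshold})


def after_hours_logins(records, window=BUSINESS_HOURS):
    """Users with a successful login outside the business-hours window."""
    start, end = window
    return sorted({user for ts, user, _ip, ok in parse(records)
                   if ok and not (start <= ts.time() < end)})


def users_from_multiple_ips(records):
    """User ids that logged in successfully from more than one client IP address."""
    ips = defaultdict(set)
    for _ts, user, ip, ok in parse(records):
        if ok:
            ips[user].add(ip)
    return sorted(user for user, addrs in ips.items() if len(addrs) > 1)


def default_user_access(records, defaults=DEFAULT_USERS):
    """Vendor default accounts that were used for a successful login."""
    return sorted({user for _ts, user, _ip, ok in parse(records) if ok and user in defaults})


def run_behavioral_tests(records):
    """Run every check and return the findings keyed by test name."""
    return {
        "Default users access": default_user_access(records),
        "Excessive login failures": excessive_login_failures(records),
        "After hours logins": after_hours_logins(records),
        "User ids accessed from multiple IP addresses": users_from_multiple_ips(records),
    }


if __name__ == "__main__":
    for name, hits in run_behavioral_tests(SAMPLE_LOGINS).items():
        print(f"{name}: {hits or 'no findings'}")
```

Each check keys on successful logins except the failure count, so a user who only fails to authenticate does not appear under "after hours" or "multiple IP addresses"; whether attempted but failed access from a default account should also count is a policy decision that the threshold and filter parameters are there to express.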
This set of assessments checks the security-related configuration settings of target databases, looking for common mistakes or flaws in configuration that create vulnerabilities.
As an example, the current categories, with some high-level tests, for configuration vulnerabilities include:
Privilege
Object creation / usage rights
Privilege grants to DBA and individual users
System level rights
Authentication
User account usage
Remote login usage
Password regulations
Configuration
Database specific parameter settings
System level parameter settings
Version
Database versions
Database patch levels
Object
Installed sample databases
Recommended database layouts
Database ownership
Guardium provides an interface to define custom assessment tests, either as a Java class or through Guardium's query builder facility. A custom assessment test is a user-written vulnerability assessment test implemented as a Java class. Custom tests must be uploaded to the system by the administrator before they can be used. For information about creating and maintaining custom tests, see the Custom Assessment Tests topic in the Administrator Guide.
Query-based tests are user-defined tests that can be created quickly and easily by defining or modifying a SQL query; the query is run against the database datasource and its result is compared to a predefined test value.
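To show what a query-based test amounts to in practice, and how it maps onto the configuration categories listed above (Privilege, Authentication, Object), the following added example (not Guardium's query builder or its code) runs scalar SQL queries against a datasource and compares each result to a predefined value with a chosen operator. The datasource is an in-memory SQLite database with a constructed stand-in catalog; the table and column names, the sample rows and the pass thresholds are assumptions for the example and are not any vendor's real system catalog.

```python
import operator
import sqlite3

# Constructed stand-in for a database system catalog (assumed schema, not a
# real vendor catalog), populated with rows that trip several of the checks.
SCHEMA = """
CREATE TABLE accounts(name TEXT, is_default INTEGER, enabled INTEGER, remote_login INTEGER);
CREATE TABLE databases(name TEXT);
CREATE TABLE privileges(grantee TEXT, privilege TEXT, object TEXT);
CREATE TABLE parameters(name TEXT, value TEXT);
"""
SAMPLE_ROWS = """
INSERT INTO accounts VALUES ('sa', 1, 1, 0), ('guest', 1, 0, 1), ('appuser', 0, 1, 0);
INSERT INTO databases VALUES ('prod'), ('Northwind');
INSERT INTO privileges VALUES ('PUBLIC', 'EXECUTE', 'xp_cmdshell'), ('appuser', 'SELECT', 'orders');
INSERT INTO parameters VALUES ('remote_access', 'ON'), ('min_password_length', '6');
"""

# Comparison operators a test may use between the query result and the test value.
OPS = {"=": operator.eq, "!=": operator.ne, "<=": operator.le, ">=": operator.ge}

# A query-based test: name, configuration category, scalar SQL query,
# comparison operator, and the predefined value the result is compared to.
QUERY_TESTS = [
    ("Default accounts still enabled", "Authentication",
     "SELECT COUNT(*) FROM accounts WHERE is_default = 1 AND enabled = 1", "=", 0),
    ("Sample databases installed", "Object",
     "SELECT COUNT(*) FROM databases WHERE name IN ('Northwind', 'pubs', 'AdventureWorks')", "=", 0),
    ("PUBLIC can execute extended stored procedures", "Privilege",
     "SELECT COUNT(*) FROM privileges WHERE grantee = 'PUBLIC' AND privilege = 'EXECUTE' "
     "AND object LIKE 'xp\\_%' ESCAPE '\\'", "=", 0),
    ("Minimum password length", "Authentication",
     "SELECT CAST(value AS INTEGER) FROM parameters WHERE name = 'min_password_length'", ">=", 8),
    ("Enabled accounts permitted remote login", "Authentication",
     "SELECT COUNT(*) FROM accounts WHERE remote_login = 1 AND enabled = 1", "=", 0),
]


def open_datasource():
    """Create the constructed in-memory datasource the tests run against."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def run_query_test(conn, test):
    """Execute one test's query and compare the scalar result to the test value."""
    name, category, sql, op, expected = test
    actual = conn.execute(sql).fetchone()[0]
    passed = OPS[op](actual, expected)
    return {"test": name, "category": category, "actual": actual,
            "expected": f"{op} {expected}", "result": "PASS" if passed else "FAIL"}


def run_assessment(conn, tests=QUERY_TESTS):
    """Run every query-based test and return one result record per test."""
    return [run_query_test(conn, t) for t in tests]


def failed_tests(results):
    """Names of the tests that did not meet their predefined value."""
    return [r["test"] for r in results if r["result"] == "FAIL"]


if __name__ == "__main__":
    for r in run_assessment(open_datasource()):
        print(f"{r['result']:4} [{r['category']}] {r['test']}: "
              f"actual={r['actual']}, expected {r['expected']}")
```

The queries are deliberately scalar (a COUNT or a single parameter value) so that the comparison is a simple operator against one number; a test that needs a list of offending objects is better expressed as a COUNT for pass/fail plus a second reporting query. Note the ESCAPE clause on the LIKE pattern: without it the underscore in `xp_` is a single-character wildcard and the test would also match names such as `xpa...`.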