Databases remain a prime target for cybercriminals and insider threats. Ensuring enterprises can achieve their business objectives without concerns about sensitive data security is a value-add proposition for internal audit departments looking to perpetuate their role as trusted advisors to executive management. Databases are best secured using a defense-in-depth approach using control assessment. This approach is a great starting point for assessing core areas of a database, including host security, database access and encryption configurations.
In the 2022 Verizon Data Breach Investigations Report (DBIR), database-related incidents from the report period (Q1 2020-Q4 2021) were reviewed and a staggering 718 data breaches were reported, with 705 of these security breaches involving lost personal and enterprise data. The report shows that misdelivery of information to unintended recipients and misconfiguration of enterprise databases are driving this trend. The takeaway is that perpetuating a secure default database configuration is a critical step in maintaining sound enterprise security. As the technology landscape changes and enterprises add applications or shift their deployment strategy, perpetuating database security should remain a core security and audit focus.
Database compromise is a primary end goal for cybercriminals, whether it is stealing the data or making the database and stored records inaccessible to the enterprise.
An audit guidance for assessing the security control posture for enterprise database deployments was recently developed. The assurance guidance and controls cover general database controls with additional consideration given to securing MySQL, Oracle and Microsoft Windows SQL server deployments. The larger audit package is detailed in the ISACA Microsoft SQL Server Database Audit Program.
When using the program, it is best to begin with reviewing your database environments using the general controls section as this part of the program is generally applicable to any database deployment, whether its MySQL or MariaDB. Targeted audit guidance is then provided for the three most popular database technologies in MySQL, Microsoft SQL and Oracle database. Use of the technology-specific audit guidance will allow key controls to be assessed across all major control categories (i.e., access control, audit logging). If you are looking to expand the audit program for your environment, it may be helpful to research vendor security guides or other industry guidance as they provide a wealth of valuable database security auditing instruction.
Editor’s note: For further insights on this topic, read Adam Kohnke’s recent Journal article, “Managing Security Across Disparate Database Technologies,” ISACA Journal, volume 4 2022.
ISACA Journal turns 50 this year! Celebrate with us—and do not forget you can still receive the print copy by visiting your preference center and opting in!