Why Inefficiency is a Database Auditor’s Worst Nightmare

The data protection ecosystem within an enterprise is made up of a collection of roles that each play their part in securing the business. Internal auditors are among the central figures providing oversight: they assess where pockets of cyber risk are located and communicate them to the security organization, which then mitigates any issues found.

When it comes to database protection, also referred to as “securing the last mile,” the work at hand can be incredibly cumbersome and complicated for auditors, but it is nonetheless a critical part of reducing cyber risk within the business. Auditors rarely have unlimited time to produce an audit trail, so time is money. The problem lies in the inefficient approach to database auditing that many take, especially when they audit databases for both compliance and security rather than for compliance alone.

No matter if it’s an internal or external auditor, at the end of the day it’s their job to inspect, find, and report on the risk that an audit customer has, says Thomas Patterson, senior product manager at Trustwave.

“What they have to show is the risk level and the advice that they suggest as it relates to it,” Patterson says. “I’d say that 99 percent of the time they’re conducting their job because there’s a belief that there’s a problem, so they need to report what kind of risk they’ve detected in the database.”

Given that inefficiency is, in this context, an auditor’s worst nightmare, below are the three areas where it primarily comes into play and how it can produce a dire cyber risk scenario for organizations:

Error-Prone Identification

The discovery phase of a database audit is likely the most important one. Its findings determine whether the security organization has to address any vulnerabilities or misconfigurations, the kinds of weaknesses that have been behind several notable recent breaches.

Given that dispersed data is the norm for any modern-day enterprise, many auditors have to manually locate all databases that house sensitive information, which is an incredibly tedious task, Patterson says.

“At that point, you’d have to manually check for patch levels and check all of the configurations, check to see if the operating system is encrypted, if the files are encrypted, in addition to checking if the configuration is using best practices,” he says. “And it doesn’t end there.”

Other manual work tied to the discovery phase can include reviewing every user to see who had access to, or interacted with, the data; cross-referencing that information against admin privileges; and manually searching for and analyzing vulnerabilities with custom scripts.

“You’re talking about producing a folder with hundreds of SQL scripts that would then be run on a database, to then manually collate all of that information in a giant report,” Patterson said. 

Apart from the resource and timing challenges, it’s also an error-prone process that could result in overlooked vulnerabilities or misconfigurations that could lead to security incidents.

Manual Assessments

Discovering the information is a time-consuming challenge in itself, but analyzing it is an even bigger one for auditors. In many cases, the norm is to go through specific configurations line by line to be sure that every single section has been looked at.

Analyzing that information—which in some cases could be tens of thousands of lines of information including configurations, patch levels, and files—results in an incredible amount of eye strain, all in the quest to determine cyber risk.

“You can only imagine how defeating this could seem,” Patterson says. “Being able to cross-reference the information that’s collected without a tool in place is incredibly difficult and time-consuming, but it’s still happening.”

A database security audit must inspect all of the activity and users to provide contextual information that’s necessary for the security organization to mitigate any issues found. To speed up this process and prevent any significant incident from occurring, the data gathered during the audit’s identification phase would ideally be assessed automatically as it’s being pulled in and identified to determine what type of issue it is, Patterson suggests.

“If it’s a critical finding that needs to be addressed immediately, it would be in this case,” he adds.

Arduous Reporting

Perhaps the most critical component of a database audit is the reporting, and with so much critical information to assemble and compare, the final result needs to communicate the audit’s conclusions and recommendations effectively.

Current ineffective practices include using Excel spreadsheets, Word documents, or a combination of other applications to collate the information into a report for executive review. Depending on the reader, be it the CEO, CIO or CISO, the report will have to be presented differently for different audiences, even though it is built from the same data, Patterson says. “They’ll all be interested in different results depending on the organizational lens they look through,” he says. “An executive report isn’t going to go into the details as to why something is bad, and it may just provide a broad overview of risk.”

Given the importance of communicating cyber risk to key stakeholders, assembling multiple reports for different business leaders on time—simultaneously—is challenging, but a necessary part of the database audit. 
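The three phases above, discovery of users and settings, automatic triage of what is found, and reporting tailored to different audiences, are what an auditing tool has to automate. The following is an added example written for this article, not Trustwave’s code or any product’s; it runs a set of audit checks (expressed as the kind of SQL an auditor would otherwise keep in a folder of scripts) against an in-memory SQLite database whose two tables, `db_users` and `db_settings`, stand in for what a real engine’s catalog exposes. The table layout, the sample rows, the check list and the dormant-account cutoff are all constructed assumptions for illustration; the triage and reporting logic is what the passage describes.

```python
"""Automated database audit pass: discover, classify, report.

Added example (not Trustwave's code). The table layouts and sample rows below
are constructed stand-ins for real catalog output (e.g. a roles or settings
view); the checks are illustrative, not a complete benchmark.
"""
import sqlite3
from collections import Counter

# Constructed sample data: (name, is_admin, can_login, password_expires, last_login)
SAMPLE_USERS = [
    ("dba_alice", 1, 1, "2025-01-01", "2024-04-10"),
    ("svc_report", 1, 1, None, "2024-04-12"),          # admin, password never expires
    ("bob", 0, 1, "2024-12-31", "2024-04-11"),
    ("old_contractor", 1, 1, "2024-06-30", "2022-01-15"),  # admin, dormant
    ("readonly_app", 0, 1, None, "2024-04-12"),         # non-admin, never expires
]
SAMPLE_SETTINGS = [
    ("patch_build", "1908"),                  # assumed build numbers, not a vendor's
    ("required_patch_build", "1911"),
    ("transparent_data_encryption", "off"),
    ("audit_logging", "on"),
]

# One entry per check: id, severity, description, SQL returning offending objects.
CHECKS = [
    ("ADMIN_NO_EXPIRY", "critical", "admin accounts whose password never expires",
     "SELECT name FROM db_users WHERE is_admin=1 AND can_login=1 AND password_expires IS NULL"),
    ("PATCH_BEHIND", "critical", "patch level below the required baseline",
     "SELECT 'patch_build=' || value FROM db_settings WHERE key='patch_build' "
     "AND CAST(value AS INTEGER) < (SELECT CAST(value AS INTEGER) FROM db_settings "
     "WHERE key='required_patch_build')"),
    ("ADMIN_DORMANT", "high", "admin accounts not used since the cutoff date",
     "SELECT name FROM db_users WHERE is_admin=1 AND last_login < :cutoff"),
    ("ENCRYPTION_OFF", "high", "data-at-rest encryption is not enabled",
     "SELECT key FROM db_settings WHERE key='transparent_data_encryption' AND value != 'on'"),
    ("SERVICE_NO_EXPIRY", "medium", "non-admin accounts whose password never expires",
     "SELECT name FROM db_users WHERE is_admin=0 AND password_expires IS NULL"),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def load_sample_db() -> sqlite3.Connection:
    """Build the in-memory stand-in for a discovered database's catalog."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_users(name TEXT, is_admin INT, can_login INT, "
                 "password_expires TEXT, last_login TEXT)")
    conn.execute("CREATE TABLE db_settings(key TEXT, value TEXT)")
    conn.executemany("INSERT INTO db_users VALUES (?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO db_settings VALUES (?,?)", SAMPLE_SETTINGS)
    return conn


def run_audit(conn: sqlite3.Connection, dormant_cutoff: str = "2023-10-01") -> list:
    """Run every check and classify each hit by severity as it is collected."""
    findings = []
    for check_id, severity, description, sql in CHECKS:
        params = {"cutoff": dormant_cutoff} if ":cutoff" in sql else ()
        for row in conn.execute(sql, params).fetchall():
            findings.append({"id": check_id, "severity": severity,
                             "description": description, "object": row[0]})
    # Critical first, then stable by check id and object so reports are reproducible.
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["id"], f["object"]))
    return findings


def immediate_action_items(findings: list) -> list:
    """Findings that must be addressed before the audit is even finished."""
    return [f for f in findings if f["severity"] == "critical"]


def executive_summary(findings: list) -> dict:
    """Counts by severity only: the broad overview an executive reader wants."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def detailed_report(findings: list) -> list:
    """One line per finding for the DBA and security team, critical first."""
    return [f"[{f['severity'].upper()}] {f['id']}: {f['object']} ({f['description']})"
            for f in findings]


if __name__ == "__main__":
    results = run_audit(load_sample_db())
    print("Executive summary:", executive_summary(results))
    for line in detailed_report(results):
        print(line)
```

Because each check is just a query plus a severity, adding a new control is one tuple rather than another script to run and collate by hand, and the same finding list feeds both the executive count and the detailed listing so the two reports can never disagree.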

To overcome the efficiency challenges outlined above, many enterprises end up building their own auditing tools, a route that is more productive than maintaining custom scripts (which require even more manual effort). Unfortunately, many of the third-party applications available require a significant investment, along with a complex implementation that can further delay the audit process.

Given the proprietary information housed in databases, which makes them a prime target for cybercriminals, expediting the database audit process requires precise, accurate, and thorough methods that give auditors the added confidence of a trusted knowledge base behind their findings.

Databases contain incredibly sensitive information that makes them a prime target for digital thieves. Here's how Trustwave can help you overcome resource limitations to uncover database flaws and gaps in security.

Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.
