Taking The 5 First Steps To Enhancing Security With Data Auditing
BY MURRAY S. MAZER
Data auditing solutions can help financial services firms protect the integrity of their databases.
SYNOPSIS | Data auditing is a process that financial institutions can use to protect their databases. The five first steps include: recognizing the risk; establishing goals for data auditing; weighing the benefits of a commercial solution versus in-house; evaluating current approaches on the market; and considering a strong enterprise-class solution based on tracking at the database.
In today's environment of heightened expectations for the integrity of corporate information, there is a greater need for increased scrutiny of data usage. Government regulations, for example, have increased the requirements to identify and manage data-related risk. Regulators, shareholders, board members and customers all insist that companies know who's done what to their databases and when.
A comprehensive data auditing program can provide that information. Data auditing can be defined as the ability to continuously monitor, record, analyze and report on all user-level database activity. It supplements perimeter security measures and ensures that the enterprise is not compromised by unauthorized and inappropriate access or changes to data by internal users.
Such an automated, continuous data auditing process has only recently begun to be adopted by financial services companies, which previously either had no database security process in place or used "database triggers," internal database code that was only partially effective at correcting problems. Any data auditing programs in place before 2004 were driven by operational teams for internal purposes, such as detecting accidental changes to software, and were not designed with today's requirements in mind.
The following are five initial steps to take when considering the use of data auditing.
1 Recognize The Risks
Unaudited corporate data use puts your business at a higher risk for fraud, failed audits, lost customers and loss of brand/reputation. Banks concerned with the costs of customer acquisition and retention know that there is real value in a brand; it's been estimated that up to six percent of a firm's market capitalization can be attributed to brand equity. So, putting the organization's reputation at risk due to an information security breach is costly.
Those costs could be minimal if the incident is caught quickly, but most are not. It's more likely that a breach of the database will run into millions of dollars from disclosure costs, stock market impact and operational constraints. As an example of what can happen, a regional commercial bank - one of our customers that prefers not to be named - recently failed an internal audit and needed to shut down database administrator (DBA) access to certain critical Information Technology (IT) systems. The DBA was required to go to the security team, get an access code, and be escorted by the security team, who then watched the DBA perform his/her update. After the DBA completed the work, the access code was then destroyed.
The net result is that this bank spent thousands of dollars each week on additional security and IT staff hours as regular employees were diverted from their normal activities, slowing down business operations.
Consider also another customer, a large, New York-based financial services institution, which suffered from an employee's fraudulent activities because her access to the database went undetected for months. This individual stole a few hundred thousand dollars. Had her fraud not been discovered when the company implemented a data auditing solution, the cost would have been higher.
Such incidents occur because many organizations are still not adequately protected against data misuse. Before you begin to consider how to implement a data integrity program, estimate the potential losses that could occur through a data security breach at your bank. You'll probably discover, even through a "guesstimation" process, that the business risk implications are significant.
Then consider that a data auditing solution can be purchased and implemented for $10,000 to $50,000 for a small organization; solutions for the largest corporations can cost approximately $500,000.
Because data auditing is a preventative measure rather than a revenue-generating system, it is difficult to calculate a traditional return on investment (ROI) for its implementation. The highest value and greatest return from data auditing is in the prevention of catastrophic events that could put the bank at risk. The 2005 Computer Crime and Security Survey by the Computer Security Institute and Federal Bureau of Investigation identified information security investments as "must-do" projects not subject to standard ROI measures.
Often the decision to implement a data auditing solution involves a build vs. buy analysis, which almost always favors the buy. One mid-size southeastern-based brokerage firm reported an ROI of 16:1, just on IT staff labor costs alone, because its automated data auditing solution saved hundreds of man-hours that would have been devoted to manual checking of the database or modifications of applications on the IT system.
Once you understand the value of a data auditing solution to your bank, it is important to consider sources of risk. There are basically three pertaining to a corporate database: outsiders, non-privileged users and privileged users.
Studies consistently show that insiders are by far the greatest source of compromise to corporate systems. The 2004 Insider Threat Study by the U.S. Secret Service and CERT Coordination Center ("Illicit Cyber Activity in the Banking and Finance Sector") states that in most cases of insider manipulation, theft or sabotage to information, the insiders used "simple, legitimate user commands to carry out the incidents." A more technical knowledge of network security was required in only a small number of cases. In 78% of the incidents, "the insiders were authorized users with active computer accounts at the time of the incident," and 17% of the insiders possessed "system administrator/root access within the organization," the report says.
While companies have invested heavily in securing the perimeter against outside intrusion, little attention is paid to the "backdoor," through which privileged users like DBAs and other employees can access and change data without oversight. What if a DBA makes an error or maliciously changes data? How does the institution discover these events without strong, tamper-proof oversight mechanisms?
An organization needs to ensure that all users - especially these privileged users - are granted only the access that's absolutely necessary. And there must be an audit trail that details any and all data-related activity.
2 Establish Goals For Data Auditing
Data auditing can help a company manage risks and assure regulatory compliance by providing a record of all data access and use. A comprehensive audit trail can assure that application controls and security measures are actually working, enable executives to confidently attest to financial statements, and help the organization to identify and respond quickly to areas of extremely high business risk, such as fraud or user error.
Enterprises with effective data auditing solutions are driven by dual goals of accountability and visibility. While these organizations developed suitable, company-wide privacy and security policies and mechanisms, they also recognized that these policies are meaningless without validation, so they implemented auditing to understand what actually happened.
Capturing records of data activity is an essential step, but this must be done in a trusted, comprehensive way. Several possible approaches (used currently in end-user organizations) cannot capture key activities. They may also introduce a false sense of security and interfere with runtime database performance. By understanding the required capabilities of an effective solution, enterprises can overcome these shortcomings.
A comprehensive data auditing solution should allow enterprises to:
- Validate compliance with internal corporate policies and improve business processes;
- Detect and analyze breaches in user and computer application behavior, intentional or accidental;
- Perform forensic analysis for detecting fraud, outsider intrusion and employee misbehavior;
- Rapidly respond to violations and vulnerabilities;
- Answer ad hoc business questions;
- And provide an evidentiary trail to support legal action.
3 Think Twice About Building Your Own
Some enterprises have developed data auditing software themselves, only to find out months later that it doesn't satisfy the auditor's demand for separation of duties, which requires that a system for monitoring user activity cannot be administered or manipulated by anyone who may be the subject of the monitoring system. Auditing software developed in-house uses database-provided audit features, which can be easily disabled by privileged users.
In-house software has other drawbacks as well: it may fail to capture needed information, drag down the performance of critical line-of-business applications, leave holes that can't be plugged, or consume enormous staff time to manage.
Data auditing is more than just gathering information on events that occur within the database. There must be means for software deployment, incident alerting, archiving of information, reporting, fitting into business processes and more. The task of developing a credible data auditing solution is far more than an IT department in a bank should undertake.
A proven commercial solution would provide a tamper-proof audit trail; the ability to validate an institution's policies and safeguards; an evidentiary trail; and an at-a-glance view of the health of your data-related controls.
4 Evaluate Data Auditing Approaches On The Market
Once your institution has decided to deploy a data auditing solution, it's critical to choose one that meets the goals listed above. Certain technological approaches to data auditing contain weaknesses that may create compliance risk or increase the costs of a compliance solution. Executives, perhaps from compliance, risk management and individual lines of business, should work with the chief information officer to ensure that data auditing solutions capture all relevant activity, monitor privileged users, fit effectively into the existing IT infrastructure, and are straightforward to deploy and manage.
One approach sometimes considered for capturing activity information is "application modification," which entails changing the source code of every computer application that might be used to access the data of interest. This approach requires each application to be modified - or perhaps replaced, in the case of legacy applications. Planning, implementing and testing these changes is costly and time-consuming. And it is difficult to guarantee complete coverage. Furthermore, access to the data through means other than the modified applications, such as through a database administrative console, is not captured, implying incomplete protection.
A second problematic approach is using a "network-sniffing appliance" that captures network packets traveling between applications and the database. Designed for network intrusion detection, this scheme does not address the biggest challenge with data integrity, capturing direct access to the database by insiders, and it cannot capture critical information, such as the history of how values were changed.
Another option is "trigger-based collection" at the data source. Triggers are instructions stored in database systems that are set to automatically execute when certain events take place. However, most IT experts dread using triggers on the database because the triggers are hard to write correctly and substantially increase the time it takes to run the application. Fear of this additional "overhead" leads DBAs to minimize the use of triggers and leaves the database vulnerable to undetected intrusion.
Yet another weakness of triggers: they cannot capture many of the items needed in a database audit trail - such as when a database administrator gives another user extraordinary permission - leading to an incomplete audit record. And, the DBA can turn triggers off, thereby gutting any protections offered.
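The two trigger weaknesses described above can be seen in a few lines of code. The following is an added illustration written for this article, not code from the author or from any product: it attaches an UPDATE trigger to a small accounts table in an in-memory SQLite database, shows that the trigger does record before-and-after values, and then shows what happens when a user holding schema rights on the same database (the DBA role the article warns about) drops the trigger and clears the log. It also includes the one check a reviewer can run against such a setup, confirming the trigger is still present. The table names, users and balances are constructed sample data; SQLite has no GRANT statement, so the permission-change gap the article mentions is not reproducible here and is noted only in comments.

```python
"""Trigger-based audit collection and its weakness (added example, not from the article)."""
import sqlite3

TRIGGER_NAME = "trg_accounts_audit"   # constructed name


def setup_db() -> sqlite3.Connection:
    """Create the accounts table, the audit table and an AFTER UPDATE trigger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        f"""
        CREATE TABLE accounts (
            acct_id INTEGER PRIMARY KEY,
            owner   TEXT    NOT NULL,
            balance INTEGER NOT NULL
        );
        CREATE TABLE audit_log (
            event_id    INTEGER PRIMARY KEY AUTOINCREMENT,
            acct_id     INTEGER NOT NULL,
            old_balance INTEGER NOT NULL,
            new_balance INTEGER NOT NULL,
            changed_at  TEXT    NOT NULL DEFAULT (datetime('now'))
        );
        -- Trigger-based collection: keeps the before/after values, which a
        -- packet sniffer between application and database could not supply.
        -- Note: a trigger on this table sees only DML on this table; schema
        -- changes and permission grants (where the engine supports them) are
        -- not captured, which is the coverage gap the article describes.
        CREATE TRIGGER {TRIGGER_NAME} AFTER UPDATE OF balance ON accounts
        BEGIN
            INSERT INTO audit_log (acct_id, old_balance, new_balance)
            VALUES (NEW.acct_id, OLD.balance, NEW.balance);
        END;
        INSERT INTO accounts (acct_id, owner, balance) VALUES
            (1, 'alice', 1000),
            (2, 'bob',    250);
        """
    )
    return conn


def update_balance(conn: sqlite3.Connection, acct_id: int, new_balance: int) -> None:
    """An ordinary application-level change to one account."""
    conn.execute("UPDATE accounts SET balance = ? WHERE acct_id = ?", (new_balance, acct_id))
    conn.commit()


def audit_rows(conn: sqlite3.Connection) -> list:
    """Return the recorded (acct_id, old_balance, new_balance) history."""
    return conn.execute(
        "SELECT acct_id, old_balance, new_balance FROM audit_log ORDER BY event_id"
    ).fetchall()


def audit_trigger_present(conn: sqlite3.Connection) -> bool:
    """Control check a reviewer can run: is the audit trigger still defined?"""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'trigger' AND name = ?", (TRIGGER_NAME,)
    ).fetchone()
    return row is not None


def privileged_user_disables_audit(conn: sqlite3.Connection) -> None:
    """What a DBA with schema rights on the same database can do: the trigger
    and the log live under the same administrative control as the data."""
    conn.execute(f"DROP TRIGGER {TRIGGER_NAME}")
    conn.execute("DELETE FROM audit_log")
    conn.commit()


def demo() -> tuple:
    """Run the scenario and return (rows captured before, rows visible after)."""
    conn = setup_db()
    update_balance(conn, 1, 900)              # recorded by the trigger
    captured = audit_rows(conn)               # [(1, 1000, 900)]
    privileged_user_disables_audit(conn)
    update_balance(conn, 2, 5000)             # no longer recorded
    remaining = audit_rows(conn)              # []
    return captured, remaining


if __name__ == "__main__":
    before, after = demo()
    print("captured before trigger removal:", before)
    print("visible after trigger removal:  ", after)
```

The point for a reviewer is the last function: because the trigger, the audit table and the data all sit under the same database administrator, the audit record offers no separation of duties, and the only thing `audit_trigger_present` can tell you is that the control has already been removed, not what happened while it was gone.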
5 Consider A Strong Enterprise-Class Solution
A recommended audit approach is "tracking at the database," where audit agents harvest information about data-related activity at the database server. This captures all relevant data activity, regardless of the application used, including direct "backdoor" access by privileged users. With this approach, there is no need for application modification, and there is no interference from triggers with the timely execution of transactions.
Once the data auditing solution is selected, it is important to monitor its output to ensure that the institution's controls are working correctly. A comprehensive data auditing solution should provide a range of complete audit reports, both scheduled and ad hoc, that can be reviewed by IT, information security and financial staff. Regular reviews of these reports will ensure that all the information required to meet compliance requirements and corporate security policies is being generated by the data auditing solution. The solution should offer the capability to order new and different reports and modify what is being monitored, if it is deemed to be too narrow in scope from the initial deployment.
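To make the review step concrete, here is an added example, written for this article and not taken from any vendor's product, of the kind of first-pass screening a reviewer might run over records harvested at the database server. The record layout (timestamp, database user, client program, statement text), the account and program names, and the business-hours window are all assumptions; the sample trail is constructed. The rules pick out the events the article singles out: data changed directly by a privileged user from an administrative console rather than through an application, permissions granted to another user, and changes to the audit mechanism itself.

```python
"""First-pass review of a database-side audit trail (added example, not from the article)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime        # when the statement ran
    db_user: str        # database account that issued it
    client: str         # program that issued it (application or console)
    statement: str      # statement text as harvested at the server


# Assumed names: accounts the application tier is expected to use.
APP_SERVICE_ACCOUNTS = {"svc_core_banking", "svc_reporting"}
# Assumed names: accounts holding DBA-level rights.
PRIVILEGED_ACCOUNTS = {"dba_admin"}
# Assumed names: administrative consoles rather than business applications.
ADMIN_CONSOLES = {"sqlplus", "psql", "ssms"}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59, an assumed policy window

DML_VERBS = ("INSERT", "UPDATE", "DELETE")
AUDIT_CONTROL_VERBS = ("DROP TRIGGER", "ALTER TRIGGER", "DISABLE TRIGGER", "NOAUDIT")

# Constructed sample trail, not real data.
SAMPLE_TRAIL = [
    AuditEvent(datetime(2024, 3, 4, 10, 15), "svc_core_banking", "corebank.exe",
               "UPDATE accounts SET balance = balance - 120 WHERE acct_id = 41"),
    AuditEvent(datetime(2024, 3, 4, 10, 16), "svc_reporting", "reportsvc",
               "SELECT SUM(balance) FROM accounts"),
    AuditEvent(datetime(2024, 3, 4, 22, 40), "dba_admin", "sqlplus",
               "UPDATE accounts SET balance = balance + 250000 WHERE acct_id = 7"),
    AuditEvent(datetime(2024, 3, 5, 9, 2), "dba_admin", "sqlplus",
               "GRANT ALL PRIVILEGES ON accounts TO jdoe"),
    AuditEvent(datetime(2024, 3, 5, 9, 3), "dba_admin", "sqlplus",
               "DROP TRIGGER trg_accounts_audit"),
    AuditEvent(datetime(2024, 3, 5, 11, 30), "jdoe", "excel.exe",
               "SELECT * FROM accounts WHERE owner = 'smith'"),
]


def review(trail: list) -> list:
    """Return (event, reason) pairs a reviewer should look at first."""
    findings = []
    for ev in trail:
        stmt = ev.statement.strip().upper()
        reasons = []
        # Direct "backdoor" change to data by a privileged account, bypassing the application.
        if (ev.db_user in PRIVILEGED_ACCOUNTS and ev.client in ADMIN_CONSOLES
                and stmt.startswith(DML_VERBS)):
            reasons.append("privileged user changed data directly from an admin console")
        # Extraordinary permission handed to another user.
        if stmt.startswith("GRANT"):
            reasons.append("permission granted to another user")
        # The audit mechanism itself was altered or switched off.
        if stmt.startswith(AUDIT_CONTROL_VERBS):
            reasons.append("audit mechanism altered")
        # Interactive (non-service) account active outside the policy window.
        if ev.db_user not in APP_SERVICE_ACCOUNTS and ev.ts.hour not in BUSINESS_HOURS:
            reasons.append("interactive account active outside business hours")
        for reason in reasons:
            findings.append((ev, reason))
    return findings


def summarize(trail: list) -> dict:
    """Findings per database user, for an at-a-glance report."""
    counts = {}
    for ev, _ in review(trail):
        counts[ev.db_user] = counts.get(ev.db_user, 0) + 1
    return counts


if __name__ == "__main__":
    for ev, reason in review(SAMPLE_TRAIL):
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.db_user:<18} {ev.client:<13} {reason}")
    print("per-user totals:", summarize(SAMPLE_TRAIL))
```

Two design points follow from the article. First, the records are assumed to come from an agent at the database server, which is why a console session and a packaged application are both visible and distinguishable; an application-modification or network-sniffing collector would not give the reviewer the `client` field for the console path at all. Second, the "audit mechanism altered" rule only has value if the trail is written somewhere the database administrator cannot edit, which is the separation-of-duties requirement raised in step 3.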
Questions or comments about this article? Post them at the Banking Strategies blog.