
IN FOCUS:

Database Access, Audit, Remediation and Recovery


By Santiago Tula, Enterprise Systems Associates, Inc.

Protecting sensitive corporate data in distributed environments is of vital importance.


While mainframe security software and Db2® privileges protect against most types of
unauthorized access to Db2 tables, they do not report all of the breaches of Db2,
the changes made to the tables, or what data was selected from or updated in the tables.
Exploitation of sensitive information by bad actors harms corporations and
exposes the privacy of customers and employees. Many countries have enacted
laws to criminalize the unauthorized acquisition and/or disclosure of such information.

This is not a new issue; discussion of securing the Db2 subsystem and its
data dates back to this database's inception. What has changed over time is
the evolution of ever more sophisticated means and technologies for breaching existing
protections. Originally, limiting physical access to the hardware (i.e., the mainframe) was
sufficient. Having Db2 provide an extra barrier to intrusion has also proven to
enhance security. However, the rise of "insider access" by rogue employees,
customers, or hackers with stolen credentials has become a much more critical
security issue. Various studies published in trade journals indicate that at present
upwards of 70% of all data breaches originate from actors with "insider access".

This article discusses the current needs for Db2 data security and recovery.
There is no doubt that every passing day will bring a new threat, and it is essential to
be ready both to prevent and to recover. Prevention is the best outcome we can expect, but
when a breach does occur, it is essential to have efficient remediation procedures in place.

Auditors, DBAs, systems programmers and application programmers are all on the front line in
dealing with security, data integrity, privacy and recovery. The management and policy
issues surrounding the handling of data breaches are fodder for another time. Our
concern is with the hardworking people who must deal with the event.

If prevention prevailed, the issue becomes one of analyzing and identifying the
source and method of the attempt. This is vital because it provides proof that the
measures taken work, but it may also reveal new tactics being tested. Evolution,
whether natural or man-made, has a way of wreaking havoc at some point in time.
One notable source of holes in our security wall is the stream of software
upgrades produced regularly to enhance existing systems. That is why
preventive measures need to always be on alert.

1340 TUSKAWILLA RD, STE 106, WINTER SPRINGS, FL 32708


PHONE: 1-866-GO-4-ESAI • E-MAIL: INFO@ESAIGROUP.COM
When an intrusion does occur, and they always will, it is essential to be prepared to
analyze the available data and to have remediation procedures ready. The main focus
of this article is what is needed to minimize the impact of an intrusion.

When an intrusion has occurred, it is essential to identify its nature.
When data has simply been extracted, remediation must center on
evaluating the possible uses of that data and the impacts to be dealt with. When
data has been altered, it is also necessary to restore data integrity.

One of the most cyber-secure countries, Singapore, had a serious data breach
affecting 1.5M healthcare patients, including the Prime Minister. The attack started on
June 27, 2018 but was first detected on July 4, 2018. The government described the
attack as deliberate, targeted and well planned, but assured that no medical data
had been tampered with. However, security experts warned that the compromised
financial data would probably end up for sale on the Dark Web. This is a perfect
example of a case where there is no need to restore data integrity, but rather to address
the failing in data access control.

When action has been taken on the data or the Db2 subsystem, the issue is much more
time critical. For example, the Monetary Authority of Singapore (MAS) has issued an
IT security guidance document that clearly outlines the actions to be taken. It specifies
the reporting of critical events and a verified capability to restore critical systems to
operation within 4 hours, and it details auditing requirements. It is quite comprehensive
and worth reading. The main takeaway is that not even one of the most tightly managed
societies is free from cyber attack, and that being prepared to deal with security
breaches is essential for everyone.

To maintain Db2 security and integrity effectively, it is essential to have
the necessary monitoring and surveillance tools in place at all times, running
24x7. The first basic function of these tools is to control, report and document all accesses
of interest. The second is to proactively impede access to specific Db2 tables when
certain specified filtering criteria are not met. This last function is mostly directed at
"insider access" intrusions. The main constraint on the use of monitoring and data
collection in production and in real time has always been the high hardware resources
these tools demand.

Addressing the Issue

It is now time to discuss the features a state-of-the-art product needs in order to be
useful. The following list is deliberately limited to the most essential functions:

• Be capable of monitoring Db2 activity 24x7 in production and other environments
    o Surveillance is a full-time job that never rests. The time lapse between
      intrusion and detection may be minutes, hours, days, months or years.
      Those breaches that have yet to be discovered are leaving an audit
      trail that the proper tools can capture.
• Maintain a level of hardware consumption that does not impact operations
    o Unfortunately, the logging and tracing features that come with Db2 are
      hardware intensive, and the resources they consume often make them
      a costly alternative to run 24x7. An effective audit tool needs to offer a
      resource- and cost-effective way to run in all required environments
      with minimal impact.
• Collect the raw data needed to address all audit and remediation needs
    o The raw data collected must provide the answers that auditors need to
      analyze the impact of a data breach. The basic when, where, how,
      what and who questions need to be answered. This process is far from
      trivial because each event is made up of several subevents taking
      place over time. It is essential that each event is captured whole so it
      can be properly studied. It is also a reality that there is a high level of
      noise (useless data) that needs to be discarded appropriately.
• Support the transformation of that raw data into useful information
    o How a product assists auditors, technical staff and application groups
      in converting raw data into information they can use quickly is a
      major distinguishing feature among competing products. Simple
      logging tools provide the data, and the staff need to process it for
      actual use in resolving breaches. More comprehensive products
      provide a number of pre-coded functions that, in an almost
      automated fashion, produce high-quality reports and files. The time
      required to obtain useful information can be extremely critical
      depending on the nature of the attack.
• Take immediate preventive measures, such as locking tables prior to invalid access
    o The software should immediately lock down access to any tables
      being accessed in violation of company-defined restrictions. This layer
      of protection should detect intrusions that have penetrated system
      access (i.e., RACF®, Top Secret®, etc.) or Db2 security features.
      When stolen credentials or security shortfalls allow access to restricted
      tables, it is important to detect when these intrusions are about to take
      place and impede them. Prevention is far better than remediation.
• Support real-time notification capabilities that follow user-defined escalation
    o Real-time alerting of staff is the cornerstone of securing Db2 data.
      Data breaches are not just a technical issue; they are a management
      concern. Defining an appropriate response to a breach is essential so
      that all impacted parties can respond properly.
• Support historical archives
    o The ability to access historical information and data is often the key to
      both remediation and developing preventive measures.
• Offer an attractive ROI
    o The cost/benefit ratio needs to be high enough to make Db2
      audit/remediation software a viable solution. Just as an insurance
      policy premium needs to be in line with the protection it offers, the
      software used to audit and protect Db2 data needs to be cost- and staff-
      effective.
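As an added illustration of three of the functions listed above (capturing each event whole from its subevents, discarding noise, and blocking plus escalating access that violates company-defined restrictions), the following Python is example code written for this article's discussion, not DBARS or any ESAi/SPR code; the audit record layout, the HR.SALARY policy, and the escalation levels are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Db2-style audit subevents (illustrative layout, not real product output):
# one SQL event arrives as several records that share a correlation id.
RAW = [
    ("A1", "2022-03-01T02:13:05", "PAYROLL1", "BATCH/PAYJOB", "CONNECT", None, None),
    ("A1", "2022-03-01T02:13:06", "PAYROLL1", "BATCH/PAYJOB", "SQL", "SELECT", "HR.SALARY"),
    ("A1", "2022-03-01T02:13:07", "PAYROLL1", "BATCH/PAYJOB", "COMMIT", None, None),
    ("B7", "2022-03-01T14:02:10", "HRADM", "DDF/10.0.0.5", "SQL", "SELECT", "SYSIBM.SYSTABLES"),
    ("B7", "2022-03-01T14:02:11", "HRADM", "DDF/10.0.0.5", "SQL", "UPDATE", "HR.SALARY"),
    ("B7", "2022-03-01T14:02:12", "HRADM", "DDF/10.0.0.5", "COMMIT", None, None),
]
FIELDS = ("corr", "ts", "auth", "origin", "kind", "stmt", "table")

# Hypothetical company-defined restrictions: permitted auth ids, origin and hours per table.
POLICY = {"HR.SALARY": {"auth": {"PAYROLL1", "HRADM"}, "origin": "BATCH/", "hours": range(1, 6)}}
NOISE = ("SYSIBM.",)                    # catalog reads carry no audit value here
WRITES = {"INSERT", "UPDATE", "DELETE"}  # writes escalate higher than reads

def assemble(raw):
    """Group subevents by correlation id so each event can be studied whole."""
    events = defaultdict(list)
    for rec in raw:
        events[rec[0]].append(dict(zip(FIELDS, rec)))
    return list(events.values())

def evaluate(event):
    """Answer who/where/when/what/how and decide ALLOW or BLOCK with an escalation level."""
    sql = [r for r in event if r["kind"] == "SQL" and not r["table"].startswith(NOISE)]
    first = event[0]
    result = {"who": first["auth"], "where": first["origin"], "when": first["ts"],
              "what": [(r["stmt"], r["table"]) for r in sql],
              "how": "remote (DDF)" if first["origin"].startswith("DDF/") else "local",
              "decision": "ALLOW", "level": 0, "reasons": []}
    for r in sql:
        rule = POLICY.get(r["table"])
        if rule is None:
            continue  # table is not restricted
        hour = datetime.fromisoformat(r["ts"]).hour
        if r["auth"] not in rule["auth"]:
            result["reasons"].append(f"auth {r['auth']} not permitted on {r['table']}")
        if not r["origin"].startswith(rule["origin"]):
            result["reasons"].append(f"origin {r['origin']} not permitted on {r['table']}")
        if hour not in rule["hours"]:
            result["reasons"].append(f"hour {hour:02d} outside window for {r['table']}")
        if result["reasons"]:
            result["decision"] = "BLOCK"
            result["level"] = max(result["level"], 2 if r["stmt"] in WRITES else 1)
    return result
```

Running `evaluate` over `assemble(RAW)` allows the batch payroll read and blocks the off-hours remote UPDATE at escalation level 2, with the catalog read dropped as noise.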

The Bottom Line


Db2 subsystem and table breaches cannot be completely eliminated. There are, no
doubt, a number of undiscovered code frailties currently in existence. Moreover,
every time Db2 is enhanced and new features are added, there is a possibility that an
undetected and unwanted access point has been added. Stories of this happening
as new applications are released are not novel. The best safeguard is to have
Db2 auditing/locking software that gives companies the ability to prevent
table access to critical data under specified conditions. When a breach does occur,
all the raw data and information needed to deal with the situation should be
immediately available to staff and management. Any software worth its weight will
also provide the data needed to implement a recovery.

There is a solution to address this vital need. DBARS® (Database Access Recording
Services), software from ESAi & SPR, is a high-speed, low-impact solution that
intercepts all Db2 database activity, including modifications and all reads. No Db2
tracing is needed, as it intercepts all Db2 SQL statements regardless of origin. You
can use DBARS for audit reports of Db2 activity or to report events as an agent to a
SIEM tool. Further, it provides the ability to block suspicious SQL activity, giving you
the ability to prevent fraudulent access attempts based on specific parameters or
patterns.

See the Enterprise Tech Journal story by IBM Gold Consultant Craig Mullins titled
“Auditing Database Access and Change: A Necessity More Than A Nicety” at
https://mydigitalpublication.com/publication/?m=23234&i=741337&p=10&ver=html5 .

Information on ESAi’s mainframe and distributed products can be found at:
http://www.ESAIGroup.com .

©Copyright 2022 ESAi All Rights Reserved www.ESAIGroup.com


* All trademarks are of their respective owners.
