0x034 – Auditing for Security

INTRODUCTION

Today we have methods to make it possible to audit systems, which can be used for good or for the worse, and it is something that can be achieved through external or third-part systems, or it can be implemented with some methodology and techniques which allows the investigation and analysis of events which occurred while the operation of information systems Piattini (1999, pp. 3-5).

EXPERIENCE WITH THE ORGANIZATION

 Some years ago, I worked as a consultant for the “Tribunal Regional do Trabalho” (freely translated to Regional Labor Court), which was responsible for the labor related process in the states of Parana and Santa Catarina. As the systems where all important, the need of auditing was something important, since it had to log who was the user who was imputing information in the system, for instance. This was something common with the type of framework which we were using at that time, which was also based on the concept of auditing, and making it available for its subsystems Alvim (2017).

METHODS TO MAKE SYSTEMS AUDITABLE

 The auditing can be achieved on customized software by developing its functionalities and adding  security proceedings like logging the user and using logical exclusion, for instance. I will give the example of record auditing on relational databases.

Once you have a table, you may have two additional columns to that, username and date and hour. By having this two additional columns and making your software input the user logged in and the hour and date of the event, you have the desired auditing which will allow the proceedings of investigations on your software.

There is also a resource which can help a lot on investigation, which is the database logging. Some commercial and open source SGDB’s support this feature, however there are some alternatives like Huang & Liu (2009) presents in their paper entitled “A Logging Scheme for Database Audit”, which is based on intercepting the database communication, parsing and processing the database protocol and making it auditable for further investigation procedures.

CONCLUSION

 Today, with the penetration of the information systems in all the spheres of the governmental and private market, the systems auditing became a very important subject, with many ways of implementing it, as seen in the Huang & Liu (2009) article, which uses alternative resources to implement security and auditing in a very creative and original manner.

REFERENCES

Piattini, M (1999) Auditing Information Systems. London: Idea Group Publishing.

Paulo A. (2017) Java EE 6 Open Source com jCompany Developer Suite [online] Available at: http://www.powerlogic.com.br/powerlogic/ecp/comunidade.do?app=portal&pg=540&idConteudo=1263 (Accessed 17 September 2017).

Huang Q & Lianzhong L (2009) ‘A Logging Scheme for Database Audit’, IEEE Conference Publications, 2, pp-390-393.