All users
The Security Incidents: all users template provides a number of rules that track and report on possible security incidents that might be encountered at run time. You can choose which rules you need for your security scenario.
Some rule definitions are tagged as either PCI or GDPR. These tags indicate that the rule can help meet compliance with either payment card information (PCI) or General Data Protection Regulation (GDPR) rules.
Many rules include the MARK SESSION action, which sets the trust for this session to LOW and generates an exception in the Security Incidents report.
Note: The security incident policies analyze authentication methods, but do not log or analyze passwords.
The Security Incidents: all users template contains the following rules:
- DB user using plain text password
- This rule identifies when plain-text passwords are used in the authentication process for database users. Any connection that uses a driver, or connects to a database, that allows the password to be sent in clear text over the network generates a security incident.
- Password spraying attack detection
- This rule identifies when an attacker attempts to gain unauthorized access to user accounts or systems by systematically trying commonly used passwords or a small set of passwords against multiple user accounts. This rule generates an exception message when more than 10 connection attempts are made by different users with the same password.
- Source application using plain text password
- This rule identifies when plain-text passwords are used in the authentication process for applications and programs. Any program or application that allows sending a password in clear text over the network generates a security incident.
- Repeated failed login per server IP and user (5 in 3 minutes)
- This rule generates a security incident for repeated failed log-ins.
Note: This rule is similar to the User Activity Monitoring policy's Failed Login - Alert if repeated rule. However, this rule triggers only when a user unsuccessfully attempts to log on to the same server five times within 3 minutes (rather than logging in to multiple servers within 5 minutes).
- Password sent using vulnerable encryption method
- Guardium® generates a security incident when passwords are sent using insufficiently secure methods. For example, an incident is generated when a database uses a driver with outdated encryption methods, or when a database sends passwords over the network using outdated or vulnerable encryption methods.
- Repeated login failures from same Program and different DB users per period of time (5 in 3 minutes)
- Repeated failed log-ins by a database user (specified as five log-ins within 3 minutes) generate a security incident.
Note: This rule is similar to the User Activity Monitoring policy's Failed Login - Alert if repeated rule. However, this rule triggers only when a user unsuccessfully logs on to the same server five times within 3 minutes (rather than logging in to multiple servers within 5 minutes).
- Data exfiltration setup
- Data exfiltration that exceeds a defined threshold during a session or in a single response generates a security incident. This rule sets the thresholds for session and response exfiltration. In the CONFIGURE rule action, define the thresholds for SESSION, RESPONSE, or both.
- Session data exfiltration
- This rule identifies data exfiltration by monitoring the amount of information that is extracted from the database during a single session.
- Response data exfiltration
- This rule identifies data exfiltration by monitoring the amount of information that is extracted from the database in a single response.
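As an added example (not Guardium's own code or rule format), the following Python mirrors the thresholds of two rules above, Repeated failed login per server IP and user (5 in 3 minutes) and Password spraying attack detection, over constructed login events. The event field names and the opaque credential fingerprint are assumptions, and "more than 10 connection attempts by different users with the same password" is interpreted as more than 10 distinct users sharing one fingerprint.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds quoted on this page for the two rules being mirrored.
WINDOW = timedelta(minutes=3)
FAILED_LOGIN_THRESHOLD = 5   # "5 in 3 minutes", per server IP and user
SPRAY_DISTINCT_USERS = 10    # "more than 10" attempts by different users, same password


def repeated_failed_logins(events):
    """Return (server_ip, user) pairs with 5 or more failures inside any 3-minute window."""
    recent = defaultdict(deque)   # key -> failure timestamps still inside the window
    incidents = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "failed":
            continue
        key = (ev["server_ip"], ev["user"])
        q = recent[key]
        q.append(ev["time"])
        while ev["time"] - q[0] > WINDOW:   # evict failures older than 3 minutes
            q.popleft()
        if len(q) >= FAILED_LOGIN_THRESHOLD:
            incidents.add(key)
    return incidents


def password_spraying(events):
    """Return credential fingerprints tried by more than 10 distinct users."""
    # Only an opaque fingerprint (assumed field) is compared, never the password,
    # matching the page's note that passwords are not logged or analyzed.
    users_per_fp = defaultdict(set)
    for ev in events:
        users_per_fp[ev["cred_fp"]].add(ev["user"])
    return {fp for fp, users in users_per_fp.items() if len(users) > SPRAY_DISTINCT_USERS}


BASE = datetime(2024, 1, 1, 12, 0, 0)
# Constructed sample events with assumed field names (not a Guardium export).
SAMPLE_EVENTS = (
    # appuser: 5 failures within 2 minutes against one server -> incident
    [{"time": BASE + timedelta(seconds=30 * i), "server_ip": "10.0.0.5",
      "user": "appuser", "result": "failed", "cred_fp": f"fp{i}"} for i in range(5)]
    # batch: 5 failures spread over 4 minutes -> the window never holds 5
    + [{"time": BASE + timedelta(minutes=30 + i), "server_ip": "10.0.0.5",
        "user": "batch", "result": "failed", "cred_fp": "fpb"} for i in range(5)]
    # 11 distinct users sharing one credential fingerprint -> spraying
    + [{"time": BASE + timedelta(minutes=20, seconds=i), "server_ip": "10.0.0.7",
        "user": f"user{i:02d}", "result": "failed", "cred_fp": "spray1"} for i in range(11)]
)
```

The batch user shows why the sliding window matters: five failures still occur, but never five inside any 3-minute span, so no incident is raised for that pair.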