When I first caught sight of that huge orange moon, I was driving home from work, having a mental conversation with myself about how often abnormalities indicate a risk or a threat...or a security obsessed DBA (one, or all of those) and then I saw that beautiful moon…and I thought….I have to find a way to tie this into my blog. Guess I just did.
Was that lead-in a sneaky way to bring part of my day into the blogsphere? I plead guilty, but at no time was a database at risk.
Questions: From a systems perspective, do you know what 'normal' looks like? If not, how would you know that something was abnormal? How would you know if the abnormal was the "new" normal? How would you determine whether the "abnormal" events were ok, or not, without a baseline of some kind to compare against?
This really isn't a pop quiz. I'm actually hoping to inspire you to reach out and discover the wealth of information that is sitting on your servers just waiting to be "found"; information that may have been ignored up until now, but that might point you to a potential breach, or even just a potential "broken". Information like file system permissions, system users and groups, DB and DBM configurations, audit trails, diagnostic logs, system logs.....and anything else that might have a nugget of information that could eventually lead someone to take advantage of a slight vulnerability in the enterprise electronic armor. These could be discovered if you have your eyes trained to look for abnormalities.
Do you ever look through the administration notification log (instancename.nfy) or the db2diag.log just to see what's there? Do you know what entries they typically show when things are normal? Have you ever associated timing of events recorded there with unusual activity on the database? Have you ever questioned why a LOAD operation was being performed at 2:45 am that had never been performed at that time of day before?
I guess I really do have an "inquiring" mind but I like to know what's going on at 'odd' hours...ok, I'm a DBA...all my hours are 'odd', but you know what I mean.
Looking for abnormalities is one way to 'think like a hacker' without doing jail time. By that I mean, explore those abnormalities as if they WERE being caused by a hacker until you find out the facts.
Sometimes "abnormal" isn't bad at all, it's just a new way of doing things....like that LOAD operation that was automated to start in the middle of the night to avoid using CPU during the online transaction day...but what if it that event could not be explained by improved workflow processing? What might it signify? Could it be that someone has managed to escalate their privileges on the database and is up to no good? Might it be a good idea to check?
If you want to help me make this blog better, please use the voting option at the top of the page to indicate whether you found this post helpful. You can rate it between zero(not so great) and five (ok). If you have specific comments regarding the content, or if you'd like to make suggestions, I would like to hear from you !