Download Database Security - University of Scranton: Computing Sciences Dept.

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
Document related concepts

Wireless security wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Unix security wikipedia , lookup

Information security wikipedia , lookup

Access control wikipedia , lookup

Information privacy law wikipedia , lookup

Security-focused operating system wikipedia , lookup

Cross-site scripting wikipedia , lookup

Data remanence wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Computer security wikipedia , lookup

Mobile security wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
DATABASE SECURITY
Proposed by
Abdulrahman Aldekhelallah
University of Scranton – CS521 Spring2015
Outline

Why is database security important?

Properties of Database Security

Categories of Attacker

Different Types of Attacks

Web Security Threats

Database Security Considerations

Recent Used Database Security Techniques
Why is Database Security Important ?
Databases often store data which is sensitive in
nature
 Incorrect data or loss of data could negatively
affect business operations
 Databases can be used as bases to attack other
systems from

The Properties of Database Security

Confidentiality

Integrity

Availability
Confidentiality

What does confidentiality mean ?



Privacy or the ability to control or restrict access so
that only authorized individuals can view sensitive
information.
One principles of confidentiality is “ Need-to-Know”
or “Least Privilege”.
The most common method:
Encryption
 Authentication
 Access Control

Integrity :( Data Integrity)



Information is accurate and reliable and has not
been subtly changed or tampered with by an
unauthorized party.
Authenticity : The ability to verify content has
not changed in an unauthorized manner
Non-repudiation & Accountability: The origin of
any action on the system can be verified and
associated with a user.
Availability


Availability is the proportion of time a system is
in a functioning condition.
As the reliability increased, so does the
availability.
Categories of Attacker

Intruder :


Insider :


An unauthorized user means accessing a computer system
in an illegal manner and attempts to take out valuable
information.
Trusted users who make violence of his/her privileges and
tries to get information beyond his own access
permissions.
Administrator:

An authorized user who uses the administration privileges
in unauthorized way according to organization’s security
policy to get valuable information.
Different Types of Attacks

Direct attacks
Attacking the targeted data directly
 These types of attacks are successful only if the
database does not contain any protection mechanism.


Indirect attacks
These attacks are not directly executed on the target
but information from or about the target can be
received through other intermediate objects.
 Difficult to find out or track
 Combinations of different queries

Attacks on Database classified into two types

Passive Attack

Attacker only observes data present in the database.
Static leakage
 Linkage leakage
 Dynamic leakage
 Active Attack

Actual database values are modified.
 These are more problematic than passive attacks because
they can mislead a user.
 There are different ways of performing such kind of
attack: Spoofing - Splicing - Replay

Web Security Threats

AJAX Security:
In recent years, adding AJAX elements in sites has
become a very popular style
 JavaScript :

is a widely client-side scripting language, it
has been broadly used to reduce the load on
the server
 Run-time error can only be found during
running time of program


Cross site scripting (also known as XSS or CSS):
By utilizing the XSS bugs in the web programs,
malicious attackers construct a trap page and the
malicious script can be saved in the page content
or URL
 If the visitors visit URL, the JavaScript will be
executed by attackers’ browser.

Database Security Considerations


Every organization must
having its own security
policy and that security
policy should be strictly
enforced.
A strong security policy
must contain well defined
security features.
Access Control




Ensures all communications with the databases
and other system objects are according to the
policies and controls defined.
No obstruction occurs by any attacker neither
internally nor externally
Protects the databases from potential errors.
Minimizing the risks that may directly impact
the security of the database.
Inference Policy



Inference policy is required to protect the data at
a particular level.
Some data are required to be protected at a
certain higher security level.
The policy also determines how to protect the
information from being released.
User Identification/ Authentication


The identification method describes a set of
people that are allowed to access data and provides
a complete mechanism of accessibility
To ensure security, the identity is authenticated
and it keeps the sensitive data secure and from
being modified by any ordinary user.
Accountability and Auditing


These two checks are required to ensure physical
integrity of the data which requires defined access
to the databases and that is managed through
auditing and record keeping.
Helps in analysis of information held on servers for
authentication, accounting and access of a user.
Encryption


Encryption is the process of transforming information
by means of a cipher or a code so that it becomes
unreadable to all other people except those who hold a
key to the information.
Various Types of encryption offered by SQL :
Column Level
 Database Level
 Instance Level


This encrypts ALL traffic to and from SQL server
Recent Used Database Security Techniques

Securing Database using Cryptography

Securing Database using Steganography

Securing Database using Access Control
Securing Database using Cryptography

A database encryption scheme

users are divided into two levels:
Level 1: users have access to their own private encrypted data
and the unclassified public data.
 Level 2: users have access to their own private data and also
classified data which is stored in an encrypted form.


A novel database encryption mechanism




Classify the data into sensitive data and public data.
Encrypt only the sensitive and critical data
Helps the performance is not degraded.
Mixed Cryptography Database scheme
designing a framework to encrypt the databases.
 the data is grouped depending upon the ownership and on
other conditions.

Securing Database using Steganography



Various techniques in steganography that can be
implemented to hide critical data and prevent them
from unauthorized and direct access.
the data is embedded in the least-significant-bit’s of
the pixel values.
The pixels values are categorized into different
ranges and depending on the range certain number of
bits is allocated to hide the sensitive data.
Securing Database using Access Control

the access to the database only after verifying the
credentials of that user

The credentials may not just be the user-id but it
may be the characteristics

There two techniques:

A generalized authorization model

An authorization model
Securing Database using Access Control
Techniques:

A generalized authorization model


involves integrating the three most common and widely used
access control mechanisms namely: Mandatory –
Discretionary – and role-based model into a single
framework to allow unified access to the protected data
An authorization model

queries are acceptable only when the queries can be verified
using the information contained in the authorization rules.
Questions or Comments?
Related documents
Introduction - Computer Science
Introduction - Computer Science
Lect 1 - Intro
Lect 1 - Intro
William Stallings, Cryptography and Network Security 5/e
William Stallings, Cryptography and Network Security 5/e
Skating on Stilts
Skating on Stilts
No Slide Title
No Slide Title
E-Commerce and Bank Security
E-Commerce and Bank Security
Here are the PowerPoint slides with links - Auto
Here are the PowerPoint slides with links - Auto
ppt - College of Engineering | SIU
ppt - College of Engineering | SIU
Authentication and Access Control
Authentication and Access Control
Forms of Network Attacks
Forms of Network Attacks
Direct Marketing
Direct Marketing
Some topics in application level security
Some topics in application level security
Databases and data security
Databases and data security
Malicious code, Mobile Code and Denial of Service attacks
Malicious code, Mobile Code and Denial of Service attacks
CS 494/594 Computer and Network Security - UTK-EECS
CS 494/594 Computer and Network Security - UTK-EECS
The Internet and Security
The Internet and Security
Important Concepts.
Important Concepts.
18_DataCenter_Security_Overview
18_DataCenter_Security_Overview
Annex 1
Annex 1
Database Alternatives
Database Alternatives
Good practice guide: General advice on securing operating
Good practice guide: General advice on securing operating
Mobile Appliance Security: Challenges and Concerns
Mobile Appliance Security: Challenges and Concerns