Download 9.5: Database Security - TFE

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
Document related concepts

Database wikipedia , lookup

Relational model wikipedia , lookup

Extensible Storage Engine wikipedia , lookup

Clusterpoint wikipedia , lookup

Functional Database Model wikipedia , lookup

Object-relational impedance mismatch wikipedia , lookup

Database model wikipedia , lookup

Transcript 
Chapter 9
© 2015 Pearson Education Ltd.

Explain the necessity for backup.

Describe backup scope and methods.

Describe the different RAID (redundant array of independent
disks) levels.

Explain the need for data storage policies.

Explain database protections.

Explain the need for database access controls, auditing, and
encryption.

Describe the difference between data leakage and data theft.

Explain data deletion, destruction, and disposal.

Explain digital rights management (DRM) and how it can
prevent data loss.
9-2
© 2015 Pearson Education Ltd.
9-3
© 2015 Pearson Education Ltd.

In prior chapters we focused on
◦ Protecting data as it passed over networks (Chapter 3)
◦ Hardening hosts that store data (Chapter 7)
◦ Securing applications that process data (Chapter 8)

This chapter will emphasize the protection of
stored data
9-4
© 2015 Pearson Education Ltd.
9.1 Introduction
9.2 Data Protection: Backup
9.3 Backup Media and RAID
9.4 Data Storage Policies
9.5 Database Security
9.6 Data Loss Prevention
9-5
© 2015 Pearson Education Ltd.


Data are the principal elements of any
information system
Businesses gather enormous amounts of data
◦ Information is then extracted for decision making
◦ Data are valuable assets that are core components
of a larger corporate strategy
◦ Source code, intellectual property, user data, etc.
must all be protected
9-6
© 2015 Pearson Education Ltd.


This chapter will primarily focus on securing
data while it is being stored
More specifically:
◦
How backup can prevent accidental data loss
◦
How to securely store data in a database
◦
How to prevent data from being taken out of the
corporation
◦
How to securely dispose of data
9-7
© 2015 Pearson Education Ltd.
9.1 Introduction
9.2 Data Protection: Backup
9.3 Backup Media and RAID
9.4 Data Storage Policies
9.5 Database Security
9.6 Data Loss Prevention
9-8
© 2015 Pearson Education Ltd.

Image Backup
◦ Everything, including programs and settings
◦ Image backup is very slow
◦ Data files change the most rapidly, so doing several
file/directory data backups for each image backup
may be appropriate

Shadowing
◦ A backup copy of each file being worked on is
written every few minutes to the hard drive, or to
another location
9-9
© 2015 Pearson Education Ltd.
9-10
© 2015 Pearson Education Ltd.

Continuous Data Protection (CDP)
◦ Used when a firm has two server locations
◦ Each location backs up the other in real time
◦ Other site can take over very quickly in case of a
disaster, with little data loss
◦ Requires expensive high–speed transmission link
between the sites
9-11
© 2015 Pearson Education Ltd.
PCs back up one another.
Data is stored redundantly.
Security issues must be addressed.
9-12
© 2015 Pearson Education Ltd.
9.1 Introduction
9.2 Data Protection: Backup
9.3 Backup Media and RAID
9.4 Data Storage Policies
9.5 Database Security
9.6 Data Loss Prevention
9-13
© 2015 Pearson Education Ltd.

Data Retention Policies
◦ There are strong legal requirements for how long
certain types of data must be kept
◦ The legal department must get involved in retention
policies

Auditing Policy Compliance
◦ All policies should be audited
◦ Includes tracing what happened in samples of data
9-14
© 2015 Pearson Education Ltd.

Benefits of Retention
◦ Major part of corporate memory
◦ Can retrieve old e-mail for current purposes

Dangers of Retention
◦ Legal discovery process
◦ Defendant must supply relevant e-mails
◦ Potentially very damaging information
◦ Always expensive
◦ Even though very expensive to retrieve, firms must
pay whatever is necessary to do so
9-15
© 2015 Pearson Education Ltd.

Accidental Retention
◦ Even if firms delete e-mail from mail servers, may
be stored on backup tapes
◦ Users will often store copies on their own
computers
9-16
© 2015 Pearson Education Ltd.

Message Authentication
◦ Spoofed messages can frame employees or the firm
itself
◦ Need message authentication to prevent spoofed
sender addresses

User Training
◦ Never put anything in a message that you would not
want seen in court, printed in the newspaper, or
read by your boss
9-17
© 2015 Pearson Education Ltd.
9.1 Introduction
9.2 Data Protection: Backup
9.3 Backup Media and RAID
9.4 Data Storage Policies
9.5 Database Security
9.6 Data Loss Prevention
9-18
© 2015 Pearson Education Ltd.

Databases
◦ Often used in mission-critical applications
◦ Require additional security precautions
◦ Relational databases: Tables (relations) with rows
(records) and columns (attributes)
◦ As discussed earlier, avoid SQL injection attacks
9-19
© 2015 Pearson Education Ltd.
9-20
© 2015 Pearson Education Ltd.

Databases
◦ Restrict Access to Data
 Restrict users to certain columns (attributes) in
each row
 For instance, deny access to salary column to most users
 Limit access control to rows
 For instance, only rows containing data about people in
the user’s own department
9-21
© 2015 Pearson Education Ltd.
9-22
© 2015 Pearson Education Ltd.

Databases
◦ Restrict granularity (level of detail)
 Prevent access to individual data
 Allow trend analysts to deal only with sums and
averages for aggregates, such as departments
◦ Restrict information about the structure of the
database itself (data model)
 Knowledge about the data model can make SQL
injection much easier
9-23
© 2015 Pearson Education Ltd.

Database Access Control
◦ Restrict access to databases via database management
systems (e.g., Microsoft SQL Server, MySQL, IBM DB2,
Oracle, etc.)
◦ Rename administrator account, disable guest/public
accounts, lowest possible permissions necessary

SQL Injection Attacks
◦ Data must be sanitized to remove unacceptable characters
◦ Stored procedures can be used to sanitize and validate
incoming data
9-24
© 2015 Pearson Education Ltd.
1. Windows
authentication
2. SQL Server
authentication
3. Password
policy options
9-25
© 2015 Pearson Education Ltd.

Database Auditing
◦ Collect information about users’ interactions with
databases
◦ Policy driven, reflecting legal and regulatory obligations

What should be audited?
◦ Logins, changes to the database, warnings, exceptions, and
special access
9-26
© 2015 Pearson Education Ltd.


Trigger - Code that is automatically run when
changes are made to a database
Data Definition Language (DDL) trigger
◦ Used to produce automatic responses if the structure of the
database has been altered (e.g., create new table, drop a
table, alter properties of an existing table)

Data Manipulation Language (DML) trigger
◦ Used to produce automatic responses if the data has been
altered (e.g., data are inserted, updated, or deleted)
9-27
© 2015 Pearson Education Ltd.
CREATE TRIGGER EmployeeSalaryChange
ON Employees
FOR UPDATE
AS
DECLARE @EmailBody varchar(1000)
DECLARE @FirstName varchar(20)
DECLARE @LastName varchar(20)
DECLARE @OldSalary int
DECLARE @NewSalary int
IF UPDATE (Salary)
SELECT @FirstName = First_Name,
@LastName = Last_Name,
@OldSalary = Salary
FROM deleted d
SELECT @NewSalary = Salary
FROM inserted
SET @body = 'I just wanted to let you know that @FirstName ' ' @LastName '
changed their salary from' @OldSalary ' to ' @NewSalary
EXEC master..xp_sendmail
@recipients = '[email protected]',
@subject = 'Somebody changed their salary',
@message = @body
GO
9-28
© 2015 Pearson Education Ltd.
9-29
© 2015 Pearson Education Ltd.

Key Escrow
◦ Loss of the key is disastrous
 Not like losing a password that can be reset
◦ Key escrow stores a copy of the key in a safe place
◦ Bad if managed by user
 May not do it
 May not be able to find it
 If fired, may refuse to give it back, locking up all
data on the computer
◦ Central key escrow on a corporate server is better
9-30
© 2015 Pearson Education Ltd.
9.1 Introduction
9.2 Data Protection: Backup
9.3 Backup Media and RAID
9.4 Data Storage Policies
9.5 Database Security
9.6 Data Loss Prevention
9-31
© 2015 Pearson Education Ltd.

Spiders (crawlers) - Navigate the web gathering,

Web Scraper - Tool that extracts predefined data
organizing, and indexing web content
from specified webpages
 Can aggregate extracted data from multiple websites

Mashup - Combining data from various sites or
applications
9-32
© 2015 Pearson Education Ltd.

Data Destruction Is Necessary
◦ Backup media are not needed beyond their
retention dates if…
 a computer is to be discarded
 the computer is to be sold or given to another
user
◦ Drive-wiping software for hard drives
 Reformatting the hard drive is not enough
◦ Shred CDs and DVDs
9-33
© 2015 Pearson Education Ltd.
9-34
© 2015 Pearson Education Ltd.

www.ntbugtraq.com

www.securityfocus.com

www.microsoft.com/technet/treeview/default.asp?url=/technet/secu
rity/current.asp

www.cert.org

www.sans.org

www.incidents.org

www.microsoft.com/security
© 2015 Pearson Education Ltd.
All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise without the prior written
permission of the publisher.
© 2015 Pearson Education Ltd.
Related documents
Recall Worksheet R 6.3 Using a rule to fill a table A rule allows us to
Recall Worksheet R 6.3 Using a rule to fill a table A rule allows us to
Slide 1 - Fullfrontalanatomy.com
Slide 1 - Fullfrontalanatomy.com
Slide 2
Slide 2
June 2016 - Maths Genie
June 2016 - Maths Genie
23933630-Marketing-Chapter
23933630-Marketing-Chapter
faculty of science -
faculty of science -
activity sheet
activity sheet
E-Commerce: business. technology. society.
E-Commerce: business. technology. society.
Natural Selection (22) The Evolution of Populations (23)
Natural Selection (22) The Evolution of Populations (23)
gravitational potential energy
gravitational potential energy
14_Clicker_Questions
14_Clicker_Questions
Chapter 3 Equations and Inequalities in Two Variables;
Chapter 3 Equations and Inequalities in Two Variables;