Database Security Quiz
47 Questions

Questions and Answers

What are the three main areas affected by common database threats?

  • Integrity, Flexibility, Privacy
  • Scalability, Availability, Cost
  • Performance, Accessibility, Security
  • Integrity, Availability, Confidentiality (correct)

Loss of confidentiality occurs when secret information is accessed by unauthorized users.

True

What is the role of a Database Administrator (DBA) in database security?

To grant privileges and ensure overall system security.

The main objective of database security is to protect sensitive data from __________ access.

unauthorized

Which type of access control allows users to manage their own access rights?

Discretionary Access Control (DAC)

Policy management in database security involves setting rules on which data should be available to users.

False

Name one strategy to protect databases from unauthorized access.

Access control.

Match the following threats with their definitions:

Loss of Integrity = Unauthorized changes to data
Loss of Availability = Users cannot access data when needed
Loss of Confidentiality = Sensitive information is exposed to unauthorized users

Which strategy focuses on managing who can access and modify database information?

Access Control

Inference Control helps prevent unauthorized discovery of private data even when some data is publicly available.

True

What is the primary objective of Flow Control?

To prevent sensitive data from flowing, or leaking, to users who are not authorized to receive it.

Data _____ encodes information to protect it during storage and transmission.

encryption

Match the following strategies with their definitions:

Access Control = Ensures only authorized users can access data
Inference Control = Prevents extraction of private info from public data
Flow Control = Prevents unauthorized access or leakage of data
Data Encryption = Encodes data for secure storage and transmission

Which of the following is an example of Inference Control?

Masking salary data published by departments

Covert channels are intended measures to leak information without anyone noticing.

False

Give an example of Access Control in a university database.

Professors can access and modify grades, while students can only view them.

What is one of the key responsibilities of a Database Administrator (DBA)?

Granting privileges to users

What is the primary purpose of data encryption?

To protect sensitive information from unauthorized access

Mandatory Security Mechanisms (MSM) are flexible and can be adjusted by administrators.

False

A DBA account has the same capabilities as regular database users.

False

What is the role of a database administrator (DBA)?

To manage and control access rights to the database.

What must users do to access the database?

Apply for an account.

Data is encoded using an __________ to make it unreadable.

encryption algorithm

The DBA is responsible for classifying data and users based on their __________.

sensitivity

Match the following security methods with their characteristics:

Discretionary Security Mechanisms = Controlled by administrators, flexible access rights
Mandatory Security Mechanisms = Strict rules based on data sensitivity
Database Administration = Managing user permissions and security
Data Encryption = Transforming data into a secure format

Match the following DBA account capabilities with their descriptions:

Account Creation = Controls access to the DBMS system
Privilege Granting = Gives specified roles and resource access
Privilege Revocation = Removes access when necessary
Security Level Assignment = Determines access to confidential data

Which of the following is an example of a discretionary security mechanism?

A professor modifying course grades

What is essential for ensuring that only authorized personnel can access the database?

User accounts and login procedures

Revoke access is a function of the DBA that is rarely used.

False

Data flow control is unnecessary for data transmission security.

False

What does the DBMS do to verify a user's access?

Verifies the account ID and password.

Why is data encryption important during online purchases?

It protects credit card information from being accessed by unauthorized users.

What is the primary purpose of system logs?

To record every action performed by users

A database audit is primarily focused on improving database performance.

False

What command is used to grant privileges on a database object?

GRANT

A database log that is kept mainly for security purposes is also called an _____.

audit trail

Match the following commands with their functions:

GRANT = Provide permissions to users
REVOKE = Take back permissions from users
SELECT = Retrieve data from a database
DELETE = Remove data from a database

What might prompt the need for a database audit?

Suspected tampering with the database

The WITH GRANT OPTION allows users to give their granted privileges to others.

True

List two actions that can be granted using the GRANT command.

SELECT, INSERT

What does the GRANT command allow a user to do?

Assign privileges on a database object to other users

The REVOKE command can only take away privileges entirely, not just the ability to grant them to others.

False

What must be specified when using the REVOKE command?

privileges, object, users

In mandatory access control, a user with __________ clearance cannot access secret data.

confidential

Which of the following is NOT an advantage of Discretionary Access Control (DAC)?

It provides rigid security measures

Mandatory Access Control (MAC) offers more flexibility than Discretionary Access Control (DAC).

False

What is the highest security class in the mandatory access control system?

Top Secret

    Study Notes

    Database Security

    • Database security involves legal and ethical, policy, and technical (system-level) dimensions
    • Legal and ethical issues concern who has a right to access which information (for example, privacy law)
    • Policy issues, set at the institutional or governmental level, decide what information may be released and what must be kept confidential
    • Technical aspects concern where the controls are enforced (hardware, OS, or DBMS level) to prevent unauthorized access and breaches

    Common Threats

    • Loss of Integrity: Unauthorized or incorrect modifications to data
    • Loss of Availability: Legitimate users cannot access the data they need because the data, or the system holding it, has been made unavailable
    • Loss of Confidentiality: Sensitive information is accessed by unauthorized individuals

    Strategies to protect Databases

    • Access Control: Only authorized users can access data
    • Inference Control: Prevents users from discovering secret information from available data
    • Flow Control: Prevents information from flowing to users or objects that are not authorized to receive it
    • Data Encryption: Protects data during storage and transmission, so only authorized users can read it

    Access Control

    • Objective: Ensure only authorized users access the database
    • How it works in databases: each user has an account, and privileges attached to that account decide what it may read or change
    • Methods: authentication (user ID and password) establishes who the user is; the privileges granted to that identity then limit what they can do
    • Example: University database allows professors to modify grades, while students can only view them.

    Inference Control

    • Definition: Prevents extraction of private information from publicly available data
    • Importance: Prevents unauthorized discovery of private data
    • Example: Salary data is published without naming individuals.
    • Inference Control: Mask or aggregate data to prevent guessing individual salaries.
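
The salary scenario above, worked through in SQL as an added example (it is not part of the quiz or its source text). The table, names and salaries are constructed for the example, and the syntax is PostgreSQL. It shows the two ways an "anonymous" aggregate still leaks one person's salary, and then the two inference controls the notes mention: suppressing small groups and publishing bands instead of exact values.

```sql
-- Constructed sample data: Legal has a single employee, which is the weak point.
CREATE TABLE employee (
    emp_id int           PRIMARY KEY,
    name   text          NOT NULL,
    dept   text          NOT NULL,
    salary numeric(10,2) NOT NULL
);
INSERT INTO employee VALUES
  (1, 'Ann',   'Engineering', 120000),
  (2, 'Bala',  'Engineering', 110000),
  (3, 'Chen',  'Engineering', 105000),
  (4, 'Dora',  'Engineering', 115000),
  (5, 'Eve',   'Engineering', 100000),
  (6, 'Farid', 'Legal',        95000);

-- Leak 1: a per-department average with no names is exact for a department of one.
SELECT dept, AVG(salary) FROM employee GROUP BY dept;

-- Leak 2 (differencing): two overlapping sums isolate one person even in a large group.
SELECT SUM(salary) FROM employee WHERE dept = 'Engineering';
SELECT SUM(salary) FROM employee WHERE dept = 'Engineering' AND name <> 'Ann';
-- the two sums differ by exactly Ann's salary

-- Control 1: query-set-size restriction. Groups smaller than k are not reported at all.
CREATE VIEW dept_salary_stats AS
SELECT dept, COUNT(*) AS headcount, ROUND(AVG(salary)) AS avg_salary
FROM employee
GROUP BY dept
HAVING COUNT(*) >= 5;                    -- k = 5

-- Control 2: publish 25k salary bands per department instead of exact values,
-- again only for bands that hold at least k people.
CREATE VIEW dept_salary_bands AS
SELECT dept,
       (FLOOR(salary / 25000) * 25000)::int AS band_from,
       COUNT(*) AS headcount
FROM employee
GROUP BY dept, band_from
HAVING COUNT(*) >= 5;

-- The controls only hold if analysts cannot reach the base table. A view runs with
-- its owner's privileges, so grant the views and nothing else.
CREATE ROLE analyst;
REVOKE ALL ON employee FROM PUBLIC;
GRANT SELECT ON dept_salary_stats, dept_salary_bands TO analyst;
```

With this data the first leak reports Legal's average as 95000, which is Farid's salary, and the differencing pair yields 550000 and 430000, a difference of 120000, Ann's salary. Both views suppress Legal; the bands view returns a single row for Engineering (band 100000, headcount 5). The caveat a practitioner should keep in mind: a minimum group size stops the two leaks shown, but it is not sufficient on its own against an analyst who can issue many overlapping aggregate queries with free predicates, which is why the analyst here gets only fixed views and no access to the base table.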

    Flow Control

    • Definition: Controls the paths information may take, so that data does not flow from authorized users or objects to unauthorized ones
    • Covert Channels: Unintended paths (shared resources, timing, error messages) through which information leaks around the access controls
    • Importance: Preventing sensitive data leakage outside authorized pathways, even when every individual access looks legitimate
    • Example: Employee uses a shared printer to view restricted documents

    Data Encryption

    • Definition: Method to protect sensitive data (e.g., credit card numbers)
    • How it works: Data is transformed with an encryption key into ciphertext that is unreadable without the matching decryption key; this protects data both at rest (storage) and in transit (transmission)
    • Importance: Protects sensitive information during transmission, preventing unauthorized access and theft
    • Example: Online purchases encrypt credit card information during transmission.
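
The page's example is encryption in transit during a purchase. As an added example that goes one step further than the text, here is encryption at rest for the same kind of data inside PostgreSQL, using the pgcrypto extension (this is not code from the quiz or its source). The table, the key and the card number are placeholders; the card number is the well-known Visa test number, not a real card. The point it demonstrates is that anyone who can SELECT the table, including the DBA, sees only ciphertext unless they also hold the key.

```sql
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE payment_card (
    customer_id int     PRIMARY KEY,
    card_last4  char(4) NOT NULL,   -- displayable, not secret
    pan_cipher  bytea   NOT NULL    -- full card number, encrypted
);

-- The key is supplied by the application for the session (a psql variable here)
-- and is never stored in the database.
\set pan_key 'placeholder-key-replace-me'

INSERT INTO payment_card VALUES
  (1, '1111', pgp_sym_encrypt('4111111111111111', :'pan_key', 'cipher-algo=aes256'));

-- What a DBA, a backup, or an injected SELECT gets: bytea, no card number.
SELECT customer_id, card_last4, pan_cipher FROM payment_card;

-- What the application gets when it presents the key.
SELECT customer_id, pgp_sym_decrypt(pan_cipher, :'pan_key') AS pan
FROM payment_card
WHERE customer_id = 1;

-- A wrong key does not yield garbage; pgp_sym_decrypt raises an error instead.
SELECT pgp_sym_decrypt(pan_cipher, 'not-the-key') FROM payment_card;
```

Two caveats. First, because the key travels inside the SQL text, it can end up in server logs if statement logging is on; encrypting in the application (or in a key-management service) before the value reaches the database avoids that. Second, this protects the data from whoever reads the table, not from a compromised application that legitimately holds the key.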

    Types of Database Security Mechanisms

    • Discretionary Security Mechanisms (DSM): Flexible; privileges are granted to individual users by the DBA or by an object's owner, and a holder may pass them on if given the grant option
    • Example: Professor can modify course grades, but a student can only view them.
    • Mandatory Security Mechanisms (MSM): Strict; data carries a classification and users carry a clearance, and predefined rules comparing the two decide access. Users cannot relax these rules
    • Example: Classified information requires matching security clearance for access.

    Database Security and the DBA

    • Definition of DBA: Central authority for managing a database system
    • Key Responsibilities
      • Granting privileges: Assigning permissions to users based on roles
      • Classifying data and users: Organizing data and users based on sensitivity and clearance levels.
    • DBA is responsible for overall database security.

    Access Control, User Accounts, and Database Audits

    • DBA manages security using Access Control, User Accounts, and Database Audits
    • User Account Creation: Unique account ID and password for each user
    • Login Process: Users log in with their credentials, DBMS verifies
    • Database Audits: Track database activities (e.g., login, updates, deletions); aids in security and error diagnosis/recovery
    • A database log kept mainly for security purposes is called an audit trail

    Discretionary Access Control

    • Discretionary access control is based on the granting and revoking of privileges
    • Grant Command (e.g., GRANT privileges ON object TO users [WITH GRANT OPTION])
    • Revoke Command (e.g., REVOKE [GRANT OPTION FOR] privileges ON object FROM users)
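
The university example from the Access Control notes and the GRANT/REVOKE forms listed here, put together as one added PostgreSQL example (not code from the quiz or its source; the role names, the table and the script being run by a superuser are all assumptions). It shows group roles, column-level privileges, delegation with WITH GRANT OPTION, and the difference between revoking a privilege and revoking only the grant option, including the cascade to privileges that were passed on.

```sql
CREATE TABLE grades (
    student_id int  NOT NULL,
    course     text NOT NULL,
    grade      char(1),
    PRIMARY KEY (student_id, course)
);

-- Group roles carry the privileges; people are members of a group.
CREATE ROLE student   NOLOGIN;
CREATE ROLE professor NOLOGIN;
CREATE ROLE bob   LOGIN IN ROLE student;
CREATE ROLE alice LOGIN IN ROLE professor;
CREATE ROLE carl  LOGIN;                 -- teaching assistant; gets access only from Alice

-- Least privilege first: PUBLIC gets nothing on the table.
REVOKE ALL ON grades FROM PUBLIC;

-- Students may only read. Professors may read, insert, and change the grade
-- column only (column-level privilege: they cannot rewrite student_id or course).
GRANT SELECT ON grades TO student;
GRANT SELECT, INSERT ON grades TO professor;
GRANT UPDATE (grade) ON grades TO professor;

-- Alice additionally receives SELECT with the right to pass it on.
GRANT SELECT ON grades TO alice WITH GRANT OPTION;

-- Alice delegates read access to her TA.
SET ROLE alice;
GRANT SELECT ON grades TO carl;
RESET ROLE;

-- Current privilege state: grantee, privilege, and whether it can be passed on.
SELECT grantee, privilege_type, is_grantable
FROM information_schema.role_table_grants
WHERE table_name = 'grades'
ORDER BY grantee, privilege_type;

-- Take back only Alice's ability to delegate; she keeps SELECT herself. CASCADE also
-- revokes the SELECT Carl obtained through her; without CASCADE the statement fails
-- because a dependent grant exists.
REVOKE GRANT OPTION FOR SELECT ON grades FROM alice CASCADE;

-- Removing Bob from the student group takes his SELECT away with the membership.
REVOKE student FROM bob;
```

The weakness the notes attribute to DAC is visible here: once Bob holds SELECT, nothing in the grant tells the DBMS what he may do with the rows he reads, and if he has CREATE on a schema he can copy them into a table of his own. Mandatory access control, in the next section, is the mechanism that addresses that gap.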

    Mandatory Access Control

    • A stricter security measure
    • Data and users are classified based on security sensitivity
    • A user can read an object only if the user's clearance is at or above the object's classification (no read up); in the strict model a user also cannot write to an object classified below their clearance (no write down)
    • Top Secret (TS), Secret (S), Confidential (C), Unclassified (U), ordered TS ≥ S ≥ C ≥ U
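
PostgreSQL has no mandatory access control built in, but the read-down and write-up rules above can be emulated with row-level security. This is an added example, not from the quiz or its source; the tables, roles, the integer encoding of the four classes and the script being run by a superuser are assumptions. It is an emulation built from discretionary features, so a superuser or a role with BYPASSRLS still bypasses every policy.

```sql
-- Levels: 0 = Unclassified, 1 = Confidential, 2 = Secret, 3 = Top Secret.
CREATE TABLE clearance (
    role_name name PRIMARY KEY,
    level     int  NOT NULL CHECK (level BETWEEN 0 AND 3)
);
REVOKE ALL ON clearance FROM PUBLIC;   -- users must not read or change clearances

CREATE TABLE document (
    doc_id         int  PRIMARY KEY,
    body           text NOT NULL,
    classification int  NOT NULL CHECK (classification BETWEEN 0 AND 3)
);

-- Constructed documents, inserted before the policies take effect.
INSERT INTO document VALUES
  (1, 'cafeteria menu',      0),
  (2, 'staff phone list',    1),
  (3, 'merger negotiations', 2),
  (4, 'board succession',    3);

-- Looks up a role's clearance. SECURITY DEFINER so callers need no access to the
-- clearance table; the role name is passed in because inside such a function
-- current_user is the function's owner, not the caller.
CREATE FUNCTION clearance_of(who name) RETURNS int
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = pg_catalog, public AS
$$ SELECT COALESCE((SELECT level FROM clearance WHERE role_name = who), 0) $$;

ALTER TABLE document ENABLE ROW LEVEL SECURITY;
ALTER TABLE document FORCE ROW LEVEL SECURITY;    -- the owner is subject to the policies too

-- Simple security property ("no read up"): a row is visible only if clearance >= classification.
CREATE POLICY read_down ON document FOR SELECT
    USING (classification <= clearance_of(current_user));

-- *-property ("no write down"): new rows must be classified at or above the writer's
-- level, so a Secret user cannot copy Secret content into an Unclassified row.
CREATE POLICY no_write_down ON document FOR INSERT
    WITH CHECK (classification >= clearance_of(current_user));

-- The DBA classifies the users (the DBA running this script is cleared Top Secret).
CREATE ROLE carol LOGIN;   -- Confidential
CREATE ROLE sam   LOGIN;   -- Secret
INSERT INTO clearance VALUES (current_user, 3), ('carol', 1), ('sam', 2);
GRANT SELECT, INSERT ON document TO carol, sam;   -- RLS filters rows; it does not grant access

-- As Carol (connect as her, or SET ROLE carol from a superuser session).
SET ROLE carol;
SELECT doc_id, body FROM document;                          -- filtered by read_down
INSERT INTO document VALUES (5, 'copied notes', 0);          -- rejected by no_write_down (0 < 1)
INSERT INTO document VALUES (6, 'for the Secret team', 2);   -- allowed: writing up is permitted
RESET ROLE;
```

Carol's SELECT returns only documents 1 and 2; her Unclassified insert is refused with "new row violates row-level security policy", and her Secret insert succeeds even though she cannot read it back afterwards, which is exactly the "write up, read down" behaviour of the strict model. One covert channel remains, and it ties back to the Flow Control section: if Carol inserts doc_id 3 she gets a duplicate-key error although row 3 is invisible to her, so the primary key leaks the existence of a Secret document. PostgreSQL's own documentation notes this limitation of row-level security.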

    Comparing Discretionary and Mandatory Access Control

    • Discretionary Access Control (DAC):
      • Advantages: Flexible, customizable, easily adapt to different applications
      • Disadvantages: No control over what a user does with data once they can read it; privileges can be passed on (WITH GRANT OPTION), and a program run by an authorized user (a Trojan horse) can copy protected data into an object the attacker can read
    • Mandatory Access Control (MAC):
      • Advantages: High degree of security, prevents unauthorized data flow
      • Disadvantages: Can be rigid, may not be suitable for dynamic environments

    Description

    Test your knowledge on key concepts of database security. This quiz covers various strategies to protect sensitive data, the role of a Database Administrator, and access control mechanisms. Enhance your understanding of how to safeguard databases from common threats.
