Data Security IE2042 Lecture Notes PDF
SLIIT
Summary
This document is a lecture on database security, focusing on concepts like confidentiality, integrity, and availability. It also outlines different database attacks and preventative measures.
Full Transcript
DATABASE SECURITY
IE2042 - Database Management Systems for Security - Lecture 10

Learning Outcomes (LO4)
▸ Understand the three important aspects of security
▸ Apply appropriate solutions to address security and performance concerns related to databases.

Database Security
The data stored in a DBMS is often vital to the business interests of the organization and is regarded as a corporate asset. In addition to protecting the intrinsic value of the data, organizations must consider ways to ensure privacy, and to control access to data that must not be revealed to certain groups of users for various reasons.

Aspects of Database Security
There are three main objectives to consider while designing a secure database application:
▸ Confidentiality: Information should not be disclosed to unauthorized users.
▸ Integrity: Only authorized users should be allowed to modify data.
▸ Availability: Authorized users should not be denied access.

Confidentiality (C)
This term covers two related concepts.
▸ Data confidentiality: Assures that confidential information is not made available or disclosed to unauthorized individuals.
▸ Privacy: Assures that the owners have control over what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.
NIST's requirement: Preserve authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Integrity (I)
This term covers two related concepts.
▸ Data integrity: Information and programs are changed only in a specified and authorized manner.
▸ System integrity: A system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Requirement: Guard against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.
Loss of integrity means unauthorized modification or destruction of information.

Availability (A)
Systems work promptly and service is not denied to authorized users.
NIST's requirement: Ensuring timely and reliable access to and use of information.
Loss of availability means disruption to authorized users in accessing or using information.

Authentication (A)
Able to verify that users are who they claim to be, and that the system receives data from a trusted source.
NIST includes authenticity as part of Integrity.

Accountability (A)
Able to trace the actions performed by an entity back to that entity.
Accountability supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, after-action recovery and legal action.

System Resources or Assets
▸ Hardware: e.g., computer systems, data storage, communication devices.
▸ Software: e.g., operating systems, program utilities and applications.
▸ Data and data storage systems: e.g., data and password files, databases.
▸ Communication facilities and networks: e.g., LAN, WAN, routers, switches.

Vulnerability
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
▸ When the resource is corrupted, Integrity is violated.
▸ When the resource is leaky, Confidentiality is violated.
▸ When the resource is unavailable, Availability is violated.

Threat
A possible danger that might exploit a vulnerability. It represents a potential harm to the system resource.

Attack
A threat that is carried out (threat action).
Two attack types:
▸ Active attack: An act that has negative effects on system resources.
▸ Passive attack: An act that makes use of system information but does not affect the system.
The origin of an attack:
▸ Inside attack: carried out by an entity inside the security perimeter.
▸ Outside attack: performed by an unauthorized user.

Database Attacks
▸ Yahoo (2013)
▸ Equifax (2017)
▸ eBay (2014)
▸ Marriott (2018)
▸ Facebook (2019)
▸ MySpace (2013)
▸ LinkedIn (2012)
▸ Adobe (2013)
▸ SolarWinds (2020)

Brute force Attack
A brute force attack is the cyberattack equivalent of trying every key on your key ring, and eventually finding the right one.
How to prevent:
▸ Increase password length: More characters mean more time to crack by brute force.
▸ Increase password complexity: More options for each character also increase the time to crack by brute force.
▸ Limit login attempts: Brute force attacks increment a counter of failed login attempts on most directory services. A good defense is to lock out users after a few failed attempts, thus nullifying a brute force attack in progress.
▸ Implement Captcha: Captcha is a common system for verifying that a website visitor is human, and it can stop brute force attacks in progress.
▸ Use multi-factor authentication: Multi-factor authentication adds a second layer of security to each login attempt that requires human intervention, which can stop a brute force attack from succeeding.

SQL Injection (SQLi attack)
A type of vulnerability in the code of websites and web apps that allows attackers to hijack back-end processes and access, extract, and delete confidential information from your databases.
How to prevent:
▸ Avoid the use of dynamic queries within applications.
▸ Use prepared statements with parameterized queries; this will stop SQL injection.
▸ Implement user input validation before that input is passed to the application.

Privilege Abuse and Impersonating
Users may abuse legitimate data access privileges for unauthorized purposes.
How to prevent:
▸ User access to data should be rate limited.
▸ Use multi-factor authentication mechanisms.

Buffer overflow
Buffer overflow takes place when a process tries to write a large amount of data to a fixed-length block of memory, more than it is permitted to hold. Attackers might use the excess data, kept in adjacent memory addresses, as the starting point from which to launch attacks.

How to prevent database threats
▸ Better employee training so best practices are used daily.
▸ Determining the attack surface of your network and database.
▸ Using a zero-trust system.
▸ Deleting inactive accounts and limiting privileges for standard users.
▸ Encrypting the database and all backups.
▸ Blocking potentially malicious web requests.
▸ Monitoring who accesses the database and analyzing usage patterns.
▸ Using masking to hide database fields that contain sensitive information.

The End… Complete the tutorial
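
Added example (not part of the original lecture): the "Limit login attempts" measure from the Brute force Attack slide, written as a small lockout guard. The threshold, the lockout duration, the sample account and every name in the code are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_FAILURES = 3        # assumed policy: lock after 3 consecutive failures
LOCKOUT_SECONDS = 900   # assumed policy: lock lasts 15 minutes

def _hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample account store: username -> password hash.
USERS = {"alice": _hash("correct horse battery")}

def verify(user, password):
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(password))

class LoginGuard:
    """Counts failed logins per user and locks the account at the threshold."""

    def __init__(self, verify_fn, clock=time.monotonic):
        self.verify_fn = verify_fn
        self.clock = clock
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time at which the lock expires

    def attempt(self, user, password):
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"     # refused without checking the password
        if self.verify_fn(user, password):
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
        return "denied"

def run_guesses(guard, user, guesses):
    """Feed a list of guesses through the guard; return each outcome."""
    return [guard.attempt(user, g) for g in guesses]
```

Once the account is locked, even the correct password is refused until the lock expires, so a guess list stops making progress after three tries. Lockout can itself be used to deny service to a known username, which is one reason it is combined with the Captcha and multi-factor measures on the same slide.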
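
Added example (not part of the original lecture): the three prevention points from the SQL Injection slide, showing a dynamic query beside a prepared statement and an input-validation step. It uses Python's sqlite3 module with an in-memory database; the table, the rows, the function names and the name pattern are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Build an in-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT)")
    db.executemany("INSERT INTO students (name, grade) VALUES (?, ?)",
                   [("alice", "A"), ("bob", "C"), ("carol", "B")])
    return db

def lookup_dynamic(db, name):
    """Vulnerable: the input is concatenated into the SQL text itself."""
    sql = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_prepared(db, name):
    """Hardened: the SQL text is fixed and the input is bound as a parameter."""
    sql = "SELECT name, grade FROM students WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# Assumed allow-list for a person's name; apostrophes are legitimate (O'Brien).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")

def lookup_validated(db, name):
    """Validate the input first, then still use the prepared statement."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid name")
    return lookup_prepared(db, name)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"              # constructed input that alters the WHERE clause
    print(lookup_dynamic(db, crafted))    # the dynamic query returns every row
    print(lookup_prepared(db, crafted))   # the bound value matches no name
    print(lookup_validated(db, "O'Brien"))  # valid input with a quote is handled safely
```

The apostrophe case shows why validation supplements the prepared statement rather than replacing it: a legitimate name can contain a quote character, and only parameter binding handles it correctly.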