The document outlines the examination details for the course CCF 3251: Database Security at Meru University of Science and Technology for the academic year 2017/2018. It includes various questions related to database security concepts, access control, SQL injection attacks, and vulnerabilities, requiring students to demonstrate their understanding through explanations and SQL statements. The exam consists of five questions, with students required to answer question one and any two additional questions.

MERU UNIVERSITY OF SCIENCE AND TECHNOLOGY

P.O. Box 972-60200 – Meru-Kenya.


Tel: +254(0) 799 529 958, +254(0) 799 529 959, + 254 (0) 712 524 293,
Website: info@must.ac.ke Email: info@must.ac.ke

University Examinations 2017/2018

SECOND YEAR SECOND SEMESTER EXAMINATION FOR THE DEGREE OF


BACHELOR OF COMPUTER SECURITY AND FORENSICS

CCF 3251: DATABASE SECURITY

DATE: SEPTEMBER 2018 TIME: 2 HOURS

INSTRUCTIONS: Answer question one and any other two questions

QUESTION ONE (30 MARKS)

a) Briefly describe the following concepts as applied in database security (6 marks)

i. Subject

ii. Object

iii. Access right (privileges)

b) Differentiate between account level and relation level privileges that may be
configured on a database to protect its confidentiality (4 marks)

c) While giving examples, give the key differences between discretionary access control and
mandatory access control (4 marks)

d) Data is a valuable resource that must be strictly protected, as with any corporate
resource. Describe two threats to data stored in a database and give one mechanism
employed by database management systems to protect data from each of the threats
identified (4 marks)

e) Write an SQL statement that gives user U1 the select privilege on the branch table and
allows U1 to grant this privilege to others (4 marks)

Meru University of Science & Technology is ISO 9001:2015 Certified


Foundation of Innovations Page 1
f) Differentiate between

i. Read and insert authorization (4 marks)

ii. Update and delete authorization (4 marks)

QUESTION TWO (20 MARKS)


a) SQL injection is a common attack that targets the databases behind web-based applications
i. Briefly describe a typical SQL injection attack (6 marks)
ii. Give two ways of preventing SQL injection attacks (4 marks)
b) Access control ensures that all direct accesses to objects are authorized and protects
against accidental and malicious threats by regulating the reading, writing and execution of
data and programs.
i. Briefly describe two access control components of database security
(4 marks)
ii. Compare authorization in the application layer vs. the database layer (6 marks)
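The following is an added illustration of the attack pattern and the preventions asked about in Question Two (a); it is not part of the exam paper or its marking scheme. MySQL syntax is assumed, and the `bank.customer` table, the `customer_name` and `balance` columns and the `webapp` account are constructed for the example.

```sql
-- Added illustration (not part of the exam paper). MySQL syntax assumed;
-- the bank.customer table and the webapp account are constructed for this example.

-- 1. The weak pattern: the query string is assembled by concatenation, so whatever
--    the user typed into the web form becomes part of the SQL text the server parses.
SET @input = 'Alice';                           -- value supplied by the web form
SET @sql = CONCAT('SELECT customer_name, balance FROM bank.customer ',
                  'WHERE customer_name = ''', @input, '''');
PREPARE weak_stmt FROM @sql;                    -- user text is parsed as SQL
EXECUTE weak_stmt;
DEALLOCATE PREPARE weak_stmt;

-- 2. The corrected pattern: the statement text is fixed in advance; the value is
--    passed separately as a parameter and can never alter the query's structure.
PREPARE safe_stmt FROM
  'SELECT customer_name, balance FROM bank.customer WHERE customer_name = ?';
EXECUTE safe_stmt USING @input;
DEALLOCATE PREPARE safe_stmt;

-- 3. Second layer: the account the web application connects with is given only
--    the privilege it needs, so a statement that does slip through cannot read or
--    modify anything beyond that one table.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT SELECT ON bank.customer TO 'webapp'@'localhost';
```

Parameterised (prepared) statements address the cause of the injection, because the database never re-parses user input as SQL; limiting the application account's privileges limits the damage if input validation is ever bypassed elsewhere in the application.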

QUESTION THREE (20 MARKS)


a) Data stored in a database, or in transit to or from a database, has several
levels/dimensions of protection. Briefly describe the control measures that can be
applied at the following levels of database security (6 marks)
i. Physical level
ii. Operating system
iii. Database
b) In relation to the Bell-LaPadula model, describe the following properties (4 marks)
c) Write an SQL statement to demonstrate the following access control commands
i. Revoke (5 marks)
ii. Grant (5 marks)
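As an added illustration of the privilege statements asked for in Question One (b), (e) and (f) and Question Three (c), the block below shows account-level, relation-level and column-level grants, delegation with the grant option, and revocation. It is not part of the exam paper or its marking scheme. MySQL syntax is assumed; the `branch` table is named in the paper, while the `bank` schema, the `assets` column and users U1 and U2 are constructed for the example.

```sql
-- Added illustration (not part of the exam paper). MySQL syntax assumed; the
-- bank schema, the assets column of branch, and users U1 and U2 are constructed.

-- Account-level privileges are attached to the user account rather than to one
-- table (here: the right to create tables and views anywhere in the bank schema).
GRANT CREATE, CREATE VIEW ON bank.* TO 'U1'@'localhost';

-- Relation-level privileges are attached to a specific table. Read (SELECT) and
-- insert (INSERT) are distinct rights, as are update (UPDATE) and delete (DELETE).
GRANT SELECT ON bank.branch TO 'U1'@'localhost' WITH GRANT OPTION;  -- U1 may pass SELECT on
GRANT INSERT ON bank.branch TO 'U2'@'localhost';                    -- U2 may add rows only
GRANT UPDATE (assets) ON bank.branch TO 'U2'@'localhost';           -- column-level: one attribute
GRANT DELETE ON bank.branch TO 'U2'@'localhost';                    -- remove rows; no other UPDATE

-- Because U1 holds the grant option, U1 can delegate SELECT on branch.
-- (This statement is run while connected as U1.)
GRANT SELECT ON bank.branch TO 'U2'@'localhost';

-- Withdrawing a privilege. MySQL does not cascade a REVOKE to privileges that the
-- revoked user delegated, so each grant is revoked explicitly; systems that
-- implement the SQL-standard CASCADE option remove delegated privileges in one step.
REVOKE SELECT ON bank.branch FROM 'U1'@'localhost';
REVOKE SELECT ON bank.branch FROM 'U2'@'localhost';

-- Check what each account still holds after the changes.
SHOW GRANTS FOR 'U1'@'localhost';
SHOW GRANTS FOR 'U2'@'localhost';
```

When auditing a database, the `SHOW GRANTS` output (or the equivalent catalogue view in other systems) is the record to compare against the intended privilege design, since delegated grants can outlive the grant they were derived from.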

QUESTION FOUR (20 MARKS)


a) While describing the following vulnerabilities, discuss their effect on a database and at
least one mitigation strategy for each (8 marks)
i. Privilege abuse
ii. The SQL injection

iii. Misconfigured database
iv. Programmers
b) Briefly describe how man-in-the-middle attacks/impersonation can be prevented in a
database (4 marks)
c) Differentiate between application level and database level audit trail (4 marks)
d) In relation to mandatory access control, give the four possible security labels in their
order of dominance from the highest to the lowest (4 marks)

QUESTION FIVE (20 MARKS)


a) In relation to access control, illustrate the four main levels of granularity of object
protection (8 marks)
b) Describe four powerful capabilities of super user accounts recommended for database
administrators (4 marks)
c) Describe the RAID mechanism and how it improves reliability and time performance
(4 marks)
d) Differentiate between software RAID and hardware RAID (4 marks)
