Database
Security
Chapter One
Security and Information Technology
Objectives
▪ Define the nature of database and information systems security
▪ Identify the three main security objectives when protecting
information systems
▪ Identify security threats
▪ Define and identify the characteristics of viruses and how they
infiltrate systems
▪ Identify specific types of operational security and describe how
to implement them
Database Security 2
Objectives (cont’d.)
▪ Describe the information security life cycle
▪ Describe the multilayered nature of security architecture
Why Database Security?
▪ Most databases provide access spanning several networks and
across the world
▪ Most online transactions involve a database
▪ Water supplies, electricity grids, and gas and oil production
depend on a computer network to thrive
▪ Breach could have disastrous impact
▪ Network intruders are well trained and growing more
sophisticated
A Secure Data
Environment
▪ Multiple layers of security / Defense In Depth
▪ The more security layers that we can apply, the more secure our
environment will be.
▪ Most effective approach to minimizing risk of data breach
▪ Requires intruders to bypass several layers of security controls
▪ Example of multiple security layers to protect against malicious
e-mail attachments
▪ User awareness training
▪ Filter on exchange server to remove known malicious attachments
▪ Firewall configured to deny certain types of traffic
A Secure Data
Environment
▪ Policies, Procedures, and Awareness
▪ Password policies, security
training, data classification,
and enforcement of security
guidelines.
▪ It’s often called administrative
or procedural controls.
▪ Physical Controls
▪ This includes tangible
safeguards like locks, fences,
security guards, etc.
▪ Perimeter (Network Edge)
▪ Protects against external
threats using tools such as
firewalls, VPNs, and packet
filters to inspect and regulate
network traffic.
A Secure Data
Environment
▪ Internal Network Security
▪ Inside the perimeter: IDS, IPS, internal
firewalls, and encryption used to secure
traffic within the network.
▪ Host Security
▪ Focuses on individual systems: patch
management, endpoint protection
(antivirus, EDR), hardening practices, and
secure configurations.
▪ Application Security
▪ Ensures secure operation of apps: single
sign-on (SSO), authentication and
authorization, supporting secure code and
SDLC integration.
▪ Data Security (Core Layer)
▪ Database encryption, access controls etc.
Class Activity
▪ Identify the different types of technical controls.
3 Database Security
Domains
Our Security strategy should
address the following three
areas:
- Database Security
- Computer Security
- Network Security
A Secure Data
Environment
(cont’d.)
▪ Database security
▪ Set of established procedures, standards,
policies, and tools
▪ Protects against theft, misuse, and attacks
▪ Deals with permission and access to the data
structure
▪ Common vendor features for database security
▪ Database-level access control
▪ Database-level authentication
▪ Data storage encryption
A Secure Data
Environment (cont’d.)
Are security controls applied
only at the database level
sufficient on their own?
A Secure Data
Environment
(cont’d.)
▪ Computer security
▪ The hardware and software upon which
the database is installed.
▪ Necessary element of database security
▪ A set of established procedures,
standards, policies, and tools that are
used to protect a computer from theft,
misuse, and unwanted intrusions,
activities, and attacks.
▪ Common computer security features
▪ Operating system-level access control
▪ Operating system-level authentication
▪ Hardware and software monitors and
logs
A Secure Data
Environment
(cont’d.)
▪ Network security
▪ Outermost layer of the database
▪ Arguably the biggest security concern, as
it is a gateway for adversaries
▪ Set of established procedures,
standards, policies, and tools
▪ Goal: protect network from theft,
misuse, and attacks
▪ Hardware and software devices
used to secure a network
▪ Firewalls, network monitors,
intrusion detection systems,
proxy servers, and
authentication servers
What are the objectives of
database security?
Database Security
Objectives
▪ Security measures
▪ Keep information private from outside viewing
▪ Maintain consistency of data
▪ Ensure resources remain at a high degree of availability
▪ Key to achieving effective data security architecture
▪ Organization must maintain confidentiality, integrity, and availability
of its environment
▪ CIA triangle
Figure 1-1 C.I.A. triangle
Database Security
Objective 1
▪ Confidentiality requirements
▪ Ensure information remains private by limiting authorized access to
resources
▪ Block unauthorized access to resources
▪ Confidentiality protected using authentication and access
controls
▪ State and federal laws may apply to these measures
▪ Breaches in confidentiality could result in:
▪ Stolen identity
▪ Exposed business trade secrets
Database Security
Objective 2
▪ Integrity
▪ Reliable, accurate, and consistent data stored in and retrieved from
the database
▪ Protected by preventing accidental or deliberate modifications
▪ Most difficult item to measure
▪ Auditing used to compare data with older, backed-up versions of
the data
▪ Results of integrity breaches
▪ Unreliable data, flawed programs, system failures
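The audit described above (comparing live data with an older, backed-up version) can be sketched as follows. This is an added example, not part of the original slides; the `accounts` table, its columns, and the sample rows are constructed assumptions, and SQLite stands in for the production database.

```python
import hashlib
import sqlite3

def row_digests(conn, table, key):
    """Map each primary-key value to a SHA-256 digest of the whole row."""
    # table/key come from trusted audit configuration, never from user input.
    cur = conn.execute(f'SELECT * FROM "{table}" ORDER BY "{key}"')
    cols = [d[0] for d in cur.description]
    k = cols.index(key)
    digests = {}
    for row in cur:
        canon = "\x1f".join(f"{c}={v!r}" for c, v in zip(cols, row))
        digests[row[k]] = hashlib.sha256(canon.encode()).hexdigest()
    return digests

def audit(live, backup, table, key):
    """Report rows that differ between the live copy and the backup."""
    a, b = row_digests(live, table, key), row_digests(backup, table, key)
    return {
        "modified": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
        "added": sorted(a.keys() - b.keys()),
        "deleted": sorted(b.keys() - a.keys()),
    }

def make_db(rows):
    """Build an in-memory stand-in for a database copy (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", rows)
    return conn

# Constructed sample data: the backup snapshot and the current live table.
BACKUP_ROWS = [(1, "alice", 120.0), (2, "bob", 75.5), (3, "carol", 310.0)]
LIVE_ROWS = [(1, "alice", 120.0), (2, "bob", 9075.5), (4, "mallory", 50.0)]

def demo():
    return audit(make_db(LIVE_ROWS), make_db(BACKUP_ROWS), "accounts", "id")

if __name__ == "__main__":
    print(demo())
```

Every difference still has to be reconciled against the legitimate changes made since the backup; only the unexplained ones are integrity findings.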
Database Security
Objective 3
▪ Availability
▪ Maintaining accessible network or database resources
▪ Business cannot operate without it
▪ Must identify potential threats to availability
▪ Assess threat level
▪ Plan appropriate intervention
▪ Example of threats: technical failures, natural disasters, intrusions,
user-caused harm
Who Are We Securing
Ourselves Against?
Key Points to understand:
▪ Must understand what poses a threat
▪ More threats exist on the inside of a network than on the outside
▪ Overly restrictive databases are as ineffective as those that give
too much access
▪ Healthy balance is needed
Security Threats
• Cracker
• Social Engineers
• Computer Users
• Network and Database Administrators
• The Internet
• E-mails
• Instant Messages
• Tweets
• Misleading Applications
• Malware
Hackers
▪ Hacker
▪ Person who has mastered firmware
and software of modern computer
systems
▪ Person who enjoys exploration and
analysis of network security without
intent to cause harm
▪ Cracker
▪ Person who breaks into a network
to destroy or steal information
Table 1-1 Types of online intruders
Social Engineers
▪ People who manipulate
others to gain access to
systems, unauthorized
areas, or confidential
information
▪ Often build trust with
authorized user
▪ Use deception and trickery
to convince people to break
normal security policies
▪ Example: asking for a
password
Computer Users
▪ Network users cause over half of
security breaches
▪ Everyone is a security threat (Zero Trust)
▪ Major contributing factors
▪ Lack of education
▪ Disregard of policy
▪ Examples of most common user errors
▪ Opening unknown e-mail
attachments
▪ Disregard for company policy
(downloading unauthorized
software)
▪ Poor habits (computers unlocked
and unattended)
▪ Writing passwords on sticky notes
Computer Users (cont’d.)
▪ Inappropriate disclosure
(giving information over the
phone to a social engineer)
▪ Procrastination (failing to
report computer issues in a
timely manner)
▪ Computer-literate users
may take risks and find
shortcuts to security
measures
▪ Disgruntled employee on a
network can abuse access
rights and destroy files
Network and Database
Administrators
▪ Not often viewed as threats to networks they run
▪ Room for error exists
▪ Their mistakes have consequences for
integrity, availability, and reliability of the
network
▪ Dynamic nature of the data environment
▪ Employees get hired, retire, are fired, etc.
▪ Users are added and removed, and permissions
change all the time.
▪ Can cause new security flaws to be created
▪ Network components must be regularly
audited
▪ Common mistake
▪ Not removing a user’s rights and account
credentials
Class Activity
What are the biggest errors of all time made by
database administrators?
▪ Accidentally destroyed production database on
first day of a job, and was told to leave, on top
of this I was told by the CTO that they need to
get legal involved, how screwed am I?
▪ Summary of the December 24, 2012 Amazon ELB
Service Event in the US-East Region
The Internet
▪ 5.6 billion Internet users (according to
Statista)
▪ 1.13 billion websites (according to
Forbes)
▪ Hundreds of millions of US residents have
Internet access
▪ More and more services are offered
online
▪ Threats on the Internet continue to
increase
▪ Opens up an opportunity for criminal
groups to steal financial resources,
intellectual property, information, etc.
The Internet (cont’d.)
▪ Internet infrastructure has security flaws and vulnerabilities
that can be targeted and manipulated.
▪ Hijacking
▪ Web pages rewritten to distribute malicious code or redirect user to
attacker’s Web site
▪ Malware
▪ Malicious software
▪ Often intended to be harmful and destructive
The Internet (cont’d.)
▪ Domain name server (DNS)
▪ Database of domain names and their respective IP addresses
▪ DNS poisoning
▪ Cracker gains control over DNS server
▪ Cracker substitutes their site IP address for the legitimate domain
name IP address
▪ User may be fooled into providing personally identifiable information
(PII)
▪ Browser menu settings can also be manipulated
Misleading Applications
▪ Applications designed to
deceive users into believing
their computer’s security has
been breached
▪ User downloads and purchases
fake antivirus tools
▪ Tools deliver malware to user’s
computer
▪ User has no knowledge of true
security breach
E-mails
▪ One of most common forms
of communication today
▪ Biggest threat to network
and database environment
▪ Simple channel of attack for
crackers
▪ Most common way malicious
code gains access to a
business
E-mails (cont’d.)
▪ Attachments
▪ Difficult to identify a fake attachment
▪ Crackers use attachment names and file extensions to gain trust
▪ Invoice.pdf.exe with hidden extension
▪ Scripts delivered as a document.
▪ Once run, the script downloads additional malware from a remote
server
▪ Spoofing e-mail address
▪ Using a false e-mail address in the “from” and “reply” fields
▪ Increases likelihood that user will open the attachment
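A mail-gateway style check for the two indicators above (a hidden double extension such as Invoice.pdf.exe, and a reply address that does not match the sender) can be sketched as follows. This is an added example, not part of the original slides; the extension lists, function names, and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Illustrative extension lists (assumptions, not a complete policy).
RISKY_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

# Constructed sample message; every address and name is made up.
SAMPLE = """\
From: "Accounts" <billing@example.com>
Reply-To: payments@example.net
Subject: Invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Disposition: attachment; filename="Invoice.pdf.exe"

AAAA
--b1--
"""

def domain(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def inspect(raw):
    """Return a list of findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    # Heuristic only: legitimate mail sometimes uses a different reply domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Trailing dots/spaces are stripped so "x.exe." is still caught.
        pieces = name.lower().rstrip(". ").split(".")
        if len(pieces) < 2 or pieces[-1] not in RISKY_EXT:
            continue
        if len(pieces) >= 3 and pieces[-2] in DECOY_EXT:
            findings.append(f"double extension: {name}")
        else:
            findings.append(f"executable attachment: {name}")
    return findings

if __name__ == "__main__":
    print(inspect(SAMPLE))
```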
E-mails (cont’d.)
▪ Phishing
▪ Act of trying to fish
information out of people or
an attempt to obtain PII
▪ May include convincing a
user to click a link to a
cracker-owned Web site
▪ Common technique: fake
holiday and birthday card e-mails
Malware
▪ Capable of performing harmful and destructive tasks
on victim’s computers
▪ Can be written in many programming languages
▪ Types of malware
▪ Computer viruses
▪ Worms
▪ Trojans
▪ Spyware
▪ Adware
▪ Bots