Scribd Logo
Upload

Welcome to Scribd!

  • DBSEC

    Uploaded by

    Kannan A
    6 views22 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    6 views22 pages

    DBSEC

    Uploaded by

    Kannan A

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    of 22

    Database Security

    Information Security
     Not disclosed to inappropriate entities or processes.
    – CONFIDENTIALITY

     Can not be created, changed, or deleted without


    authorization.
    – INTEGRITY

     Prevents the originator of a message from denying


    authorship at a later date
    – NON-REPUDIATION
    2
    Information Security
     Mechanisms which are used to verify the identity of a
    user.
    – AUTHENTICATION
     Authorization/Authentication:
     Authorisation usually comes after Authentication
    – i.e. once the service knows who it is
    (Authenticated), it then proceeds to decide
    what that person/subject can do
    (Authorisation)
    3
    Information Security
    Confidentiality / Modification /
    Interception Integrity

    Authentication / Non-repudiation
    Fabrication / Disown

    4
    Database Security
     Authentication (Password, Pin, OTP)
     Authorisation (Permission)
     Access Control -- Discretionary Access Control
    --- Mandatory Access Control
    --- Roll Based Access Control

     Intrusion Detection
     Intrusion Prevention
     Key Management Techniques
     Cryptography
    Basic Security Concepts: Users

     The first key to database security.


     Access Control.
     User Levels.( Oracle provides three types
    of users. Connect, Resource and DBA)
     Login Procedure.
    Basic Security Concepts:
    Privileges
     Login.
     Access to a specific database.
     SELECT allows user to "read" data.
     INSERT allows user to create new data.
     UPDATE allows user to change existing data.
     DELETE allows user to delete rows.
    REFERENCES allows user to make sure that the
    data being entered to a child table matches a value
    in the parent table.
     EXECUTE allows user to run a stored procedure.
    Basic Security Concepts:
    Database Objects

     Tables.
     Views.
     Stored Procedures (SQL SERVER).
     ORACLE( Procedures, Functions and
    Triggers).
     Every user can be granted different privileges
    on each database object.
    Basic Security Concepts: Roles

     Used to group users.


     Can reduce hundreds of thousands of
    security settings to tens and hundreds of
    security settings.
     If user is in multiple roles, the user will
    gain privileges of each role.
    SQL Server: Granting, Revoking,
    & Denying Privileges
     Grant gives permissions
     Deny specifically denies permissions, even if it is got from another
    role
     Revoke counteracts a previous Grant or Deny
     Permissions
    o SELECT CREATE DEFAULT
    o INSERT CREATE PROCEDURE
    o UPDATE CREATE RULE
    o DELETE CREATE TABLE
    o REFERENCES CREATE VIEW
    o EXECUTE BACKUP DATABASE
    o CREATE DATABASE BACKUP LOG
    Oracle: Assigning Privileges to
    Database Objects
     Privileges
    – SELECT
    – INSERT
    – UPDATE
    – DELETE
    – REFERENCES
    – EXECUTE
    – INDEX
    – ALTER
     The INSERT, REFERENCES, and UPDATE can be
    applied to just certain columns by following the privilege
    with a list of columns in parentheses, separated by
    commas.
     WITH GRANT OPTION allows you to grant the right to
    grant rights to a particular user or role.
    Password and Role Strategies
    One User per Person, One Person per User
     The rule of thumb on networked databases: each
    person should have own login
    – With generic logins, lose ability to audit activity of any employee
    – Also temptation to assign more privileges to the generic login
    than some of the users of that login should have
     On many web sites users do not login - web pages
    access the database using a generic login
    – Should not be the master user for the database
     On in-house databases, users should not be regularly
    logging in with the master user
    – Ability to audit the activity of each employee
    – More practical to give master user a very difficult password
    Password and Role Strategies
    Password Structure
     Passwords should not be English words
     Passwords should not be birthdays, social security numbers,
    names of spouses, children, pets, or other easily discoverable
    pieces of information
     Passwords can be unusual word combinations (dog-chair)
     Passwords can be words letters mixed with numbers and/or
    punctuation marks
     Passwords should be at least four characters in length
     The more characters the better
     Once passwords get beyond seven or eight characters, users complain
     If you require passwords users cannot remember they will respond by
    writing them down on notes near their computer
    Password and Role Strategies
    Password Expiration
     In general it is good idea to have passwords expire.
    – Users will share their login information with other users
    intentionally or unintentionally.
    – Periodically forcing a change in passwords clears this
    security breach.
     Having passwords expire too often may actually
    cause a decrease in the quality of security.
    – Users will use easily-guessable passwords (March)
     Set an expiration period short enough to deal with
    security issues, long enough to avoid user issues.
    – Probably at least 90 days but no less than one year.
    Password and Role Strategies
    Login Controls

     What should you do if a user enters a bad user name


    and password combination?
    – Tell them of the failure.
    – Will you give them additional chances?
    – How many?
     Generally the number of attempts is set at from three
    to five
    – If the user fails that many times, then the system can
    disable the account for a specified period of time.
    – Another alternative is to simply close the application,
    allowing them to restart it and try again.
     Depends on a corporate choice in favor of security
    versus ease of use.
    Intrusion Detection
     Anomaly Based Intrusion Detection
    Systems (IDS)
     Misuse based IDS
     Host based IDS
     Network based IDS
    Data Set
     KDD cup dataset
     41 Features
     Feature Selection
     Classification
     False Positive rate
     Attacks
    Intrusion Prevention

     Intrusion Prevention.
     Anomaly Prevention System.
     Misuse Prevention System.
     Hybrid Intrusion Prevention System.
     Attacks
     DoS
    Database Auditing

     Auditing.
     Statement-level, Privilege-level and
    Object-level auditing.
     Why Object-level Auditing?
    Audit Record

     SQL trace utility.


     User Name.
     Host Identifier & IP address.
     Session Identifier.
     Transaction Time.
     Valid Time.
    Audit Metrics

     Audit the frequency of certain commands


    execution(Command Stroke Rate) by an user on a
    object in a session.
     Audit Execution Denials or Access Violations on a
    object in a session.
     Audit the Object utilization by an user for certain
    period.
    Conclusions
     Database Security
     Security Goals
     Access Control
     Key Management
     Authentication
     Authorization
     Password
     Database Auditing

    You might also like