Professional Documents
Culture Documents
Security Problems
Security Problems
Security Problems
CT069-3-3-DBS (VE1.0)
Topic 1
Security Problems
Learning
Outcomes
• Vulnerability
– Weakness in the system that makes the data vulnerable to
• unauthorized access
• manipulation, or destruction by authorized/unauthorized
• Threat
– Security attack that can happen any time because of a security
vulnerabilities
• Risk
– Damage that can happen if the threat attack happens
• Human
– Insufficient training, careless , ill intention
• Applications
– Bugs in the application software typically unpatched and
developed using outdated technology or without good
security features
– Default values and/or Misconfigurations can leave loopholes
in the systems
• DBMS Applications
– Bugs in the DBMS software typically unpatched
– Old versions being used
– Default values and/or Misconfigurations can leave loopholes
in the systems
People
• Individuals who have been granted privileges and permissions to access
applications, networks, servers, databases, data files and data.
How to Secure
• Establishment of security policies/procedures
• Physical limits on access to HW and documents
• Identification and authentication
• Training on the importance of security and how to protect information
assets
How to Secure
• Authentication and authorization of users who access applications
• Good design - hide database implementation details, perform code reviews,
implements good error handling and not user facing
• Business rules to limit access
• Prevent SQL Injection
• Patched to the latest version
Network
• Is the most sensitive security access point.
• Use best effort to protect the network.
How to Secure
• Firewalls
• VPN
• Authentication
Operating system
• The authentication to the system and the gateway to the data.
How to Secure
• User accounts/authentication/authorization
• Intrusion detection
• Password policy
• Patched to the latest version
DBMS
• Holds our data
• Logical structure of the database, include memory, executables, and other
binaries.
How to Secure
• Authentication & Authorization of People & Application
• Database Encryption
• Password Policy
• Database Auditing
• Backup Database
• Replication / Redundancy
Data files
• Physical files
How to Secure
• File encryption, permission management and access monitoring
Data
• Actual data as can been seen by the users
How to Secure
• Validation, constraints, encryption, access
• Data protection
• Obfuscation - Anonymization, Masking, Hashing, Encryption
• Backup
• High Availability
• User action validation to protect against accidental or intentional data loss
• Auditing – passive
• Try to identify what could happen (potential risk) - future
• Captured what happened – past
• Monitoring - active
• Keeping track of is happening (monitoring) – present