Security Problems


Database Security

CT069-3-3-DBS (VE1.0)

Topic 1
Security Problems
Learning Outcomes

At the end of this topic, you should be able to:

1. Define “Database Security” and “Sensitive Data”
2. Identify database security vulnerabilities, threats and risks
3. Suggest database security best practices to address and
mitigate the threats

Module Code & Module Title Slide Title SLIDE 2


Contents & Structure

• Database Security Overview
• Database Security Vulnerabilities, Threats & Risks
• Database Security Best Practices



Definition: Database Security

• Database security is the set of measures, policies,
and practices employed to protect a database from
unauthorized access, manipulation, or destruction.

• Database security policies are designed to
prevent sensitive data exposure and ensure the
availability and integrity of records stored within a
database system.



Definition: Sensitive Data

• Sensitive data is any kind of information that
is protected against unwarranted disclosure.

• It involves a wide range of categories,
including personal data, financial information,
proprietary details, health records, or trade
secrets.



Discussion

• List 10 data items (facts) that you provided to APU during
registration.
• Among the 10 data items, which ones do you consider sensitive?
• List 5 other data items that are being stored in/by APU.
• Among them, which ones do you consider sensitive?



Security News



Information Systems (IS)

• Information system - composed of
components working together to
produce and generate accurate
information
• Central to any Information System is
the database that contains all the
required data and information that
the organization acquires, processes,
generates, stores and uses to run its
business



Data vs Database vs DBMS
• Data
– is one of an organization’s most valuable assets
– critical for all individuals and organizations (government,
SME and corporations) to function properly
• Database
– An organized collection of structured data to make it
easily accessible, manageable and updatable
• DBMS
– Typically, a Database Management System or DBMS
such as MS-SQL, MySQL or Oracle is used to manage
the databases
– Integrated system that can be used to store, manage and
secure structured data as well as develop applications to
create data structures and manipulate data

DBMS Advantages
• Better control on access and security such as encryption
• Better activity tracing and auditing capabilities
• Efficient backup and recovery management
• Reduced data redundancy and increased consistency.



Discussion

• Differentiate between data and information.

• Differentiate between structured and unstructured data.



Database Security Problems

• Since data is very valuable, it is subject to misuse, damage, loss or being
stolen – by whom?

• Problems can come in many ways
– Unauthorized access to steal valuable data – How can this happen?
– Damage caused by unauthorized persons – How can this happen?
– Damage caused by authorized persons or applications – How can this
happen?
– Other damage caused by power interruptions, hardware, OS or
software failure, etc.



Definitions

• Vulnerability
– Weakness in the system that makes the data vulnerable to
• unauthorized access
• manipulation, or destruction by authorized/unauthorized

• Threat
– Security attack that can happen at any time because of a security
vulnerability

• Risk
– Damage that can happen if the threat attack happens



DB Security Vulnerability Access Points

DB Security Vulnerabilities

• Human
– Insufficient training, carelessness, ill intent

• Applications
– Bugs in the application software, which is typically unpatched and
developed using outdated technology or without good
security features
– Default values and/or misconfigurations can leave loopholes
in the systems



DB Security Vulnerabilities

• Network & Hardware
– Weaknesses within an organization’s access infrastructure
that allow cyber attackers to gain access and cause harm.
– Old or low-quality hardware

• Operating system (OS)
– Caused by exposures within an OS, typically an unpatched and
outdated OS



Database Security Vulnerabilities

• DBMS Applications
– Bugs in the DBMS software, typically unpatched
– Old versions being used
– Default values and/or misconfigurations can leave loopholes
in the systems

• Data files and data
– Data not properly classified and protected



DB Security Threats & Risks

Threats, with their explanation and risks:

• Unauthorized Access / Social Engineering Attack
– Explanation: Access by persons that should NOT have access to the system and data
– Risks: Data Theft – data is stolen

• Insider Threat / Privilege Abuse
– Explanation: Intentional unlawful activity performed by employees with legitimate access to the system and data
– Risks: Data Leakage – data is intentionally exposed to other parties

• Human Error
– Explanation: Unintentional mistakes or unlawful activity performed by employees with legitimate access to the system and data
– Risks: Data Corruption – data becomes unusable (partially or fully)

• Hardware failure
– Explanation: Failure of computing, network or storage devices
– Risks: Data Corruption or Data Unavailable (temporary or permanent)



DB Security Threats & Risks

Threats, with their explanation and risks:

• Denial of Service Attack
– Explanation: Intentional activities that jam up the system to a level that it stops functioning
– Risks: Data Unavailable (temporary)

• SQL Injection
– Explanation: Illegitimate access or manipulation of data
– Risks: Data Stolen or Data Corruption

• Ransomware Attack
– Explanation: Computer malware that is used to hijack data ownership
– Risks: Data Unavailable (temporary or permanent)

• Operating System or Application bug
– Explanation: Software malfunction that results in accidental data corruption or deletion
– Risks: Data Unavailable (permanent)

• Computer virus
– Explanation: Computer malware that is used to corrupt the data
– Risks: Data Unavailable (permanent)



Discussion

• Identify the threats that can be avoided. What will you do
to address the threats?

• Identify the threats that cannot be avoided. What will you
do to mitigate the risks?



Securing database environment

• Database Server – physical or virtual machine
hosting your database

• Securing the host is also referred to as “hardening” – a
process of tightening human physical access and
network access, including securing the server’s OS.



Securing database environment

• Because databases are nearly always network-accessible, any
security threat to any component within or portion of the
network infrastructure is also a threat to the database,
and any attack impacting a user’s device or workstation
can threaten the database

• Database security must extend far beyond the confines of
the database alone.



Securing database environment

• When evaluating database security in your environment to decide on your
team’s top priorities, consider each of the following areas:
– Physical security
– Administrative and network access controls
– End user account/device security
– Encryption
– Database software security
– Application/web server security
– Backup security
– Auditing



Security Methods

People
• Individuals who have been granted privileges and permissions to access
applications, networks, servers, databases, data files and data.

How to Secure
• Establishment of security policies/procedures
• Physical limits on access to HW and documents
• Identification and authentication
• Training on the importance of security and how to protect information
assets



Security Methods
Applications
• Application design and implementation, which includes privileges and
permissions granted to people.
• Be cautious, because permissions that are too loose result in violation of data
access, and permissions that are too strict compromise availability.

How to Secure
• Authentication and authorization of users who access applications
• Good design - hide database implementation details, perform code reviews,
implement good error handling that is not user facing
• Business rules to limit access
• Prevent SQL Injection
• Patched to the latest version
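
The "Prevent SQL Injection" and "error handling that is not user facing" items above, shown side by side as an added example that is not part of the original slides. It uses Python's built-in sqlite3 module; the table, sample rows, function names and the SERVER_LOG list are constructed for illustration.

```python
import sqlite3

SERVER_LOG = []  # stands in for a server-side log (assumption for this example)

def make_db():
    # Constructed sample data in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO students (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def find_unsafe(conn, name):
    # Weak form: input is concatenated into the SQL text, so a quote
    # character in the input changes the structure of the query.
    sql = "SELECT name, email FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_safe(conn, name):
    # Hardened form: the ? placeholder binds the input as a value only.
    return conn.execute(
        "SELECT name, email FROM students WHERE name = ?", (name,)
    ).fetchall()

def handle_request(conn, name, finder):
    # Error handling that is not user facing: the database error text
    # (which reveals SQL and schema details) stays in the server log.
    try:
        return {"ok": True, "rows": finder(conn, name)}
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"{finder.__name__}: {exc}")
        return {"ok": False, "error": "Request could not be processed."}

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing quote characters
    print(len(find_unsafe(db, crafted)), "rows from the concatenated query")
    print(len(find_safe(db, crafted)), "rows from the parameterized query")
    print(handle_request(db, "o'brien", find_unsafe))
    print(handle_request(db, "o'brien", find_safe))
```

The concatenated query returns every row for the crafted input and fails outright on an ordinary name containing an apostrophe, while the parameterized query treats both inputs as plain values.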



Security Methods

Network
• Is the most sensitive security access point.
• Use best effort to protect the network.

How to Secure
• Firewalls
• VPN
• Authentication



Security Methods

Operating system
• The authentication to the system and the gateway to the data.

How to Secure
• User accounts/authentication/authorization
• Intrusion detection
• Password policy
• Patched to the latest version



Security Methods

DBMS
• Holds our data
• Logical structure of the database, includes memory, executables, and other
binaries.

How to Secure
• Authentication & Authorization of People & Application
• Database Encryption
• Password Policy
• Database Auditing
• Backup Database
• Replication / Redundancy



Security Methods

Data files
• Physical files

How to Secure
• File encryption, permission management and access monitoring

Data
• Actual data as can be seen by the users

How to Secure
• Validation, constraints, encryption, access



Database Security Best Practices
• Permission Management / Access Control
– Authentication
– Authorization/Privileges
– Role based access control (RBAC)

• Data protection
– Obfuscation - Anonymization, Masking, Hashing, Encryption
– Backup
– High Availability
– User action validation to protect against accidental or intentional data loss

• Auditing – passive
– Try to identify what could happen (potential risk) – future
– Capture what happened – past

• Monitoring – active
– Keeping track of what is happening (monitoring) – present
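
Three of the practices above working together, as an added example that is not part of the original slides: role based access control decides who may read a record, masking hides sensitive fields from roles without that privilege, and every attempt is captured in an audit trail. The roles, permission names, field names and the student record are hypothetical and constructed for illustration.

```python
from datetime import datetime, timezone

# Hypothetical roles, permissions and records, constructed for this example.
ROLE_PERMISSIONS = {
    "registrar": {"read_student", "read_sensitive"},
    "lecturer": {"read_student"},
    "guest": set(),
}
SENSITIVE_FIELDS = ("passport_no", "bank_account")
STUDENTS = {
    "S001": {"name": "Alice Tan", "programme": "CS",
             "passport_no": "A12345678", "bank_account": "1234567890"},
}
AUDIT_LOG = []  # passive record of what happened

def mask(value, visible=4):
    # Keep the last `visible` characters; short values are masked entirely.
    keep = visible if len(value) > visible else 0
    return "*" * (len(value) - keep) + value[len(value) - keep:]

def audit(user, role, action, target, allowed):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "action": action,
        "target": target, "allowed": allowed,
    })

def read_student(user, role, student_id):
    # Authorization comes from the role, not the individual user.
    perms = ROLE_PERMISSIONS.get(role, set())  # unknown role: no privileges
    allowed = "read_student" in perms
    audit(user, role, "read_student", student_id, allowed)  # log denials too
    if not allowed:
        raise PermissionError("access denied")
    record = dict(STUDENTS[student_id])  # copy so stored data is never altered
    if "read_sensitive" not in perms:
        for field in SENSITIVE_FIELDS:
            record[field] = mask(record[field])
    return record

if __name__ == "__main__":
    print(read_student("u1", "registrar", "S001"))
    print(read_student("u2", "lecturer", "S001"))
    print(AUDIT_LOG)
```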



Discussion

• What is Database Security?
• Where or what can be the security weaknesses in the system?
• Identify common security threats specifically for database and
its hosting environment.
• List the database security scope of evaluation



Summary / Recap of Main Points

• Definition of Database Security
• Types of threats in the context of database security
• Database security scope of evaluation



What To Expect Next Week

In Class
• OS and Security Principles.

Preparation for Class
• Do some research on operating system
(OS) security principles
