Database Security Issues and Measures

sweetlipscaste (Security)

Nov 2, 2013

Access Matrix

  - Use a single bit to indicate the ability of a user to perform an operation
  - Provide a bit for each operation to form a mask
  - Build a matrix of users and objects
  - The mask determines a user's ability to perform an operation on an object

Access Matrix

  - Assume four types of table operations, each assigned one bit of the mask:

      SELECT   0001
      INSERT   0010
      UPDATE   0100
      DELETE   1000

Access Matrix

  (rows: users; columns: objects; cells: SELECT/INSERT/UPDATE/DELETE mask)

             CUSTOMER   PRODUCT   SALES
    ADAMS    0001       0001      0001
    SMITH    0101       0101      0101
    JONES    1111       1111      1111
    LEE      0001       0001      1111
    WILSON   1111       1111      0000
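
As an added example (not part of the original slides), the following Python implements the access matrix above: each user/object cell holds the four-bit mask from the slide, a request is granted only when every bit of the requested operation is set, and a user or object missing from the matrix gets no rights at all. The names Op, mask_for, is_allowed, allowed_ops, grant and revoke are this example's own.

```python
from enum import IntFlag


class Op(IntFlag):
    """One bit per table operation, laid out exactly as on the slide."""
    SELECT = 0b0001
    INSERT = 0b0010
    UPDATE = 0b0100
    DELETE = 0b1000


ALL_OPS = Op.SELECT | Op.INSERT | Op.UPDATE | Op.DELETE

# The access matrix from the slide: user -> object -> 4-bit mask string.
ACCESS_MATRIX = {
    "ADAMS":  {"CUSTOMER": "0001", "PRODUCT": "0001", "SALES": "0001"},
    "SMITH":  {"CUSTOMER": "0101", "PRODUCT": "0101", "SALES": "0101"},
    "JONES":  {"CUSTOMER": "1111", "PRODUCT": "1111", "SALES": "1111"},
    "LEE":    {"CUSTOMER": "0001", "PRODUCT": "0001", "SALES": "1111"},
    "WILSON": {"CUSTOMER": "1111", "PRODUCT": "1111", "SALES": "0000"},
}


def mask_for(user: str, obj: str) -> Op:
    """Mask for (user, object); anything not in the matrix gets no rights (deny by default)."""
    bits = ACCESS_MATRIX.get(user, {}).get(obj, "0000")
    return Op(int(bits, 2))


def is_allowed(user: str, obj: str, op: Op) -> bool:
    """True only when every bit of the requested operation(s) is set in the mask."""
    return (mask_for(user, obj) & op) == op


def allowed_ops(user: str, obj: str) -> list:
    """Names of the single operations the mask grants, in bit order."""
    mask = mask_for(user, obj)
    return [o.name for o in (Op.SELECT, Op.INSERT, Op.UPDATE, Op.DELETE) if o in mask]


def revoke(user: str, obj: str, op: Op) -> str:
    """Clear the given bit(s) (AND with the complement) and return the stored mask string."""
    new_mask = int(mask_for(user, obj)) & ~int(op) & int(ALL_OPS)
    ACCESS_MATRIX.setdefault(user, {})[obj] = format(new_mask, "04b")
    return ACCESS_MATRIX[user][obj]


def grant(user: str, obj: str, op: Op) -> str:
    """Set the given bit(s) (OR) and return the stored mask string."""
    new_mask = int(mask_for(user, obj)) | int(op)
    ACCESS_MATRIX.setdefault(user, {})[obj] = format(new_mask, "04b")
    return ACCESS_MATRIX[user][obj]
```

Passing a combined mask such as Op.SELECT | Op.UPDATE to is_allowed checks all of those bits at once, so a partial match (only SELECT held) is refused.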

Backup and Recovery

  - Server or Database Backup
      - Full Backup
      - Incremental (Partial) Backup
  - Database Backup
      - Transaction Log Backup
      - Journaling

Encryption

  - Use an encryption key to convert plain text to encrypted text
  - Symmetric: use the same key for both encryption and decryption
      - DES 64 bit: not that safe
      - PGP 128 bit: regarded as much safer
  - Asymmetric: use a public key and a private key
      - RSA systems

Web Security

  - The Internet uses TCP/IP
      - Transmission Control Protocol: ensures messages are delivered correctly
      - Internet Protocol: manages sending/receiving data packets using a 4-byte destination address called an IP number
  - TCP/IP is often used to refer to a series of protocols which run over TCP/IP
      - Telnet, FTP, HTTP, DNS, SMTP, POP, etc.

Web Security

  - TCP/IP is inherently an open system
  - Exposure to malicious activity is a problem
      - System shutdowns
      - Identity theft
      - Attacks on other systems
      - Hardware damage
      - Corruption of databases

Web Security

  - Proxy Servers
      - Sit between the Web server and the user's browser
      - Can filter user requests
          - Restrict access to specific Web sites
      - Can improve performance
          - Cache accessed pages so they do not have to be retrieved each time

Web Security

  - Firewalls
      - Try to prevent unauthorized access to the network from the outside
          - Internet to Intranet, for example
      - May be implemented through
          - Software
          - Hardware
          - Both

Web Security

  - Techniques commonly used by firewalls:
      - Packet filter: examines each data packet for authorization (can be fooled)
      - Application gateway: applies security rules to specific applications (can slow performance)
      - Circuit-level gateway: applies security when a connection is made (no checking thereafter)
      - Proxy server: intercepts each message in or out, so it hides the true address
  - Multiple techniques are often used together

Web Security

  - Message Digest Algorithm
      - A one-way hash function generates a digest (hash) string for a message
          - Unique to that message
          - Contains nothing about the message
  - Digital Signature
      - A two-part identifier
          - A bit-string derived from the message itself (MDA)
          - A private key
      - May use the MDA for all or part of the signature

Web Security

  - Digital Certificate
      - Authorization obtained in advance and attached to a message
      - Applied for from a Certificate Authority (CA)
      - The certificate contains encrypted data
          - The applicant's public key
          - Other identifying information
      - The user verifies the CA's key first, then the sender's

Web Security

  - Kerberos
      - Like Digital Certification
      - Uses a common authentication for everything
          - Network access, databases, etc.
  - SSL and Secure HTTP
      - Secure Sockets Layer
          - Uses a private key to handle messages over an SSL socket
      - Use the https protocol rather than http
      - Used extensively for transfer of credit card info

Web Security

  - Secure Electronic Transactions (SET)
      - SET relies heavily on certificates
      - Supported by many major suppliers of credit
      - Uses DES
  - Java Security
      - Uses a virtual machine (VM)
      - The user operates in a "sandbox"