CAN A DATABASE CAN A DATABASE REALLY BE SECURE?REALLY BE SECURE?

PRESENTED BY AUDREY WILLIAMSPRESENTED BY AUDREY WILLIAMS

22

OVERVIEWOVERVIEW What’s the purpose of a database security What’s the purpose of a database security

system?system? Why should an organization bother to Why should an organization bother to

implement a database security system?implement a database security system? What kinds of database security features can What kinds of database security features can

protect the DBMS?protect the DBMS? What are the responsibilities of the database What are the responsibilities of the database

administrator?administrator? Exposing classic database intrudersExposing classic database intruders SummationSummation BibliographyBibliography

33

DATABASE SECURITY DATABASE SECURITY What’s the purpose of a Database What’s the purpose of a Database

Security System?Security System?

To protect the stored data that is being To protect the stored data that is being collected to use in meaningful ways such collected to use in meaningful ways such as documents, charts, reports.as documents, charts, reports.

Also, to secure the data from intrudersAlso, to secure the data from intruders

Spafford implies, “Spafford implies, “the only truly secure the only truly secure system is one that is powered off, cast in a system is one that is powered off, cast in a block of concrete and sealed in a lead-block of concrete and sealed in a lead-lined room with armed guards - and even lined room with armed guards - and even then I have my doubts.then I have my doubts.””

44

DATABASE SECURITYDATABASE SECURITY

In response to Mr. Spafford’s statement – In response to Mr. Spafford’s statement –

Why should an organization bother to Why should an organization bother to implement a database security system?implement a database security system?

To protect the company’s clientele from predators To protect the company’s clientele from predators that will sell the data to the highest bidder.that will sell the data to the highest bidder.

Database intrusions and thefts will destroy or Database intrusions and thefts will destroy or reduce the company’s credibility & profits.reduce the company’s credibility & profits.

55

DATABASE SECURITYDATABASE SECURITY [Figure 1] demonstrates that the path [Figure 1] demonstrates that the path

of a source message comes from the of a source message comes from the client and is sent to the LAN/WAN client and is sent to the LAN/WAN router.router.

Next, the source message is passed to Next, the source message is passed to the server. The requested data is the server. The requested data is passed to the internet, internet router, passed to the internet, internet router, and firewall to the DBMS to retrieve and firewall to the DBMS to retrieve requested information. requested information.

After the destination server receives After the destination server receives

the message, the DBMS sends the the message, the DBMS sends the message back to the client as it was message back to the client as it was forwarded in the same order. forwarded in the same order.

So, the entry point for Hackers to So, the entry point for Hackers to breach the system is the internet, breach the system is the internet, internet router, and firewall connection internet router, and firewall connection which places the DBMS in jeopardy of which places the DBMS in jeopardy of data intrusion.data intrusion.

DBMSw/Server

LAN/Wan hd/sw

router/firewalls

Client Ntwkrouter

Figure 1Client/Server/DB

HackerIntrusion

Servers

Client Workstation Internet &Internet router/

firewall

66

DATABASE SECURITY DATABASE SECURITY FEATURESFEATURES What kinds of database security features can protect the DBMS?What kinds of database security features can protect the DBMS?

Digital CertificateDigital Certificate is a unique identifier given to an entity to provide is a unique identifier given to an entity to provide authentication of a computer, document, or webpage. Then, a third authentication of a computer, document, or webpage. Then, a third party such as Equifax certifies that the document is legal or illegal.party such as Equifax certifies that the document is legal or illegal.

EncryptionsEncryptions alter the data so unauthorized users cannot view data alter the data so unauthorized users cannot view data information.information.

FirewallsFirewalls protect a network from unauthorized access from the protect a network from unauthorized access from the internet.internet.

Proxy ServersProxy Servers shield the requests between the client computers shield the requests between the client computers inside a private network and the internet.inside a private network and the internet.

Security Socket LayerSecurity Socket Layer connects and transmits encrypted data. connects and transmits encrypted data.

S-HTTPS-HTTP (secure hypertext transport protocol) transmits web pages (secure hypertext transport protocol) transmits web pages securely.securely.

So, by configuring these features with internet and network So, by configuring these features with internet and network components, it is possible to provide privacy and security to reduce components, it is possible to provide privacy and security to reduce database security intrusions.database security intrusions.

77

RESPONSIBLITIES OF THE RESPONSIBLITIES OF THE DATABASE ADMINISTRATORDATABASE ADMINISTRATOR

To assign unique password & user identification for users to To assign unique password & user identification for users to have permission to access, read and or manipulate specific have permission to access, read and or manipulate specific information at a given time.information at a given time.

Enable various data layers that secure the access control, Enable various data layers that secure the access control,

auditing and authentication, encryption, and integrity auditing and authentication, encryption, and integrity controls.controls.

Perform a “vulnerability scan” on a routine basis to locate Perform a “vulnerability scan” on a routine basis to locate

configuration problems in the data layers of the DBMS configuration problems in the data layers of the DBMS software.software.

Evaluate and perform a “vulnerability assessment” against Evaluate and perform a “vulnerability assessment” against the database. This assessment makes an effort to locate the database. This assessment makes an effort to locate the cracks in the database security.the cracks in the database security.

88

RESPONSIBLITIES OF THE RESPONSIBLITIES OF THE DATABASE ADMINISTRATORDATABASE ADMINISTRATOR

To continually monitor the database security To continually monitor the database security standards to make sure that the company’s DBMS is standards to make sure that the company’s DBMS is in compliance with the database security standards. in compliance with the database security standards.

Two features of the database security compliance must be utilized.Two features of the database security compliance must be utilized.

Patch Management MethodPatch Management Method that locates problems in the that locates problems in the software, fixes and updates the cracks in the database software, fixes and updates the cracks in the database security.security.

Management & Review of Public & Granted Data AccessManagement & Review of Public & Granted Data Access relates relates to locating data objects in the database, such as the table that to locating data objects in the database, such as the table that holds data and evaluates who is entitled to manipulate or view holds data and evaluates who is entitled to manipulate or view the data objects. the data objects.

99

RESPONSIBLITIES OF THE RESPONSIBLITIES OF THE DATABASE ADMINISTRATORDATABASE ADMINISTRATOR

Always keep in mind that Always keep in mind that whenever a system has internet whenever a system has internet and network connections and network connections attached to a DBMS, security attached to a DBMS, security breaches will occur.breaches will occur.

Perform routine backup recovery Perform routine backup recovery procedures incase of electrical procedures incase of electrical outage and intruder attacks that outage and intruder attacks that can damage the DBMS.can damage the DBMS.

1010

THE CLASSIC DATABASE THE CLASSIC DATABASE INTRUDERSINTRUDERS

The Shifty Employees & Malicious The Shifty Employees & Malicious HackersHackers

1111

THE CLASSIC DATABASE THE CLASSIC DATABASE INTRUDERSINTRUDERS

EmployeesEmployees

For example, a salesperson in the sales department should For example, a salesperson in the sales department should have access to company prices of the product list instead of have access to company prices of the product list instead of data access of employee birth dates, extensive clientele data access of employee birth dates, extensive clientele information, home addresses, and salary information. information, home addresses, and salary information.

Adding to the example above, the salesperson learns that Adding to the example above, the salesperson learns that they will be fired or laid off; the salesperson could alter and they will be fired or laid off; the salesperson could alter and copy the database information for the purpose of using the copy the database information for the purpose of using the client list with their new job.client list with their new job.

So, the company and the database administrator are to So, the company and the database administrator are to blame for the employee having access to various amounts blame for the employee having access to various amounts of data to steal.of data to steal.

1212

THE CLASSIC DATABASE THE CLASSIC DATABASE INTRUDERSINTRUDERS

The Black Hat HackerThe Black Hat Hacker

Is a person that hacks into a Is a person that hacks into a security system to retrieve security system to retrieve data from a computer, data from a computer, network, and database system network, and database system with the intent to commit and with the intent to commit and terrorize the victims in a terrorize the victims in a criminal and criminal and maliciouslymaliciously act of act of blackmail, damage and blackmail, damage and larceny.larceny.

The purpose is to gain system The purpose is to gain system controls of the individual or the controls of the individual or the organization.organization.

1313

THE CLASSIC DATABASE THE CLASSIC DATABASE INTRUDERSINTRUDERS

Hackers believe: “The best hackers never get caught!” Hackers believe: “The best hackers never get caught!” However in 2006, 42% of cybercrimes were However in 2006, 42% of cybercrimes were

committed by hackers.committed by hackers. Then, the manpower from law enforcement is Then, the manpower from law enforcement is

limited in size to fully pursue limited in size to fully pursue everyevery high-tech crime high-tech crime that is committed, so the most costly crimes are that is committed, so the most costly crimes are the cases that are pursued by law enforcement.the cases that are pursued by law enforcement.

Yet, in 2006, global tasks forces in major cities are Yet, in 2006, global tasks forces in major cities are developing and devoting more manpower for the developing and devoting more manpower for the goal of locating, charging, arresting, and goal of locating, charging, arresting, and sentencing hackers for their cybercrimes.sentencing hackers for their cybercrimes.

In 2006, one hacker stole 165,000 consumer identities In 2006, one hacker stole 165,000 consumer identities and another hacker stole $800,000 from local banks and another hacker stole $800,000 from local banks through identity thefts. through identity thefts.

1414

SUMMATIONSUMMATION It seems that companies cannot deter or stop It seems that companies cannot deter or stop

predators from hacking into DBMS through the predators from hacking into DBMS through the internet and network connections.internet and network connections.

So, by applying database security features and So, by applying database security features and routine maintenance on the DBMS to: routine maintenance on the DBMS to:

Monitor the database security compliancesMonitor the database security compliances Perform vulnerability assessments and scans to discover Perform vulnerability assessments and scans to discover

cracks in the database securitycracks in the database security Reconfigure data access parameters to lock out Reconfigure data access parameters to lock out

imminent attackersimminent attackers Prevent employees from accessing and viewing more Prevent employees from accessing and viewing more

data than necessary should maintain the database data than necessary should maintain the database security to protect the data from most intrusions and security to protect the data from most intrusions and thefts.thefts.

1515

THE ENDTHE END

BIBLIOGRAPHYBIBLIOGRAPHY

WIKIPEDIAWIKIPEDIA DOJ & FBIDOJ & FBI Merriam-WebsterMerriam-Webster L.A.P.D.L.A.P.D. N.Y.P.D N.Y.P.D Spafford. Eugene H. Spafford. Eugene H. O'Reilly. S. Garfinkel. O'Reilly. S. Garfinkel. Web Web

Security & CommerceSecurity & Commerce. Retrieved from Internet . Retrieved from Internet 31.Mar.2007.31.Mar.2007. http://en.wikipedia.org/wiki/Hackerhttp://en.wikipedia.org/wiki/Hacker. . Article was created in 1997.Article was created in 1997.