Upload
bonnie-mcdowell
View
218
Download
0
Embed Size (px)
Citation preview
Chapter 19Security
• Integrity• Security• Control
– computer-based
– non-computer-based
• PC security• DBMS and Web security• Risk Analysis• Data protection and privacy laws
Integrity
• Definition– Consistent with constraints
• Types– Entity– Referential or existence – Domain– Enterprise
Security
• Threats– Theft & fraud– Loss of confidentiality– Loss of privacy– Loss of integrity– Loss of availability
Countermeasures
• Computer-based controls
• Non-computer-based controls
Computer-based Controls - 1
• Authorization & authentication– Password– Account number– Relations, users & right (CRUD) table
• Subschema– Create views
Computer-based Controls - 2
• Logs– Transaction logs– Violation logs (time, terminal, violation)
• Check points
• Backup (redundant array of independent disks - RAID) & recovery
• Audit
Computer-based Controls - 3
• Encryption or cryptosystem– Encryption key– Encryption algorithm– Decryption key– Decryption algorithm– Symmetric encryption (Data Encryption
Standard (DES)– Asymmetric encryption (RSA)
Example of Encryption - I
• Divide text into groups of 8 characters. Pad with blank at end as necessary
• Select an 8-characters key• Rearrange text by interchanging adjacent
characters• Translate each character into an ordinal number
with blank as 0, A as 1, B as 2…• Add the ordinal number of the key to the results• Divide the total by 27 and retain the remainder• Translate the remainder back into a character to
yield the cipher text
Example of Encryption - II
• Message: DATA COM
• Key: PROTOCOL
• A D A T C M O
• 01 04 01 20 03 00 13 15 (adatc mo)
• 01 04 01 20 03 00 13 15
• 16 18 15 20 15 03 15 12 (protocol)
• 17 22 16 40 18 03 28 27 (sum)
• 17 22 16 13 18 03 01 00 remainder
• Q V P M R C A SPACE
Example of Decryption - I
• Divide cipher text into groups of eight characters. Pad with blanks at end as necessary
• Translate each cipher text alphabetic character and the encryption key into an ordinal number
• For each group, subtract the ordinal number of the key value from the ordinal number of the cipher text
• Add 27 to any negative number• Translate the number back to alphabetic
equivalents• Rearrange the text by interchanging adjacent
characters
Example of Decryption - II
• Q V P M R C A SPACE
• 17 22 16 13 18 03 01 00 (qvpmrca )
• 17 22 16 13 18 03 01 00
• 16 18 15 20 15 03 15 12 (protocol)
• 01 04 01 -7 03 00 -14 -12 (substract)
• plus 27 27 27 27
• 01 04 01 20 03 00 13 15
• A D A T C M O
• D A T A C O M
Non-Computer-based Controls
• Security policy• Contingency plan
– Person, phone no., procedures
– Site (cold, warm, or hot)
• Personnel control– Reference
– Termination
– Training
– Balance of duty
• Escrow & maintenance agreements• Physical
PC Security
• Policy & procedure
• Physical
• Logical
• Virus
DBMS and Web Security
• Proxy server: performance & filtering• Firewall: packet filter, application gateway, circuit level
gateway, & proxy server• Digital signatures & Certificate Authority (CA)• Message digest algorithms and digital signature• Kerberos: centralized security server (certificate server• Secure Sockets Layer (SSL) for data & Secure HTTP for
individual message• Secure Electronic Transaction (SET) for credit card &
Secure Transaction Technology (STT) for bank payment
Risk Analysis
• Assets
• Threats and risks
• Countermeasures
• Cost/benefit analysis
• Testing
Data Protection & Privacy Law
Assignment
• Review chapters 5-6, 11-13, and 18• Read chapter 19• Exam 3
– Date: 12/9/04
• Project– Normalization and Corrected EER diagram due date:
12/2/04
– SQL, corrected normalization, and EER diagram due date: 12/15/04 (MIS Department Office)